Deploying OpenVPN Service

This image only guarantees that the basic functionality works. If you are able to configure OpenVPN yourself, it is recommended to set up your own server, or to use the way this image is implemented as a reference. Before using it, you need basic knowledge of Linux and Docker. This image has been tested on Debian 9; the steps below describe Debian 9, but they generally apply to other systems such as Ubuntu as well. The default port of this service is 1190/UDP, so make sure your firewall allows it.

Preparation

First, enable IP forwarding on your server with the following change. Execute the commands:

echo net.ipv4.ip_forward=1 >>/etc/sysctl.conf
sysctl -p

If ufw is installed on your server, you also need to add the following content near the top of /etc/ufw/before.rules. Change eth0 and the network segment to match your server's actual interface and configuration. Note that it must be placed before the *filter rules (if any).

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.27.27.0/24 -o eth0 -j MASQUERADE
COMMIT

Set the following option in /etc/default/ufw to ACCEPT.

DEFAULT_FORWARD_POLICY="ACCEPT"

Finally, execute the following command to reload the ufw firewall on the server.

ufw reload

If ufw is not installed on your server, make sure the iptables FORWARD policy is ACCEPT. Execute the following command.

iptables -P FORWARD ACCEPT

Attention

You may need to reapply this rule after the server restarts. It is recommended to install ufw.

Initialize Configuration

Now, let’s create a directory to save our OpenVPN service configuration:

mkdir -p ~/lamda-openvpn-server

Next, execute the following command to initialize the OpenVPN service:

docker run -it --rm --privileged --net host -v ~/lamda-openvpn-server:/etc/openvpn rev1si0n/openvpn ovpn-server-new

Wait for the command to finish. You can now see the service configuration in the ~/lamda-openvpn-server directory; the configuration file is config.ovpn. Open it with an editor. It is recommended to modify only the following fields:

# VPN network segment and netmask
server 172.27.27.0 255.255.255.0
# VPN service port
port 1190

# Optionally, if VPN clients need to reach a network interface on the server,
# you can also push a route. Note that with only this route, clients can reach
# just the server's own IP in that segment; giving clients full access to the
# segment requires additional settings.
push "route 192.168.68.0 255.255.255.0"

# Replace 114.114.114.114 with your preferred DNS server
push "dhcp-option DNS 114.114.114.114"
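The network segment in the server directive above must be the same one that the MASQUERADE rule in /etc/ufw/before.rules applies to, otherwise the two settings silently disagree. The following check script is an added example, not part of the rev1si0n/openvpn image; it reads both files (paths passed as arguments) and reports a mismatch. The sample files used to exercise it are constructed.

```sh
#!/bin/sh
# Added consistency check (not part of the rev1si0n/openvpn image): the subnet declared
# by "server <net> <mask>" in config.ovpn must equal the subnet the MASQUERADE rule in
# /etc/ufw/before.rules NATs, otherwise client traffic is forwarded but never masqueraded.
set -u

# Convert a dotted netmask (e.g. 255.255.255.0) to a prefix length (24).
mask_to_prefix() {
    local octet bits=0
    for octet in $(printf '%s' "$1" | tr . ' '); do
        case "$octet" in
            255) bits=$((bits + 8)) ;;  254) bits=$((bits + 7)) ;;
            252) bits=$((bits + 6)) ;;  248) bits=$((bits + 5)) ;;
            240) bits=$((bits + 4)) ;;  224) bits=$((bits + 3)) ;;
            192) bits=$((bits + 2)) ;;  128) bits=$((bits + 1)) ;;
            0) ;;
            *) return 1 ;;
        esac
    done
    echo "$bits"
}

# Print the subnet from the "server" line of an OpenVPN config in CIDR form.
vpn_subnet() {
    local cfg="$1" prefix
    set -- $(awk '$1 == "server" { print $2, $3; exit }' "$cfg")
    [ $# -eq 2 ] || return 1
    prefix=$(mask_to_prefix "$2") || return 1
    echo "$1/$prefix"
}

# Print the -s subnet of the first POSTROUTING MASQUERADE rule in a before.rules file.
nat_subnet() {
    awk '/^-A POSTROUTING/ && /MASQUERADE/ {
             for (i = 1; i <= NF; i++) if ($i == "-s") print $(i + 1); exit }' "$1"
}

# Return 0 when the config subnet and the NAT rule agree, 1 (with a reason) otherwise.
check_nat_matches_config() {
    local vpn nat
    vpn=$(vpn_subnet "$1") || { echo "no usable server line in $1" >&2; return 1; }
    nat=$(nat_subnet "$2")
    [ -n "$nat" ] || { echo "no MASQUERADE rule in $2" >&2; return 1; }
    [ "$vpn" = "$nat" ] || { echo "mismatch: config $vpn vs NAT rule $nat" >&2; return 1; }
}

# Usage: sh check-nat.sh ~/lamda-openvpn-server/config.ovpn /etc/ufw/before.rules
if [ $# -eq 2 ]; then
    check_nat_matches_config "$1" "$2" && echo "ok: VPN subnet matches NAT rule"
fi
```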

Create Client Connection Credentials

After editing, let's create a client. myname can be changed to anything you like, but each client name must be unique:

docker run -it --rm --privileged --net host -v ~/lamda-openvpn-server:/etc/openvpn rev1si0n/openvpn ovpn-client-new myname

After creation, use the following command to get the login credentials for this client:

# Note: the IP in the configuration is taken automatically from the current public IP;
# if it is not correct, you need to edit it yourself.
#
# Generate the ovpn configuration and redirect it to the file myname.ovpn; this file can be used with apps such as OpenVPN Connect
docker run -it --rm --privileged --net host -v ~/lamda-openvpn-server:/etc/openvpn rev1si0n/openvpn ovpn-client-profile ovpn myname >myname.ovpn
# Generate the OpenVPNProfile used by lamda, which can be used directly in lamda.
# It contains a properties.local comment section; you can copy the openvpn.* settings
# into /data/usr/properties.local to connect to the VPN automatically
docker run -it --rm --privileged --net host -v ~/lamda-openvpn-server:/etc/openvpn rev1si0n/openvpn ovpn-client-profile lamda myname

Revoke Client Credentials

If you need to revoke a client’s credentials, execute the following command. After revocation, you may need to restart the OpenVPN service:

docker run -it --rm --privileged --net host -v ~/lamda-openvpn-server:/etc/openvpn rev1si0n/openvpn ovpn-client-revoke myname

Start OpenVPN Service

Now you can start the OpenVPN service in the foreground with the following command. The client connection logs are shown directly, so you can troubleshoot errors:

docker run -it --rm --name openvpn-server --privileged --net host -v ~/lamda-openvpn-server:/etc/openvpn rev1si0n/openvpn run

Once you have confirmed everything works, it is recommended to run it in the background. Use this command to start the service in the background:

docker run -d --rm --name openvpn-server --privileged --net host -v ~/lamda-openvpn-server:/etc/openvpn rev1si0n/openvpn run

Reference Documentation

Basic documentation: https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

Routing settings: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting