Deploying OpenVPN Service

This image only ensures that the basic functionality works. If you are able to configure OpenVPN yourself, it is recommended to build your own image or to use this one as a reference implementation. Before use, you need a basic understanding of Linux and Docker. This image has been tested on Debian 9; this guide explains how to use it on Debian 9, and the steps generally apply to other distributions such as Ubuntu. The default port for this service is 1190/UDP. Make sure your firewall rules allow this port.

Prerequisites

First, enable IPv4 forwarding on your server by executing the following commands:

echo net.ipv4.ip_forward=1 >>/etc/sysctl.conf
sysctl -p

If your server has ufw installed, you also need to add the following content near the top of /etc/ufw/before.rules. Replace eth0 and the network segment with your server's actual outbound interface and VPN subnet. Note that this must be placed before the *filter section (if any).

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.27.27.0/24 -o eth0 -j MASQUERADE
COMMIT

In /etc/default/ufw, set the default forwarding policy to ACCEPT.

DEFAULT_FORWARD_POLICY="ACCEPT"

Finally, execute the following command to reload the ufw firewall rules on your server.

ufw reload

If your server does not have ufw installed, ensure that the iptables FORWARD policy is set to ACCEPT by executing the following command.

iptables -P FORWARD ACCEPT

Attention

This setting is not persistent: you may need to reapply this rule after the server restarts. It is recommended to install ufw.
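Before moving on, it is worth verifying the three prerequisites above as a whole: forwarding persisted in sysctl.conf, the MASQUERADE rule sitting in a *nat table ahead of *filter, and the ufw forward policy. The following script is an added example, not part of the rev1si0n/openvpn image or the lamda project. Each check takes the file it inspects as an argument (defaulting to the real system path), so it can be run against copies or test fixtures without root; the live iptables and sysctl checks only make sense on the actual host. The script name check-forwarding.sh is an assumption.

```shell
#!/bin/sh
# Added example, not part of the rev1si0n/openvpn image: check the forwarding
# prerequisites before starting the container. File-based checks take the file
# to inspect as an argument so they can run against fixtures without root.
set -u

# 1. Persistent IPv4 forwarding in sysctl.conf ("net.ipv4.ip_forward=1",
#    spaces around "=" allowed, commented-out lines do not count).
sysctl_forward_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' \
        "${1:-/etc/sysctl.conf}"
}

# 2. ufw before.rules: a *nat table with a POSTROUTING MASQUERADE rule for the
#    VPN subnet, and that table must appear BEFORE the *filter table.
nat_masquerade_before_filter() {
    awk -v subnet="${2:-172.27.27.0/24}" '
        /^\*filter/              { in_filter = 1 }
        /^\*nat/ && !in_filter   { in_nat = 1 }
        in_nat && /^-A POSTROUTING/ && /MASQUERADE/ && index($0, subnet) { found = 1 }
        /^COMMIT/                { in_nat = 0 }
        END { exit found ? 0 : 1 }
    ' "${1:-/etc/ufw/before.rules}"
}

# 3. Default forward policy in /etc/default/ufw.
ufw_forward_policy_accept() {
    grep -q '^DEFAULT_FORWARD_POLICY="ACCEPT"' "${1:-/etc/default/ufw}"
}

# 4. Live kernel and iptables state (needs root; not covered by the file checks).
iptables_forward_accept() {
    iptables -S FORWARD 2>/dev/null | grep -q '^-P FORWARD ACCEPT'
}
sysctl_forward_live() {
    [ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" = "1" ]
}

# Run the file-based checks: sysctl.conf, before.rules, default/ufw, VPN subnet.
# Prints one line per result and returns 1 if any check failed.
check_files() {
    rc=0
    if sysctl_forward_enabled "$1"; then echo "ok   ip_forward=1 persisted in $1"
    else echo "FAIL ip_forward=1 missing from $1"; rc=1; fi
    if nat_masquerade_before_filter "$2" "$4"; then echo "ok   MASQUERADE for $4 before *filter in $2"
    else echo "FAIL no MASQUERADE rule for $4 in a *nat table before *filter in $2"; rc=1; fi
    if ufw_forward_policy_accept "$3"; then echo "ok   DEFAULT_FORWARD_POLICY=ACCEPT in $3"
    else echo "FAIL DEFAULT_FORWARD_POLICY is not ACCEPT in $3"; rc=1; fi
    return $rc
}

# Usage on the real host:  sh check-forwarding.sh --check [vpn-subnet]
if [ "${1:-}" = "--check" ]; then
    check_files /etc/sysctl.conf /etc/ufw/before.rules /etc/default/ufw "${2:-172.27.27.0/24}"
    iptables_forward_accept && echo "ok   live FORWARD policy is ACCEPT" || echo "WARN live FORWARD policy is not ACCEPT (or not running as root)"
    sysctl_forward_live && echo "ok   live ip_forward=1" || echo "WARN live ip_forward is not 1"
fi
```

The before.rules check deliberately refuses a *nat table placed after *filter, because that is the mistake the note above warns about; pass a different subnet as the second argument if you changed the server line in config.ovpn.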

Initializing the Configuration

Now, let's create a directory to store our OpenVPN service configuration:

mkdir -p ~/lamda-openvpn-server

Next, execute the following command to initialize the OpenVPN service:

docker run -it --rm --privileged --net host -v ~/lamda-openvpn-server:/etc/openvpn rev1si0n/openvpn ovpn-server-new

After the command finishes, the service configuration is in the ~/lamda-openvpn-server directory. The configuration file is config.ovpn; open it with an editor. It is recommended to modify only the following fields.

# VPN network segment and subnet mask
server 172.27.27.0 255.255.255.0
# VPN service port
port 1190

# If VPN clients need to reach a network that the server is attached to,
# you can also push a route. Note that clients will then only be able to reach
# the server's own IP in that segment; giving clients full access to the
# segment requires additional setup.
push "route 192.168.68.0 255.255.255.0"

# Replace 114.114.114.114 with the DNS server you want clients to use
push "dhcp-option DNS 114.114.114.114"

Creating Client Connection Credentials

After editing, let's create a client. Replace myname with any name you like, but it must be unique.

docker run -it --rm --privileged --net host -v ~/lamda-openvpn-server:/etc/openvpn rev1si0n/openvpn ovpn-client-new myname

After creation, use the following command to get the login credentials for this client:

# Note: The IP in the configuration is automatically detected as the current public IP. If it's incorrect, you need to modify it manually.
#
# Generate the ovpn configuration and redirect it to a file named myname.ovpn. This file can be used with apps like OpenVPN-Connect.
docker run -it --rm --privileged --net host -v ~/lamda-openvpn-server:/etc/openvpn rev1si0n/openvpn ovpn-client-profile ovpn myname >myname.ovpn
# Generate an OpenVPNProfile for lamda, which can be used directly in lamda.
# It contains a commented-out properties.local section. You can copy the openvpn.* configuration from it
# to /data/usr/properties.local to enable automatic VPN connection.
docker run -it --rm --privileged --net host -v ~/lamda-openvpn-server:/etc/openvpn rev1si0n/openvpn ovpn-client-profile lamda myname
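The note above warns that the public IP written into the profile is autodetected and may be wrong, so it pays to check each generated .ovpn before handing it to a client. The following script is an added example, not part of the rev1si0n/openvpn image or the lamda project. It assumes the profile is a standard unified .ovpn (a "remote <host> <port>" line plus inline <ca>, <cert> and <key> blocks); if the image emits a different layout, adjust the list of required blocks. The sample profile, the script name check-profile.sh and the address 203.0.113.10 are constructed for illustration, with placeholder certificate material rather than real keys.

```shell
#!/bin/sh
# Added example, not part of the rev1si0n/openvpn image: sanity-check a
# generated client profile (remote host/port and inline cert blocks).
set -u

# Print "host port" from the first "remote" directive (OpenVPN's default port
# is 1194 when the directive gives none).
profile_remote() {
    awk '$1 == "remote" { print $2, ($3 == "" ? "1194" : $3); exit }' "$1"
}

# Succeed if the inline block <tag> ... </tag> exists and is non-empty.
profile_has_block() {
    awk -v tag="$2" '
        $0 == ("<" tag ">")  { open = 1; lines = 0; next }
        $0 == ("</" tag ">") { if (open && lines > 0) ok = 1; open = 0 }
        open && NF > 0       { lines++ }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Check that FILE points at the expected host:port and carries the required
# directives. One line per finding; returns 1 if anything is wrong.
check_profile() {
    file="$1"; want_host="$2"; want_port="${3:-1190}"; rc=0
    if grep -q '^client$' "$file"; then echo "ok   client directive"
    else echo "FAIL missing 'client' directive"; rc=1; fi
    remote=$(profile_remote "$file")
    host=${remote%% *}; port=${remote##* }
    if [ -z "$remote" ]; then
        echo "FAIL no remote directive"; rc=1
    elif [ "$host" != "$want_host" ] || [ "$port" != "$want_port" ]; then
        echo "FAIL remote is $host $port, expected $want_host $want_port (public IP autodetection may have picked the wrong address)"; rc=1
    else
        echo "ok   remote $host $port"
    fi
    for block in ca cert key; do
        if profile_has_block "$file" "$block"; then echo "ok   <$block> present"
        else echo "FAIL <$block> block missing or empty"; rc=1; fi
    done
    return $rc
}

# Constructed sample profile with placeholder certificate material (not real
# keys), used to show the expected shape and by the checks below.
sample_profile() {
    cat <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1190
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
EOF
}

# Usage:  sh check-profile.sh --check myname.ovpn <expected-public-ip> [port]
if [ "${1:-}" = "--check" ]; then
    check_profile "${2:?profile file}" "${3:?expected host}" "${4:-1190}"
fi
```

A revoked client's profile still passes these checks: revocation is enforced by the server, which is why the service may need a restart after ovpn-client-revoke, not by anything in the .ovpn file.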

Revoking Client Credentials

If you need to revoke a client's credentials, execute the following command. You may need to restart the OpenVPN service after revocation for it to take effect.

docker run -it --rm --privileged --net host -v ~/lamda-openvpn-server:/etc/openvpn rev1si0n/openvpn ovpn-client-revoke myname

Starting the OpenVPN Service

Now you can execute the following command to start the OpenVPN service in the foreground. This allows you to see client connection logs and troubleshoot errors directly.

docker run -it --rm --name openvpn-server --privileged --net host -v ~/lamda-openvpn-server:/etc/openvpn rev1si0n/openvpn run

Once you have confirmed that everything is working correctly, it is recommended to run the service in the background. Use the following command to start it in the background.

docker run -d --rm --name openvpn-server --privileged --net host -v ~/lamda-openvpn-server:/etc/openvpn rev1si0n/openvpn run

References

Basic Documentation: https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

Routing and Bridging: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting