Deploying VPN Service
This image only provides basic functionality. If you are able to configure OpenVPN yourself, it is recommended to build your own setup or to use this image's implementation as a reference. Before using it, you should have basic knowledge of Linux and Docker. The image has been tested on Debian 9; this article describes its use on Debian 9, and the steps generally apply to other systems such as Ubuntu. The default service port is 1190/UDP; make sure your firewall allows inbound traffic on that port.
Preparations
First enable IP forwarding on the server by running these commands:
echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
sysctl -p
If your server has ufw installed, add the following content at the beginning of the /etc/ufw/before.rules file. Replace eth0 with your server's actual external interface and adjust the subnet to match your VPN subnet. Note that the block must be placed before the *filter rules (if any).
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.27.27.0/24 -o eth0 -j MASQUERADE
COMMIT
Change the following setting in /etc/default/ufw to ACCEPT.
DEFAULT_FORWARD_POLICY="ACCEPT"
Finally, reload the ufw rules with the following command:
ufw reload
If your server does not have ufw installed, ensure that the iptables FORWARD policy is ACCEPT by running the following command:
iptables -P FORWARD ACCEPT
Attention
You may need to re-apply this rule after a server reboot; installing ufw is recommended.
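As an added example (not part of the lamda image or its documentation), the following POSIX shell script applies the ufw preparation steps above so that re-running it does not duplicate the NAT block or the forward policy line. The file-path parameters, the check_prep helper and the apply argument are conventions of this example; the subnet and interface default to the values used on this page.

```shell
#!/bin/sh
# Added example: idempotent version of the ufw preparation steps.
# File paths are parameters so the functions can be exercised on copies first.
VPN_SUBNET="${VPN_SUBNET:-172.27.27.0/24}"   # must match the "server" line in config.ovpn
WAN_IF="${WAN_IF:-eth0}"                     # the server's external interface

# Print the *nat block exactly as shown above for the given subnet and interface.
nat_block() {   # $1=subnet $2=interface
  printf '*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s %s -o %s -j MASQUERADE\nCOMMIT\n' "$1" "$2"
}

# Prepend the *nat block to a before.rules file (before any *filter section),
# but only if no MASQUERADE rule for that subnet/interface is present yet.
add_nat_rules() {   # $1=before.rules path $2=subnet $3=interface
  if grep -q -- "-s $2 -o $3 -j MASQUERADE" "$1"; then
    return 0
  fi
  tmp="$1.tmp.$$"
  { nat_block "$2" "$3"; cat "$1"; } > "$tmp" && mv "$tmp" "$1"
}

# Set DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw (or a copy of it).
set_forward_policy() {   # $1=default/ufw path
  if grep -q '^DEFAULT_FORWARD_POLICY=' "$1"; then
    sed -i 's/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY="ACCEPT"/' "$1"
  else
    printf 'DEFAULT_FORWARD_POLICY="ACCEPT"\n' >> "$1"
  fi
}

# Succeeds only when both settings are in place; use it before "ufw reload".
check_prep() {   # $1=before.rules $2=default/ufw $3=subnet $4=interface
  grep -q -- "-s $3 -o $4 -j MASQUERADE" "$1" &&
  grep -q '^DEFAULT_FORWARD_POLICY="ACCEPT"$' "$2"
}

# "apply" edits the real files; run as root on the VPN server.
if [ "${1:-}" = "apply" ]; then
  sysctl -w net.ipv4.ip_forward=1
  grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf || echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
  add_nat_rules /etc/ufw/before.rules "$VPN_SUBNET" "$WAN_IF"
  set_forward_policy /etc/default/ufw
  check_prep /etc/ufw/before.rules /etc/default/ufw "$VPN_SUBNET" "$WAN_IF" && ufw reload
fi
```

Run it without arguments to load only the functions (for example to test them on copies of the files), and with apply to change the live configuration.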
Initial Configuration
Now create a directory to store the OpenVPN service configuration.
mkdir -p ~/lamda-openvpn-server
Next, run the following command to initialize the OpenVPN service:
docker run -it --rm --privileged --net host -v ~/lamda-openvpn-server:/etc/openvpn rev1si0n/openvpn ovpn-server-new
Wait for the command to finish. Now you can see the service configuration file config.ovpn in the ~/lamda-openvpn-server directory. You can edit this file; it is recommended to change only the following fields:
# VPN subnet and netmask
server 172.27.27.0 255.255.255.0
# VPN service port
port 1190
# If VPN clients need to access a specific network interface on the server, you can add a route.
# Note: In this case the client can only access the host's IP within that subnet,
# full subnet access requires additional setup.
push "route 192.168.68.0 255.255.255.0"
# Change 114.114.114.114 to your desired DNS server address
push "dhcp-option DNS 114.114.114.114"
Creating Client Connection Credentials
After editing, create a client. Replace myname with any unique name you prefer.
docker run -it --rm --privileged --net host -v ~/lamda-openvpn-server:/etc/openvpn rev1si0n/openvpn ovpn-client-new myname
Once created, obtain the login credentials for this client with the following commands:
# Note: The IP in the configuration is automatically obtained from the current public IP;
# if it is incorrect, modify it manually.
#
# Generate an ovpn configuration and redirect it to a file named myname.ovpn. This file can be used with clients like OpenVPN Connect.
docker run -it --rm --privileged --net host -v ~/lamda-openvpn-server:/etc/openvpn rev1si0n/openvpn ovpn-client-profile ovpn myname >myname.ovpn
# Generate an OpenVPNProfile for use with lamda, which can be used directly in lamda.
# The output contains openvpn.* related settings; refer to the service configuration chapter for how to fill them in to achieve automatic VPN connection.
docker run -it --rm --privileged --net host -v ~/lamda-openvpn-server:/etc/openvpn rev1si0n/openvpn ovpn-client-profile lamda myname
Revoking Client Credentials
If you need to revoke a client's credentials, run the following command. You may need to restart the OpenVPN service afterward for the revocation to take effect.
docker run -it --rm --privileged --net host -v ~/lamda-openvpn-server:/etc/openvpn rev1si0n/openvpn ovpn-client-revoke myname
Starting the OpenVPN Service
Now you can start the OpenVPN service in the foreground to view client connection logs and troubleshoot errors directly.
docker run -it --rm --name openvpn-server --privileged --net host -v ~/lamda-openvpn-server:/etc/openvpn rev1si0n/openvpn run
After confirming everything works, it is recommended to run the service in the background. Use the following command to start it in the background:
docker run -d --rm --name openvpn-server --privileged --net host -v ~/lamda-openvpn-server:/etc/openvpn rev1si0n/openvpn run
Reference Documentation
Basic documentation: https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
Routing setup: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting