Run OpenVPN in Docker in 2 seconds

Hello, Khabrovites! Have you ever faced a situation where you would really like to be virtually transported to another city, country or continent? I have this need quite often, so the ability to have my own VPN server that can be launched anywhere in a couple of seconds was quite pressing. In this article I want to talk about my project, which I conceived while looking for a ready-made solution, in this case a Docker image that would let you quickly bring up an OpenVPN server with a minimum of settings and an acceptable level of security.


Background

The ability to run the service on any machine, be it a physical server, a virtual private server, or even a container slot inside another container management system, was critical. My eyes immediately fell on Docker. Firstly, this service is gaining popularity, so more and more providers offer ready-made solutions with it pre-installed; secondly, there is a centralized repository of images from which you can download and run a service with a single command in the terminal. The thought that such a project must already exist came to me, and I searched hard. But most of the projects I found were either too cumbersome (you had to create a container for persistent data storage and run the application container several times with different parameters), or lacked sane documentation, or were completely abandoned. Having found nothing acceptable, I started work on my own project. Sleepless nights of studying documentation, writing code and debugging lay ahead, but in the end my service saw the light of day and sparkled with all the colors of the router's monochrome LED panel. So, please welcome docker-openvpn. I even came up with a logo (above, before the cut), but don't judge it too harshly, because I'm not a designer (any more).

When implementing this project, I put deployment speed, a minimum of settings and an acceptable level of security at the forefront. Through trial and error I found the optimal balance of these criteria; however, in some places I had to sacrifice deployment speed for the sake of security, and portability had to be paid for the minimum of settings: in the current configuration, a container created on one server cannot be transferred and run on another. For example, all client and server certificates are generated when the service starts, which takes about 2 seconds.
However, the generation of the Diffie-Hellman parameters file had to be moved to build time: it is created while the Docker image is built and can take up to 10 minutes. I would very much like to receive a security audit of such a solution from the esteemed community.

Launch

To start the service, we need a few things:

  1. A server: physical or virtual. It is theoretically possible to run in docker-in-docker mode, but I haven't tested this option extensively;
  2. Docker itself. Many hosting providers offer turnkey solutions with Docker "on board";
  3. A public IP address.

If all the pieces are in place, all we have to do is run the following command in your server's console:

docker run --cap-add=NET_ADMIN \
    -it -p 1194:1194/udp -p 80:8080/tcp \
    -e HOST_ADDR=$(curl -s https://api.ipify.org) \
    alekslitvinenk/openvpn

An attentive reader may have noticed that the server's IP address is determined automatically using ipify.org. If for some reason this does not work, you can specify the address manually. If all the previous steps were performed correctly, we should see something like this in the console:
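A small wrapper for the launch command, added here as an example and not part of the docker-openvpn project: it validates what ipify returns before it ends up in HOST_ADDR (and therefore in the generated client config), falls back to an address you pass on the command line, and builds the same `docker run` line as above with NET_ADMIN instead of --privileged. The addresses in the comments and tests are constructed documentation values.

```shell
#!/bin/sh
# Added example (not the project's own code): validate the ipify lookup, fall
# back to a manually supplied address, and compose the article's run command.

# Return 0 when $1 is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;   # empty, or contains a non-digit/non-dot
        *.*.*.*.*)    return 1 ;;   # more than three dots
        *.*.*.*)      ;;            # exactly three dots: check each octet
        *)            return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# Ask ipify for the public address, as the article's command does. Prints
# nothing if the lookup fails, so the caller can fall back.
detect_addr() {
    curl -s --max-time 5 https://api.ipify.org 2>/dev/null || true
}

# Prefer the detected address, otherwise the manual one; fail if neither is a
# valid IPv4 address (an error page or hostname must not land in HOST_ADDR).
choose_addr() {
    if is_ipv4 "$1"; then printf '%s\n' "$1"
    elif is_ipv4 "$2"; then printf '%s\n' "$2"
    else return 1
    fi
}

# Compose the article's run command. NET_ADMIN is enough for the container's
# iptables rules (see EDIT2), so --privileged is deliberately not used.
run_cmd() {
    printf 'docker run --cap-add=NET_ADMIN -it -p 1194:1194/udp -p 80:8080/tcp -e HOST_ADDR=%s alekslitvinenk/openvpn\n' "$1"
}

main() {
    addr=$(choose_addr "$(detect_addr)" "${1-}") || {
        echo "usage: $0 --run <public-ipv4>   (ipify lookup failed)" >&2; exit 1; }
    cmd=$(run_cmd "$addr")
    echo "+ $cmd" >&2
    eval "$cmd"
}

case "${1-}" in --run) main "${2-}" ;; esac   # launch only when asked
```

Run it as `sh start-vpn.sh --run 203.0.113.5` (constructed address); the manual address is used only when the ipify lookup fails or returns something that is not an IPv4 address.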

Sun Jun  9 08:56:11 2019 Initialization Sequence Completed
Sun Jun  9 08:56:12 2019 Client.ovpn file has been generated
Sun Jun  9 08:56:12 2019 Config server started, download your client.ovpn config at http://example.com/
Sun Jun  9 08:56:12 2019 NOTE: After you download you client config, http server will be shut down!

We are close to the goal: now copy example.com (in your case it will be your server's address) and paste it into the browser's address bar. After you press Enter, the client.ovpn file will be downloaded and the HTTP server itself will go into oblivion. If this solution seems doubtful, you can use the following trick: run the previous command and add the zip and password flags. Now, if you paste the generated link into a browser window, you will receive a password-protected zip archive. Once you have the client configuration file, you can use any suitable client. I use Tunnelblick on Mac.

Video tutorial

This video tutorial contains detailed instructions for deploying the service on DigitalOcean.

P.S. If you find this project useful, please give it a star on GitHub, fork it and tell your friends. Contributors and security audits are also very welcome.

P.P.S. If this article is well received on Habr, I plan to write the next one about how I ran docker-in-docker and docker-in-docker-in-docker, why I did it and what came of it.
EDIT1:

  1. Fixed posting errors
  2. In response to the comments, I decided to put this information here: the --privileged flag is needed to work with iptables

EDIT2:

  1. Improved the image launch command: it no longer requires the --privileged flag
  2. Added a link to the Russian-language video guide: youtube.be/A8zvrHsT9A0

Source: habr.com
