Running Your Own VPN Using Docker
I’ve previously written about running your own VPN on a very low-end, tiny VPS. That approach worked well for OpenVZ “tiny” virtual machines, but it was not very portable.
Using Docker and OpenVPN it’s even easier. Here are four scripts that set up a VPN, start it, and generate credentials for a user.
First, let’s start the OpenVPN Docker image and do the initial configuration. You’ll need to set your hostname (the one clients will connect to) in the script, and you’ll be prompted to set an initial passphrase for the certificate authority key. At this stage, remember to update your DNS zone so that your chosen hostname maps to the IP address of your box.
#!/bin/bash
# Named volume that holds the server config, PKI and client certificates
OVPN_DATA="ovpn-data-cjc"
docker volume create --name "$OVPN_DATA"
# Generate the server configuration for the hostname clients will connect to
docker run -v "$OVPN_DATA:/etc/openvpn" --log-driver=none --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.YOURHOSTNAMEHERE.com
# Initialise the PKI (CA, server certificate, DH params); prompts for a CA passphrase
docker run -v "$OVPN_DATA:/etc/openvpn" --log-driver=none --rm -it kylemanna/openvpn ovpn_initpki
Next, start the OpenVPN container we just configured. If you are running a firewall on your host, remember to allow UDP port 1194 through!
#!/bin/bash
OVPN_DATA="ovpn-data-cjc"
# Run the server detached; NET_ADMIN is needed so OpenVPN can create its tun interface
docker run -v "$OVPN_DATA:/etc/openvpn" -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
Now we need to generate credentials for each client. Replace MyUniqueUsername with the name for this user or device. You should set up a unique certificate for each device you wish to join the VPN.
#!/bin/bash
OVPN_DATA="ovpn-data-cjc"
# Issue a client certificate and key; "nopass" leaves the key unencrypted
docker run -v "$OVPN_DATA:/etc/openvpn" --log-driver=none --rm -it kylemanna/openvpn easyrsa build-client-full MyUniqueUsername nopass
The certificate has been generated, but it’s still inside the OpenVPN data volume. We need to retrieve it so we can use it on our device. Replace MyUniqueUsername with your chosen name for this device or user:
#!/bin/bash
OVPN_DATA="ovpn-data-cjc"
# Write a complete client profile (config, CA, certificate and private key) to a local .ovpn file
docker run -v "$OVPN_DATA:/etc/openvpn" --log-driver=none --rm kylemanna/openvpn ovpn_getclient MyUniqueUsername > MyUniqueUsername.ovpn
With this .ovpn profile retrieved, copy it to your device and add it to the OpenVPN client. Treat the file like a password: it contains the device’s private key.
If you are trying to connect a mobile device to your VPN, I found it easier to email the file to myself and then choose to “Open in…” the OpenVPN app.
Start your OpenVPN client, press connect, and you should be ready to go. You can confirm the VPN is routing your traffic by checking your external IP address with a site such as icanhazip.com; it should now show the address of your box rather than your local network.