Fundamentals of Running OpenVPN in Docker On Ubuntu

Uploaded by

Ephraim Njoroge

Fundamentals of Running OpenVPN in Docker on Ubuntu

How do you access the internet freely despite the many restrictions and data-security risks
involved? One answer is to use a VPN server. Many VPN providers exist in the market, offering
both free and paid VPN solutions. However, these options may require some degree of trust,
and some may not be reliable.

One reliable and more controlled VPN option exists: why not host your own VPN server? The
process is straightforward, especially with the rapid growth of containerization technologies such
as Docker. With Docker and OpenVPN, your VPN server will be set up and running in minutes.

In this tutorial, you will learn how to set up an OpenVPN server hosted in a Docker container.
You can use Docker to install the OpenVPN server and run it as a service. You will also
generate the client connection configurations and certificates that you need later to connect
multiple clients to your VPN server.

Prerequisites
This tutorial will be a hands-on demonstration. To follow along, you will need the following:

• A Linux-based operating system - This tutorial will use Ubuntu v22.04.
• Docker installed and running - This tutorial uses Docker v20.10.17.
• An Android device running the OpenVPN Connect client application - This tutorial uses Android

Creating a Docker Container for OpenVPN

There are several ways of creating an OpenVPN Docker container. You can either build the
container from scratch or pull a ready-made image from Docker Hub. Ready-made images offer
several benefits: they are thoroughly tested against various vulnerabilities and are backed
by a vast community of developers. Furthermore, using one saves time and eliminates the
need to reinvent the wheel.

<aside> 💡 Docker Hub is a hosted repository service provided by Docker for finding and sharing
container images with your team or community members.

</aside>

This tutorial will use an existing OpenVPN Docker image. You will start by creating a data
volume container for OpenVPN. This is where all data, configuration files and certificates will
be stored. For this demonstration, you will name the Docker volume ovpn-data-test by storing
that name in a shell variable. Run the command below in the terminal:

OVPN_DATA="ovpn-data-test"

Next, you will create a data volume container by running the below command in terminal
window:

docker volume create --name $OVPN_DATA

Next, you will download the OpenVPN Docker image and generate the server configuration, setting
the argument to your server's (host's) public IP address or domain name (if you have one) over
the UDP protocol. Note that you can use the TCP protocol as well. Run the command below in the
terminal to achieve this:

docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm kylemanna/openvpn \
    ovpn_genconfig -u udp://YourPublicIPAddress.com

<aside> 💡 TCP is a connection-oriented protocol, whereas UDP is a connectionless protocol

</aside>

The installation process will appear on screen as below:

Note that if you are self-hosting at home behind a public IP address, you will need to enable
port forwarding on your router or modem so that it points to your host or server.

Setting up Client Configuration

To set up the OpenVPN client configuration, you must first generate and retrieve CA and client
certificates. You will use a docker command to achieve that. In most cases, generating CA server
certificates takes time, depending on the resources of the machine you are using.

Run the command below in the terminal to generate the CA and client certificates:

docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it \
    kylemanna/openvpn ovpn_initpki

Once you initiate the PKI for OpenVPN, you must set a passphrase for the CA certificate as
shown below. It is good practice to record the CA passphrase, as you will need it later
during the setup process and each time you generate a client certificate.

Next, you will be required to provide the name of your CA certificate. Remember, you can give
any name as shown below:

Once the process is complete, a private key will be generated, and you will be required to
provide the CA passphrase you set earlier as shown below:

To set up the OpenVPN client, you first have to start the OpenVPN server service in
Docker. You will run the docker run command with several arguments. The arguments publish
port 1194, on which the server listens and communicates with the client. The
command appears below:

docker run -v $OVPN_DATA:/etc/openvpn -d -p 1194:1194/udp --cap-add=NET_ADMIN \
    kylemanna/openvpn

Note the port 1194 can be changed to fit your preferences if you are not willing to use the default
OpenVPN port.

The result will appear as below:

Next, you will generate the client certificate and extract the client configuration file from the
container to the host. This step will require you to enter the CA passphrase you created earlier.
Use the Docker command below to generate the certificate:

docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it \
    kylemanna/openvpn easyrsa build-client-full CLIENTAPP nopass

Note that the argument CLIENTAPP in the above command can be replaced with any name that
you want. It represents the file name of the OpenVPN certificate and the client identification. The
certificate generated here is passwordless, as specified by the nopass argument.

The certificate is stored in the host's user directory and not in the Docker container. The above
command will result in the following screen:

You will then run the command below to compile the OpenVPN connection config file and
retrieve it from the Docker container to the host server:

docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm kylemanna/openvpn \
    ovpn_getclient CLIENTAPP > CLIENTAPP.ovpn
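
A check worth running on the generated profile before it leaves the host, as an added example that is not part of the original tutorial: it reports whether the inline private key is unencrypted (the effect of nopass) and whether the file created by the shell redirect is readable by other users. The function names and the sample profile are constructed for illustration, and stat -c assumes GNU coreutils as on Ubuntu.

```shell
#!/bin/sh
# Added example: audit a client profile written by ovpn_getclient.
# Function names and the sample profile are constructed for illustration.

# audit_ovpn FILE: prints one finding per line, returns 1 if any was flagged.
audit_ovpn() {
    f=$1
    rc=0
    # "nopass" leaves the inline <key> block unencrypted: whoever can read
    # the file can connect as this client.
    key=$(sed -n '/^<key>/,/^<\/key>/p' "$f")
    if printf '%s\n' "$key" | grep -q 'PRIVATE KEY-----' &&
       ! printf '%s\n' "$key" | grep -q 'ENCRYPTED'; then
        echo "UNENCRYPTED_KEY"
        rc=1
    fi
    # "> CLIENTAPP.ovpn" creates the file under the current umask, which
    # usually leaves it readable by group and others.
    mode=$(stat -c '%a' "$f")
    case $mode in
        *00) ;;
        *) echo "LOOSE_MODE $mode"; rc=1 ;;
    esac
    # Informational: the endpoint the profile connects to.
    awk '$1 == "remote" { print "REMOTE " $2 ":" $3 }' "$f"
    return $rc
}

# Constructed profile with placeholder key material (not a real key).
write_sample_profile() {
    cat > "$1" <<'EOF'
client
dev tun
remote vpn.example.test 1194 udp
<key>
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
-----END PRIVATE KEY-----
</key>
EOF
}

tmp=$(mktemp)
write_sample_profile "$tmp"
chmod 644 "$tmp"
audit_ovpn "$tmp" || echo "fix: chmod 600 the profile, or omit nopass"
rm -f "$tmp"
```

Running `umask 077` in the shell before the ovpn_getclient redirect avoids the loose mode in the first place.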

Next, you will retrieve the .ovpn file from the host server and import it into the OpenVPN
client to access the VPN server.

Launch the OpenVPN Connect client app on your Android device, import the .ovpn
file as a new profile, and connect. Upon successful connection, the result will appear as below:

Accessing the Web UI

Worried about the number of commands you had to run to access your VPN server? Why not try
a simple web-based UI? OpenVPN offers a web-based set of installation and configuration tools
that enables rapid deployment of VPN remote access solutions. The solution comes as a single
package known as OpenVPN Access Server. To access the web interface of the OpenVPN server,
you first need to install the package.

Pulling OpenVPN Access Server container


You will need to pull the latest Docker image from the LinuxServer repository on Docker Hub using
the command below:

docker pull linuxserver/openvpn-as

The above command will pull a ready-made OpenVPN access server Docker container. The below results
will appear:

Setting the OpenVPN Access Server Configuration Parameters in Docker


After you have successfully pulled the latest OpenVPN Access Server image, the next step is to
configure parameters for the service, such as the config folder and time zone, among others.
Use the command below to achieve this:

docker create --name=openvpn-as --restart=always \
    -v /home/docker/openvpn-as/config:/config \
    -e INTERFACE=eth0 -e PGID=1001 -e PUID=1001 -e TZ=Africa/Nairobi \
    --net=host --privileged linuxserver/openvpn-as

Before running the above command, several parameters need to be set according to your preferences
and requirements. The arguments you need to set include:

• docker create --name=openvpn-as: Creates a new Docker container named openvpn-as.
• --restart=always: Ensures that the container always starts on system boot. You can omit it
if you don't want the container to restart.
• -v /home/docker/openvpn-as/config:/config: Specifies the directory where the OpenVPN server
config files are stored.
• -e PGID=1001 -e PUID=1001: Specifies the group and user IDs, to reduce the permission issues
that may arise between the host operating system and the container.
• -e TZ=Africa/Nairobi: Specifies the time zone information. You can determine yours by clicking
here.
• --net=host --privileged: Specifies how OpenVPN Access Server runs in the container. In this
demo it uses the host's network and runs in privileged mode.
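
To see what --net=host --privileged grants compared with the --cap-add=NET_ADMIN used for the first container, the added example below (not part of the original tutorial) checks three HostConfig fields that docker inspect reports. The function names are hypothetical, and the values passed in the demo lines are constructed to match the two commands in this tutorial.

```shell
#!/bin/sh
# Added example: report broad privilege grants on a container.
# Function names are hypothetical; sample values below are constructed.

# audit_hostconfig PRIVILEGED NETWORK_MODE CAP_ADD_JSON
# Prints one finding per line, returns 1 if anything was flagged.
audit_hostconfig() {
    rc=0
    if [ "$1" = "true" ]; then
        echo "PRIVILEGED: all capabilities and access to host devices"
        rc=1
    fi
    if [ "$2" = "host" ]; then
        echo "HOST_NETWORK: shares the host's network namespace"
        rc=1
    fi
    case $3 in
        *ALL*|*SYS_ADMIN*) echo "BROAD_CAPS: $3"; rc=1 ;;
    esac
    return $rc
}

# audit_container NAME: read the live values (needs the docker CLI).
audit_container() {
    docker inspect --format \
        '{{.HostConfig.Privileged}} {{.HostConfig.NetworkMode}} {{json .HostConfig.CapAdd}}' \
        "$1" | {
        read -r priv net caps
        audit_hostconfig "$priv" "$net" "$caps"
    }
}

# Constructed values matching the two containers in this tutorial.
echo "openvpn-as (--net=host --privileged):"
audit_hostconfig true host null || true
echo "kylemanna/openvpn (--cap-add=NET_ADMIN):"
audit_hostconfig false bridge '["NET_ADMIN"]' && echo "no broad grants"
```

Once the container exists, `audit_container openvpn-as` reads the same fields from the live configuration.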

Starting OpenVPN Access Server Container


Next, to access the OpenVPN web interface, start the OpenVPN Access Server Docker
container using the command below:

docker start openvpn-as

Once the container is up and running, you will be able to access the web interface on the local IP
address by browsing https://youripaddress.com:943/admin/. The below results will be displayed on the
web browser:

Note that the default admin username and password are admin and password respectively. You can
change the credentials as per your preferences.

Configuring the DNS

At this point, you have successfully connected to the VPN server, and it is up and running. You
can now configure DNS for it. Google offers the fastest DNS servers available, and you will use
them in your OpenVPN Access Server.

To configure DNS, you must access the OpenVPN server web interface and update the DNS
settings with Google or your preferred DNS addresses.

Conclusion

Congratulations! You have been able to configure and install OpenVPN using Docker. You have
also learned how to host OpenVPN with Docker, run the PKI system, generate the CA and client
certificates, and connect them.

The setup ensures enhanced security between both client and server applications. The process is
straightforward to connect and manage.
