Dockerfile that builds an OpenVPN server container on Ubuntu 16.04: an easy-rsa 2 PKI created at build time, a ufw NAT rule for the VPN subnet, and a helper script that emits inline (.ovpn) client profiles.
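# ubuntu:16.04 is out of standard support; it is kept because every PKI step
# below relies on the easy-rsa 2.x helpers (make-cadir, clean-all, build-ca,
# build-key-server, build-dh) that this release's easy-rsa package ships.
# Pin by digest (ubuntu:16.04@sha256:...) for reproducible rebuilds.
FROM ubuntu:16.04

# X.509 subject fields for the CA and server certificates. They are read when
# easy-rsa's vars file is sourced, so they can be overridden at build time
# (--build-arg KEY_ORG=Example). They are also exported into the image because
# the vars rewrite below leaves vars referring to these variables by name, and
# `source vars` inside the running container (e.g. to build client keys)
# needs them. None of these is a secret; ARG/ENV values show in `docker history`.
ARG KEY_COUNTRY=CO
ARG KEY_PROVINCE=VALLE
ARG KEY_CITY=CALI
ARG KEY_ORG=MyOrganization
ARG KEY_EMAIL=email@example.com
ARG KEY_OU=Community
ARG KEY_NAME=server
ENV KEY_COUNTRY=$KEY_COUNTRY \
    KEY_PROVINCE=$KEY_PROVINCE \
    KEY_CITY=$KEY_CITY \
    KEY_ORG=$KEY_ORG \
    KEY_EMAIL=$KEY_EMAIL \
    KEY_OU=$KEY_OU \
    KEY_NAME=$KEY_NAME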
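# One layer for update+install so the package index can never be stale
# relative to the install, and the lists are removed in the same layer.
# Changes from the original package list:
#  - linux-image-$(uname -r) is gone: a container runs on the host's kernel,
#    so the package is dead weight, and its name was taken from the *build*
#    host's kernel, which the 16.04 archive may not carry at all.
#  - ca-certificates is explicit (HTTPS needs it under --no-install-recommends).
#  - iproute2 is explicit because the NAT-rule step below runs `ip route`.
#  - expect stays: the CA/server-key steps drive easy-rsa's prompts with it.
RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        easy-rsa \
        expect \
        iproute2 \
        openvpn \
        ufw \
 && rm -rf /var/lib/apt/lists/*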
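# --- PKI (easy-rsa 2) -------------------------------------------------------
# WARNING: the CA private key, the server key and the tls-auth key are all
# generated during the build, so they are stored in the image layers and are
# readable by anyone who can pull the image (who can then mint client
# certificates for this VPN). Keep the image private, or move key generation
# to first start into a volume. Every rebuild also yields a new, unrelated CA.
RUN make-cadir /root/openvpn-ca
WORKDIR /root/openvpn-ca
# Bake the subject fields into vars by appending overriding exports (the last
# export of a name wins when the file is sourced). The previous in-place sed
# wrote the literal text "$KEY_COUNTRY" etc. into vars, leaving the file
# dependent on whatever environment it is later sourced in.
RUN printf 'export KEY_COUNTRY="%s"\nexport KEY_PROVINCE="%s"\nexport KEY_CITY="%s"\nexport KEY_ORG="%s"\nexport KEY_EMAIL="%s"\nexport KEY_OU="%s"\nexport KEY_NAME="%s"\n' \
        "$KEY_COUNTRY" "$KEY_PROVINCE" "$KEY_CITY" "$KEY_ORG" "$KEY_EMAIL" "$KEY_OU" "$KEY_NAME" >> vars
# build-ca and build-key-server are thin wrappers around `pkitool --interactive`.
# Calling pkitool directly runs it in its default batch mode, which takes every
# field from vars and never prompts, so the expect scripts that pressed Enter/y
# through the prompts (and the empty-CN/challenge-password edge cases they
# hide) are unnecessary. clean-all wipes and recreates keys/ (mode 0700).
RUN /bin/bash -c 'source vars && ./clean-all && ./pkitool --initca && ./pkitool --server server'
# Diffie-Hellman parameters; KEY_SIZE from vars names the output (keys/dh2048.pem).
RUN /bin/bash -c 'source vars && ./build-dh'
# tls-auth HMAC key; restrict all private key material to root.
RUN openvpn --genkey --secret /root/openvpn-ca/keys/ta.key \
 && chmod 600 /root/openvpn-ca/keys/ta.key /root/openvpn-ca/keys/*.key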
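WORKDIR /root/openvpn-ca/keys
# Copy only what the daemon needs. ca.key is deliberately left out: the server
# verifies clients with ca.crt alone, and the CA signing key should not sit
# beside a network-facing daemon's configuration. Private files get 0600.
RUN cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn \
 && chmod 600 /etc/openvpn/server.key /etc/openvpn/ta.key
# Start from the packaged sample config. A plain redirect replaces `tee`,
# which only echoed the whole file into the build log.
RUN gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
# Adjust the sample:
#  - enable tls-auth with ta.key (key-direction 0 restates the "0" already on
#    the tls-auth line; kept as the explicit counterpart of the client's 1)
#  - pin the data cipher and HMAC; both must match the client profile
#    (cipher AES-128-CBC / auth SHA256 in base.conf)
#  - drop root privileges after startup (user nobody / group nogroup)
#  - push a default route and DNS; the uncommented "dhcp-option DNS" lines
#    are the sample's OpenDNS resolvers, change them if client DNS should
#    not go there
#  - refuse TLS < 1.2 on the control channel (only clients older than
#    OpenVPN 2.3.3 lack tls-version-min).
RUN sed -i 's/;tls-auth /tls-auth /g' /etc/openvpn/server.conf \
 && sed -i '/tls-auth/a key-direction 0' /etc/openvpn/server.conf \
 && sed -i 's/;cipher AES-128-CBC/cipher AES-128-CBC/g' /etc/openvpn/server.conf \
 && sed -i '/AES-128-CBC/a auth SHA256' /etc/openvpn/server.conf \
 && sed -i 's/;user nobody/user nobody/g' /etc/openvpn/server.conf \
 && sed -i 's/;group nogroup/group nogroup/g' /etc/openvpn/server.conf \
 && sed -i 's/;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/g' /etc/openvpn/server.conf \
 && sed -i 's/;push "dhcp-option DNS/push "dhcp-option DNS/g' /etc/openvpn/server.conf \
 && printf '%s\n' 'tls-version-min 1.2' >> /etc/openvpn/server.conf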
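# Enable IPv4 forwarding in the container's sysctl.conf. This only takes effect
# at run time if the container may change it (--sysctl net.ipv4.ip_forward=1
# or a privileged container); the ufw/iptables rules below need CAP_NET_ADMIN.
RUN sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
# NAT the VPN subnet out through the default interface.
#  - The interface name is resolved during `docker build` (the builder's
#    default route), which only matches the running container when both are
#    "eth0" (Docker's default); pass --build-arg VPN_OUT_IF=<iface> otherwise.
#  - The source is 10.8.0.0/24, the `server 10.8.0.0 255.255.255.0` network
#    of the sample server.conf. The earlier /8 masqueraded all of 10.0.0.0/8.
ARG VPN_OUT_IF
RUN out_if="${VPN_OUT_IF:-$(ip route | awk '/^default/ {print $5}')}" \
 && { [ -n "$out_if" ] || { echo "cannot determine outbound interface; set --build-arg VPN_OUT_IF" >&2; exit 1; }; } \
 && sed -i "1i# START OPENVPN RULES\n# NAT table rules\n*nat\n:POSTROUTING ACCEPT [0:0]\n# Allow traffic from OpenVPN clients out via $out_if\n-A POSTROUTING -s 10.8.0.0/24 -o $out_if -j MASQUERADE\nCOMMIT\n# END OPENVPN RULES\n" /etc/ufw/before.rules
# Let ufw forward traffic. This flips the policy for *all* forwarded traffic;
# a tighter alternative (ufw >= 0.34) is to keep DROP and add a
# `ufw route allow in on tun0 out on <iface>` rule in the start script.
RUN sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g' /etc/default/ufw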
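# --- Client profile template -----------------------------------------------
# files/ will hold generated .ovpn profiles, each containing a client's private
# key, hence 0700.
RUN mkdir -p /root/client-configs/files && chmod 700 /root/client-configs/files
RUN cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /root/client-configs/base.conf
# Address the clients connect to. By default it is looked up at build time,
# i.e. it is the *builder's* public IP as seen by ipinfo.io, which is only
# right when the image is built on the VPN host itself; pass
# --build-arg SERVER_ADDR=vpn.example.org to set it explicitly.
# curl -f makes a failed lookup abort the build instead of silently producing
# `remote  1194`, and HTTPS keeps an on-path attacker from rewriting the address
# that ends up in every client profile.
# printf replaces `echo -e`: RUN executes under /bin/sh, which on Ubuntu is
# dash, whose echo takes no -e flag and prints it literally, so base.conf
# previously gained the non-comment line `-e #script-security 2`.
# remote-cert-tls server is added explicitly (harmless if the sample already
# enables it): without it any certificate signed by this CA, including a
# client's, would be accepted as the server. The server certificate carries the
# required server extensions because it was built with build-key-server/--server.
ARG SERVER_ADDR
RUN addr="${SERVER_ADDR:-$(curl -fsS https://ipinfo.io/ip)}" \
 && { [ -n "$addr" ] || { echo "cannot determine server address; set --build-arg SERVER_ADDR" >&2; exit 1; }; } \
 && sed -i "s/my-server-1/$addr/g" /root/client-configs/base.conf \
 && sed -i 's/;user nobody/user nobody/g' /root/client-configs/base.conf \
 && sed -i 's/;group nogroup/group nogroup/g' /root/client-configs/base.conf \
 && sed -i 's/ca ca.crt/#ca ca.crt/g' /root/client-configs/base.conf \
 && sed -i 's/cert client.crt/#cert client.crt/g' /root/client-configs/base.conf \
 && sed -i 's/key client.key/#key client.key/g' /root/client-configs/base.conf \
 && sed -i '/;cipher x/a cipher AES-128-CBC\nauth SHA256\nkey-direction 1' /root/client-configs/base.conf \
 && printf '%s\n' \
        'remote-cert-tls server' \
        '#script-security 2' \
        '#up /etc/openvpn/update-resolv-conf' \
        '#down /etc/openvpn/update-resolv-conf' >> /root/client-configs/base.conf
# make_config.sh <client>: bundles base.conf, the CA cert, the client's cert
# and key, and ta.key into one inline profile files/<client>.ovpn.
# Compared with the previous version it fails on a missing argument or key
# file instead of emitting a profile with empty <cert>/<key> sections, quotes
# every path, creates the profile 0600 (umask), and overwrites rather than
# appending to itself on rebuild.
RUN printf '%s\n' \
    '#!/bin/bash' \
    '# Usage: make_config.sh <client-name>' \
    '# Writes files/<client-name>.ovpn from base.conf and keys/<client-name>.{crt,key}.' \
    'set -euo pipefail' \
    'KEY_DIR=/root/openvpn-ca/keys' \
    'OUTPUT_DIR=/root/client-configs/files' \
    'BASE_CONFIG=/root/client-configs/base.conf' \
    'client="${1:?usage: $0 <client-name>}"' \
    'for f in "$BASE_CONFIG" "$KEY_DIR/ca.crt" "$KEY_DIR/$client.crt" "$KEY_DIR/$client.key" "$KEY_DIR/ta.key"; do' \
    '  [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; exit 1; }' \
    'done' \
    'out="$OUTPUT_DIR/$client.ovpn"' \
    'umask 077' \
    '{' \
    '  cat "$BASE_CONFIG"' \
    '  echo "<ca>";       cat "$KEY_DIR/ca.crt";       echo "</ca>"' \
    '  echo "<cert>";     cat "$KEY_DIR/$client.crt";  echo "</cert>"' \
    '  echo "<key>";      cat "$KEY_DIR/$client.key";  echo "</key>"' \
    '  echo "<tls-auth>"; cat "$KEY_DIR/ta.key";       echo "</tls-auth>"' \
    '} > "$out"' \
    'echo "wrote $out"' \
    > /root/client-configs/make_config.sh \
 && chmod 700 /root/client-configs/make_config.sh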
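# --- Runtime -----------------------------------------------------------------
# Start script: apply the privileged network setup, then exec the container
# command so OpenVPN runs in the foreground as PID 1 and receives the SIGTERM
# from `docker stop`. The old ENTRYPOINT started the init.d daemon and dropped
# into an interactive bash, and never ran this script at all.
# Running it needs CAP_NET_ADMIN and the tun device, e.g.
#   docker run --cap-add=NET_ADMIN --device /dev/net/tun --sysctl net.ipv4.ip_forward=1 -p 1194:1194/udp <image>
# `docker run -it <image> /bin/bash` still gives a shell (CMD override).
# printf replaces `echo -e`, which under /bin/sh (dash on Ubuntu) prints the
# "-e" literally and made the script's first line `-e #!/bin/bash`.
RUN printf '%s\n' \
    '#!/bin/bash' \
    '# Privileged network setup (CAP_NET_ADMIN), then exec the container command.' \
    'set -e' \
    '# /etc/sysctl.conf enables ip_forward, but /proc/sys is read-only in an' \
    '# unprivileged container: warn and report the actual state instead of aborting.' \
    'sysctl -p || echo "warning: sysctl -p failed; start with --sysctl net.ipv4.ip_forward=1" >&2' \
    '[ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || echo "warning: net.ipv4.ip_forward is 0; VPN clients will not reach beyond the server" >&2' \
    'ufw allow 1194/udp' \
    'ufw disable' \
    '# --force: never prompt (there is no tty when this is PID 1).' \
    'ufw --force enable' \
    'exec "$@"' \
    > /root/initial_start.sh \
 && chmod 755 /root/initial_start.sh
WORKDIR /root
# Documentation only; publish with -p 1194:1194/udp.
EXPOSE 1194/udp
ENTRYPOINT ["/root/initial_start.sh"]
# --cd so the relative ca/cert/key/dh paths in server.conf resolve, as the
# init.d script used to arrange.
CMD ["openvpn", "--cd", "/etc/openvpn", "--config", "/etc/openvpn/server.conf"]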