A lightweight Alpine based ocserv Docker image.
You can either start by using the pre-built image or by building your own for more customization.
A pre-built image is available with the best configurations out of the box. Follow the instructions below to get up and running.
- 2 device connections for each user (`max-same-clients=2`)
- Up to 16 clients (`max-clients=16`)
- 10.10.10.0/24 as the internal IP pool
- Listens on port 1342 (can be changed by altering port mappings when you run the container)
- Tunnels DNS to the server (`tunnel-all-dns=true`)
Note: All limits can be increased or set to be unlimited in `ocserv.conf` by building your own image.
By default `docker-compose.yml` and the instructions written in this document use the `latest` tag of the image, which represents the latest commit in the `master` branch. Besides that, tagged commits are also available if you want to make sure no breaking changes enter your setup. To do so, check out the tags in our Docker Hub repo. However, if you would like to get the cutting-edge features you can always use the `next` tag, which represents the latest commit in the `develop` branch.
Whether you build the image yourself, run the pre-built one with `docker run`, or use `docker-compose`, in all cases you will need an SSL certificate. It's up to you how you would like to generate it; perhaps you already have some kind of setup for that on your server. If you don't, use the following image to generate one:
Note: You need to have a domain pointing to your server IP address and ports 80 and 443 available to be listened to by the container for the Let's Encrypt ACME challenge verification.
```sh
sudo docker run -it --rm --name certbot -p 80:80 -p 443:443 \
  -v $(pwd)/certs:/etc/letsencrypt certbot/certbot \
  certonly --standalone -m <email> -d <domain> -n --agree-tos
```
If you can't create one (most often because ports 80 and 443 are not available on your server, or you don't have a domain), a fallback script will generate a self-signed certificate for you inside the container. The only difference is a warning message about the certificate not being trusted (due to being self-signed) when logging in.
Now that we are done with the certificate, you have to run the container.
NOTE: If you haven't generated a certificate in the previous step, remove the volume mounts to the cert paths in your chosen method. As stated previously, a self-signed certificate will be generated automatically, with the downside of an untrusted-certificate warning at login.
I highly recommend using docker-compose for running your container; feel free to change the port by editing `docker-compose.yml`.
```sh
wget https://raw.githubusercontent.com/Pezhvak/docker-ocserv/develop/docker-compose.yml
# IMPORTANT: Make sure you have updated the cert paths in the volumes section
# of the docker-compose.yml before running it.
docker-compose up -d
```
If you prefer to use `docker run`, all you have to do is execute the following command:
```sh
docker run \
  --name ocserv \
  --restart=always \
  -p 1342:443 \
  -v $(pwd)/data/ocserv:/etc/ocserv/data \
  -v $(pwd)/certs/live/<domain>/fullchain.pem:/etc/ocserv/server-cert.pem \
  -v $(pwd)/certs/live/<domain>/privkey.pem:/etc/ocserv/server-key.pem \
  pezhvak/ocserv
```
Your ocserv should be up and running now; you will have to create a user to be able to connect.
To update to the latest version, simply pull the image from docker hub.
```sh
# This will pull the image from Docker Hub
docker-compose pull
# Running 'up' again will detect the newer image and recreate the container
docker-compose up -d
```
```sh
# Pull the image from Docker Hub
docker pull pezhvak/ocserv
# Restart the container
docker restart ocserv
```
Although it's easier to use the pre-built image, it has its own downsides, namely the limitations described above.
If you want to change the default configurations, you will have to build the image yourself: just clone the repo and change the files you need.
Configuration files are stored in the `config` directory. You can also modify `scripts/docker-entrypoint.sh` if needed.
1- Clone the repository to your server:
```sh
git clone https://github.com/Pezhvak/docker-ocserv.git
cd docker-ocserv
```
2- Build the image with your own settings; feel free to change `config/ocserv.conf` to your liking:
```sh
docker build -t <image_name> .
```
3- Follow the steps of Using Built Image (change `pezhvak/ocserv` to your own image name)
I have created a simple proxy shell (`ocuser`) in the image for easier interaction with `ocpasswd`.
Add the specified user to the password file (you will be asked to provide a password after running the command):
```sh
docker exec -it ocserv ash -c "ocuser create <username>"
```
Remove the specified user from the password file:
```sh
docker exec ocserv ash -c "ocuser delete <username>"
```
Prevent the specified user from logging in:
```sh
docker exec ocserv ash -c "ocuser lock <username>"
```
Re-enable login for the specified user:
```sh
docker exec ocserv ash -c "ocuser unlock <username>"
```
Now that everything is set up and the user is created, you can connect to the server using the terminal or one of the available applications:
Make sure you have installed `openconnect` on your machine; on macOS you can do that with `brew install openconnect`.
```sh
echo "<PASSWORD>" | sudo openconnect <DOMAIN>:<PORT> -u <USERNAME> --passwd-on-stdin
```
You can also create an alias in your `~/.bash_profile` (or `~/.zshrc` if you're using zsh) for easier access:
```sh
alias vpn:oc="echo <PASSWORD> | sudo openconnect <DOMAIN>:<PORT> -u <USERNAME> --passwd-on-stdin"
```
I appreciate these repositories which inspired me and helped me to put the pieces together: