OpenVPN On CoreOS Container Linux On DigitalOcean

11 Nov 2019


Using a VPN is useful for a whole host of reasons. Unfortunately, you either have to pay for a hosted service (which means trusting the service provider) or you have to host it yourself (and VPNs are famously difficult to configure and maintain).

Fortunately, there’s a handy little Docker image for OpenVPN that makes installation and configuration a breeze. And with the wide variety of hosting providers on the market today you can host your own OpenVPN server on the cheap with minimal headache.

This post will document the full installation and configuration of OpenVPN under Docker on CoreOS Container Linux on a DigitalOcean $10/month droplet. You could probably run it just fine on their $5/month plan but I didn’t test that.

Installing CoreOS

Click through the DigitalOcean Droplet creation screen, picking CoreOS (from the “Container Distributions” tab) and the $10/month Droplet size.

You should be able to ssh in to your new machine with:

ssh core@<droplet-ip>

Installing and Configuring OpenVPN

Once you have shell access on your Container Linux instance you can configure the OpenVPN container. We’re using the kylemanna/openvpn image and will follow the Quick Start instructions there.

First, pick a name for the Docker Volume that will provide persistence for OpenVPN and store it in an environment variable:

OVPN_DATA="ovpn-data-primary"

Initialize the configuration files and certificates (you’ll be prompted to pick a passphrase):

docker volume create --name $OVPN_DATA
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it kylemanna/openvpn ovpn_initpki

(Replace vpn.example.com with your VPN server’s DNS name.)

Start the OpenVPN server (using the provided systemd service):

curl -L https://raw.githubusercontent.com/kylemanna/docker-openvpn/master/init/docker-openvpn%40.service | sudo tee /etc/systemd/system/docker-openvpn@.service
sudo systemctl enable --now docker-openvpn@primary.service

(Note the @primary in the service name. That should match the ovpn-data-SUFFIX from the volume you created earlier.)

At this point OpenVPN is configured and will autostart at boot. Now we need to generate client certificates that can be used to connect to the OpenVPN server. Let’s create one now without a passphrase and retrieve its associated ovpn file:

CLIENTNAME=my-cool-machine
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it kylemanna/openvpn easyrsa build-client-full $CLIENTNAME nopass
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm kylemanna/openvpn ovpn_getclient $CLIENTNAME > $CLIENTNAME.ovpn

At this point you can copy the $CLIENTNAME.ovpn file to your client machine (using scp or similar), drop it in /etc/openvpn/ and use it to connect to the VPN:

(user@vpn-client) $ sudo openvpn --config /etc/openvpn/$CLIENTNAME.ovpn

If you’ve ever attempted setting up an OpenVPN server from scratch you might be surprised to discover that WE’RE DONE! Enjoy your shiny new VPN server!


Comments
blog comments powered by Disqus