Alpine based ocserv Docker image.
You can either start from the 46.1 MB (16.65 MB compressed) pre-built image or build your own.
A pre-built image is available with sensible configuration out of the box. Follow the instructions below to get up and running.
This setup includes:

- 2 device connections for each user (`max-same-clients`)
- Up to 16 clients (`max-clients`)
- 10.10.10.0/24 as the internal IP pool
- Listens on port 1342 (can be changed by altering the port mapping when you run the container)
- Tunnels DNS to the server (`tunnel-all-dns=true`)
- No-Route list configured by CNMan/ocserv-cn-no-route

Note: All limits can be increased or set to unlimited by building your own image.
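The limits listed above correspond to keys in ocserv's `ocserv.conf`, which is also the file you edit when building your own image. The following is an added example, not a file from this repository: a constructed `ocserv.conf` fragment that sets those keys to the documented values, plus a small shell helper that reads a key back out of any `ocserv.conf` so you can confirm what a running container actually enforces. The key names are real ocserv configuration keys; the `auth` line and the `/etc/ocserv/ocserv.conf` path used in the comment are assumptions about the image layout.

```shell
#!/bin/sh
# Added example: constructed ocserv.conf fragment plus a key reader/checker.
# Not part of the docker-ocserv repository.

# Constructed sample mirroring the limits the README lists. tcp-port stays
# 443 inside the container; the README's port 1342 is the docker port
# mapping (-p 1342:443), not a setting in this file.
OCSERV_CONF_SAMPLE='# ocserv.conf (constructed sample)
# password file path below is an assumption about the image layout
auth = "plain[passwd=/etc/ocserv/data/ocpasswd]"
tcp-port = 443
udp-port = 443
max-clients = 16
max-same-clients = 2
ipv4-network = 10.10.10.0
ipv4-netmask = 255.255.255.0
tunnel-all-dns = true
'

# ocserv_conf_get KEY: print the value of KEY from ocserv.conf text on stdin
# (first match, surrounding whitespace stripped). Returns 1 if KEY is absent.
ocserv_conf_get() {
  key="$1"
  value=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" \
            | head -n 1 | sed 's/[[:space:]]*$//')
  [ -n "$value" ] || return 1
  printf '%s\n' "$value"
}

# ocserv_conf_check KEY EXPECTED: 0 if the conf on stdin sets KEY to EXPECTED,
# otherwise print the mismatch to stderr and return 1.
ocserv_conf_check() {
  actual=$(ocserv_conf_get "$1") || { echo "missing key: $1" >&2; return 1; }
  [ "$actual" = "$2" ] && return 0
  echo "$1: expected $2, got $actual" >&2
  return 1
}

# ocserv_sample_ok: verify the constructed sample carries the README's limits.
ocserv_sample_ok() {
  for pair in max-clients=16 max-same-clients=2 \
              ipv4-netmask=255.255.255.0 tunnel-all-dns=true; do
    printf '%s' "$OCSERV_CONF_SAMPLE" \
      | ocserv_conf_check "${pair%%=*}" "${pair#*=}" || return 1
  done
}

# Against a running container (path is an assumption about the image):
#   docker exec ocserv cat /etc/ocserv/ocserv.conf | ocserv_conf_check max-same-clients 2
```

Run the `docker exec` line from the trailing comment after starting the container to check that the image you built carries the limit you intended rather than the pre-built default.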
Whether you build the image yourself or run the pre-built one with docker or docker-compose, you will need an SSL certificate. How you create it is up to you; perhaps you already have some kind of SSL generation setup on your server. If you don't, use the following command to generate one:

Note: You need a domain pointing to your server's IP address, and ports 80 and 443 must be free for the container to listen on during the Let's Encrypt ACME challenge verification.
```sh
sudo docker run -it --rm --name certbot -p 80:80 -p 443:443 \
  -v $(pwd)/certs:/etc/letsencrypt certbot/certbot \
  certonly --standalone -m <email> -d <domain> -n --agree-tos
```
Don't worry if you can't create one: a fallback script will generate a self-signed certificate for you inside the container. The only difference is a warning when logging in that the certificate is not trusted (because it is self-signed).

Now that you have your certificate, you have to run your container somehow.
I highly recommend using docker-compose to run your container; feel free to change the port by editing `docker-compose.yml`.
```sh
wget https://raw.githubusercontent.com/Pezhvak/docker-ocserv/develop/docker-compose.yml
# IMPORTANT: Make sure you have updated the cert paths in the volumes section of docker-compose.yml before running it.
docker-compose up -d
```
Alternatively, run the container directly with docker:

```sh
docker run \
  --name ocserv \
  --restart=always \
  -p 1342:443 \
  -v $(pwd)/data/ocserv:/etc/ocserv/data \
  -v $(pwd)/certs/live/<domain>/fullchain.pem:/etc/ocserv/server-cert.pem \
  -v $(pwd)/certs/live/<domain>/privkey.pem:/etc/ocserv/server-key.pem \
  pezhvak/ocserv
```
Your ocserv should be up and running now; you will have to create a user to be able to connect.
I have created a simple proxy shell (`ocuser`) in the image for easier interaction with `ocpasswd`.
Add the specified user to the password file (the password will be asked for):

```sh
docker exec -it ocserv ash -c "ocuser create <username>"
```

Remove the specified user from the password file:

```sh
docker exec ocserv ash -c "ocuser delete <username>"
```

Prevent the specified user from logging in:

```sh
docker exec ocserv ash -c "ocuser lock <username>"
```

Re-enable login for the specified user:

```sh
docker exec ocserv ash -c "ocuser unlock <username>"
```
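The `ocuser` script shipped in the image is the repository author's; the following is an added example, not that script, showing how such a wrapper can map the four actions onto `ocpasswd` and reject a malformed username before it reaches the password file. It uses ocpasswd's real `-c` (password file), `-d` (delete), `-l` (lock) and `-u` (unlock) options; the password file location `/etc/ocserv/data/ocpasswd` and the `OCPASSWD_*` variable names are assumptions, so adjust them to match the image.

```shell
#!/bin/sh
# Added example: an ocuser-like wrapper around ocpasswd.
# Not the image's own script; paths below are assumptions.
OCPASSWD_FILE="${OCPASSWD_FILE:-/etc/ocserv/data/ocpasswd}"   # assumed location
OCPASSWD_BIN="${OCPASSWD_BIN:-ocpasswd}"

# ocuser_valid_name NAME: 0 only if NAME is 1-32 characters of [A-Za-z0-9._-]
# and does not start with '-', so ocpasswd can never parse it as an option.
ocuser_valid_name() {
  case "$1" in
    '' | -* | *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  [ "${#1}" -le 32 ]
}

# ocuser_flag ACTION: print the ocpasswd option for ACTION
# (nothing for create); return 1 for an unknown action.
ocuser_flag() {
  case "$1" in
    create) printf '' ;;
    delete) printf '%s' -d ;;
    lock)   printf '%s' -l ;;
    unlock) printf '%s' -u ;;
    *)      return 1 ;;
  esac
}

# ocuser ACTION NAME: validate, then run ocpasswd against the password file.
# "create" lets ocpasswd prompt for the password interactively.
ocuser() {
  action="$1"; name="$2"
  flag=$(ocuser_flag "$action") || {
    echo "usage: ocuser create|delete|lock|unlock <username>" >&2; return 2; }
  ocuser_valid_name "$name" || {
    echo "invalid username: '$name'" >&2; return 2; }
  if [ -n "$flag" ]; then
    "$OCPASSWD_BIN" -c "$OCPASSWD_FILE" "$flag" "$name"
  else
    "$OCPASSWD_BIN" -c "$OCPASSWD_FILE" "$name"
  fi
}

# When run as a script: ocuser.sh create alice
if [ "$#" -gt 0 ]; then ocuser "$@"; fi
```

The validation step matters because the username is the only piece of user-controlled input that reaches `ocpasswd` from the `docker exec` one-liners above; rejecting anything outside a small character set keeps the password file's format (one `user:group:hash` line each) predictable.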
Now that everything is set up and a user is created, you can connect to the server from a terminal or with one of the available applications:

Make sure you have installed `openconnect` on your machine; on macOS you can do that with `brew install openconnect`.

```sh
echo "<PASSWORD>" | sudo openconnect <DOMAIN>:<PORT> -u <USERNAME> --passwd-on-stdin
```
You can also create an alias in your `~/.bash_profile` (or `~/.zshrc` if you're using zsh) for easier access:

```sh
alias vpn:oc="echo <PASSWORD> | sudo openconnect <DOMAIN>:<PORT> -u <USERNAME> --passwd-on-stdin"
```
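An alias like the one above leaves the password readable in your shell profile. The following is an added example, not part of this repository: a shell function that keeps the password in a separate file, refuses to use that file unless it is a regular (non-symlink) file owned by you with mode 0600, and feeds it to openconnect over stdin with the same `--passwd-on-stdin` flag the README uses. The `OC_*` variable names, the placeholder domain and user, and the `~/.config/ocserv/password` location are assumptions.

```shell
#!/bin/sh
# Added example: read the VPN password from a 0600 file instead of an alias.
# Not part of the docker-ocserv repository; names and paths are assumptions.
OC_DOMAIN="${OC_DOMAIN:-vpn.example.com}"                     # placeholder for <DOMAIN>
OC_PORT="${OC_PORT:-1342}"                                    # the README's default port
OC_USERNAME="${OC_USERNAME:-alice}"                           # placeholder for <USERNAME>
OC_PASS_FILE="${OC_PASS_FILE:-$HOME/.config/ocserv/password}" # assumed location

# oc_pass_file_ok FILE: 0 only if FILE is a regular file (not a symlink),
# owned by the calling user, with permission bits exactly 0600.
oc_pass_file_ok() {
  if [ -L "$1" ]; then return 1; fi
  [ -f "$1" ] || return 1
  find "$1" -prune -type f -user "$(id -un)" -perm 600 2>/dev/null | grep -q .
}

# oc_create_pass_file FILE: store the password read from stdin in FILE,
# creating it with a restrictive umask so it is never world-readable.
oc_create_pass_file() {
  mkdir -p "$(dirname "$1")" || return 1
  ( umask 077 && cat > "$1" ) && chmod 600 "$1"
}

# vpn_oc: connect, refusing to run if the password file is not locked down.
vpn_oc() {
  if ! oc_pass_file_ok "$OC_PASS_FILE"; then
    echo "refusing to use $OC_PASS_FILE: must be a regular file owned by you with mode 0600" >&2
    return 1
  fi
  sudo openconnect "$OC_DOMAIN:$OC_PORT" -u "$OC_USERNAME" --passwd-on-stdin < "$OC_PASS_FILE"
}
```

To use it, source the file from `~/.bash_profile` or `~/.zshrc`, create the password file once with `printf '%s\n' 'your-password' | oc_create_pass_file ~/.config/ocserv/password`, and run `vpn_oc` instead of the alias. Because the password travels on stdin from the file, it never appears on a command line or in shell history.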
If you want to change the default configuration, you will have to build the image yourself: clone the repo and change the files you need.

1- Clone the repository to your server:

```sh
git clone https://github.com/Pezhvak/docker-ocserv.git
cd docker-ocserv
```

2- Build the image with your own settings; feel free to change `ocserv.conf` to your liking:

```sh
docker build -t <image_name> .
```

3- Follow the steps of "Using Built Image" above (change `pezhvak/ocserv` to your own image name).