Lightweight Alpine based ocserv Docker image.
You can either start by using the pre-built image or build your own for more customization.
A pre-built image is available with the best configurations out of the box. Follow the instructions bellow to get up and running.
- 2 Device connections for each user (
max-same-clients=2) - Up to 16 clients (
max-clients=16) - 10.10.10.0/24 as the internal IP pool
- Listens on port 1342 (can be changed by altering port mappings when you run the container)
- Tunnels DNS to the server (
tunnel-all-dns=true) - No-Route list configured by CNMan/ocserv-cn-no-route
Note: All limits can be increased or set to be unlimited in ocserv.conf
by building your own image.
By default docker-compose.yml and the instructions written in this document uses the latest
tag of the image which represents the latest commit in the master branch. beside that tagged commits
are also available if you want to make sure no breaking changes enters your setup. checkout
tags in our docker hub repo.
However, if you like to get the cutting edge features you can always use the next tag
which represents the latest commit in the develop branch.
No matter what, if you want to build the image yourself, run the pre-built one with docker run or
with docker-compose, in all cases you will need an SSL certificate, It's up to you how you would like to generate it,
perhaps you already have some kind of setup for that on your server, in case you don't, use the
following image to generate one:
Note: You need to have a domain pointing to your server IP address and ports 80 and 443 available to be listened by the container for letsencrypt ACME challenge verification.
sudo docker run -it --rm --name certbot -p 80:80 -p 443:443 \
-v $(pwd)/certs:/etc/letsencrypt certbot/certbot \
certonly --standalone -m <email> -d <domain> -n --agree-toscan't create one (most often because ports 80 and 443 are not available on your server, or you don't have a domain), a fallback script will generate a self-signed certificate for you inside the container. The only difference is a warning message about the certificate not being trusted (due to being self-signed) when logging in.
Now that we are done with the certificate, you have to run the container somehow.
NOTE: If you haven't generated a certificate in the previous step, remove volume mountings to cert paths in your chosen method. as stated previously a self-signed certificate will be generated automatically with the downside of untrusted certificate warning at the logging phase.
I highly recommend you to use docker-compose for running your container, feel free to change the port by
editing docer-compose.yml. I highly recommend using docker-compose for running your container, feel free to change the
port by editing docker-compose.yml.
wget https://raw.githubusercontent.com/Pezhvak/docker-ocserv/develop/docker-compose.yml
# IMPORTANT: Make sure you have updated the cert paths in volumes section of the docker-compose.yml before running it.
docker-compose up -dIf you prefer to use docker run all you have to do is to execute the following command:
docker run \
--name ocserv \
--restart=always \
-p 1342:443 \
-v $(pwd)/data/ocserv:/etc/ocserv/data \
-v $(pwd)/certs/live/<domain>/fullchain.pem:/etc/ocserv/server-cert.pem \
-v $(pwd)/certs/live/<domain>/privkey.pem:/etc/ocserv/server-key.pem \
pezhvak/ocserv Your ocserv should be up and running now, you will have to create a user to be able to connect.
To update to the latest version, simply just pull the image from docker hub.
# this will pull the image from docker hub
docker-compose pull
# running up again will detect the newer image and recreates the container
docker-compose up -d# pull image from docker hub
docker pull pezhvak/ocserv
# restart the container
docker restart ocservAlthough it's easier to use pre-built image, but it has its own downsides. namely, the limitations described here.
If you want to change the default configurations, you will have to build the image yourself, just clone the repo and change the files you need.
Configuration files are stored in config directory. you can also modify
scripts/docker-entrypoint.sh if needed.
1- Clone the repository to your server:
git clone https://github.com/Pezhvak/docker-ocserv.git
cd docker-ocserv2- Build the image with your own settings, feel free to change config/ocserv.conf to your liking:
docker build -t <image_name> .3- Follow the steps of Using Built Image (Change pezhvak/ocserv to your own image name)
I have created a simple proxy shell (ocuser) in the image for easier interaction with ocpasswd.
Remove the specified user to the password file (Password of the user will be asked)
docker exec -it ocserv ash -c "ocuser create <username>"Remove the specified user from the password file:
docker exec ocserv ash -c "ocuser delete <username>"Prevent the specified user from logging in:
docker exec ocserv ash -c "ocuser lock <username>"Re-enable login for the specified user
docker exec ocserv ash -c "ocuser unlock <username>"Now that everything is set up and user is created, you can connect to server using terminal or one of the available applications:
Make sure you have installed openconnect on your machine, you can do that in MacOS using brew install openconnect.
echo "<PASSWORD>" | sudo openconnect <DOMAIN>:<PORT> -u <USERNAME> --passwd-on-stdinYou can also create an alias in your ~/.bash_profile (or ~/.zshrc if you're using zsh) for easier access:
alias vpn:oc="echo <PASSWORD> | sudo openconnect <DOMAIN>:<PORT> -u <USERNAME> --passwd-on-stdin"I appreciate these repositories which inspired me and helped me to put the pieces together:
