kylemanna / docker-openvpn

🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA

Home Page: https://hub.docker.com/r/kylemanna/openvpn/

License: MIT License

Shell 98.26% Dockerfile 1.74%
docker-openvpn's Issues

Remote not picked up by import of .ovpn

Running on Linux using NetworkManager, when I import the .ovpn file it complains about no remote being specified. If I move the remote line near the top of the file it works properly.

Not sure if this is due to improper generation of the .ovpn file by bin/ovpn_getclient or a broken parser on my platform (if not handled directly by openvpn). I'll probably investigate further, but I figured I'd report in case others have issues or have more details.

Lines in question:

</tls-auth>
key-direction 1
remote $OVPN_CN $OVPN_PORT $OVPN_PROTO
EOF

if [ "$OVPN_DEFROUTE" != "0" ];then
    echo "redirect-gateway def1"

Seems like nothing after </tls-auth> is picked up as the key-direction was ignored and has to be manually set as well.

Enable client-to-client

I'm using the image for connecting a bunch of Digital Ocean servers. It'd be nice to have the client-to-client option enabled by default.

Private network routing

I'm trying to set up a configuration where I have:

Client (my laptop) => Google Compute Engine (GCE) server

The GCE server has addresses:

  • external: aaa.aaa.aaa.aaa
  • internal: bbb.bbb.bbb.bbb

I need to be able to access all the internal servers on the GCE by their "Internal IP". My laptop is on a 192.168.100.0/24 network and the internal GCE network is a 10.0.0.0/16 network.

I thought the following would work, but I still can't connect to the internal servers. The VPN connection establishes fine. Note: I don't want all my traffic routed through the VPN, just the traffic destined for the internal servers.

docker run --name ovpn-data -v /etc/openvpn busybox
docker run --volumes-from ovpn-data --rm kylemanna/openvpn ovpn_genconfig -u udp://aaa.aaa.aaa.aaa:1194 -d -c -p "route 10.0.0.0 255.255.0.0"
docker run --volumes-from ovpn-data --rm -it kylemanna/openvpn ovpn_initpki
docker run --volumes-from ovpn-data -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
docker run --volumes-from ovpn-data --rm -it kylemanna/openvpn easyrsa build-client-full cluster-00 nopass
docker run --volumes-from ovpn-data --rm kylemanna/openvpn ovpn_getclient cluster-00 > cluster-00.ovpn

Am I configuring this wrong?

Add support for management interface

Add support for the OpenVPN management interface either by port forwarding or running docker-enter/nsenter. Drop the status file, which is mostly unreadable now.

More liberal license?

jpetazzo's repository is licensed under Apache 2.0. AGPL makes it difficult to use this repository within some corporate environments. I know this is sort of ridiculous, but it's the reality. It would be great if your changes could be released under a more liberal license so more of us could benefit.

Backup text displays, but openvpn.conf backup does not happen

This is a very small issue:

When you re-issue ovpn_genconfig for a data container that already exists/has been pre-provisioned with ovpn_genconfig before, you get this:

Backing up /etc/openvpn/ovpn_env.sh -> /etc/openvpn/ovpn_env.sh.1425705327.bak
Backing up /etc/openvpn/openvpn.conf -> /etc/openvpn/openvpn.conf.1425705328.bak
Files /etc/openvpn/ovpn_env.sh.1425705327.bak and /etc/openvpn/ovpn_env.sh differ
Successfully generated config

As it turns out, the "openvpn.conf.1425705328.bak" (in this case '1425705328') does not actually get created.

The "ovpn_env.sh.1425705327.bak" (in this case '1425705327') gets created correctly.

Non interactive mode.

Hi,

First thank you very much for this wonderful image. It works like a charm!

Therefore, I would like to know if there is any way to do the quickstart in non-interactive mode? I am trying to deploy an openvpn server with ansible.

Thanks in advance.

IPv6 support

Do you have any idea how to include IPv6 support into the configuration? I have read the IPv6 wiki page and it looks like the OpenVPN configuration is easy.
I see docker doesn't support v6 natively for now. But certainly there are PRs (moby/moby#8947) to support it. As a workaround I tried to use the LXC driver, set an IP address on docker0 and start the docker container with LXC flags.
As a result docker can't start the daemon because the old containers could not be found. So I rolled the configuration back.

Have you any experience with IPv6? Especially this OpenVPN container and docker? Is there a way to route all IPv6 traffic through v4? Android ignores the v4 tunnel, if there is native v6 connectivity.

Cannot open TUN/TAP dev /dev/net/tun: No such file or directory

Hello,

Did I do something wrong?

As far as I can tell this should work:

core@mirror ~ $ docker run --volume /etc/openvpn:/etc/openvpn -p 1194:1194/udp --cap-add=NET_ADMIN --rm kylemanna/openvpn openvpn --config "network7.conf"
[...]
Tue Apr  7 10:54:47 2015 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Tue Apr  7 10:54:47 2015 Exiting due to fatal error

Maybe the fact this is Core OS is significant, can't see why though - Core OS itself has tun support:

core@mirror ~ $ ls -l /dev/net/tun
crw-rw-rw- 1 root root 10, 200 Apr  7 10:48 /dev/net/tun

Also:

core@mirror ~ $ docker --version
Docker version 1.5.0, build a8a31ef-dirty

Hmmm. --privileged works fine, but the documentation says that is only required for Docker < 1.2 - wonder if some other --cap-add= option is required for 1.5???

Thanks

set up an openvpn client on the same host

If you bind port 1194 to 0.0.0.0 on a host with several IPs,
and your server domain is bound to a secondary IP (in most cases, docker0's IP will be the primary IP),
openvpn will reject:
Incoming packet rejected from xx.xx.xx.xx:1194[2], expected peer address: xx.xx.xx.xx:1194 (allow this incoming source address/port by removing --remote or adding --float)

Enable tcp/443 as fallback for udp 1194

Hi @kylemanna,

I was wondering if there is a specific reason you disabled tcp 443 for this build? I know udp is preferable, but I was hoping to find a setup that would fallback to tcp 443 if udp is being blocked by a firewall (or random coffee shop's setup).

Install fails on coreos - Docker newbie

Install on digitalocean coreos droplet threw the following 2 errors.

docker run --volumes-from ovpn-data --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.mydomain.com
Unable to find image 'kylemanna/openvpn:latest' locally
Pulling repository kylemanna/openvpn
Status: Downloaded newer image for kylemanna/openvpn:latest
diff: : No such file or directory
diff: : No such file or directory


subsequent command throws another error
docker run --volumes-from ovpn-data --rm -it kylemanna/openvpn ovpn_initpki
/usr/local/bin/ovpn_initpki: line 13: /etc/openvpn/ovpn_env.sh: No such file or directory


is the docker container ubuntu specific or should it work on coreos host too?

Add/Test ECDSA support

Add/test elliptic curve support when upstream OpenVPN releases it. Upstream commit

EasyRSA 3.0-rc1 has the ability to generate certs with EASYRSA_ALGO=ec set in the environment.

Error response from daemon: no such id: ovpn-data

What am I doing wrong?

root@alexus:~# OVPN_DATA="ovpn-data"
root@alexus:~# docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
Error response from daemon: no such id: ovpn-data
root@alexus:~# 

Can't install, failed to build the CA

after ovpn_genconfig

...
Successfully generated config
+ diff -q '' /etc/openvpn/openvpn.conf
+ true
+ echo 'Successfully generated config'

after ovpn_initpki

.
.
.
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki

+ easyrsa build-ca
Generating a 2048 bit RSA private key
...........+++
...............+++
writing new private key to '/etc/openvpn/pki/private/ca.key'
Enter PEM pass phrase:
Enter PEM pass phrase:
Enter PEM pass phrase:
Enter PEM pass phrase:
140717259392656:error:0906406D:PEM routines:PEM_def_callback:problems getting password:pem_lib.c:111:
140717259392656:error:0907E06F:PEM routines:DO_PK8PKEY:read key:pem_pk8.c:130:

Easy-RSA error:

Failed to build the CA

try to start vpn
docker logs show

.
.
.
iptables: No chain/target/match by that name.
+ iptables -t nat -A POSTROUTING -s 192.168.254.0/24 -o eth0 -j MASQUERADE
+ conf=/etc/openvpn/openvpn.conf
+ openvpn --config /etc/openvpn/openvpn.conf
Options error: --dh fails with '/etc/openvpn/pki/dh.pem': No such file or directory
Options error: --ca fails with '/etc/openvpn/pki/ca.crt': No such file or directory
Options error: --cert fails with '/etc/openvpn/pki/issued/vpn.myvpn.de.crt': No such file or directory
Options error: --key fails with '/etc/openvpn/pki/private/vpn.myvpn.de.key': No such file or directory
Options error: --tls-auth fails with '/etc/openvpn/pki/ta.key': No such file or directory
Options error: Please correct these errors.
Use --help for more information.

Using public IPv4 for the clients

I have a few public IPv4 routed to the server I'm using for this VPN and I would like to distribute them to the clients instead of the default private IPs.

How would you recommend doing this?

Split tunnel configuration

I'm implementing a split tunnel configuration and can't quite figure out the right options. Currently I configure the server with the "-p" option to push the route out to the client but the configs that I generate contain "redirect-gateway def1" which I think is incorrect. However, if I specify "-d" it turns off NAT which breaks the ability to communicate with the subnet.

Stripping off the "redirect-gateway def1" from the client config does the trick to get it working, but I'm wondering if there is a correct combination of options I should be using to implement split tunneling.

Regards

tls-auth in openvpn.conf not working

Server log

TLS Error: cannot locate HMAC in incoming packet from [AF_INET]

When I disable the line # tls-auth /etc/openvpn/pki/ta.key it works.

How should we handle client

I want to set up a VPN between 3 servers; I want to create a LAN between all of them.
I tested it with the server and me as a client, very easy.
However, I want to use it from server to server. Should I use a docker image of openvpn on the client for that? If yes, is your image ready for that?
Using the default config, I understand that the http traffic is rerouted; I want to configure a private LAN. I can start services listening only on the vpn interface as a security feature.
Is the configuration ready for that? Should I turn off something?

Thanks again for your work

suggestion about data-only containers

Hi,
Just a remark about your README.md. I've seen that you suggest using a busybox image as the data-only container. I suppose it is to save disk space, but actually you are wrong. As docker uses AUFS, if you use the same image as your app you actually save space. Maybe you could take a look at this blog post.
Thank you for your work, Bye.

ovpn_run "Exited (1)" (Fedora 22, Docker 1.8)

Hello,

With a digital ocean vps, I got the following issue:

a01efde49a1b        kylemanna/openvpn   "ovpn_run"          3 minutes ago       Exited (1) 3 minutes ago                       determined_banach

I just followed the steps (as the last time I installed this docker).

configuration: Fedora 22, Docker version 1.8.2-fc22, build f1db8f2/1.8.2

logs:

root@whatweare /h/# docker logs 64db0e83fb1a
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Enabling IPv6 Forwarding
sysctl: setting key "net.ipv6.conf.default.forwarding": Read-only file system
Failed to enable IPv6 Forwarding default
sysctl: setting key "net.ipv6.conf.all.forwarding": Read-only file system
Failed to enable IPv6 Forwarding
Sun Sep 27 00:24:50 2015 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec  1 2014
Sun Sep 27 00:24:50 2015 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Sun Sep 27 00:24:50 2015 Diffie-Hellman initialized with 2048 bit key
Sun Sep 27 00:24:50 2015 Control Channel Authentication: using '/etc/openvpn/pki/ta.key' as a OpenVPN static key file
Sun Sep 27 00:24:50 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 27 00:24:50 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 27 00:24:50 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Sun Sep 27 00:24:50 2015 ROUTE_GATEWAY XXXX/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:16
Sun Sep 27 00:24:50 2015 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
Sun Sep 27 00:24:50 2015 Exiting due to fatal error

docker attach to the vpn container?

Rookie question:
I try docker attach [running-openvpn-container-name] to connect into the container. However, the terminal does not return the container, it hangs and allows my input without response.
Why is this?

Add TCP support

In your readme you say that you haven't found a use case for TCP. I'll try to make my case and hope you add it on future releases.

There are cases where the connections we use to access the internet have enforced filtering of ports and only allow certain common ones (i.e.: HTTP, HTTPS, IMAP, POP3, SMTP). This enforcement does not always go in concordance with security policies, so in those cases where it doesn't and you know you are not breaking any corporate rule, it does make sense to have a way to connect to your VPN.

In that particular use case if you have your VPN running on 443/TCP you could connect and allow you to securely and freely browse internet and your private VPN resources.

I hope this is enough of a reason for you to add TCP support.

Cheers
M

DISCLAIMER: I've tried encapsulating UDP inside a TCP tunnel inside an SSH tunnel; however, due to discrepancies in MTU this triggers an HMAC failure and thus the VPN performs suboptimally. Plus it adds unwanted complexity to something that should be simple.

Failed to build the CA

Enter PEM pass phrase:
139885230831248:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 1024 characters
139885230831248:error:0906406D:PEM routines:PEM_def_callback:problems getting password:pem_lib.c:111:
139885230831248:error:0907E06F:PEM routines:DO_PK8PKEY:read key:pem_pk8.c:130:

Easy-RSA error:

Failed to build the CA

I had to do:

docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn bash
ovpn_initpki

And write a PEM pass phrase

Merge efforts with jpetazzo's original Dockvpn

I opened a pull request (jpetazzo/dockvpn#8) for some work that I was working on from the original jpetazzo/dockvpn some time ago. After I did that I went and researched other dockvpn branches and found yours, and found your changes to be mostly the same as what I was working on. "Docker openvpn" still results in jpetazzo's repo first, and yours second.

Somebody has now urged jpetazzo to accept my pull request and he is willing to make it his new master, but I think that we could do better to combine our efforts. He has offered to either name one repo as a successor repo, or give commit access to his. Would you be interested in joining efforts towards making one canonical openvpn solution for docker? Or would you prefer to continue working on your changes alone? From reading through your changes vs my changes, I think that we are both headed in very similar directions.

Create openvpn-data container using busybox

Use the busybox docker image to create the openvpn-data volume. This will save space as the openvpn image updates based on debian:jessie. Currently the old image is held due to reference counting (image is approx 250 MB) and a reference to the image from the data volume container.

The same will happen to busybox created image, but the busybox image is < 5 MB.

Annoying part is that it will add approx 1 more step to setup.

Client to client connections without forwarding all traffic through the vpn

I need to configure OpenVPN to do the following:

  1. clients must reach each other;
  2. clients must be assigned static IPs;
  3. clients must not forward all traffic through the vpn.

I may be wrong, but the container does not support all three out of the box. For (2) I have followed Static IP Addresses. For (3), I think you just need to pass -d to ovpn_genconfig (I'm not sure because I edited an existing configuration). But to also obtain (1), I needed to add this line to the server's config file:

push "route 192.168.254.0 255.255.255.0"

Can this be added by default or through some option?

Support for tunneling on 443/tcp at the same time as 1194/udp

So I'm looking at this comment in the Dockerfile

Internally uses port 1194/udp, remap using docker run -p 443:1194/tcp

and I guess I'm confused. Can you support clients who use 443/tcp with the server inside thinking that it's talking UDP? I suppose the only way to know is try, but it seems so unlikely.

/etc/openvpn/ovpn_env.sh: No such file or directory

I updated my whole system (Ubuntu 14.04.2 LTS) and docker (1.6.0) and my openvpn server won't start anymore; with debug enabled I get this output:

$ docker run --volumes-from $OVPN_DATA -p 1194:1194/udp --privileged -e DEBUG=1 kylemanna/openvpn
+ set -e
+ source /etc/openvpn/ovpn_env.sh
/usr/local/bin/ovpn_run: line 13: /etc/openvpn/ovpn_env.sh: No such file or directory

It looks like that a path changed in the update process.

Thanks !

duplicate-cn option

I noticed the default config having a commented out duplicate-cn option. It would be nice if this was configurable. We use a single key for some test setups (less secure, but these environments are more about convenience than security), but without duplicate-cn this won't work.

Also, it would be nice if ovpn_run would pass all arguments to openvpn so we can do things like this:

/usr/bin/docker run kylemanna/openvpn ovpn_run --duplicate-cn

Investigate MTU performance tweaks

Review OpenVPN's Gigabit Network Wiki Page and consider implementing some performance tweaks.

Currently, ~ 150 Mb/s consumes 100% of a Digital Ocean 1 CPU / 512 MB droplet.

A larger MTU should improve encryption/decryption efficiency and IPC between kernel and user space daemon.

Test Case

Client

~ โฏโฏโฏ curl http://cachefly.cachefly.net/100mb.test http://cachefly.cachefly.net/100mb.test  http://cachefly.cachefly.net/100mb.test  http://cachefly.cachefly.net/100mb.test  http://cachefly.cachefly.net/100mb.test  http://cachefly.cachefly.net/100mb.test  http://cachefly.cachefly.net/100mb.test  http://cachefly.cachefly.net/100mb.test http://cachefly.cachefly.net/100mb.test  http://cachefly.cachefly.net/100mb.test  http://cachefly.cachefly.net/100mb.test  > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  100M  100  100M    0     0  12.2M      0  0:00:08  0:00:08 --:--:-- 13.5M
100  100M  100  100M    0     0  14.5M      0  0:00:06  0:00:06 --:--:-- 14.4M
100  100M  100  100M    0     0  14.4M      0  0:00:06  0:00:06 --:--:-- 13.9M
100  100M  100  100M    0     0  14.8M      0  0:00:06  0:00:06 --:--:-- 15.0M
100  100M  100  100M    0     0  14.1M      0  0:00:07  0:00:07 --:--:-- 13.9M
100  100M  100  100M    0     0  14.4M      0  0:00:06  0:00:06 --:--:-- 14.8M
100  100M  100  100M    0     0  15.5M      0  0:00:06  0:00:06 --:--:-- 15.7M
100  100M  100  100M    0     0  14.3M      0  0:00:06  0:00:06 --:--:-- 14.1M
100  100M  100  100M    0     0  14.4M      0  0:00:06  0:00:06 --:--:-- 14.8M
100  100M  100  100M    0     0  14.9M      0  0:00:06  0:00:06 --:--:-- 15.0M
100  100M  100  100M    0     0  15.4M      0  0:00:06  0:00:06 --:--:-- 15.5M

Result

  • Server: imgur htop (running kylemanna/openvpn:0.2)
  • Client: imgur rMBP (running 2012 rMBP + TunnelBlick with OpenVPN 2.3.4)
  • User 😞

Suggested by @bydavy

Understanding configuration updates for split tunnel to a dynamic list of hosts

The situation: I'm setting up a split tunnel to allow access to a bunch of individual hosts via a VPN. There's a longish list of them, all on different /32s, and from time to time that list will change.

What I want to avoid is having the client's OpenVPN configuration have to change when this list changes. I know I'll have to bump something on the server container to get this to work, but I'd hate to have to pull down new OVPN files every time.

Suggestions welcome to help me puzzle this out - I promise to write up whatever I find.

Access host machine

Hi,
Thanks for building this docker image, it looks awesome.

I am trying to replace my local install of openvpn server (on the host machine) with this docker instance. Is it possible to access the host machine through the openvpn server? i.e. ssh to the host machine through the docker openvpn server. I guess adding an openvpn client to the host machine is a bad idea? (as then the docker openvpn server would have two routes to the same network)

I have other docker containers running on the same host machine (such as redmine and gitlab) which currently bind ports to the local openvpn servers interface's ip address

docker run --name gitlab -d \
    --publish 192.168.255.110:8383:80 \
...

Thanks

Setting key "net.ipv6.conf.default.forwarding": Read-only file system

After running this

docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn

i got this error in docker logs

iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Enabling IPv6 Forwarding
sysctl: setting key "net.ipv6.conf.default.forwarding": Read-only file system

I'm using DigitalOcean's Ubuntu 14.04 LTS

ufw default allow

Enabling these settings in /etc/ufw/sysctl.conf changes nothing

net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1

Times out on OS X

Using Tunnelblick on OS X Yosemite and connection consistently times out after half a minute or so.
jpetazzo/dockvpn is working fine under same conditions.

Handle CVE-2014-8104

Need to handle CVE-2014-8104 which appears to crash the OpenVPN server process, no remote access or side effects for other services on the same machine.

Default configuration of this Docker image uses TLS auth so it appears to be safe[1]:

Only tls-authenticated clients can trigger the vulnerability in the OpenVPN server. Thus both client certificates and TLS auth will protect against this exploit as long as all OpenVPN clients can be trusted to not be compromised and/or malicious. Note that username/password authentication does not protect against this exploit, and servers using --client-cert-not-required by definition have no client certificates to protect against this exploit.

Waiting for a Debian patch to be released.

[1] https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b
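An added example (my own script, not part of docker-openvpn) that audits a server openvpn.conf for the two conditions the quoted advisory hinges on: an active tls-auth line (commented-out lines, as in the tls-auth issue above, do not count; the later tls-crypt directives are accepted as equivalent control-channel authentication) and client certificates being required. The sample configs are constructed inline and only borrow the /etc/openvpn/pki paths seen elsewhere on this page.

```shell
#!/bin/sh
# Added example, not docker-openvpn code: audit a server openvpn.conf for the
# CVE-2014-8104 mitigation conditions from the advisory quoted above.
# Exit 0 = only certificate-holding, HMAC-authenticated clients reach the TLS
# layer; exit 1 = at least one FINDING line printed; exit 2 = unreadable file.

# has_directive FILE REGEX: true if REGEX matches the first word of an active
# line. Only whitespace may precede the directive, so lines commented out with
# '#' or ';' never match.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

check_ovpn_server_conf() {
    conf=$1
    rc=0
    if [ ! -r "$conf" ]; then
        echo "ERROR: cannot read $conf"
        return 2
    fi
    # tls-auth (or tls-crypt / tls-crypt-v2, inline <...> form included) makes
    # the server drop control-channel packets that lack a valid HMAC before
    # any TLS code runs, which is what keeps unauthenticated peers out.
    if ! has_directive "$conf" '<?tls-(auth|crypt|crypt-v2)>?'; then
        echo "FINDING: no active tls-auth/tls-crypt line in $conf (commented-out lines do not count)"
        rc=1
    fi
    # Without client certificates, a stolen ta.key alone is enough to reach
    # the vulnerable code path; flag both the legacy and the newer directive.
    if has_directive "$conf" 'client-cert-not-required' \
        || has_directive "$conf" 'verify-client-cert[[:space:]]+(none|optional)'; then
        echo "FINDING: client certificates are not required in $conf"
        rc=1
    fi
    return "$rc"
}

# write_sample_confs DIR: constructed sample configs, not real server files.
write_sample_confs() {
    cat > "$1/hardened.conf" <<'EOF'
server 192.168.255.0 255.255.255.0
verb 3
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/vpn.example.crt
key /etc/openvpn/pki/private/vpn.example.key
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
EOF
    cat > "$1/weak.conf" <<'EOF'
server 192.168.255.0 255.255.255.0
verb 3
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/vpn.example.crt
key /etc/openvpn/pki/private/vpn.example.key
dh /etc/openvpn/pki/dh.pem
# tls-auth /etc/openvpn/pki/ta.key
client-cert-not-required
EOF
}

# Stand-alone use: sh check_ovpn.sh /etc/openvpn/openvpn.conf
# With no argument, run the audit over the two constructed samples.
if [ "$#" -gt 0 ]; then
    check_ovpn_server_conf "$1"
else
    tmp=$(mktemp -d)
    write_sample_confs "$tmp"
    check_ovpn_server_conf "$tmp/hardened.conf" && echo "hardened.conf: OK"
    check_ovpn_server_conf "$tmp/weak.conf" || echo "weak.conf: see findings above"
    rm -rf "$tmp"
fi
```

Run it inside the container against the volume (for example via `docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn sh` with the script mounted) so the paths in the findings match the live config.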

Doesn't work after docker0 interface.

I setup as you describe in "quick start guide" and connect from my laptop to vpn by using
openvpn --config config.ovpn

This works fine but I can't access the internet. Traceroute:

traceroute ya.ru               
traceroute to ya.ru (213.180.193.3), 30 hops max, 60 byte packets
 1  192.168.255.129 (192.168.255.129)  44.588 ms  44.609 ms  45.061 ms
 2  172.17.42.1 (172.17.42.1)  45.095 ms  45.613 ms  46.588 ms
 3  * * *
 4  * * *
 5  * * *
 6  * * *
...

Where 172.17.42.1 is an address from the docker0 interface.

I use a Digital Ocean vps and have these interfaces:

docker0   Link encap:Ethernet  HWaddr 56:84:7a:fe:97:99  
          inet addr:172.17.42.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::5484:7aff:fefe:9799/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:419 errors:0 dropped:0 overruns:0 frame:0
          TX packets:517 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:43688 (43.6 KB)  TX bytes:77485 (77.4 KB)

eth0      Link encap:Ethernet  HWaddr 04:01:1d:d8:55:01  
          inet addr:xxx  Bcast:188.226.255.255  Mask:255.255.240.0
          inet6 addr: xxxx Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9338 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1584 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:687358 (687.3 KB)  TX bytes:232510 (232.5 KB)

eth1      Link encap:Ethernet  HWaddr 04:01:1d:d8:55:02  
          inet addr:xxxxxx  Bcast:10.129.255.255  Mask:255.255.0.0
          inet6 addr: xxxxxxx Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:760 (760.0 B)  TX bytes:578 (578.0 B)

I don't understand linux interfaces and docker. And I can't figure out where problem is.

On the server I have Ubuntu 14.04 & docker 1.0.1
