docker-openvpn's Introduction

Customized OpenVPN for Docker for Mac

OpenVPN server in a Docker container, complete with an EasyRSA PKI CA. This image creates a VPN between Docker for Mac containers and the host Mac itself. It lets you communicate directly with services running as Docker containers on IPs in 172.17.0.0/16.

Quick Start

  • Initialize the ovpn-data container that will hold the configuration files and certificates

      docker volume create --name ovpn-data
      docker run -v ovpn-data:/etc/openvpn --rm luman75/docker-mac-openvpn:3.4.0 ovpn_genconfig -u udp://localhost
    
  • Create CA

    You will be asked for a password for the CA. Set something longer than 4 characters and remember it for the next commands.

      docker run -v ovpn-data:/etc/openvpn --rm -it luman75/docker-mac-openvpn:3.4.0 ovpn_initpki

  • Start OpenVPN server process

      docker run -v ovpn-data:/etc/openvpn --name docker-mac-openvpn -d -p 1194:1194/udp --cap-add=NET_ADMIN luman75/docker-mac-openvpn:3.4.0
    
  • Generate a client certificate without a passphrase

      docker run -v ovpn-data:/etc/openvpn --rm -it luman75/docker-mac-openvpn:3.4.0 easyrsa build-client-full DockerForMac nopass
    
  • Retrieve the client configuration with embedded certificates

      docker run -v ovpn-data:/etc/openvpn --rm luman75/docker-mac-openvpn:3.4.0 ovpn_getclient DockerForMac > DockerForMac.ovpn
    
  • Install the OpenVPN configuration. You need to have Tunnelblick installed on your system (https://tunnelblick.net/downloads.html). Then run:

      open DockerForMac.ovpn
    

After that, Tunnelblick will be configured to communicate with your Docker for Mac environment.

How Does It Work?

Initialize the volume container using the luman75/docker-mac-openvpn:3.4.0 image with the included scripts to automatically generate:

  • Diffie-Hellman parameters
  • a private key
  • a self-certificate matching the private key for the OpenVPN server
  • an EasyRSA CA key and certificate
  • a TLS auth key from HMAC security

The OpenVPN server is started with the default run command, ovpn_run.

The configuration is located in /etc/openvpn, and the Dockerfile declares that directory as a volume. It means that you can start another container with the -v argument, and access the configuration. The volume also holds the PKI keys and certs so that it could be backed up.

To generate a client certificate, luman75/docker-mac-openvpn:3.4.0 uses EasyRSA via the easyrsa command in the container's path. The EASYRSA_* environment variables place the PKI CA under /etc/openvpn/pki.

Conveniently, luman75/docker-mac-openvpn:3.4.0 comes with a script called ovpn_getclient, which dumps an inline OpenVPN client configuration file. This single file can then be given to a client for access to the VPN.

To enable Two Factor Authentication for clients (a.k.a. OTP) see this document.

Differences from kylemanna/docker-openvpn

  • No longer generates any push for DNS. We assume DNS should be the same as in the host OS.
  • Pushes "route 172.17.0.0 255.255.0.0" so that traffic to the internal Docker networks is routed through the VPN.
  • No "redirect-gateway def1" is generated in xx.ovpn, so the VPN does not become the default route.
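
The quick start embeds a nopass client key in DockerForMac.ovpn, and the differences above say the profile carries no redirect-gateway line. The script below is an added example, not part of this project, that checks a generated profile for both properties; it assumes the standard OpenVPN `remote <host> <port> <proto>` directive, and its function names and sample profile are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the project): audit a profile from ovpn_getclient.
# Prints one line per finding; returns 0 if clean, 1 if findings, 2 if unreadable.
audit_ovpn() {
    f=$1; findings=0
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }

    # Split tunnel: the profile must not take over the default route.
    if grep -Eq '^[[:space:]]*redirect-gateway' "$f"; then
        echo "FINDING: redirect-gateway present, all traffic would use the VPN"
        findings=$((findings + 1))
    fi
    # The quick start generates the config for udp://localhost.
    remote=$(awk '$1 == "remote" { print $2; exit }' "$f")
    case $remote in
        localhost|127.0.0.1) ;;
        *) echo "FINDING: remote is '$remote', expected localhost"
           findings=$((findings + 1)) ;;
    esac
    # A nopass key embedded inline makes the file itself a credential.
    if grep -Eq 'BEGIN (RSA )?PRIVATE KEY' "$f"; then
        perms=$(ls -ld "$f" | cut -c5-10)   # group + other permission bits
        if [ "$perms" != "------" ]; then
            echo "FINDING: unencrypted key readable by group/other ($perms)"
            findings=$((findings + 1))
        fi
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample profile (placeholder key body, not real key material).
write_sample_profile() {
    cat > "$1" <<'EOF'
client
dev tun
remote localhost 1194 udp
<key>
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER
-----END PRIVATE KEY-----
</key>
EOF
}

# Usage: sh audit.sh DockerForMac.ovpn
[ $# -eq 0 ] || audit_ovpn "$1"
```

Running `chmod 600 DockerForMac.ovpn` clears the permission finding.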
