Check attached `docker-compose-no-ui.yml` file to run openvpn-server withput [OpenVPN UI](https://github.com/d3vilh/openvpn-ui) container.
**Default EasyRSA** configuration can be changed in `~/openvpn-server/config/easy-rsa.vars` file:
```shell
set_var EASYRSA_DN "org"
set_var EASYRSA_REQ_COUNTRY "UA"
set_var EASYRSA_REQ_PROVINCE "KY"
set_var EASYRSA_REQ_CITY "Kyiv"
set_var EASYRSA_REQ_ORG "SweetHome"
set_var EASYRSA_REQ_EMAIL "sweet@home.net"
set_var EASYRSA_REQ_OU "MyOrganizationalUnit"
set_var EASYRSA_REQ_CN "server"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 825
set_var EASYRSA_CERT_RENEW 30
set_var EASYRSA_CRL_DAYS 180
```
In the process of installation these vars will be copied to container volume `/etc/openvpn/pki/vars` and used during all EasyRSA operations.
You can update all these parameters later with OpenVPN UI on `Configuration > EasyRSA vars` page.
### Run with Docker:
```shell
docker run --interactive --tty --rm \
--name=openvpn \
--cap-add=NET_ADMIN \
-p 1194:1194/udp \
-e TRUST_SUB=10.0.70.0/24 \
-e GUEST_SUB=10.0.71.0/24 \
-e HOME_SUB=192.168.88.0/24 \
-v ./pki:/etc/openvpn/pki \
-v ./clients:/etc/openvpn/clients \
-v ./config:/etc/openvpn/config \
-v ./staticclients:/etc/openvpn/staticclients \
-v ./log:/var/log/openvpn \
-v ./fw-rules.sh:/opt/app/fw-rules.sh \
-v ./server.conf:/etc/openvpn/server.conf \
--privileged d3vilh/openvpn-server:latest
```
### Run the OpenVPN-UI image
```
docker run \
-v /home/pi/openvpn-server:/etc/openvpn \
-v /home/pi/openvpn-server/db:/opt/openvpn-ui/db \
-v /home/pi/openvpn-server/pki:/usr/share/easy-rsa/pki \
-e OPENVPN_ADMIN_USERNAME='admin' \
-e OPENVPN_ADMIN_PASSWORD='gagaZush' \
-p 8080:8080/tcp \
--privileged d3vilh/openvpn-ui:latest
```
### Build image form scratch:
1. Clone the repo:
```shell
git clone https://github.com/d3vilh/openvpn-server
```
2. Build the image:
```shell
cd openvpn-server
docker build --force-rm=true -t d3vilh/openvpn-server .
```
## Configuration
The volume container will be initialised with included scripts to automatically generate everything you need on the first run:
- Diffie-Hellman parameters
- an EasyRSA CA key and certificate
- a new private key
- a self-certificate matching the private key for the OpenVPN server
- a TLS auth key from HMAC security
This setup use `tun` mode, as the most compatible with wide range of devices, for instance, does not work on MacOS(without special workarounds) and on Android (unless it is rooted).
The topology used is `subnet`, for the same reasons. `p2p`, for instance, does not work on Windows.
The server config [specifies](https://github.com/d3vilh/openvpn-aws/blob/master/openvpn/server.conf#L34) `push redirect-gateway def1 bypass-dhcp`, meaning that after establishing the VPN connection, all traffic will go through the VPN. This might cause problems if you use local DNS recursors which are not directly reachable, since you will try to reach them through the VPN and they might not answer to you. If that happens, use public DNS resolvers like those of OpenDNS (`208.67.222.222` and `208.67.220.220`) or Google (`8.8.4.4` and `8.8.8.8`).
### OpenVPN Server Pstree structure
All the Server and Client configuration located in mounted Docker volume and can be easely tuned. Here is the tree structure:
```shell
|-- server.conf // OpenVPN Server configuration file
|-- clients
| |-- your_client1.ovpn
|-- config
| |-- client.conf
| |-- easy-rsa.vars
|-- db
| |-- data.db //Optional OpenVPN UI DB
|-- log
| |-- openvpn.log
|-- pki
| |-- ca.crt
| |-- certs_by_serial
| | |-- your_client1_serial.pem
| |-- crl.pem
| |-- dh.pem
| |-- index.txt
| |-- ipp.txt
| |-- issued
| | |-- server.crt
| | |-- your_client1.crt
| |-- openssl-easyrsa.cnf
| |-- private
| | |-- ca.key
| | |-- your_client1.key
| | |-- server.key
| |-- renewed
| | |-- certs_by_serial
| | |-- private_by_serial
| | |-- reqs_by_serial
| |-- reqs
| | |-- server.req
| | |-- your_client1.req
| |-- revoked
| | |-- certs_by_serial
| | |-- private_by_serial
| | |-- reqs_by_serial
| |-- safessl-easyrsa.cnf
| |-- serial
| |-- ta.key
|-- staticclients //Directory where stored all the satic clients configuration
```
### Generating .OVPN client profiles with [OpenVPN UI](https://github.com/d3vilh/openvpn-ui)
You can access **OpenVPN UI** on it's own port (*e.g. `http://localhost:8080`, change `localhost` to your Public or Private IPv4 address*), the default user and password is `admin/gagaZush` which can be changed via Docker enviroment.
You can update external client IP and port address anytime under `"Configuration > OpenVPN Client"` menu.
For this go to `"Configuration > OpenVPN Client"`:
And then update `"Connection Address"` and `"Connection Port"` fields with your external Internet IP and Port.
To generate new Client Certificate go to `"Certificates"`, then press `"Create Certificate"` button, enter new VPN client name, complete all the rest fields and press `"Create"` to generate new Client certificate:
To download .OVPN client configuration file, press on the `Client Name` you just created:
Install [Official OpenVPN client](https://openvpn.net/vpn-client/) to your client device.
Deliver .OVPN profile to the client device and import it as a FILE, then connect with new profile to enjoy your free VPN:
### Renew Certificates for client profiles
To renew certificate, go to `"Certificates"` and press `"Renew"` button for the client you would like to renew certificate for:
Right after this step new Certificate will be genrated and it will appear as new client profile with the same Client name. At this point both client profiles will have updated Certificate when you try to download it.
Once you will deliver new client profile with renewed Certificate to you client, press `"Revoke"` button for old profile to revoke old Certificate, old client profile will be deleted from the list.
If, for some reason you still would like to keep old certificate you have to `"Revoke"` new profile, old certificate will be rolled back and new profile will be deleted from the list.
Renewal process will not affect active VPN connections, old client will be disconnected only after you revoke old certificate or certificate term of use will expire.
### Revoking .OVPN profiles
If you would like to prevent client to use yor VPN connection, you have to revoke client certificate and restart the OpenVPN daemon.
You can do it via OpenVPN UI `"Certificates"` menue, by pressing `"Revoke"`` amber button:
Certificate revoke won't kill active VPN connections, you'll have to restart the service if you want the user to immediately disconnect. It can be done from the same `"Certificates"` page, by pressing Restart red button:
You can do the same from the `"Maintenance"` page.
After Revoking and Restarting the service, the client will be disconnected and will not be able to connect again with the same certificate. To delete the certificate from the server, you have to press `"Remove"` button.
### OpenVPN client subnets. Guest and Home users
By default this [Openvpn-Server](https://github.com/d3vilh/openvpn-server) OpenVPN server uses option `server 10.0.70.0/24` as **"Trusted"** subnet to grab dynamic IPs for all your Clients which, by default will have full access to your **"Private/Home"** subnet, as well as Internet over VPN.
However you can be desired to share internet over VPN with specific, Guest Clients and restrict access to your **"Private/Home"** subnet. For this scenario [Openvpn-Server's](https://github.com/d3vilh/openvpn-server) `server.conf` configuration file has special `route 10.0.71.0/24` option, aka **"Guest users"** subnet.
