A lightweight Alpine based ocserv Docker image.
You can either start by using the pre-built image or by building your own for more customization.
A pre-built image is available with the best configurations out of the box. Follow the instructions below to get up and running.
- 2 Device connections for each user (
max-same-clients=2) - Up to 16 clients (
max-clients=16) - 10.10.10.0/24 as the internal IP pool
- Listens on port 1342 (can be changed by altering port mappings when you run the container)
- Tunnels DNS to the server (
tunnel-all-dns=true)
Note: All limits can be increased or set to be unlimited in ocserv.conf
by building your own image.
By default docker-compose.yml and the instructions written in this document use the latest
tag of the image which represents the latest commit in the master branch. Besides that, tagged commits are also
available if you want to make sure no breaking changes enter your setup. To do so, check out
tags in our docker hub repo.
However, if you would like to get the cutting edge features you can always use the next tag which represents the
latest commit in the develop branch.
In any case, if you want to build the image yourself, run the pre-built one with docker run or with docker-compose,
in all cases you will need an SSL certificate, It's up to you how you would like to generate it, perhaps you already
have some kind of setup for that on your server, in case you don't, use the
following image to generate one:
Note: You need to have a domain pointing to your server IP address and ports 80 and 443 available to be listened to by the container for letsencrypt ACME challenge verification.
sudo docker run -it --rm --name certbot -p 80:80 -p 443:443 \
-v $(pwd)/certs:/etc/letsencrypt certbot/certbot \
certonly --standalone -m <email> -d <domain> -n --agree-tosIf you can't create one (most often because ports 80 and 443 are not available on your server, or you don't have a domain), a fallback script will generate a self-signed certificate for you inside the container. The only difference is a warning message about the certificate not being trusted (due to being self-signed) when logging in.
Now that we are done with the certificate, you have to run the container.
NOTE: If you haven't generated a certificate in the previous step, remove volume mountings to cert paths in your chosen method. As stated previously a self-signed certificate will be generated automatically with the downside of untrusted certificate warning at the logging phase.
I highly recommend using docker-compose for running your container, feel free to change the port by
editing docer-compose.yml.
wget https://raw.githubusercontent.com/Pezhvak/docker-ocserv/develop/docker-compose.yml
# IMPORTANT: Make sure you have updated the cert paths in volumes section
# of the docker-compose.yml before running it.
docker-compose up -dIf you prefer to use docker run all you have to do is to execute the following command:
docker run \
--name ocserv \
--restart=always \
-p 1342:443 \
-v $(pwd)/data/ocserv:/etc/ocserv/data \
-v $(pwd)/certs/live/<domain>/fullchain.pem:/etc/ocserv/server-cert.pem \
-v $(pwd)/certs/live/<domain>/privkey.pem:/etc/ocserv/server-key.pem \
pezhvak/ocserv Your ocserv should be up and running now, you will have to create a user to be able to connect.
To update to the latest version, simply pull the image from docker hub.
# This will pull the image from docker hub
docker-compose pull
# Running 'up' again will detect the newer image and recreates the container
docker-compose up -d# Pull the image from docker hub
docker pull pezhvak/ocserv
# Restart the container
docker restart ocservAlthough it's easier to use the pre-built image, it has its own downsides. namely, the limitations described here.
If you want to change the default configurations, you will have to build the image yourself, just clone the repo and change the files you need.
Configuration files are stored in the config directory. you can also modify
scripts/docker-entrypoint.sh if needed.
1- Clone the repository to your server:
git clone https://github.com/Pezhvak/docker-ocserv.git
cd docker-ocserv2- Build the image with your own settings, feel free to change config/ocserv.conf to your liking:
docker build -t <image_name> .3- Follow the steps of Using Built Image (Change pezhvak/ocserv to your own image name)
I have created a simple proxy shell (ocuser) in the image for easier interaction with ocpasswd.
Add the specified user to the password file (You will be asked to provide a password after running the command)
docker exec -it ocserv ash -c "ocuser create <username>"Remove the specified user from the password file:
docker exec ocserv ash -c "ocuser delete <username>"Prevent the specified user from logging in:
docker exec ocserv ash -c "ocuser lock <username>"Re-enable login for the specified user
docker exec ocserv ash -c "ocuser unlock <username>"Now that everything is set up and the user is created, you can connect to server using terminal or one of the available applications:
Make sure you have installed openconnect on your machine, you can do that in MacOS using brew install openconnect.
echo "<PASSWORD>" | sudo openconnect <DOMAIN>:<PORT> -u <USERNAME> --passwd-on-stdinYou can also create an alias in your ~/.bash_profile (or ~/.zshrc if you're using zsh) for easier access:
alias vpn:oc="echo <PASSWORD> | sudo openconnect <DOMAIN>:<PORT> -u <USERNAME> --passwd-on-stdin"I appreciate these repositories which inspired me and helped me to put the pieces together: