Dockerfile for the creation of an OpenVPN container

OpenVPN-Dockerfile

FROM ubuntu:16.04

# VARS

ENV KEY_COUNTRY CO
ENV KEY_PROVINCE VALLE
ENV KEY_CITY CALI
ENV KEY_ORG MyOrganization
ENV KEY_EMAIL [email protected]
ENV KEY_OU Community
ENV KEY_NAME server

RUN apt update
RUN apt install expect openvpn easy-rsa ufw curl linux-image-$(uname -r) -y

RUN make-cadir /root/openvpn-ca

WORKDIR /root/openvpn-ca

RUN sed -i 's/\(export KEY_COUNTRY="\)\(.*\)\("\)/export KEY_COUNTRY=\"$KEY_COUNTRY\"/g' /root/openvpn-ca/vars \
	&& sed -i 's/\(export KEY_PROVINCE="\)\(.*\)\("\)/export KEY_PROVINCE=\"$KEY_PROVINCE\"/g' /root/openvpn-ca/vars \
	&& sed -i 's/\(export KEY_CITY="\)\(.*\)\("\)/export KEY_CITY=\"$KEY_CITY\"/g' /root/openvpn-ca/vars \
	&& sed -i 's/\(export KEY_ORG="\)\(.*\)\("\)/export KEY_ORG=\"$KEY_ORG\"/g' /root/openvpn-ca/vars \
	&& sed -i 's/\(export KEY_EMAIL="\)\(.*\)\("\)/export KEY_EMAIL=\"$KEY_EMAIL\"/g' /root/openvpn-ca/vars \
	&& sed -i 's/\(export KEY_OU="\)\(.*\)\("\)/export KEY_OU=\"$KEY_OU\"/g' /root/openvpn-ca/vars \
	&& sed -i 's/\(export KEY_NAME="\)\(.*\)\("\)/export KEY_NAME=\"$KEY_NAME\"/g' /root/openvpn-ca/vars

RUN /bin/bash -c 'source vars && ./clean-all'

RUN /bin/bash -c "source vars && echo -e '#\!/usr/bin/expect -f\nspawn ./build-ca\nexpect \":\"\nsend \"\\\\r\"\nexpect \":\"\nsend \"\\\\r\"\nexpect \":\"\nsend \"\\\\r\"\nexpect \":\"\nsend \"\\\\r\"\nexpect \":\"\nsend \"\\\\r\"\nexpect \":\"\nsend \"\\\\r\"\nexpect \":\"\nsend \"\\\\r\"\nexpect \":\"\nsend \"\\\\r\"\nexpect EOF\n' | /usr/bin/expect -f -"

RUN /bin/bash -c "source vars && echo -e '#\!/usr/bin/expect -f\nset timeout 120\nspawn ./build-key-server server\nexpect -exact \":\"\nsend -- \"\\\\r\"\nexpect -exact \":\"\nsend -- \"\\\\r\"\nexpect -exact \":\"\nsend -- \"\\\\r\"\nexpect -exact \":\"\nsend -- \"\\\\r\"\nexpect -exact \":\"\nsend -- \"\\\\r\"\nexpect -exact \":\"\nsend -- \"\\\\r\"\nexpect -exact \":\"\nsend -- \"\\\\r\"\nexpect -exact \":\"\nsend -- \"\\\\r\"\nexpect -exact \":\"\nsend -- \"\\\\r\"\nexpect -exact \":\"\nsend -- \"\\\\r\"\nexpect -exact \"]:\"\nsend -- \"y\\\\r\"\nexpect -exact \"n]\"\nsend -- \"y\\\\r\"\nexpect EOF\n' | /usr/bin/expect -f -"

RUN /bin/bash -c 'source vars && ./build-dh'

RUN openvpn --genkey --secret /root/openvpn-ca/keys/ta.key

WORKDIR /root/openvpn-ca/keys

RUN cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn

RUN gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | tee /etc/openvpn/server.conf

RUN sed -i 's/;tls-auth /tls-auth /g' /etc/openvpn/server.conf \
		&& sed -i '/tls-auth/a key-direction 0' /etc/openvpn/server.conf \
		&& sed -i 's/;cipher AES-128-CBC/cipher AES-128-CBC/g' /etc/openvpn/server.conf \
		&& sed -i '/AES-128-CBC/a auth SHA256' /etc/openvpn/server.conf \
		&& sed -i 's/;user nobody/user nobody/g' /etc/openvpn/server.conf \
		&& sed -i 's/;group nogroup/group nogroup/g' /etc/openvpn/server.conf \
		&& sed -i 's/;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/g' /etc/openvpn/server.conf \
		&& sed -i 's/;push "dhcp-option DNS/push "dhcp-option DNS/g' /etc/openvpn/server.conf

RUN sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf 


RUN sed -i "1i# START OPENVPN RULES\n# NAT table rules\n*nat\n:POSTROUTING ACCEPT [0:0] \n# Allow traffic from OpenVPN client to $(ip route | grep default | awk -F ' ' '{print $5}')\n-A POSTROUTING -s 10.8.0.0/8 -o $(ip route | grep default | awk -F ' ' '{print $5}') -j MASQUERADE\nCOMMIT\n# END OPENVPN RULES\n" /etc/ufw/before.rules

RUN sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g' /etc/default/ufw

RUN mkdir -p ~/client-configs/files && chmod 700 ~/client-configs/files

RUN cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf

RUN sed -i "s/my-server-1/$(curl ipinfo.io/ip)/g" ~/client-configs/base.conf \
		&& sed -i 's/;user nobody/user nobody/g' ~/client-configs/base.conf \
		&& sed -i 's/;group nogroup/group nogroup/g' ~/client-configs/base.conf \
		&& sed -i "s/ca ca.crt/#ca ca.crt/g" ~/client-configs/base.conf \
		&& sed -i "s/cert client.crt/#cert client.crt/g" ~/client-configs/base.conf \
		&& sed -i "s/key client.key/#key client.key/g" ~/client-configs/base.conf \
		&& sed -i "/;cipher x/a cipher AES-128-CBC\nauth SHA256\nkey-direction 1" ~/client-configs/base.conf \
		&& echo -e "#script-security 2\n#up /etc/openvpn/update-resolv-conf\n#down /etc/openvpn/update-resolv-conf" >> ~/client-configs/base.conf

RUN echo -e '#!/bin/bash\n\n# First argument: Client identifier\n\nKEY_DIR=/root/openvpn-ca/keys\nOUTPUT_DIR=~/client-configs/files\nBASE_CONFIG=~/client-configs/base.conf\n\ncat ${BASE_CONFIG} \\\n    <(echo -e '\''<ca>'\'') \\\n    ${KEY_DIR}/ca.crt \\\n    <(echo -e '\''</ca>\n<cert>'\'') \\\n    ${KEY_DIR}/${1}.crt \\\n    <(echo -e '\''</cert>\n<key>'\'') \\\n    ${KEY_DIR}/${1}.key \\\n    <(echo -e '\''</key>\n<tls-auth>'\'') \\\n    ${KEY_DIR}/ta.key \\\n    <(echo -e '\''</tls-auth>'\'') \\\n    > ${OUTPUT_DIR}/${1}.ovpn\n' >> ~/client-configs/make_config.sh && chmod 700 ~/client-configs/make_config.sh

# PRIVILEDGE OPERATIONS

RUN echo -e '#!/bin/bash\nsysctl -p\nufw allow 1194/udp\nufw disable && ufw enable\n/etc/init.d/openvpn start' >> ~/initial_start.sh && chmod 755 ~/initial_start.sh

WORKDIR /root

ENTRYPOINT /etc/init.d/openvpn start && /bin/bash

Dockerfile representation of the following guide: https://www.digitalocean.com/community/tutorials/como-configurar-un-servidor-openvpn-en-ubuntu-16-04-es (spanish)