Introduction
Setting up a VPN server can feel daunting if you’re new to networking or containerization. However, running OpenVPN inside a Docker container offers a manageable and flexible way to create your own secure VPN service. This approach is especially useful if you want to isolate the VPN server environment, simplify deployment, or easily move your VPN setup between machines.
In this guide, we’ll walk through the process of running OpenVPN in Docker, starting from what the setup looks like and what you need, to detailed configuration and testing. Whether you’re a curious beginner or a general VPN user looking to self-host, this article will help you build a reliable OpenVPN server inside a Docker container. Later sections dive into technical details like control and data plane separation, TLS authentication, and network routing to help you understand and troubleshoot your setup.
This DIY guide explains how to run OpenVPN in a Docker container, with a practical setup path, validation steps, and the details needed to build it safely.
What You Are Building
At its core, OpenVPN is a software-based VPN server that creates encrypted tunnels for your internet traffic, allowing secure remote access or private networking. Running OpenVPN in Docker means packaging the OpenVPN server and its dependencies inside a lightweight container. This container runs isolated from your host system but shares the host’s network interfaces as configured.
Your Dockerized OpenVPN server will:
- Authenticate clients using TLS certificates.
- Encrypt and route VPN traffic securely over UDP or TCP.
- Manage client IP addressing and routing rules.
- Provide an easy way to start, stop, and update the VPN server.
This setup is ideal for home labs, small businesses, or anyone wanting a portable VPN server without installing OpenVPN directly on the host OS.
Prerequisites
Before you start, make sure you have the following:
- A Linux host with Docker installed and running. Docker Desktop on Windows or macOS runs containers inside a VM, which complicates the tun device and port publishing; a Linux host is the straightforward path.
- Basic familiarity with Docker commands and networking concepts.
- A public IP address or a domain name pointing to your server if you want remote access.
- At least one client device (laptop, phone) to connect to the VPN.
- OpenVPN configuration files or the ability to generate them (we’ll cover this).
All certificate work happens inside the container through EasyRSA, so no host-side openssl is required. docker-compose is optional but handy for keeping the run options (volume, port, capability) in a file instead of retyping them.
Step-by-Step Setup
1. Pull the OpenVPN Docker Image
The most widely used OpenVPN image is kylemanna/openvpn, which bundles EasyRSA for certificate management. Check its last build date on Docker Hub before relying on it, and pin a tag or digest rather than floating on latest: OpenVPN and OpenSSL fixes only reach your container through a rebuilt image.
docker pull kylemanna/openvpn
2. Initialize the PKI (Public Key Infrastructure)
The PKI handles the creation of your Certificate Authority (CA), server certificates, and client certificates. Run this command to create the necessary files:
docker run -v /path/to/ovpn-data:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://YOUR_SERVER_IP
docker run -v /path/to/ovpn-data:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki
Replace /path/to/ovpn-data with a persistent directory on your host (use an absolute path) and YOUR_SERVER_IP with the public IP or DNS name clients will dial. ovpn_initpki is interactive: it asks you to choose a CA passphrase and to confirm the CA's common name, then generates the server certificate, the Diffie-Hellman parameters (which takes a few minutes) and the tls-auth key. You will need the CA passphrase for every later client issuance or revocation, so store it in a password manager.
3. Start the OpenVPN Server Container
Run the container in detached mode, publishing the VPN port (default UDP 1194). Giving the container a name and a restart policy makes later log and exec commands simpler and brings the server back after a reboot:
docker run -v /path/to/ovpn-data:/etc/openvpn -d --name openvpn --restart unless-stopped -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
The --cap-add=NET_ADMIN flag lets the container create the tun device and install the routes and NAT rule the VPN needs. It is the only extra capability required, so do not reach for --privileged.
4. Generate Client Certificates
Create a client certificate and generate the .ovpn configuration file:
docker run -v /path/to/ovpn-data:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
docker run -v /path/to/ovpn-data:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
Replace CLIENTNAME with a name for the client device. It becomes both the certificate's common name and the file name, so use only letters, digits, dots, dashes and underscores. The nopass argument leaves the client's private key unencrypted inside the .ovpn; omit it if you want the client to be prompted for a passphrase on connect.
5. Connect Your Client
Import the CLIENTNAME.ovpn file into your OpenVPN client app (Windows, macOS, Linux, iOS, Android) and connect. The file embeds the CA certificate, the client certificate and private key, and the tls-auth key, so treat it as a credential: move it over a trusted channel (not unencrypted e-mail) and delete stray copies once it is imported.
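The five steps above, plus the revocation step needed later, as one runbook script. This is an added example written for this article, not a script shipped with the kylemanna/openvpn image; the endpoint vpn.example.com, the data path /srv/ovpn-data, the container name openvpn and the subcommand names (init, start, add, revoke) are assumptions you can override. It adds what the bare commands do not give you: a DRY_RUN mode that prints each docker command for review, validation of client names before they become file names and certificate subjects, and a revoke step that regenerates the CRL and publishes it where crl-verify can read it.

```shell
#!/bin/sh
# ovpnctl.sh: the setup steps above (plus revocation) as one script.
# Added example, not part of the kylemanna/openvpn image.
# Assumptions: OVPN_DATA is the persistent host directory, OVPN_ENDPOINT the
# public address clients dial, and the server container is named "openvpn".
# DRY_RUN=1 prints each docker command instead of executing it, so the runbook
# can be reviewed (or tested) on a machine without Docker.
set -eu

OVPN_DATA="${OVPN_DATA:-/srv/ovpn-data}"               # assumed path; replace
OVPN_IMAGE="${OVPN_IMAGE:-kylemanna/openvpn}"
OVPN_ENDPOINT="${OVPN_ENDPOINT:-udp://vpn.example.com}" # placeholder; replace
OVPN_PORT="${OVPN_PORT:-1194}"                          # host port to publish

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Client names become file names and certificate CNs; reject anything odd
# before it reaches easyrsa or a shell redirection.
valid_name() {
  case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
}

# Steps 1-2: fetch the image, write openvpn.conf, build CA/server cert/DH/ta.key.
init_server() {
  run docker pull "$OVPN_IMAGE"
  run docker run --rm -v "$OVPN_DATA:/etc/openvpn" "$OVPN_IMAGE" \
    ovpn_genconfig -u "$OVPN_ENDPOINT"
  # -it: ovpn_initpki prompts for the CA passphrase; keep the CA key protected.
  run docker run --rm -it -v "$OVPN_DATA:/etc/openvpn" "$OVPN_IMAGE" ovpn_initpki
}

# Step 3: run the server. A fixed name keeps later docker logs/exec calls simple.
start_server() {
  run docker run -d --name openvpn --restart unless-stopped \
    -v "$OVPN_DATA:/etc/openvpn" -p "$OVPN_PORT:1194/udp" \
    --cap-add=NET_ADMIN "$OVPN_IMAGE"
}

# Steps 4-5: issue a client cert and write NAME.ovpn into DIR (default: cwd).
# PROTECT_KEY=1 (default) prompts for a key passphrase; 0 passes nopass as the page does.
add_client() {
  name=${1:-}; outdir=${2:-.}
  valid_name "$name" || { echo "invalid client name: $name" >&2; return 1; }
  nopass=""; [ "${PROTECT_KEY:-1}" = 1 ] || nopass=nopass
  run docker run --rm -it -v "$OVPN_DATA:/etc/openvpn" "$OVPN_IMAGE" \
    easyrsa build-client-full "$name" $nopass
  run docker run --rm -v "$OVPN_DATA:/etc/openvpn" "$OVPN_IMAGE" \
    ovpn_getclient "$name" > "$outdir/$name.ovpn"
  chmod 600 "$outdir/$name.ovpn"   # the profile embeds the private key
}

# Revoke a client and publish the CRL where crl-verify expects it.
revoke_client() {
  name=${1:-}
  valid_name "$name" || { echo "invalid client name: $name" >&2; return 1; }
  run docker run --rm -it -v "$OVPN_DATA:/etc/openvpn" "$OVPN_IMAGE" easyrsa revoke "$name"
  run docker run --rm -it -v "$OVPN_DATA:/etc/openvpn" "$OVPN_IMAGE" easyrsa gen-crl
  # EasyRSA keeps pki/ private, but OpenVPN re-reads the CRL after dropping to
  # 'nobody', so copy it out with mode 644. Requires
  # "crl-verify /etc/openvpn/crl.pem" in openvpn.conf (assumed path).
  run docker run --rm -v "$OVPN_DATA:/etc/openvpn" "$OVPN_IMAGE" \
    sh -c 'cp /etc/openvpn/pki/crl.pem /etc/openvpn/crl.pem && chmod 644 /etc/openvpn/crl.pem'
}

main() {
  case "${1:-}" in
    init)   init_server ;;
    start)  start_server ;;
    add)    add_client "${2:-}" "${3:-.}" ;;
    revoke) revoke_client "${2:-}" ;;
    *) echo "usage: $0 init | start | add NAME [DIR] | revoke NAME" >&2; return 1 ;;
  esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Typical use is ./ovpnctl.sh init, then start, then add laptop ~/profiles for each device; DRY_RUN=1 ./ovpnctl.sh add laptop shows the exact commands first. The -it flags are only needed where a passphrase prompt appears, so drop them if you drive this from automation with a pre-set passphrase.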
Configuration Details
OpenVPN’s architecture separates the control plane and data plane:
- Control Plane: Manages authentication, authorization, and key exchange using TLS. This ensures only authorized clients connect.
- Data Plane: Handles the actual encrypted traffic flow through the VPN tunnel.
Running OpenVPN in Docker means the container manages both planes inside a controlled environment. The container’s network settings and capabilities (NET_ADMIN) allow it to create virtual network interfaces (tun devices) and route traffic.
OpenVPN normally runs over UDP port 1194, which avoids the TCP-in-TCP retransmission problem. It does not fall back to TCP automatically: to offer TCP you generate a config with -u tcp://... and publish 1194/tcp, and a client profile can list both remotes so the client tries the second when the first fails. The PKI, built with EasyRSA, authenticates both ends: the server presents a certificate the client verifies against the CA, and each client presents its own certificate that the server verifies the same way.
Validation and Testing
Once your server and client are configured:
- Test connectivity: connect the client and ping the server's tunnel address. With this image the default server network is 192.168.255.0/24, so the server answers on 192.168.255.1; the exact value is on the server line of openvpn.conf (the 10.8.0.1 seen in many OpenVPN tutorials comes from the upstream sample config, not this image).
- Check routing: Verify that internet traffic routes through the VPN by checking your public IP on the client.
- Inspect logs: run docker logs <container_id> (or the container name) to view OpenVPN server logs for errors and connection events; a healthy start ends with "Initialization Sequence Completed".
- Use diagnostic commands: inside the container (docker exec -it <container_id> sh), ip addr shows the tun0 interface and iptables -t nat -L -n shows the MASQUERADE rule that NATs client traffic out of the container.
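The log inspection step above tells you the server started; the status file OpenVPN keeps tells you who is connected right now. The following is an added example, not part of the page's commands or the kylemanna image: it parses that file and answers the questions a validation pass asks. It assumes openvpn.conf contains status /tmp/openvpn-status.log (the image's generated config writes there; adjust if yours differs) and that the container is named openvpn. The sample status text is constructed for the example, not captured from a real server.

```shell
#!/bin/sh
# Added example: list connected clients by parsing OpenVPN's status file.
# Assumptions: "status /tmp/openvpn-status.log" in openvpn.conf (the image's
# default) and a container named "openvpn".
set -eu

# Constructed sample in the default (version 1) status format, not real data.
SAMPLE_STATUS='OpenVPN CLIENT LIST
Updated,Mon Jan  1 10:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.10:41234,10240,20480,Mon Jan  1 09:55:00 2024
bob,198.51.100.7:55000,512,1024,Mon Jan  1 09:58:00 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.255.6,alice,203.0.113.10:41234,Mon Jan  1 09:59:59 2024
192.168.255.10,bob,198.51.100.7:55000,Mon Jan  1 09:59:58 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END'

# Read a status file on stdin; print "CN VIRTUAL_IP REAL_ADDRESS", one line per client.
# The ROUTING TABLE section is used because it carries the tunnel address.
connected_clients() {
  awk -F, '
    /^ROUTING TABLE/ { in_routes = 1; next }
    /^GLOBAL STATS/  { in_routes = 0 }
    in_routes && $1 != "Virtual Address" { print $2, $1, $3 }
  '
}

# Succeed (exit 0) only if common name $1 currently holds a tunnel address.
is_connected() {
  connected_clients | awk -v cn="$1" '$1 == cn { found = 1 } END { exit !found }'
}

# Print the CN of every client whose public source address does not start with
# prefix $1 (e.g. your office NAT range): a quick check for a shared or
# stolen profile being used from somewhere unexpected.
clients_outside() {
  connected_clients | awk -v pfx="$1" 'index($3, pfx) != 1 { print $1 }'
}

# Live usage (not run here):
#   docker exec openvpn cat /tmp/openvpn-status.log | connected_clients
#   docker exec openvpn cat /tmp/openvpn-status.log | is_connected alice && echo "alice is up"
#   docker exec openvpn cat /tmp/openvpn-status.log | clients_outside 203.0.113.

if [ "${1:-}" = --demo ]; then printf '%s\n' "$SAMPLE_STATUS" | connected_clients; fi
```

Running the file with --demo prints the two sample clients with their tunnel and source addresses. The CLIENT LIST section of the same file carries byte counters per client if you want to extend this into a bandwidth check.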
Common Mistakes
- Incorrect volume paths: the persistent volume /path/to/ovpn-data must be the same in every command, or the server will not find the certificates and configuration it created.
- Missing NET_ADMIN capability: without it the container cannot create tun devices or modify routes.
- Firewall blocking VPN port: Ensure UDP 1194 (or your chosen port) is open on your server firewall.
- Using TCP instead of UDP without reason: tunnelling TCP inside TCP lets the two retransmission timers interact, which degrades throughput badly on lossy links. Use UDP unless a firewall on the client side forces TCP.
- Not renewing certificates: EasyRSA issues certificates with a finite validity, and an expired client certificate fails the TLS handshake with a verification error in the server log. Track expiry dates (openssl x509 -enddate -noout -in pki/issued/NAME.crt) and reissue before they lapse.
Hardening Tips
- Pin the crypto explicitly rather than trusting defaults: check the generated openvpn.conf for cipher, auth and tls-version-min lines and set them to AES-256-GCM, SHA256 and 1.2. The image already generates a tls-auth key (ta.key) so the server drops packets not signed with it, which blunts port scanning and pre-authentication bugs. Remove comp-lzo if present: compressing attacker-influenced data inside the tunnel enables plaintext recovery (VORACLE).
- Revoke compromised or retired client certificates: easyrsa revoke NAME, then easyrsa gen-crl, and point crl-verify in openvpn.conf at a copy of the CRL that the unprivileged daemon user can read. Without crl-verify a revoked certificate still connects.
- Restrict the VPN port on the host firewall to the source ranges you expect, and keep every other port on the host closed to the internet.
- Rebuild or re-pull the image regularly so OpenVPN and OpenSSL fixes reach the container, and pin the tag you run so an update is a deliberate step.
- The sensitive material is the data volume, not environment variables: pki/private/ca.key can issue a certificate for anyone. Keep the host directory owned by root with pki/private unreadable by other users, back it up encrypted, and consider moving the CA key offline once initial issuance is done.
- Keep the user nobody and group nogroup lines in openvpn.conf so the daemon drops root after opening the tun device, and grant only --cap-add=NET_ADMIN; never run the container with --privileged.
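The config-level items in the list above (cipher and TLS version pinning, CRL checking, privilege drop, and removing compression) as a script that rewrites the generated openvpn.conf. This is an added example, not something the kylemanna image provides; the sample configuration it carries is constructed to resemble that image's output and is not copied from a real server, and the CRL path /etc/openvpn/crl.pem is an assumption that must match wherever you publish the CRL after easyrsa gen-crl.

```shell
#!/bin/sh
# Added example: post-process the generated openvpn.conf to pin hardening settings.
# Not part of the kylemanna image. Assumptions: the data volume is mounted at
# /etc/openvpn in the container, and an initial CRL has been published to
# /etc/openvpn/crl.pem (mode 644) before the server is restarted.
set -eu

# Constructed to resemble the image's generated config; not a real server's file.
SAMPLE_CONF='server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/vpn.example.com.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/vpn.example.com.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun
proto udp
port 1194
dev tun0
status /tmp/openvpn-status.log
user nobody
group nogroup
comp-lzo
push "dhcp-option DNS 8.8.8.8"'

# Read a server config on stdin, write the hardened version to stdout.
harden_conf() {
  # Drop compression (VORACLE-style plaintext recovery) and every directive we
  # are about to pin, so the appended block is authoritative and never duplicated.
  # grep exits 1 when nothing passes the filter, hence "|| true".
  grep -Ev '^(comp-lzo|compress|cipher|ncp-ciphers|auth|tls-version-min|remote-cert-tls|crl-verify|user|group)( |$)' || true
  cat <<'EOF'
# --- pinned by harden_conf ---
tls-version-min 1.2
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
remote-cert-tls client
crl-verify /etc/openvpn/crl.pem
user nobody
group nogroup
EOF
}
# remote-cert-tls client: refuse a peer whose certificate lacks the client EKU,
# so a leaked *server* certificate cannot be replayed as a client identity.

# Harden a config file in place, keeping a backup beside it.
harden_file() {
  cp "$1" "$1.bak"
  harden_conf < "$1.bak" > "$1"
}

if [ "${1:-}" = --demo ]; then printf '%s\n' "$SAMPLE_CONF" | harden_conf; fi
```

Apply it with harden_file /path/to/ovpn-data/openvpn.conf, restart the container, and confirm docker logs shows "Initialization Sequence Completed". Two caveats: publish an initial CRL (easyrsa gen-crl, copied to /etc/openvpn/crl.pem with mode 644) before enabling crl-verify, and check the .ovpn profiles you have already handed out, because a client that still carries comp-lzo will not talk to a server without it; remove the line from those profiles too. On OpenVPN 2.5 and later, ncp-ciphers is accepted as an alias of data-ciphers.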
Related Reading
Related protocol articles:
- OpenVPN Architecture Explained
- WireGuard vs OpenVPN Performance Benchmark
- OpenVPN Performance Optimization
Conclusion
Running OpenVPN in Docker is a practical way to deploy a secure VPN server with portability and ease of management. By following this guide, you can set up a robust VPN environment that isolates network functions inside a container, simplifies upgrades, and provides strong encryption and authentication.
Understanding the separation of control and data planes, certificate management, and Docker networking helps you troubleshoot and optimize your VPN server. With proper validation and hardening, your Dockerized OpenVPN server can serve as a reliable gateway for secure remote access.