Docker Nordvpn

2018-09-11 2021-04-05 /

Hi, I've been working on a small project to let my containers connect to NordVPN. This by using OpenVPN in a container that connects to NordVPN. Thanks to Docker networking, you can connect other container(s) to that container to use that network. Some features that this image will provide: - Connects to the recommended server for you!

  • It is possible to use the NordVPN Linux CLI app within a Docker container. In order to do that, you have to use the following NordVPN Dockerfile configuration to set up your Docker container.
  • NORDVPN The update script is based on the NordVPN API. The API sends back the best recommended OpenVPN configuration file based on the filters given. Available ENV variables in the container to define via the NordVPN API the file to use are.

I’ve worked with both ExpressVPN and NordVPN. Both are great services but, from my perspective, have one major shortcoming: they’re currently blocked by Amazon Web Services (AWS). When using either of them you are simply not able to access any of the AWS services.

The most common scenario in which I’d be using a VPN is if I’m on a restrictive network where I’m only able to access web sites. Typically just ports 80, 8080 and 443 are open. Forget about SSH (port 22), SMTP (ports 25, 465 and 587) or NTP (port 123). I want to be able to connect by SSH to my AWS servers, send mail over SMTP and synchronise my clock. The latter items are normally possible over commercial VPN providers (like ExpressVPN and NordVPN) but not being able to connect to AWS is a deal breaker.

Luckily there is a simple solution: run your own VPN server. Using a low end cloud instance on AWS or DigitalOcean (costing $5 or less per month) this is eminently plausible.

Launch a Cloud Server

Obviously this step needs to be done before you actually need the VPN! Spin up a minimal Ubuntu server on the cloud service of your choice (we’ll be using AWS for illustration).

Open ports 1194 (UDP) and 443 (TCP) on the server.

Make an SSH connection to the remote server (assuming that port 22 is open by default!). The instructions which follow should all be executed on the remote server.

Preliminaries

We’re going to need Docker, so install it now! We’ll be using the kylemanna/openvpn Docker image (source repository is here). Start by pulling the image.

The VPN configuration and certificates will be stored in a Docker volume. Create that now.

You can check the contents of this volume using the following:

Grab the (public) DNS name for the server and stash it in a shell variable.

To reduce the volume of logging information it can be handy to include the --log-driver=none option with the following invocations of docker.

UDP

First we’ll set up a VPN operating over UDP on port 1194. From a bandwidth perspective this is efficient, but this port may well be closed (in which case see the TCP option below).

Generate the OpenVPN configuration.


Initialise the EasyRSA Public Key Infrastructure (PKI).

Enter and verify a suitable private key (PEM) pass phrase when prompted. At the prompt for a Common Name, just accept the default. Boil the kettle. Enter the pass phrase when prompted. And again.

Now launch the OpenVPN daemon process.

TCP

Execute the commands below for a VPN over TCP on port 443 (this is the port for HTTPS, so is almost definitely going to be open, no matter how repressive the network!).

Launch the daemon.

User and Configuration

Regardless of whether you are creating a VPN over TCP or UDP, you now need to create the configuration file which will be used with the openvpn client on your local machine.

Let’s set up a key for Alice.

Enter the pass phrase when prompted.


How about a key for another user, Bob?

We didn’t specify the nopass option for Bob, so he’ll need to provide a password every time that he connects. This is probably a good idea!

Now disconnect from the server.
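The server-side steps above, collected into one script as an added example; it is not the original post's code. The commands follow the kylemanna/openvpn image's documented quick start, and the volume name `ovpn-data`, the host `vpn.example.com` and the `APPLY` switch are assumptions.

```shell
#!/bin/sh
# Added example: server-side setup for the kylemanna/openvpn image.
# Assumptions: volume name, VPN_HOST placeholder, and the APPLY switch.
# Each command is printed to stderr; it is executed only when APPLY=1.
OVPN_DATA="${OVPN_DATA:-ovpn-data}"
VPN_HOST="${VPN_HOST:-vpn.example.com}"   # placeholder for the server's public DNS name
IMAGE="kylemanna/openvpn"

run() {
    echo "+ $*" >&2
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# in_volume ARGS...: one-off container with the config volume mounted.
in_volume() {
    run docker run -v "$OVPN_DATA:/etc/openvpn" --log-driver=none --rm "$@"
}

# endpoint udp|tcp -> "server-url|port-mapping"
endpoint() {
    case "$1" in
        udp) echo "udp://$VPN_HOST|1194:1194/udp" ;;
        tcp) echo "tcp://$VPN_HOST:443|443:1194/tcp" ;;   # HTTPS port outside, OpenVPN inside
        *)   echo "unknown protocol: $1" >&2; return 1 ;;
    esac
}

setup_server() {
    ep=$(endpoint "$1") || return 1
    run docker pull "$IMAGE"
    run docker volume create --name "$OVPN_DATA"
    in_volume "$IMAGE" ovpn_genconfig -u "${ep%%|*}"
    in_volume -it "$IMAGE" ovpn_initpki              # prompts for the CA pass phrase
    run docker run -v "$OVPN_DATA:/etc/openvpn" -d -p "${ep##*|}" --cap-add=NET_ADMIN "$IMAGE"
}

# add_client NAME [nopass]: without "nopass" the client key is pass-phrase protected.
add_client() {
    in_volume -it "$IMAGE" easyrsa build-client-full "$1" ${2:+"$2"}
    # The .ovpn embeds the client's private key, so create it owner-readable only.
    if [ "${APPLY:-0}" = "1" ]; then
        ( umask 077; in_volume "$IMAGE" ovpn_getclient "$1" > "$1.ovpn" )
    else
        in_volume "$IMAGE" ovpn_getclient "$1"
    fi
}

setup_server "${1:-udp}" && add_client alice nopass && add_client bob
```

Run it with `tcp` as the first argument for the port 443 variant, and with `APPLY=1` once the printed commands look right.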


Connecting

Now, back on your local machine use SFTP or SCP to get a local copy of the .ovpn file from the server.


Install OpenVPN.


Connect to the VPN.

If everything goes well then you should see “Initialization Sequence Completed”. Confirm that your effective IP address is now that of the VPN server. Enjoy!

Network -> VPN and also in the top panel which lists users, battery, etc: `sudo nmcli connection import type openvpn file CLIENTNAME.ovpn`

Conclusion

This setup is simple and cost effective. Typically I’ll only need a VPN for a few days in succession, so it’s very convenient that I can literally spin up a VPN when I know that I’m going to need it, then take it down when I’m done. No long term commitment. No hassles accessing any port or protocol I need.

This is a list of providers that are currently usable with the image (*TODO update with latest list). Feel free to create an issue at the NEW provider repo: https://github.com/haugene/vpn-configs-contrib if your provider is not on the list, but keep in mind that some providers generate config files per user. This means that your login credentials are part of the config and can therefore not be bundled. In this case you can use the custom provider setup described later in this readme. The custom provider setting can be used with any provider.

| Provider Name | Config Value (OPENVPN_PROVIDER) |
| --- | --- |
| Anonine | ANONINE |
| AnonVPN | ANONVPN |
| BlackVPN | BLACKVPN |
| BTGuard | BTGUARD |
| Cryptostorm | CRYPTOSTORM |
| ExpressVPN | EXPRESSVPN |
| FastestVPN | FASTESTVPN |
| FreeVPN | FREEVPN |
| FrootVPN | FROOT |
| FrostVPN | FROSTVPN |
| GhostPath | GHOSTPATH |
| Giganews | GIGANEWS |
| HideMe | HIDEME |
| HideMyAss | HIDEMYASS |
| IntegrityVPN | INTEGRITYVPN |
| IPVanish | IPVANISH |
| IronSocket | IRONSOCKET |
| Ivacy | IVACY |
| IVPN | IVPN |
| Mullvad | MULLVAD |
| NordVPN | NORDVPN |
| OctaneVPN | OCTANEVPN |
| OVPN | OVPN |
| Private Internet Access | PIA |
| Privado | PRIVADO |
| PrivateVPN | PRIVATEVPN |
| ProtonVPN | PROTONVPN |
| proXPN | PROXPN |
| PureVPN | PUREVPN |
| RA4W VPN | RA4W |
| SaferVPN | SAFERVPN |
| SlickVPN | SLICKVPN |
| Smart DNS Proxy | SMARTDNSPROXY |
| SmartVPN | SMARTVPN |
| Surfshark | SURFSHARK |
| TigerVPN | TIGER |
| TorGuard | TORGUARD |
| Trust.Zone | TRUSTZONE |
| TunnelBear | TUNNELBEAR |
| VPNArea.com | VPNAREA |
| VPNBook.com | VPNBOOK |
| VPNFacile | VPNFACILE |
| VPNTunnel | VPNTUNNEL |
| VPNUnlimited | VPNUNLIMITED |
| VPN.AC | VPNAC |
| VPN.ht | VPNHT |
| VyprVpn | VYPRVPN |
| Windscribe | WINDSCRIBE |
| ZoogVPN | ZOOGVPN |

Adding new providers

If your VPN provider is not in the list of supported providers you could always create an issue on GitHub at our dedicated provider repo: https://github.com/haugene/vpn-configs-contrib and see if someone could add it for you. But if you're feeling up for doing it yourself, here's a couple of pointers.

(*TODO this section will need quite a bit of updates once the split is released) You clone this repository and create a new folder under 'openvpn' where you put the .ovpn files your provider gives you. Depending on the structure of these files you need to make some adjustments. For example, if they come with a ca.crt file that is referenced in the config, you need to update this reference to the path it will have inside the container (which is /etc/openvpn/...). You also have to set where to look for your username/password.

There is a script called adjustConfigs.sh that could help you. After putting your .ovpn files in a folder, run that script with your folder name as parameter and it will try to make the changes described above. Whether you use it or not, reading it might give you some help in what you're looking to change in the .ovpn files.

Once you've finished modifying configs, you build the container and run it with OPENVPN_PROVIDER set to the name of the folder of configs you just created (it will be lowercased to match the folder names). And that should be it!

So, you've just added your own provider and you're feeling pretty good about it! Why don't you fork this repository, commit and push your changes and submit a pull request? Share your provider with the rest of us! :) Please submit your PR to the dev branch in that case.

Using a custom provider

If you want to run the image with your own provider without building a new image, that is also possible. For some providers, like AirVPN, the .ovpn files are generated per user and contain credentials. They should not be added to a public image. This is what you do:

Add a new volume mount to your docker run command that mounts your config file: `-v /path/to/your/config.ovpn:/etc/openvpn/custom/default.ovpn`

Then you can set `OPENVPN_PROVIDER=CUSTOM` and the container will use the config you provided.

NOTE: Your .ovpn config file probably contains a line that says `auth-user-pass`. This will prompt OpenVPN to ask for the username and password. As this is running in a scripted environment, that is not possible. Change it to `auth-user-pass /config/openvpn-credentials.txt`, which is the file where your OPENVPN_USERNAME and OPENVPN_PASSWORD variables will be written to.


If you are using AirVPN or another provider with credentials in the config file, you still need to set OPENVPN_USERNAME and OPENVPN_PASSWORD as this is required by the startup script. They will not be read by the .ovpn file, so you can set them to whatever.

Note that you still need to modify your .ovpn file as described in the previous section. If you have a separate ca.crt, client.key or client.crt file, your volume mount should be a folder containing both the ca.crt and the .ovpn config.

Mount the folder containing all the required files instead of the openvpn.ovpn file: `-v /path/to/your/config/:/etc/openvpn/custom/`

Additionally, the .ovpn config should include the full path on the docker container to the ca.crt and additional files: `ca /etc/openvpn/custom/ca.crt`


If the `-e OPENVPN_CONFIG=` variable has been omitted from the docker run command, the .ovpn config file must be named default.ovpn. If `-e OPENVPN_CONFIG=` is used with the custom provider, the .ovpn config and variable must match as described above.
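The .ovpn changes this section describes for a custom provider, as an added example; it is not the project's adjustConfigs.sh. The two paths come from the text above, while the helper `is_per_user_config` and the sample config are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not the project's adjustConfigs.sh.
# Paths are the ones the README text gives for the custom provider.
CUSTOM_DIR=/etc/openvpn/custom
CREDS=/config/openvpn-credentials.txt

# adjust_ovpn IN OUT: strip CRs, point auth-user-pass at the credentials file,
# and make relative ca/cert/key paths absolute inside the container.
adjust_ovpn() {
    tr -d '\r' < "$1" | sed -E \
        -e "s,^[[:space:]]*auth-user-pass([[:space:]].*)?\$,auth-user-pass $CREDS," \
        -e "s,^[[:space:]]*(ca|cert|key)[[:space:]]+([^/[:space:]][^[:space:]]*)[[:space:]]*\$,\1 $CUSTOM_DIR/\2," \
        > "$2"
}

# is_per_user_config FILE (hypothetical helper): true when the file embeds a
# private key, so it must be mounted at run time and never built into an image.
is_per_user_config() {
    grep -Eq '^[[:space:]]*<key>|BEGIN [A-Z ]*PRIVATE KEY' "$1"
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample config with Windows line endings.
    printf '%s\r\n' 'client' 'remote vpn.example.net 1194 udp' \
        'auth-user-pass' 'ca ca.crt' 'cert /etc/openvpn/custom/client.crt' \
        > "$tmp/provider.ovpn"
    adjust_ovpn "$tmp/provider.ovpn" "$tmp/default.ovpn"
    cat "$tmp/default.ovpn"
    rm -rf "$tmp"
}
demo
```

Lines that already carry an absolute path, and directives such as `auth-user-pass-verify`, are left untouched.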