├── .gitignore
├── sockd.sh
├── sockd.conf
├── start
├── Dockerfile
├── LICENSE
└── README.md

/.gitignore:
--------------------------------------------------------------------------------
*.ovpn

--------------------------------------------------------------------------------
/sockd.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Run by OpenVPN as its --up script once the tunnel interface is up (see the
# Dockerfile ENTRYPOINT); "$@" carries the interface name, MTU and addresses
# that OpenVPN passes to up scripts.
set -e
# Optional hook from the mounted config directory, e.g. update-resolv-conf saved
# as up.sh. It must be executable (the volume is mounted read-only) and, because
# of set -e, a failure here fails the whole up script, which OpenVPN treats as fatal.
[ -f /etc/openvpn/up.sh ] && /etc/openvpn/up.sh "$@"
# Start the Dante SOCKS server as a daemon (-D) so that this script returns to OpenVPN.
/usr/sbin/sockd -D

--------------------------------------------------------------------------------
/sockd.conf:
--------------------------------------------------------------------------------
logoutput: stderr

# Accept clients on the container's bridge interface; send their traffic out via the VPN tunnel.
internal: eth0 port = 1080
external: tun0

user.unprivileged: sockd

# No authentication at the client or SOCKS stage: anyone who can reach port 1080
# can relay to any destination through the tunnel. The port must therefore only be
# published on loopback (as `start` does) or otherwise firewalled.
socksmethod: none
clientmethod: none

client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: error
}

socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
}

--------------------------------------------------------------------------------
/start:
--------------------------------------------------------------------------------
#!/bin/sh
# Usage: start /your/openvpn/directory
# /dev/net/tun and CAP_NET_ADMIN are what OpenVPN needs to create and configure the
# tunnel interface. The SOCKS port is published on 127.0.0.1 only, because the proxy
# accepts unauthenticated clients. The configuration directory is mounted read-only.

exec docker run \
    --rm \
    --tty \
    --interactive \
    --device=/dev/net/tun \
    --name=openvpn-client \
    --cap-add=NET_ADMIN \
    --publish 127.0.0.1:1080:1080 \
    --volume "$(realpath "$1"):/etc/openvpn/:ro" \
    --sysctl net.ipv6.conf.all.disable_ipv6=0 \
    kizzx2/openvpn-client-socks

--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
# OpenVPN client + SOCKS proxy
# Usage:
#   Put your OpenVPN configuration (one .conf file, plus any certificate/key files it
#   references by relative path) in a directory and mount that directory at /etc/openvpn:
#   docker run --volume=/your/openvpn/directory:/etc/openvpn:ro --device=/dev/net/tun --cap-add=NET_ADMIN ...
#   Connect to (container):1080
# See `start` in this repo for the full command, including publishing the port on loopback only

FROM alpine

COPY sockd.sh /usr/local/bin/

# dante-server provides sockd; openresolv provides the resolvconf used by
# update-resolv-conf style up scripts. The base image tag is unpinned: pin an
# Alpine release for reproducible builds.
RUN true \
    && apk add --update-cache dante-server openvpn bash openresolv openrc \
    && rm -rf /var/cache/apk/* \
    && chmod a+x /usr/local/bin/sockd.sh \
    && true

COPY sockd.conf /etc/

# The *.conf glob is expanded by bash inside /etc/openvpn, so the mounted directory
# must contain exactly one .conf file (a .ovpn file is not matched).
# --script-security 2 allows the --up script to run; sockd.sh starts the SOCKS
# server once the tunnel is up.
ENTRYPOINT [ \
    "/bin/bash", "-c", \
    "cd /etc/openvpn && /usr/sbin/openvpn --config *.conf --script-security 2 --up /usr/local/bin/sockd.sh" \
]

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2016 Chris Yuen

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

===

The MIT License (MIT)

Copyright (c) 2016 Mook

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# OpenVPN-client

This is a docker image of an OpenVPN client tied to a SOCKS proxy server. It is
useful to isolate network changes (so the host is not affected by the modified
routing).

It supports directory-style configurations (where the certificates are separate files referenced from the `.conf` rather than bundled into one `.ovpn` file) and configurations that use `update-resolv-conf`.

(For the same thing in WireGuard, see [kizzx2/docker-wireguard-socks-proxy](https://github.com/kizzx2/docker-wireguard-socks-proxy))

## Why?

This is arguably the easiest way to achieve "app based" routing.
For example, you may only want certain applications to go through your OpenVPN tunnel while the rest of your system should go through the default gateway. You can also achieve "domain name based" routing by using a [PAC file](https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_(PAC)_file) that most browsers support.

## Usage

Preferably, using `start` in this repository:

```bash
start /your/openvpn/directory
```

`/your/openvpn/directory` should contain *one* OpenVPN `.conf` file. The entrypoint runs `openvpn --config *.conf`, so a `.ovpn` file is not picked up; rename it to `.conf`. The file can reference other certificate files or key files in the same directory by relative path, since only that directory is mounted into the container.

Alternatively, using `docker run` directly:

```bash
docker run -it --rm --device=/dev/net/tun --cap-add=NET_ADMIN \
    --name openvpn-client \
    --volume /your/openvpn/directory/:/etc/openvpn/:ro -p 127.0.0.1:1080:1080 \
    kizzx2/openvpn-client-socks
```

The proxy performs no authentication (`socksmethod: none` and `clientmethod: none` in `sockd.conf`) and relays to any destination, so publish the port on loopback as above, which is what `start` does. `-p 1080:1080` would bind it on every interface of the host and expose an open proxy into your VPN to anyone on the local network.

Then connect to the SOCKS proxy through `localhost:1080` / `local.docker:1080`. For example:

```bash
curl --proxy socks5h://local.docker:1080 ipinfo.io
```

Use the `socks5h://` scheme (rather than `socks5://`) so that DNS resolution also happens inside the container, through the tunnel; otherwise name lookups go out over the host's normal network.

## Solutions to Common Problems

### I'm getting `RTNETLINK answers: Permission denied`

Try adding `--sysctl net.ipv6.conf.all.disable_ipv6=0` to your docker command (`start` already passes it).

### DNS doesn't work

You can put an `update-resolv-conf` script as your `up` script. One simple way is to save [this file](https://gist.github.com/Ikke/3829134) as `up.sh` inside your OpenVPN configuration directory; `sockd.sh` runs it before starting the proxy, so it must be executable.

## HTTP Proxy

You can easily convert this to an HTTP proxy using [http-proxy-to-socks](https://github.com/oyyd/http-proxy-to-socks), e.g.

```bash
hpts -s 127.0.0.1:1080 -p 8080
```
--------------------------------------------------------------------------------
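## Preflight check (added example)

The requirements stated in the Usage and DNS sections (exactly one `.conf` file, referenced certificate/key files present beside it, an executable `up.sh`, and the SOCKS port published on loopback only) are easy to get wrong and only surface as an OpenVPN error inside the container. The script below turns them into a check you can run before `start`. It is an added example, not code from the kizzx2/openvpn-client-socks repository; it assumes the behaviour visible in the Dockerfile and `sockd.sh` (the entrypoint runs `openvpn --config *.conf` inside `/etc/openvpn`, and `sockd.sh` executes `/etc/openvpn/up.sh` directly if present). The file name `preflight.sh`, the function names and the paths in the usage line are my own placeholders.

```shell
#!/bin/sh
# preflight.sh: check an OpenVPN config directory and a docker --publish spec
# before running `start` / `docker run` for the OpenVPN + SOCKS image.
# Added example, not part of the kizzx2/openvpn-client-socks repository. It assumes
# the behaviour visible in the Dockerfile and sockd.sh: the entrypoint runs
# `openvpn --config *.conf` inside /etc/openvpn, and sockd.sh executes
# /etc/openvpn/up.sh directly if that file exists.
set -u

# check_config_dir DIR: returns 0 if DIR is usable by the image, 1 otherwise
# (reasons are printed to stderr).
check_config_dir() {
  dir=$1; n=0; conf=
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }

  # The entrypoint's bash glob only matches *.conf, so exactly one must exist;
  # a lone .ovpn file leaves the glob unexpanded and openvpn fails to start.
  for f in "$dir"/*.conf; do
    [ -e "$f" ] || continue
    n=$((n + 1)); conf=$f
  done
  if [ "$n" -ne 1 ]; then
    echo "expected exactly one *.conf in $dir, found $n (*.ovpn is ignored by the entrypoint)" >&2
    return 1
  fi

  # Only this directory is mounted into the container, so files the .conf references
  # by relative path must sit beside it. Absolute paths refer to the container's own
  # filesystem and are left alone; quoted paths are not parsed by this simple check.
  refs=$(grep -E '^(ca|cert|key|tls-auth|tls-crypt|auth-user-pass)[[:space:]]+' "$conf" || true)
  missing=$(printf '%s\n' "$refs" | while read -r directive path rest; do
    [ -n "$path" ] || continue
    case $path in /*) continue ;; esac
    [ -e "$dir/$path" ] || echo "$directive references missing file: $path"
  done) || true
  if [ -n "$missing" ]; then
    echo "$missing" >&2
    return 1
  fi

  # sockd.sh runs up.sh directly under set -e and the volume is read-only, so a
  # non-executable up.sh fails the --up script, which OpenVPN treats as fatal.
  if [ -e "$dir/up.sh" ] && [ ! -x "$dir/up.sh" ]; then
    echo "$dir/up.sh exists but is not executable (chmod +x it)" >&2
    return 1
  fi
  return 0
}

# check_publish_spec SPEC: returns 0 if a docker --publish/-p spec binds the SOCKS
# port to the IPv4 loopback address (the form `start` uses), 1 if it would expose
# the unauthenticated proxy on every host interface, e.g. "1080:1080".
check_publish_spec() {
  case $1 in
    127.*:*:*) return 0 ;;
    *) echo "publish spec '$1' is not bound to 127.0.0.0/8; the proxy has no authentication" >&2
       return 1 ;;
  esac
}

# Usage: sh preflight.sh /your/openvpn/directory [host:port:port]
if [ "$#" -gt 0 ]; then
  check_config_dir "$1" && check_publish_spec "${2:-127.0.0.1:1080:1080}" && echo "preflight OK"
fi
```

Run it as `sh preflight.sh /your/openvpn/directory` before `start`; pass a second argument (the exact `-p` value you intend to use) when you run `docker run` by hand, so that an all-interfaces binding is caught before the open proxy is reachable from the network.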