Merge f641e8574facf5cb3e6d1c524825d6d708ef07d0 into 6bc113f4f95fb5a04038d6c782e12a503aa1149e

docker-compose.yaml

@@ -1,5 +1,12 @@
 version: '3'
 
+networks:
+  vpn-internal:
+    driver: bridge
+    ipam:
+      config:
+        - subnet: 172.18.0.0/16
+
 services:
   openvpn:
     build:
@@ -8,17 +15,23 @@ services:
     image: openvpn:local
     command: /etc/openvpn/setup/configure.sh
     environment:
-      OVPN_SERVER_NET: "192.168.100.0"
+      OVPN_SERVER_NET: "10.8.0.0"
       OVPN_SERVER_MASK: "255.255.255.0"
       OVPN_PASSWD_AUTH: "true"
+      OVPN_CUSTOM_ROUTES: "172.18.0.0 255.255.0.0"
     cap_add:
       - NET_ADMIN
+    sysctls:
+      - net.ipv4.ip_forward=1
     ports:
-      - 7777:1194 # for openvpn
+      - 7777:1194/udp # Changed to UDP for better performance
       - 8080:8080 # for ovpn-admin because of network_mode
     volumes:
       - ./easyrsa_master:/etc/openvpn/easyrsa
       - ./ccd_master:/etc/openvpn/ccd
+    networks:
+      - vpn-internal
+
   ovpn-admin:
     build:
       context: .
@@ -28,16 +41,25 @@ services:
     environment:
       OVPN_DEBUG: "true"
       OVPN_VERBOSE: "true"
-      OVPN_NETWORK: "192.168.100.0/24"
+      OVPN_NETWORK: "10.8.0.0/24"
       OVPN_CCD: "true"
       OVPN_CCD_PATH: "/mnt/ccd"
       EASYRSA_PATH: "/mnt/easyrsa"
-      OVPN_SERVER: "127.0.0.1:7777:tcp"
+      OVPN_SERVER: "13.127.115.63:7777:udp" # Changed to UDP
       OVPN_INDEX_PATH: "/mnt/easyrsa/pki/index.txt"
       OVPN_AUTH: "true"
+      OVPN_CIPHER: "AES-256-GCM"
       OVPN_AUTH_DB_PATH: "/mnt/easyrsa/pki/users.db"
       LOG_LEVEL: "debug"
     network_mode: service:openvpn
     volumes:
       - ./easyrsa_master:/mnt/easyrsa
       - ./ccd_master:/mnt/ccd
+
+  nginx:
+    image: nginx:alpine
+    container_name: vpn-nginx
+    networks:
+      vpn-internal:
+        ipv4_address: 172.18.0.10
+    restart: unless-stopped

setup/configure.sh

@@ -4,10 +4,9 @@ set -ex
 EASY_RSA_LOC="/etc/openvpn/easyrsa"
 SERVER_CERT="${EASY_RSA_LOC}/pki/issued/server.crt"
 
-OVPN_SRV_NET=${OVPN_SERVER_NET:-172.16.100.0}
+OVPN_SRV_NET=${OVPN_SERVER_NET:-10.8.0.0}
 OVPN_SRV_MASK=${OVPN_SERVER_MASK:-255.255.255.0}
 
-
 cd $EASY_RSA_LOC
 
 if [ -e "$SERVER_CERT" ]; then
@@ -34,6 +33,9 @@ easyrsa gen-crl
 iptables -t nat -D POSTROUTING -s ${OVPN_SRV_NET}/${OVPN_SRV_MASK} ! -d ${OVPN_SRV_NET}/${OVPN_SRV_MASK} -j MASQUERADE || true
 iptables -t nat -A POSTROUTING -s ${OVPN_SRV_NET}/${OVPN_SRV_MASK} ! -d ${OVPN_SRV_NET}/${OVPN_SRV_MASK} -j MASQUERADE
 
+# Fixed: Use environment variables instead of hardcoded values
+iptables -t nat -A POSTROUTING -s ${OVPN_SRV_NET}/${OVPN_SRV_MASK} -d 172.18.0.0/16 -j MASQUERADE
+
 mkdir -p /dev/net
 if [ ! -c /dev/net/tun ]; then
     mknod /dev/net/tun c 10 200
@@ -41,6 +43,11 @@ fi
 
 cp -f /etc/openvpn/setup/openvpn.conf /etc/openvpn/openvpn.conf
 
+# Add custom routes if specified
+if [ ! -z "${OVPN_CUSTOM_ROUTES}" ]; then
+  echo 'push "route '${OVPN_CUSTOM_ROUTES}'"' >> /etc/openvpn/openvpn.conf
+fi
+
 if [ ${OVPN_PASSWD_AUTH} = "true" ]; then
   mkdir -p /etc/openvpn/scripts/
   cp -f /etc/openvpn/setup/auth.sh /etc/openvpn/scripts/auth.sh
@@ -56,4 +63,5 @@ fi
 
 mkdir -p /etc/openvpn/ccd
 
-openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd --port 1194 --proto tcp --management 127.0.0.1 8989 --dev tun0 --server ${OVPN_SRV_NET} ${OVPN_SRV_MASK}
+# Fixed: Changed to UDP and use environment variables
+openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd --port 1194 --proto udp --management 127.0.0.1 8989 --dev tun0 --server ${OVPN_SRV_NET} ${OVPN_SRV_MASK}

setup/openvpn.conf

@@ -8,7 +8,12 @@ dh /etc/openvpn/easyrsa/pki/dh.pem
 crl-verify /etc/openvpn/easyrsa/pki/crl.pem
 tls-auth /etc/openvpn/easyrsa/pki/ta.key
 key-direction 0
-cipher AES-128-CBC
+
+# Modern cipher configuration - UPDATED
+cipher AES-256-GCM
+data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC
+data-ciphers-fallback AES-128-CBC
+
 #management 127.0.0.1 8989
 keepalive 10 60
 persist-key
@@ -23,4 +28,4 @@ user nobody
 group nogroup
 push "topology subnet"
 push "route-metric 9999"
-push "dhcp-option DNS 1.1.1.1"
+push "dhcp-option DNS 1.1.1.1"

start.sh

@@ -2,4 +2,4 @@
 
 # About 'docker compose' and 'docker-compose'
 # We are using Docker Compose in plugin mode with Docker. For more details, see: https://docs.docker.com/compose/install/linux/. If you need to use the standalone Docker Compose, you can modify the command `docker compose` to `docker-compose` accordingly.
-docker compose -p openvpn-master up -d --build
+docker compose -f docker-compose.yaml up -d --build

templates/client.conf.tpl

@@ -2,24 +2,36 @@
 remote {{ $server.Host }} {{ $server.Port }} {{ $server.Protocol }}
 {{- end }}
 
+# -- General Settings -- #
+
 verb 4
 client
 nobind
 dev tun
-cipher AES-128-CBC
+
+# -- Security & Encryption -- #
+
+cipher AES-256-GCM
 key-direction 1
-#redirect-gateway def1
 tls-client
 remote-cert-tls server
+
+# uncomment below line if want to redirect all trafic from vpn 
+# redirect-gateway def1  
+
+# -- DNS Handing -- #
+
 # uncomment below lines for use with linux
+
 #script-security 2
-# if you use resolved
 #up /etc/openvpn/update-resolv-conf
 #down /etc/openvpn/update-resolv-conf
+
 # if you use systemd-resolved first install openvpn-systemd-resolved package
 #up /etc/openvpn/update-systemd-resolved
 #down /etc/openvpn/update-systemd-resolved
 
+
 {{- if .PasswdAuth }}
 auth-user-pass
 {{- end }}