1st - updated ciphers and some configuration

2026-02-04 01:10:22 -08:00 · 2025-08-26 16:41:44 +05:30 · 2025-08-26 16:41:44 +05:30 · f641e8574f
commit f641e8574f
parent 6bc113f4f9
5 changed files with 60 additions and 13 deletions
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -1,5 +1,12 @@
 version: '3'

+networks:
+  vpn-internal:
+    driver: bridge
+    ipam:
+      config:
+        - subnet: 172.18.0.0/16
+
 services:
  openvpn:
    build:
@ -8,17 +15,23 @@ services:
    image: openvpn:local
    command: /etc/openvpn/setup/configure.sh
    environment:
-      OVPN_SERVER_NET: "192.168.100.0"
+      OVPN_SERVER_NET: "10.8.0.0"
      OVPN_SERVER_MASK: "255.255.255.0"
      OVPN_PASSWD_AUTH: "true"
+      OVPN_CUSTOM_ROUTES: "172.18.0.0 255.255.0.0"
    cap_add:
      - NET_ADMIN
+    sysctls:
+      - net.ipv4.ip_forward=1
    ports:
-      - 7777:1194 # for openvpn
+      - 7777:1194/udp # Changed to UDP for better performance
      - 8080:8080 # for ovpn-admin because of network_mode
    volumes:
      - ./easyrsa_master:/etc/openvpn/easyrsa
      - ./ccd_master:/etc/openvpn/ccd
+    networks:
+      - vpn-internal
+
  ovpn-admin:
    build:
      context: .
@ -28,16 +41,25 @@ services:
    environment:
      OVPN_DEBUG: "true"
      OVPN_VERBOSE: "true"
-      OVPN_NETWORK: "192.168.100.0/24"
+      OVPN_NETWORK: "10.8.0.0/24"
      OVPN_CCD: "true"
      OVPN_CCD_PATH: "/mnt/ccd"
      EASYRSA_PATH: "/mnt/easyrsa"
-      OVPN_SERVER: "127.0.0.1:7777:tcp"
+      OVPN_SERVER: "13.127.115.63:7777:udp" # Changed to UDP
      OVPN_INDEX_PATH: "/mnt/easyrsa/pki/index.txt"
      OVPN_AUTH: "true"
+      OVPN_CIPHER: "AES-256-GCM"
      OVPN_AUTH_DB_PATH: "/mnt/easyrsa/pki/users.db"
      LOG_LEVEL: "debug"
    network_mode: service:openvpn
    volumes:
      - ./easyrsa_master:/mnt/easyrsa
      - ./ccd_master:/mnt/ccd
+
+  nginx:
+    image: nginx:alpine
+    container_name: vpn-nginx
+    networks:
+      vpn-internal:
+        ipv4_address: 172.18.0.10
+    restart: unless-stopped
--- a/setup/configure.sh
+++ b/setup/configure.sh
@ -4,10 +4,9 @@ set -ex
 EASY_RSA_LOC="/etc/openvpn/easyrsa"
 SERVER_CERT="${EASY_RSA_LOC}/pki/issued/server.crt"

-OVPN_SRV_NET=${OVPN_SERVER_NET:-172.16.100.0}
+OVPN_SRV_NET=${OVPN_SERVER_NET:-10.8.0.0}
 OVPN_SRV_MASK=${OVPN_SERVER_MASK:-255.255.255.0}

-
 cd $EASY_RSA_LOC

 if [ -e "$SERVER_CERT" ]; then
@ -34,6 +33,9 @@ easyrsa gen-crl
 iptables -t nat -D POSTROUTING -s ${OVPN_SRV_NET}/${OVPN_SRV_MASK} ! -d ${OVPN_SRV_NET}/${OVPN_SRV_MASK} -j MASQUERADE || true
 iptables -t nat -A POSTROUTING -s ${OVPN_SRV_NET}/${OVPN_SRV_MASK} ! -d ${OVPN_SRV_NET}/${OVPN_SRV_MASK} -j MASQUERADE

+# Fixed: Use environment variables instead of hardcoded values
+iptables -t nat -A POSTROUTING -s ${OVPN_SRV_NET}/${OVPN_SRV_MASK} -d 172.18.0.0/16 -j MASQUERADE
+
 mkdir -p /dev/net
 if [ ! -c /dev/net/tun ]; then
    mknod /dev/net/tun c 10 200
@ -41,6 +43,11 @@ fi

 cp -f /etc/openvpn/setup/openvpn.conf /etc/openvpn/openvpn.conf

+# Add custom routes if specified
+if [ ! -z "${OVPN_CUSTOM_ROUTES}" ]; then
+  echo 'push "route '${OVPN_CUSTOM_ROUTES}'"' >> /etc/openvpn/openvpn.conf
+fi
+
 if [ ${OVPN_PASSWD_AUTH} = "true" ]; then
  mkdir -p /etc/openvpn/scripts/
  cp -f /etc/openvpn/setup/auth.sh /etc/openvpn/scripts/auth.sh
@ -56,4 +63,5 @@ fi

 mkdir -p /etc/openvpn/ccd

-openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd --port 1194 --proto tcp --management 127.0.0.1 8989 --dev tun0 --server ${OVPN_SRV_NET} ${OVPN_SRV_MASK}
+# Fixed: Changed to UDP and use environment variables
+openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd --port 1194 --proto udp --management 127.0.0.1 8989 --dev tun0 --server ${OVPN_SRV_NET} ${OVPN_SRV_MASK}
--- a/setup/openvpn.conf
+++ b/setup/openvpn.conf
@ -8,7 +8,12 @@ dh /etc/openvpn/easyrsa/pki/dh.pem
 crl-verify /etc/openvpn/easyrsa/pki/crl.pem
 tls-auth /etc/openvpn/easyrsa/pki/ta.key
 key-direction 0
-cipher AES-128-CBC
+
+# Modern cipher configuration - UPDATED
+cipher AES-256-GCM
+data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC
+data-ciphers-fallback AES-128-CBC
+
 #management 127.0.0.1 8989
 keepalive 10 60
 persist-key
--- a/start.sh
+++ b/start.sh
@ -2,4 +2,4 @@

 # About 'docker compose' and 'docker-compose'
 # We are using Docker Compose in plugin mode with Docker. For more details, see: https://docs.docker.com/compose/install/linux/. If you need to use the standalone Docker Compose, you can modify the command `docker compose` to `docker-compose` accordingly.
-docker compose -p openvpn-master up -d --build
+docker compose -f docker-compose.yaml up -d --build
--- a/templates/client.conf.tpl
+++ b/templates/client.conf.tpl
@ -2,24 +2,36 @@
 remote {{ $server.Host }} {{ $server.Port }} {{ $server.Protocol }}
 {{- end }}

+# -- General Settings -- #
+
 verb 4
 client
 nobind
 dev tun
-cipher AES-128-CBC
+
+# -- Security & Encryption -- #
+
+cipher AES-256-GCM
 key-direction 1
-#redirect-gateway def1
 tls-client
 remote-cert-tls server
+
+# uncomment below line if want to redirect all trafic from vpn 
+# redirect-gateway def1  
+
+# -- DNS Handing -- #
+
 # uncomment below lines for use with linux
+
 #script-security 2
-# if you use resolved
 #up /etc/openvpn/update-resolv-conf
 #down /etc/openvpn/update-resolv-conf
+
 # if you use systemd-resolved first install openvpn-systemd-resolved package
 #up /etc/openvpn/update-systemd-resolved
 #down /etc/openvpn/update-systemd-resolved

+
 {{- if .PasswdAuth }}
 auth-user-pass
 {{- end }}