Minimal and secure Alpine Linux based Docker image with OpenVPN client.
Tini is used by the container as an init process. It protects the system
from process table being filled up, which can prevent the system from spawning any
new processes, by reaping zombie processes.
In addtion to reaping zombies Tini also performs signal forwarding.
Container uses iptables to configure packet filtering rules in the Linux kernel
and therefore CAP_NET_ADMIN capability is required to run the container.
Outbound IPv4 network traffic is only allowed using the protocol, address(es) and port(s) defined in the OpenVPN configuration file. All outbound traffic that is routed through the VPN tunnel is allowed.
All IPv6 traffic is blocked.
Host user and group can be mapped to a container by defining HOST_UID and
HOST_GID environment variables. If the variables are left undefined the
container will execute its command with a random UID/GID combination.
To use this container on a host that has SELinux enabled use the provided
docker-openvpn.te policy module or create your own if it doesn't work. To
compile and install the policy module run the following commands.
$ checkmodule -M -m docker-openvpn.te -o /tmp/docker-openvpn.mod
$ semodule_package -m /tmp/docker-openvpn.mod -o /tmp/docker-openvpn.pp
# semodule -i /tmp/docker-openvpn.ppContainer is compatible with docker logs command although logging is disabled
by default if the container is started with docker-compose command. To find
out more about logging see the command reference.
To print out a trace of commands executed by container-entrypoint script,
set DEBUG environment variable to any non-null value.
This project is licensed under the MIT License.