Skip to content
No description, website, or topics provided.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Create a VPN using for LDAP auth

Required Variables

  • BIND_PASSWORD -- your Foxpass binder password
  • CA_PEM -- CA cert (can also be mounted to /etc/openvpn/ca.pem)
  • DOMAIN -- your subdomain. e.g. "nytimes"
  • DH_PEM -- DH cert (can also be mounted to /etc/openvpn/dh.pem)
  • MGMTPASS -- openvpn management password (can also be mounted to /etc/openvpn/mgmtpass)
  • SERVER_KEY -- your private key (can also be mounted to /etc/openvpn/server.key)
  • SERVER_PEM -- your public cert (can also be mounted to /etc/openvpn/server.pem)

Optional Variables

  • BINDER_NAME -- Foxpass binder name (defaults to "openvpn")
  • BLOCK_PORTS -- Block outbound ports. e.g. BLOCK_PORTS="4646 5050"
  • CIPHER -- defaults to AES-256-CBC
  • DNS_1 -- primary DNS when PUSH_DNS is true (defaults to
  • DNS_2 -- secondary DNS when PUSH_DNS is true (defaults to
  • GROUP_FILTER -- restrict VPN access to an LDAP group
  • PROTO -- udp/tcp for VPN (defaults to "tcp")
  • PUSH_DNS -- should be we push DNS servers to clients? (defaults to true)
  • ROUTE_ALL_TRAFFIC -- should we route all traffic? (defaults to true)
  • ROUTE_SUBNET -- if not routing all traffic, what should we route (this must be set if ROUTE_ALL_TRAFFIC is not true)
  • ROUTE_SUBNET_2 -- an additional subnet to route through the tunnel
  • TLD -- top-level domain (defaults to "com")
  • VPN_NET -- the VPN subnet (defaults to, this should not overlap with ROUTE_SUBNET)


These examples assume that all files described above that can be host-mounted are host-mounted or added with a derivative Dockerfile.

Route all traffic.

docker run -d \
   -e BIND_PASSWORD="foobar" \
   -e DOMAIN="mydomain" \
   -p 1194:1194 \
   --cap-add NET_ADMIN \
   --device /dev/net/tun \

Route only the subnet through the VPN. Restrict to the "engineer" group.

docker run -d \
   -e BIND_PASSWORD="foobar" \
   -e DOMAIN="mydomain" \
   -e GROUP_FILTER="engineer" \
   -e PUSH_DNS="false" \
   -e ROUTE_ALL_TRAFFIC="false" \
   -e ROUTE_SUBNET="" \
   -p 1194:1194 \
   --cap-add NET_ADMIN \
   --device /dev/net/tun \
You can’t perform that action at this time.