Gluetun: Route Docker Containers Through a VPN, Disconnect on No Network

Gluetun

OpenVPN

```yaml
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    volumes:
      - /home/user/gluetun:/gluetun
    environment:
      # Fill in based on your VPN provider's OpenVPN config
      - VPN_SERVICE_PROVIDER=protonvpn
      - VPN_TYPE=openvpn
      - OPENVPN_USER=        # OpenVPN username
      - OPENVPN_PASSWORD=    # OpenVPN password
      - SERVER_COUNTRIES=United Kingdom # Set server country, separated by commas
    networks: # (Optional) fixed IP for the Gluetun container
      network:
        ipv4_address: 172.27.0.5

networks: # (Optional) fixed IP for the Gluetun container
  network:
    driver: bridge
    ipam:
      config:
        - subnet: 172.27.0.0/16
          gateway: 172.27.0.1 # must differ from the container's fixed address
```

WireGuard

```yaml
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    volumes:
      - /home/user/gluetun:/gluetun
    environment:
      # Fill in based on your VPN provider's WireGuard config
      - VPN_SERVICE_PROVIDER=protonvpn
      - VPN_TYPE=wireguard
      - WIREGUARD_PRESHARED_KEY=  # Preshared key
      - WIREGUARD_PRIVATE_KEY=    # Private key
      - WIREGUARD_ADDRESSES=      # Set IPv4 and IPv6 addresses, separated by commas
      - SERVER_COUNTRIES=United Kingdom # Set server country, separated by commas
    networks: # (Optional) fixed IP for the Gluetun container
      network:
        ipv4_address: 172.27.0.5

networks: # (Optional) fixed IP for the Gluetun container
  network:
    driver: bridge
    ipam:
      config:
        - subnet: 172.27.0.0/16
          gateway: 172.27.0.1 # must differ from the container's fixed address
```

Let containers use Gluetun's VPN connection

1. If the service and Gluetun are in the same docker-compose file, add network_mode: "service:gluetun" to the service.
2. If the service is in a different docker-compose file from Gluetun, add network_mode: "container:gluetun" instead.
3. Open Gluetun's docker-compose file and re-add the service ports you need there (e.g. 8080): a container that shares Gluetun's network namespace cannot publish its own ports.
4. Start Gluetun first, then start the services that should use Gluetun's VPN connection.
5. The container's public IP should match the VPN server you selected.
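A small egress check for the last step, added here as an example (not from the Gluetun project or the original post); it assumes docker and wget on the host, a running gluetun container, and https://ipinfo.io as the IP lookup service:

```sh
#!/bin/sh
# Added example (not part of the original page): check that a container routed
# through Gluetun egresses via the VPN server's public IP, not the host's.
set -eu

# Returns 0 when the address is loopback, link-local or RFC 1918 private,
# i.e. not a real public egress address.
is_private_ip() {
  case "$1" in
    10.*|127.*|192.168.*|169.254.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_egress HOST_IP VPN_IP
# Prints a verdict; returns 0 only when VPN_IP is a public address that
# differs from the host's own egress IP. An empty VPN_IP means the lookup
# got no answer, which is what Gluetun's firewall produces while the VPN
# is down (traffic is dropped rather than leaked).
check_egress() {
  host_ip=$1
  vpn_ip=$2
  if [ -z "$vpn_ip" ]; then
    echo "BLOCKED: no egress at all (VPN down, Gluetun firewall dropping traffic)"
    return 2
  fi
  if is_private_ip "$vpn_ip"; then
    echo "FAIL: $vpn_ip is not a public address"
    return 3
  fi
  if [ "$vpn_ip" = "$host_ip" ]; then
    echo "LEAK: container egresses via the host's IP $host_ip"
    return 1
  fi
  echo "OK: container egress $vpn_ip differs from host egress $host_ip"
  return 0
}

# Live mode (assumptions: docker on PATH, gluetun container running, and
# https://ipinfo.io reachable). A throwaway alpine container shares
# gluetun's network namespace, so its view of the internet is the VPN's.
if [ "${1:-}" = "--live" ]; then
  host_ip=$(wget -qO- https://ipinfo.io/ip)
  vpn_ip=$(docker run --rm --network=container:gluetun alpine \
             wget -qO- https://ipinfo.io/ip 2>/dev/null || true)
  check_egress "$host_ip" "$vpn_ip"
fi
```

Run it with `--live` after Gluetun and the dependent containers are up; stopping the VPN should turn the verdict into BLOCKED, never into LEAK.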

Deploying OpenVPN with AD domain authentication

OpenVPN + PAM + SSSD + Active Directory

References:
https://computingforgeeks.com/install-and-configure-openvpn-server-on-rhel-centos-8/
https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8
https://medium.com/jerrynotes/linux-authentication-windows-ad-without-join-domain-7963c3fd44c5

Install OpenVPN, the LDAP auth plugin and easy-rsa:

```sh
# Install OpenVPN
yum install -y openvpn
yum install -y openssl openssl-devel
yum install -y lzo lzo-devel
yum install -y libgcrypt libgpg-error libgcrypt-devel

# Install OpenVPN auth plugin
yum install -y openvpn-auth-ldap

# Install easy-rsa
# Since openvpn 2.3 removed easy-rsa from the package, install it separately.
yum install -y easy-rsa
cp -rf /usr/share/easy-rsa/2.0 /etc/openvpn/
```

Generate OpenVPN keys and certificates. Edit the parameters in `/opt/openvpn/etc/easy-rsa/2.0/vars`:

```sh
export KEY_COUNTRY="CN"             # Country
export KEY_PROVINCE="ZJ"            # Province
export KEY_CITY="NingBo"            # City
export KEY_ORG="TEST-VPN"           # Organization
export KEY_EMAIL="81367070@qq.com"  # Email
export KEY_OU="baidu"               # Unit
```

Then build the CA, DH parameters, server key and a client key:

```sh
source vars
./clean-all
./build-ca
./build-dh
./build-key-server server
./build-key client1
```

Edit the OpenVPN server config, `/etc/openvpn/server.conf`:

```
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key   # This file should be kept secret
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0          # client IP pool
push "route 192.168.1.0 255.255.255.0" # push route to clients
push "redirect-gateway"                # change client gateway to route VPN traffic
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
client-cert-not-required   # deprecated since OpenVPN 2.4; newer versions use "verify-client-cert none"
username-as-common-name
log /var/log/openvpn.log
```

Edit the openvpn-auth-ldap config, `/etc/openvpn/auth/ldap.conf`:

```
# /etc/openvpn/auth/ldap.conf
<LDAP>
  # LDAP server URL
  # Change to the AD server IP
  URL ldap://172.16.76.238:389

  # Bind DN (if your LDAP server doesn't support anonymous binds)
  # BindDN uid=Manager,ou=People,dc=example,dc=com
  # Change to the domain admin DN; you can query it with ldapsearch.
  # Replace the IP in -h with the server IP, -D with the admin DN, -b with the base DN, and * for all attributes:
  # ldapsearch -LLL -x -h 172.16.76.238 -D "administrator@xx.com" -W -b "dc=xx,dc=com" "*"
  BindDN "cn=administrator,cn=Users,dc=xx,dc=com"

  # Bind Password
  # Password SecretPassword
  # Domain admin password
  Password passwd

  # Network timeout (in seconds)
  Timeout 15

  # Enable Start TLS
  TLSEnable no

  # Follow LDAP Referrals (anonymously)
  FollowReferrals no

  # TLS CA Certificate File
  # TLSCACertFile /usr/local/etc/ssl/ca.pem

  # TLS CA Certificate Directory
  # TLSCACertDir /etc/ssl/certs

  # Client Certificate and key
  # If TLS client authentication is required
  # TLSCertFile /usr/local/etc/ssl/client-cert.pem
  # TLSKeyFile /usr/local/etc/ssl/client-key.pem

  # Cipher Suite
  # The defaults are usually fine here
  # TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
  # Base DN for auth search
  BaseDN "dc=boqii-inc,dc=com"

  # User Search Filter
  # SearchFilter "(&(uid=%u)(accountStatus=active))"
  # sAMAccountName=%u uses the sAMAccountName value as the username,
  # and "memberof=CN=myvpn,DC=xx,DC=com" points to the VPN user group to authenticate,
  # so any user can use the VPN once they are in this group.
  SearchFilter "(&(sAMAccountName=%u)(memberof=CN=myvpn,DC=boqii-inc,DC=com))"

  # Require Group Membership
  RequireGroup false

  # Add non-group members to a PF table (disabled)
  # PFTable ips_vpn_users

  <Group>
    # BaseDN "ou=Groups,dc=example,dc=com"
    # SearchFilter "(|(cn=developers)(cn=artists))"
    # MemberAttribute uniqueMember
    # Add group members to a PF table (disabled)
    # PFTable ips_vpn_eng
    BaseDN "ou=vpn,dc=boqii-inc,dc=com"
    SearchFilter "(cn=openvpn)"
    MemberAttribute "member"
  </Group>
</Authorization>
```

Copy the ca.crt certificate under /etc/openvpn/key for client use.
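A pre-deployment check of the SearchFilter above, added here as an example (not part of the original post or the openvpn-auth-ldap plugin); it assumes ldapsearch is installed and reuses the URL, BindDN and BaseDN from ldap.conf:

```sh
#!/bin/sh
# Added example (not part of the original page): check the plugin's user
# SearchFilter against AD, so a failed VPN login can be told apart from a plugin fault.
set -eu

# The SearchFilter from ldap.conf above; %u is replaced by the login name.
FILTER='(&(sAMAccountName=%u)(memberof=CN=myvpn,DC=boqii-inc,DC=com))'

# Escape the RFC 4515 special characters in a value before it is spliced
# into a filter (backslash first, so later escapes are not re-escaped).
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# expand_filter USERNAME: substitute the first %u in FILTER with the
# escaped username (openvpn-auth-ldap performs this substitution itself).
expand_filter() {
  printf '%s%s%s' "${FILTER%%%u*}" "$(ldap_escape "$1")" "${FILTER#*%u}"
}

# count_entries LDIF: number of entries (dn: lines) in ldapsearch -LLL output.
count_entries() {
  printf '%s\n' "$1" | grep -c '^dn:' || true
}

# verify_ldif LDIF: the filter must match exactly one account.
verify_ldif() {
  n=$(count_entries "$1")
  case "$n" in
    1) echo "OK: exactly one account matches"; return 0 ;;
    0) echo "FAIL: no match (unknown user or not a member of CN=myvpn)"; return 1 ;;
    *) echo "FAIL: $n accounts match; the filter is ambiguous"; return 2 ;;
  esac
}

# Constructed sample of what ldapsearch -LLL returns for a group member.
SAMPLE_LDIF='dn: CN=Jane Doe,CN=Users,DC=boqii-inc,DC=com
sAMAccountName: jdoe
memberOf: CN=myvpn,DC=boqii-inc,DC=com'

# Live mode (assumptions: ldapsearch installed, AD reachable, the BindDN
# and BaseDN from ldap.conf above; -W prompts for the bind password).
if [ "${1:-}" = "--live" ]; then
  out=$(ldapsearch -LLL -x -H ldap://172.16.76.238:389 \
          -D "cn=administrator,cn=Users,dc=xx,dc=com" -W \
          -b "dc=boqii-inc,dc=com" "$(expand_filter "${2:?username}")" dn)
  verify_ldif "$out"
fi
```

Run it as `./check-filter.sh --live jdoe`; a FAIL here means the account will also be refused by the plugin, before any OpenVPN client is involved.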