# Docker container with antizapret-vpn for self-hosting

MIT License

Easy-to-use Docker image based upon the original AntiZapret LXD image for self-hosting.
## Install

Install Docker, clone the repository and start the containers:

```sh
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
git clone https://github.com/xtrime-ru/antizapret-vpn-docker.git antizapret
cd antizapret
docker compose pull
docker compose up -d
```

After the first start the `./keys/client` and `./configs` directories will be created. Download the `.ovpn` configs from the `./keys/client` directory and use them to set up your clients.

## WireGuard

Generate the password hash for the web UI and write it to `./wireguard/wireguard.env` (the `sed` calls strip the quotes and escape every `$` as `$$` so that Docker Compose does not treat the hash as variable substitution), then start the WireGuard stack:

```sh
docker run --rm ghcr.io/wg-easy/wg-easy wgpw 'YOUR_PASSWORD' | sed "s/'//g" | sed -r 's/\$/\$\$/g' | tee ./wireguard/wireguard.env
docker compose -f docker-compose.wireguard.yml pull
docker compose -f docker-compose.wireguard.yml up -d
```

Go to http://YOUR_SERVER_IP:51821 and create a new client.

## IPsec

Important notice: not all clients support tunnel split (sending only part of the traffic via VPN). For example, Apple devices will not be able to connect to this server. It is recommended to use OpenVPN or WireGuard instead.

Copy the example environment file, edit `ipsec/ipsec.env` to your needs, then start the IPsec stack:

```sh
cp ipsec/ipsec.env.example ipsec/ipsec.env
docker compose down
docker compose -f docker-compose.ipsec.yml up -d
```
## AdGuard Home

Antizapret-VPN can use external DNS resolvers. To start your own AdGuard Home container and use it as the backend for antizapret:

```sh
docker compose down
docker compose -f docker-compose.adguard.yml up -d
```

Go to http://YOUR_SERVER_IP:3000 and set up AdGuard Home. You can leave all values at their defaults, except the AdGuard web interface port: change it from 80 to 3000.
## docker-compose.override.yml

It is recommended not to change the docker-compose files, because that can break the ability to `git pull` updates. The correct way is to create a `docker-compose.override.yml`.

For example, if you want all transports and AdGuard Home, and want to modify the environment variables of antizapret-vpn:

```yaml
services:
  antizapret-vpn:
    environment:
      - DNS=adguardhome
      - ADGUARD=1
      - OPENVPN_OPTIMIZATIONS=1
      - OPENVPN_TLS_CRYPT=1
    depends_on:
      - adguardhome
  adguardhome:
    extends:
      file: docker-compose.adguard.yml
      service: adguardhome
  ipsec:
    extends:
      file: docker-compose.ipsec.yml
      service: ipsec
  amnezia-wg-easy:
    extends:
      file: docker-compose.wireguard-amnezia.yml
      service: amnezia-wg-easy
```

`docker compose` will merge `docker-compose.yml` and your custom `docker-compose.override.yml`.

Start all containers from `docker-compose.override.yml`:

```sh
docker compose down && docker compose pull && docker compose up -d
```

## Update

```sh
git pull
docker compose pull
docker compose down && docker compose up -d
```
## Custom lists

Any domains or IPs can be added to or excluded from routing with the config files in the `./config` directory. These lists are added to / excluded from the automatically generated lists of domains and IPs. Restart the container and wait a few minutes for the changes to apply.

It is recommended to use the `*-regex-custom.txt` files. You can debug your regular expressions online: https://regex101.com

Here are a few regex examples:

- `^2ip\.ru$`
- `\.microsoft\.com$` will match any subdomain of microsoft.com.
- Both of these work the same way: `microsoft\.[^.]*$` and `microsoft\.(ru|com|com\.de)`
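A quick way to see what a `*-regex-custom.txt` list will actually match before restarting the container and waiting for the lists to regenerate, as an added example that is not part of the antizapret-vpn-docker project. It assumes the patterns are POSIX extended regular expressions, one per line, matched against whole hostnames with `grep -E` (the way the examples above are written); the pattern list and hostnames below are constructed samples.

```sh
#!/bin/sh
# Added example (not part of the antizapret-vpn-docker project): test a
# *-regex-custom.txt pattern list against sample hostnames offline.
# Assumption: one POSIX extended regex per line, matched against a whole
# hostname with grep -E; patterns and hostnames below are constructed samples.
set -eu

# Constructed pattern list using the three examples from the README.
PATTERNS='^2ip\.ru$
\.microsoft\.com$
microsoft\.(ru|com|com\.de)'

# Constructed hostnames to check against the patterns.
DOMAINS='2ip.ru
www.2ip.ru
microsoft.com
login.microsoft.com
microsoft.com.de
example.org'

# match_domains PATTERNS DOMAINS: print the hostnames matched by at least one
# pattern, in input order. The patterns go through a temporary file so that
# grep -E -f consumes them exactly as it would a *-regex-custom.txt file.
match_domains() {
    pattern_file=$(mktemp)
    printf '%s\n' "$1" > "$pattern_file"
    printf '%s\n' "$2" | grep -E -f "$pattern_file" || true
    rm -f "$pattern_file"
}

# unmatched_domains PATTERNS DOMAINS: the complement, to spot what a list misses.
unmatched_domains() {
    pattern_file=$(mktemp)
    printf '%s\n' "$1" > "$pattern_file"
    printf '%s\n' "$2" | grep -E -v -f "$pattern_file" || true
    rm -f "$pattern_file"
}

echo "Matched:"
match_domains "$PATTERNS" "$DOMAINS"
echo "Not matched:"
unmatched_domains "$PATTERNS" "$DOMAINS"
```

Running it shows that `\.microsoft\.com$` matches `login.microsoft.com` but not the apex `microsoft.com` (there is no leading dot to match), while `microsoft\.(ru|com|com\.de)` catches both and `microsoft.com.de`; `^2ip\.ru$` matches only the exact name, so `www.2ip.ru` stays unmatched. Add a separate `^microsoft\.com$` line if the apex domain is wanted too.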
## Keys

Client and server keys are stored in `./keys`. They persist across container and host restarts.

To regenerate the keys, use the following commands:

```sh
docker compose down
rm -rf keys/{client,server}/keys/*.{crt,key}
docker compose up -d
```
## Environment variables

You can define these variables in the docker-compose.yml file for your needs:

- `SKIP_UPDATE_FROM_ZAPRET=true` - do not download and use the list of all blocked domains from the internet; only the `*-custom.txt` files are used.
- `UPDATE_TIMER=1d` - blocked domains update interval.
- `OPENVPN_HOST=example.com` - will be used as the server address in `.ovpn` profiles upon key generation (default: your server's IP).
- `OPENVPN_PORT=1194` - will be used as the server port in `.ovpn` profiles upon key generation (default: 1194). Publish the same port in the `ports` section, replacing `%EXTERNAL_PORT%` with the port number:

  ```yaml
  ports:
    - %EXTERNAL_PORT%:1194/tcp
    - %EXTERNAL_PORT%:1194/udp
  ```

- `OPENVPN_MTU=1420` - set the `tun-mtu` option to a fixed value (default: auto).
- `OPENVPN_OPTIMIZATIONS=1` - enable the `tcp-nodelay` and `fast-io` options and increase `sndbuf` and `rcvbuf` (default: 0).
- `OPENVPN_CBC_CIPHERS=1` - enable support for legacy clients. Will disable DCO.
- `OPENVPN_SCRAMBLE=1` - enable additional obfuscation (XOR Tunnelblick patch).
- `OPENVPN_TLS_CRYPT=1` - enable additional TLS encryption in OpenVPN. May help with connection obfuscation.
- `DNS=1.1.1.1` - DNS server to resolve domains (default: host DNS server).
- `DNS_RU=77.88.8.8` - Russian DNS server; used to fix issues with geo zone mismatch for domains like apple.com (default: 77.88.8.8).
- `LOG_DNS=1` - log all DNS requests and responses (default: 0).
- `ADGUARD=1` - resolve .ru, .рф and .su via `DNS`. By default these zones are resolved through `DNS_RU` (default: 0).
- `FORCE_FORWARD_DNS=true` - redirect UDP traffic on port 53 to the AntiZapret DNS (default: false).
- `FORCE_FORWARD_DNS_PORTS="53 5353"` - can be used to change port 53 for `FORCE_FORWARD_DNS` to one or more ports, separated by a space (default: 53).

## OpenVPN Data Channel Offload (DCO)

OpenVPN Data Channel Offload (DCO) provides performance improvements by moving the data channel handling into kernel space, where it can be handled more efficiently and with multi-threading. tl;dr: it increases speed and reduces CPU usage on the server.
Kernel extensions can be installed only on the host machine, not in a container.

Install the DKMS module from the distribution repository:

```sh
sudo apt update
sudo apt upgrade
echo "#### Please reboot your system after upgrade ###" && sleep 100
sudo apt install -y efivar
sudo apt install -y openvpn-dco-dkms
```

Alternatively, download and install the package directly from the Ubuntu archive:

```sh
sudo apt update
sudo apt upgrade
echo "#### Please reboot your system after upgrade ###" && sleep 100
deb=openvpn-dco-dkms_0.0+git20231103-1_all.deb
sudo apt install -y efivar dkms linux-headers-$(uname -r)
wget http://archive.ubuntu.com/ubuntu/pool/universe/o/openvpn-dco-dkms/$deb
sudo dpkg -i $deb
```
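Because the container cannot load kernel modules itself, the useful check after the reboot is whether the DCO module is actually present on the host. The script below is an added example, not part of the antizapret-vpn-docker project or the `openvpn-dco-dkms` package; it assumes the module shows up in `/proc/modules` under a name starting with `ovpn_dco` (OpenVPN 2.6 uses `ovpn_dco_v2`), and the `/proc/modules` content it demonstrates on is a constructed sample.

```sh
#!/bin/sh
# Added example (not part of the antizapret-vpn-docker project): verify on the
# host, after the reboot, that the DCO kernel module is loaded.
# Assumption: the module name starts with "ovpn_dco" (OpenVPN 2.6 ships
# ovpn_dco_v2); change MODULE_PREFIX if your package uses another name.
set -eu

MODULE_PREFIX=ovpn_dco

# dco_loaded [MODULES_FILE]: succeed when a module whose name starts with
# MODULE_PREFIX is listed in MODULES_FILE (default: /proc/modules).
# /proc/modules lists one module per line, name first, so anchor at line start.
dco_loaded() {
    modules_file=${1:-/proc/modules}
    grep -q "^${MODULE_PREFIX}" "$modules_file"
}

# dco_status [MODULES_FILE]: human-readable result; exit status 1 when missing.
dco_status() {
    if dco_loaded "${1:-/proc/modules}"; then
        echo "DCO kernel module is loaded; OpenVPN in the container can use it."
        return 0
    fi
    echo "DCO kernel module is not loaded; check 'sudo dkms status' and reboot."
    return 1
}

# Constructed samples of /proc/modules output: one host with the module
# loaded, one without. The "tun" line also mentions ovpn_dco_v2 as a user of
# tun, which must not count as the module itself.
WITH_DCO=$(mktemp)
printf '%s\n' \
    'ovpn_dco_v2 57344 2 - Live 0x0000000000000000 (OE)' \
    'tun 65536 3 ovpn_dco_v2, Live 0x0000000000000000' > "$WITH_DCO"

WITHOUT_DCO=$(mktemp)
printf '%s\n' 'tun 65536 1 - Live 0x0000000000000000' > "$WITHOUT_DCO"

dco_status "$WITH_DCO" || true
dco_status "$WITHOUT_DCO" || true
```

On a real host run `dco_status` with no argument so it reads `/proc/modules`; if the module is missing even though the package installed cleanly, the DKMS build for the running kernel usually failed, which `sudo dkms status` reports.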
## Legacy CBC ciphers

If your clients do not support GCM ciphers, you can use legacy CBC ciphers. DCO is incompatible with legacy ciphers and will be disabled. This also increases CPU load.

Set `CBC_CIPHERS=1` in docker-compose.yml and use the updated client configs from the `keys/client/` folder.

## Speed test

An iperf3 server is included in the antizapret-vpn container. Run from a connected client (the second command, with `-R`, measures the reverse direction):

```sh
iperf3 -c 10.224.0.1 -i1 -t10 -P10
iperf3 -c 10.224.0.1 -i1 -t10 -P10 -R
```