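# docker-compose.yml for OpenVPN
#
# Runs a single OpenVPN server container. The server configuration and the
# PKI created by the setup script below are kept in ./openvpn-data on the host.
version: '3.8'

services:
  openvpn:
    # NOTE(review): ':latest' is a moving tag. Pin a tag or digest you have
    # verified so a later pull cannot silently change the code you run.
    image: kylemanna/openvpn:latest
    container_name: openvpn-server
    cap_add:
      # Needed to manage the tunnel interface and routes inside the container.
      - NET_ADMIN
    ports:
      - "1194:1194/udp"
    volumes:
      # Holds the CA and server private keys after ovpn_initpki has run:
      # restrict host permissions on this directory and back it up securely.
      - ./openvpn-data:/etc/openvpn
    restart: unless-stopped
    command: ovpn_run

---
# Quick setup script (setup-openvpn.sh)
# When saved as its own file, the '#!/bin/bash' line must be the first line.
#!/bin/bash

# Abort on the first failed step so the server is never started on a
# half-initialised configuration or PKI.
set -euo pipefail

# Replace with your server's public IP or domain
SERVER_URL="udp://YOUR_SERVER_IP:1194"

echo "🔧 Setting up OpenVPN server..."

# Initialize the configuration (quoted so the URL is passed as one argument)
docker-compose run --rm openvpn ovpn_genconfig -u "$SERVER_URL"

# Generate the certificate authority
# (interactive: asks for a CA passphrase; store it in a password manager)
docker-compose run --rm openvpn ovpn_initpki

# Start the server
docker-compose up -d

echo "✅ OpenVPN server started!"
echo "📝 To create a client certificate:"
# 'nopass' leaves the client private key unencrypted, and the generated .ovpn
# embeds that key: treat the file as a credential and send it only over a
# secure channel. Omit 'nopass' to protect the key with a passphrase.
echo " docker-compose run --rm openvpn easyrsa build-client-full CLIENTNAME nopass"
echo " docker-compose run --rm openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn"

---
# Alternative: Tailscale (even simpler)
#
# Joins the tailnet with the given auth key and advertises the listed subnets.
version: '3.8'

services:
  tailscale:
    # NOTE(review): pin a verified tag or digest instead of ':latest'.
    image: tailscale/tailscale:latest
    container_name: tailscale-subnet-router
    hostname: docker-router
    environment:
      # Placeholder value. An auth key is a credential: supply it from an
      # env file or secret store kept out of version control, and prefer a
      # short-lived, single-use key.
      - TS_AUTHKEY=tskey-auth-your-auth-key-here
      # Advertises every RFC 1918 range. Narrow this to the subnets that
      # actually need to be reachable so a tailnet peer cannot reach more
      # of the network than intended.
      - TS_ROUTES=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
      - TS_STATE_DIR=/var/lib/tailscale
    volumes:
      # The state directory contains the node's private key; restrict host
      # permissions on ./tailscale-state.
      - ./tailscale-state:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
      # NOTE(review): SYS_MODULE allows loading kernel modules on the host.
      # Drop it if the container works without it.
      - SYS_MODULE
    restart: unless-stopped

---
# Or use a ready-made VPN solution
version: '3.8'

services:
  pritunl:
    # NOTE(review): third-party image on a moving tag; pin a verified tag or
    # digest before granting it the privileges below.
    image: jippi/pritunl:latest
    container_name: pritunl-vpn
    # 'privileged' removes most container isolation (all capabilities, host
    # devices). A compromise of this service is effectively a host
    # compromise; prefer the specific cap_add entries it needs if it runs
    # without full privilege.
    privileged: true
    sysctls:
      - net.ipv6.conf.default.forwarding=1
      - net.ipv6.conf.all.forwarding=1
    ports:
      # Published on all host interfaces. 80/443 are presumably the web
      # console; restrict them to an admin network or a host firewall rule
      # rather than exposing them to the internet.
      - "80:80"
      - "443:443"
      - "1194:1194/udp"
    volumes:
      - pritunl_data:/var/lib/pritunl
      - pritunl_mongodb:/var/lib/mongodb
    restart: unless-stopped

volumes:
  pritunl_data:
  pritunl_mongodb:

---
# Simple SOCKS5 Proxy (lightest option)
version: '3.8'

services:
  dante:
    # NOTE(review): no tag given, so this resolves to ':latest'; pin a
    # verified tag or digest.
    image: serjs/go-socks5-proxy
    container_name: socks5-proxy
    ports:
      # Published on all host interfaces. SOCKS5 username/password
      # authentication is sent unencrypted, so limit who can reach this port
      # (bind to 127.0.0.1 or firewall it) and carry it over an encrypted
      # link when it is used across untrusted networks.
      - "1080:1080"
    environment:
      # Placeholder credentials: replace both before starting the service
      # and keep the real values out of version control.
      - PROXY_USER=username
      - PROXY_PASSWORD=password
    restart: unless-stopped

---
# SSH Tunnel (if you just need simple forwarding)
version: '3.8'

services:
  ssh-tunnel:
    # NOTE(review): pin a verified Alpine tag or digest instead of ':latest'.
    image: alpine:latest
    container_name: ssh-tunnel-server
    ports:
      - "2222:22"
    volumes:
      # /etc/ssh holds sshd_config and the host private keys generated by
      # 'ssh-keygen -A'; restrict host permissions on ./ssh-config.
      - ./ssh-config:/etc/ssh
    # Start-up steps, run on every container start:
    #  - the account is created only if it does not exist yet; an
    #    unconditional adduser fails on a restart of the same container and
    #    would stop sshd from ever starting again;
    #  - each sshd_config line is appended only once, because the file lives
    #    on the host mount and would otherwise grow on every start.
    # 'tunneluser:password' is a placeholder: password logins on a published
    # port are routinely brute-forced. Replace it, or better, install an
    # authorized_keys file for tunneluser and disable password authentication.
    # 'GatewayPorts yes' lets remote forwards listen on all interfaces of the
    # container; keep it only if that is required.
    # NOTE(review): sshd uses the first value it reads for a keyword, so the
    # appended lines have no effect if the stock sshd_config already sets
    # them. Check the effective settings with 'sshd -T'.
    command: |
      sh -c "
        apk add --no-cache openssh &&
        ssh-keygen -A &&
        (id tunneluser >/dev/null 2>&1 || adduser -D -s /bin/sh tunneluser) &&
        echo 'tunneluser:password' | chpasswd &&
        (grep -qx 'GatewayPorts yes' /etc/ssh/sshd_config || echo 'GatewayPorts yes' >> /etc/ssh/sshd_config) &&
        (grep -qx 'AllowTcpForwarding yes' /etc/ssh/sshd_config || echo 'AllowTcpForwarding yes' >> /etc/ssh/sshd_config) &&
        /usr/sbin/sshd -D
      "
    restart: unless-stopped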