diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
new file mode 100644
index 0000000..1bb3799
--- /dev/null
+++ b/.github/workflows/docker-publish.yml
@@ -0,0 +1,63 @@
+name: Docker
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+ schedule:
+ - cron: '35 21 * * *'
+ push:
+ branches: [ master ]
+ # Publish semver tags as releases.
+ tags: [ 'v*.*.*' ]
+ pull_request:
+ branches: [ master ]
+
+env:
+ # Use docker.io for Docker Hub if empty
+ REGISTRY: ghcr.io
+ # github.repository as /
+ IMAGE_NAME: ${{ github.repository }}
+
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ # Login against a Docker registry except on PR
+ # https://github.com/docker/login-action
+ - name: Log into registry ${{ env.REGISTRY }}
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ # Extract metadata (tags, labels) for Docker
+ # https://github.com/docker/metadata-action
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+ # Build and push Docker image with Buildx (don't push on PR)
+ # https://github.com/docker/build-push-action
+ - name: Build and push Docker image
+ uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+ with:
+ context: .
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
diff --git a/Dockerfile b/Dockerfile
index 05f4d72..36a1f99 100644
--- a/Dockerfile
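Review bot: `uses: actions/checkout@v2` in the steps list is pinned to a mutable tag while the three docker/* actions below it are pinned to full commit SHAs; a floating tag lets the action's code change underneath a job that holds `packages: write` and a live registry login. Pin it the same way, e.g. `uses: actions/checkout@FULL_COMMIT_SHA_OF_THE_V2_RELEASE  # v2` (placeholder — look up the SHA of the release you want), keeping the tag in a trailing comment so the pin stays readable. It is also worth confirming that the nightly `schedule` trigger is meant to rebuild and republish the `master` tag every night even when nothing changed, since that is what the `push` condition at the end of the hunk will do for scheduled runs.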
+++ b/Dockerfile
@@ -18,9 +18,6 @@ RUN true \
 && true
 ADD sockd.conf /etc/
+COPY entrypoint.sh /
-ENTRYPOINT [ \
- "openvpn", \
- "--up", "/usr/local/bin/sockd.sh", \
- "--script-security", "2", \
- "--config", "/ovpn.conf"]
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/README.md b/README.md
index ecb23c0..4ed7664 100644
--- a/README.md
+++ b/README.md
@@ -6,9 +6,22 @@ routing).
 ## Usage
-Preferably, using `start` in this repository:
-```bash
-start client_config.ovpn
+Preferably, use docker-compose
+```yaml
+version: '3.3'
+services:
+ openvpn-client-socks:
+ build: .
+ cap_add:
+ - NET_ADMIN
+ devices:
+ - /dev/net/tun
+ ports:
+ - '1081:1080'
+ env_file:
+ - .env
+ volumes:
+ - ./vpn.ovpn:/vpn/ovpn.conf
 ```
 Alternatively, using `docker run` directly:
@@ -16,8 +29,10 @@ Alternatively, using `docker run` directly:
 ```bash
 docker run -t -i --device=/dev/net/tun --cap-add=NET_ADMIN \
 --publish 127.0.0.1:1080:1080 \
- --volume client_config.ovpn:/ovpn.conf:ro \
- mook/openvpn-client-socks
+ --volume client_config.ovpn:/vpn/ovpn.conf:ro \
+ -e USER=ahh \
+ -e PASSWORD=ahh \
+ ghcr.io/ekkog/docker-openvpn-client-socks:master
 ```
 ### OpenVPN Configuration Constraints
@@ -25,3 +40,4 @@ docker run -t -i --device=/dev/net/tun --cap-add=NET_ADMIN \
 - The configuration file must have embedded certificates; references to other files are not allowed.
 - The configuration file must use `dev tun0`.
+
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..bfd6f75
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,15 @@
+version: '3.3'
+services:
+ openvpn-client-socks:
+ image: ghcr.io/cielpy/docker-openvpn-client-socks:master
+ restart: always
+ cap_add:
+ - NET_ADMIN
+ devices:
+ - /dev/net/tun
+ ports:
+ - '1081:1080'
+ env_file:
+ - .env
+ volumes:
+ - ./vpn.ovpn:/vpn/ovpn.conf
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100755
index 0000000..8975eb9
--- /dev/null
+++ b/entrypoint.sh
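Review bot: `- '1081:1080'` under `ports:` in docker-compose.yml publishes the SOCKS port on every host interface, whereas the `start` script this commit deletes and the README's `docker run` example in the same commit bind it to `127.0.0.1`; unless exposing the proxy beyond the host is intended (the sockd.sh routing change suggests it may be), use `- '127.0.0.1:1081:1080'`, and if it is intended say so in a comment, since whether sockd requires client authentication cannot be seen from this diff. `image: ghcr.io/cielpy/docker-openvpn-client-socks:master` also names a different owner than the README's `ghcr.io/ekkog/docker-openvpn-client-socks:master`, and combined with `restart: always` a mutable `master` tag means the code running on the host can change on any pull; one of the two references is presumably stale, and a release tag or an `@sha256:` digest would make the deployment reproducible.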
@@ -0,0 +1,11 @@
+#!/bin/sh
+echo $OPENVPN_USER > /tmp.txt
+echo $OPENVPN_PASSWORD >> /tmp.txt
+chmod 600 /tmp.txt
+openvpn \
+--config /vpn/ovpn.conf \
+--auth-user-pass /tmp.txt \
+--up /usr/local/bin/sockd.sh \
+--connect-retry 2 2 \
+--connect-retry-max 2 \
+--script-security 2
diff --git a/sockd.sh b/sockd.sh
index 59237f9..0499370 100644
--- a/sockd.sh
+++ b/sockd.sh
@@ -1,5 +1,11 @@
 #!/bin/sh
 set -e
+# Ensure external connections via docker network find their way back
+docker_ip=$(ip addr show eth0 | awk '$1 == "inet" {gsub(/\/.*$/, "", $2); print $2}')
+docker_gw=$(ip route | awk '/default/ {print $3}')
+ip rule add from "$docker_ip" table 10
+ip route add table 10 default via "$docker_gw" table 10
+
 /etc/openvpn/up.sh "$@"
 pidof sockd | xargs --no-run-if-empty kill -TERM
 exec /usr/sbin/sockd -D
diff --git a/start b/start
deleted file mode 100755
index 12bd711..0000000
--- a/start
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-
-exec docker run \
- --rm \
- --tty \
- --interactive \
- --device=/dev/net/tun \
- --cap-add=NET_ADMIN \
- --publish 127.0.0.1:1081:1080 \
- --volume "$(realpath "$1"):/ovpn.conf:ro" \
- mook/openvpn-client-socks:${TAG:-latest}
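Review bot: `echo $OPENVPN_USER > /tmp.txt` and the following `echo` write the credentials with the default umask and only `chmod 600` them afterwards, and the unquoted expansions are subject to word splitting and globbing, so a password containing spaces or `*` is altered before openvpn sees it; set `umask 077` first and write both values with a quoted `printf`. Neither variable is checked, so an unset or misspelled one silently produces an empty line and a confusing auth failure from openvpn — and the README's `docker run` example in this same commit passes `USER` and `PASSWORD`, not `OPENVPN_USER`/`OPENVPN_PASSWORD`, so that example will hit exactly this path. The final `openvpn` command is also not `exec`'d, leaving `/bin/sh` as PID 1 where `docker stop`'s SIGTERM is not forwarded to openvpn.
```sh
#!/bin/sh
set -eu
# Refuse to start with missing credentials rather than handing openvpn
# an empty username/password file.
: "${OPENVPN_USER:?OPENVPN_USER must be set}"
: "${OPENVPN_PASSWORD:?OPENVPN_PASSWORD must be set}"
# Create the auth file restricted from the outset instead of chmod'ing it
# after the secrets are already on disk; printf keeps the values verbatim.
umask 077
printf '%s\n%s\n' "$OPENVPN_USER" "$OPENVPN_PASSWORD" > /tmp.txt
# exec so openvpn becomes PID 1 and receives the container's SIGTERM directly.
exec openvpn \
--config /vpn/ovpn.conf \
# … unchanged: remaining openvpn options …
```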
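Review bot: `ip route add table 10 default via "$docker_gw" table 10` names the table twice, and both it and the `ip rule add` line above it are non-idempotent: if this up script ever runs a second time in the same network namespace (openvpn's `--up-restart`, or a manual re-run) the `add` fails with EEXIST and the `set -e` two lines earlier aborts the whole up script. If `eth0` has no address or there is no default route (for instance under `network_mode: host`), `docker_ip`/`docker_gw` are empty and `ip rule add from ""` fails the same way, so the block should be guarded. The comment should also state the security effect, which is easy to misread: only traffic sourced from the container's bridge address is steered around the VPN (so SOCKS clients get their replies), and everything else presumably still follows the routes openvpn installs — worth confirming against those routes.
```sh
# … unchanged: shebang, set -e …
# Replies to SOCKS clients that reached us over the docker bridge must leave
# via the bridge gateway, not the tunnel. Only traffic sourced from the
# bridge address is routed around the VPN here.
docker_ip=$(ip addr show eth0 | awk '$1 == "inet" {gsub(/\/.*$/, "", $2); print $2}')
docker_gw=$(ip route | awk '/default/ {print $3}')
if [ -n "$docker_ip" ] && [ -n "$docker_gw" ]; then
  # del+add / replace keep this idempotent if the up script runs again
  ip rule del from "$docker_ip" table 10 2>/dev/null || true
  ip rule add from "$docker_ip" table 10
  ip route replace table 10 default via "$docker_gw"
fi
# … unchanged: up.sh call, sockd restart …
```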