diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e8bf5f6b2..38cd7c850 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -113,32 +113,44 @@ jobs:
 name: Create and Upload Docker Images
 # Technically we only need build-linux to succeed, but if any platforms fail we'll
 # want to investigate and restart the build
- needs: [build-linux, build-darwin, build-windows, build-freebsd]
+ needs: [build-linux, build-darwin, build-windows]
 runs-on: ubuntu-latest
+ env:
+ HAS_DOCKER_CREDS: ${{ vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
+ # XXX It's not possible to write a conditional here, so instead we do it on every step
+ #if: ${{ env.HAS_DOCKER_CREDS == 'true' }}
 steps:
 # Be sure to checkout the code before downloading artifacts, or they will
 # be overwritten
 - name: Checkout code
+ if: ${{ env.HAS_DOCKER_CREDS == 'true' }}
 uses: actions/checkout@v3
 - name: Download artifacts
+ if: ${{ env.HAS_DOCKER_CREDS == 'true' }}
 uses: actions/download-artifact@v2
 with:
 name: linux-latest
 path: ./release/linux/
 - name: Login to Docker Hub
+ if: ${{ env.HAS_DOCKER_CREDS == 'true' }}
 uses: docker/login-action@v3
 with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
+ username: ${{ vars.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Set up Docker Buildx
+ if: ${{ env.HAS_DOCKER_CREDS == 'true' }}
 uses: docker/setup-buildx-action@v3
 - name: Build and push images
+ if: ${{ env.HAS_DOCKER_CREDS == 'true' }}
+ env:
+ DOCKER_IMAGE_REPO: ${{ vars.DOCKER_IMAGE_REPO || 'nebulaoss/nebula' }}
+ DOCKER_IMAGE_TAG: ${{ vars.DOCKER_IMAGE_TAG || 'latest' }}
 run: |
- make DOCKER_BUILD_ARGS="--push" all-docker
+ make BUILD_NUMBER="${GITHUB_REF#refs/tags/v}" DOCKER_IMAGE_REPO="${DOCKER_IMAGE_REPO}" DOCKER_BUILD_ARGS="--push" all-docker
 release:
 name: Create and Upload Release
diff --git a/Makefile b/Makefile
index 088bc427d..06225b904 100644
--- a/Makefile
+++ b/Makefile
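Review bot: In `.github/workflows/release.yml`, whenever `HAS_DOCKER_CREDS` is not `'true'` every step of the Docker job is skipped and the job still finishes green, so a missing `DOCKERHUB_TOKEN` secret, or a `DOCKERHUB_USERNAME` that was never recreated as a repository variable after this move from `secrets` to `vars`, yields a release with no images and nothing in the run to show it. I would add one step with the inverse condition, `if: ${{ env.HAS_DOCKER_CREDS != 'true' }}`, whose command is `echo "::warning::Docker Hub credentials not configured; skipping image build and push"`, so the skip is visible in the run summary. Separately, this job holds the registry push token while its actions are referenced by mutable tags (`docker/login-action@v3`, `docker/setup-buildx-action@v3`, `actions/checkout@v3`, `actions/download-artifact@v2`); pinning each to a full commit SHA would keep a retagged action from running with that token. The job's opening lines are above the hunk.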
@@ -30,6 +30,13 @@ ifndef BUILD_NUMBER
 endif
 endif
+ifndef DOCKER_IMAGE_REPO
+ DOCKER_IMAGE_REPO = nebula
+endif
+ifndef DOCKER_IMAGE_TAG
+ DOCKER_IMAGE_TAG = lates
+endif
+
 LDFLAGS = -X main.Build=$(BUILD_NUMBER)
 ALL_LINUX = linux-amd64 \
@@ -162,7 +169,7 @@ build/nebula-%.zip: build/%/nebula.exe build/%/nebula-cert.exe
 cd build/$* && zip ../nebula-$*.zip nebula.exe nebula-cert.exe
 docker/%: build/%/nebula build/%/nebula-cert
- docker buildx build . $(DOCKER_BUILD_ARGS) -f docker/Dockerfile --platform "$(subst -,/,$*)" --build-arg SOURCEDIR="build/$*" --tag "nebula:latest" --tag "nebula:$(BUILD_NUMBER)"
+ docker buildx build . $(DOCKER_BUILD_ARGS) -f docker/Dockerfile --platform "$(subst -,/,$*)" --build-arg SOURCEDIR="build/$*" --tag "${DOCKER_IMAGE_REPO}:${DOCKER_IMAGE_TAG}" --tag "${DOCKER_IMAGE_REPO}:$(BUILD_NUMBER)"
 vet:
 go vet $(VET_FLAGS) -v ./...
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 29168e30b..c20050bf3 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -15,4 +15,7 @@ RUN chmod +x /main.sh
 VOLUME ["/config"]
-CMD ["/main.sh"]
+# Run nebula using a wrapper script to setup the tun device
+ENTRYPOINT ["/main.sh"]
+# Allow users to override the args passed to nebula
+CMD ["-config", "/config/config.yml"]
diff --git a/docker/main.sh b/docker/main.sh
index ddf90dbd4..cc1266d7d 100755
--- a/docker/main.sh
+++ b/docker/main.sh
@@ -8,4 +8,4 @@ if [ ! -c /dev/net/tun ]; then
 chmod 600 /dev/net/tun
 fi
-nebula -config /config/config.yml
+nebula "$@"
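Review bot: In the `Makefile` hunk at `@@ -30,6 +30,13 @@`, the default `DOCKER_IMAGE_TAG = lates` looks like a typo for `latest`: a `docker/%` build run with no override would tag the image `nebula:lates`, where the old recipe hard-coded `nebula:latest`. The release workflow masks this because it sets `DOCKER_IMAGE_TAG` in the step environment, which Make picks up, so only builds outside CI are affected. The line should read `DOCKER_IMAGE_TAG = latest`. The repository defaults also differ between the two files (`nebula` here, `nebulaoss/nebula` in the workflow); if that is intended, a comment such as `# local builds use an unqualified repo; CI overrides it` would say so.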
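Review bot: In the `docker/%` recipe (`Makefile`, `@@ -162,7 +169,7 @@`), the new tags mix `${DOCKER_IMAGE_REPO}` and `${DOCKER_IMAGE_TAG}` with `$(BUILD_NUMBER)` on the same line; Make expands both forms itself, but the brace form reads like a shell variable and the rest of the visible file uses parentheses. Writing `--tag "$(DOCKER_IMAGE_REPO):$(DOCKER_IMAGE_TAG)" --tag "$(DOCKER_IMAGE_REPO):$(BUILD_NUMBER)"` keeps the recipe consistent. Since these values are pasted into the shell command text before it runs, they should only ever come from maintainer-controlled variables, never from anything a pull request can set.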
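Review bot: In `docker/Dockerfile`, the comment on the new `CMD` does not mention that arguments given after the image name now replace `-config /config/config.yml` entirely and are passed to `/main.sh`, so an override that leaves out `-config` starts nebula with no config path, and a command such as `sh` is passed to nebula as an argument instead of opening a shell. I would extend that comment to something like `# Args given to "docker run" replace this default; include -config when overriding, and use --entrypoint to get a shell`. The rest of the Dockerfile, including any `USER` instruction, is outside the hunk.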
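Review bot: In `docker/main.sh`, `nebula "$@"` still starts nebula as a child of the wrapper shell, so the shell remains PID 1 in the container; a shell in that position does not pass the `SIGTERM` from `docker stop` on to its child, and nebula is then likely to be killed at the stop timeout instead of shutting down cleanly. Replacing the line with `exec nebula "$@"` lets nebula take over PID 1 and receive the signal directly. The beginning of the script, including its shebang, is outside the hunk.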