Installing an OpenVPN server and client on Linux with Docker

Original post, 08/20 15:48

1. Initialize the Docker container

The example server IP used in this article is 192.11.11.10.

Create a local directory to hold the OpenVPN configuration:

mkdir /data/public/openvpn

Use the container to generate the server configuration and initialize the PKI:

docker run -v /data/public/openvpn:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://openvpn.gongstring.com
docker run -v /data/public/openvpn:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki

During initialization you are asked for the domain name (Common Name) and a passphrase for the CA key:

For this example, enter: vpn123pwd

The output of the initialization looks like this:

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki


Using SSL: openssl OpenSSL 1.1.1d  10 Sep 2019

Enter New CA Key Passphrase: 
Re-Enter New CA Key Passphrase: 
Generating RSA private key, 2048 bit long modulus (2 primes)
.................+++++
.......................................+++++
e is 65537 (0x010001)
Can't load /etc/openvpn/pki/.rnd into RNG
140360007494984:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:98:Filename=/etc/openvpn/pki/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:openvpn.gongstring.com

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt


Using SSL: openssl OpenSSL 1.1.1d  10 Sep 2019
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.................+.........................................................................++*++*++*++*

DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem


Using SSL: openssl OpenSSL 1.1.1d  10 Sep 2019
Generating a RSA private key
...............+++++
...............................................................................+++++
writing new private key to '/etc/openvpn/pki/private/openvpn.gongstring.com.key.XXXXcMLjEc'
-----
Using configuration from /etc/openvpn/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'openvpn.gongstring.com'
Certificate is to be certified until Aug  5 07:14:33 2023 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Using SSL: openssl OpenSSL 1.1.1d  10 Sep 2019
Using configuration from /etc/openvpn/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/pki/private/ca.key:

An updated CRL has been created.
CRL file: /etc/openvpn/pki/crl.pem

2. Start the container

docker run -d --name openvpn-server -v /data/public/openvpn/:/etc/openvpn  -p 1194:1194/udp --cap-add=NET_ADMIN  --restart always kylemanna/openvpn

3. Generate a client certificate (repeat once per client)

You will be prompted for the CA passphrase set above (vpn123pwd); the nopass argument only means the client's own key is stored without a passphrase.

docker run -v /data/public/openvpn/:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full gongstring nopass

Replace gongstring with your own username.

4. Export the certificate for the client

docker run -v /data/public/openvpn/:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient gongstring > /data/public/openvpn/clients/openvpn.gongstring.com.ovpn

Once this completes, the file openvpn.gongstring.com.ovpn appears in /data/public/openvpn/clients.
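Before handing the exported profile to a user it is worth checking that it is complete: ovpn_getclient writes the profile to standard output, so the /data/public/openvpn/clients directory has to exist before the redirect above, and the resulting file should carry the inline <ca>, <cert>, <key> and <tls-auth> blocks plus a remote line for the right server. The following shell script is an added example, not code from the original post or from the kylemanna/openvpn image: it writes a constructed sample profile with placeholder PEM bodies and checks a profile against the expected server name, port and protocol. The function names make_sample_profile and check_profile, and the exact lines it expects (remote-cert-tls server, key-direction), are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from the kylemanna/openvpn
# image: sanity-check an exported .ovpn client profile before handing it out.
# Assumed layout: inline <ca>/<cert>/<key>/<tls-auth> blocks, a "remote HOST PORT PROTO"
# line, "remote-cert-tls server" and "key-direction" (this is what the example checks).

# Write a constructed sample profile to a temp file and print its path.
# The PEM bodies are placeholders, not real keys or certificates.
make_sample_profile() {
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
client
nobind
dev tun
remote-cert-tls server
remote openvpn.gongstring.com 1194 udp
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CONSTRUCTED-FOR-EXAMPLE
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CONSTRUCTED-FOR-EXAMPLE
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CONSTRUCTED-FOR-EXAMPLE
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-CONSTRUCTED-FOR-EXAMPLE
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
  echo "$f"
}

# check_profile FILE [HOST] [PORT] [PROTO]
# Returns 0 when every inline block appears exactly once (open and close tag),
# the remote line matches HOST PORT PROTO, remote-cert-tls server is set, and
# key-direction is present whenever tls-auth is inlined. Reasons go to stderr.
check_profile() {
  profile=$1
  host=${2:-openvpn.gongstring.com}
  port=${3:-1194}
  proto=${4:-udp}
  rc=0
  for blk in ca cert key tls-auth; do
    opens=$(grep -cFx "<$blk>" "$profile" || true)
    closes=$(grep -cFx "</$blk>" "$profile" || true)
    if [ "$opens" -ne 1 ] || [ "$closes" -ne 1 ]; then
      echo "missing or unbalanced <$blk> block" >&2
      rc=1
    fi
  done
  if ! grep -qFx "remote $host $port $proto" "$profile"; then
    echo "remote line does not match: $host $port $proto" >&2
    rc=1
  fi
  if ! grep -qFx "remote-cert-tls server" "$profile"; then
    # without this, any certificate signed by the CA (another client's, say)
    # would be accepted as the server
    echo "remote-cert-tls server is missing" >&2
    rc=1
  fi
  if grep -qFx "<tls-auth>" "$profile" && ! grep -q "^key-direction " "$profile"; then
    echo "tls-auth is inlined but key-direction is not set" >&2
    rc=1
  fi
  return $rc
}

# Stand-alone run: build the sample, check it, then show a failing case.
if [ "${1:-}" = "demo" ]; then
  p=$(make_sample_profile)
  check_profile "$p" && echo "sample profile OK"
  check_profile "$p" vpn.example.invalid || echo "mismatched host rejected as expected"
  rm -f "$p"
fi
```

In real use, run check_profile /data/public/openvpn/clients/openvpn.gongstring.com.ovpn; a non-zero exit with the reasons on stderr means the profile should not be handed out. The <key> block is the user's private key, so the file should only travel over an authenticated channel such as the scp step in section 5.2.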

5. Using the client

This section uses a CentOS 7 machine as the client.

5.1 Add a package repository and install the OpenVPN client

vim /etc/yum.repos.d/epel.repo

[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
baseurl=http://mirrors.aliyun.com/epel/7/$basearch
failovermethod=priority
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
 
[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
baseurl=http://mirrors.aliyun.com/epel/7/$basearch/debug
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=0
 
[epel-source]
name=Extra Packages for Enterprise Linux 7 - $basearch - Source
baseurl=http://mirrors.aliyun.com/epel/7/SRPMS
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=0

Install:

yum makecache
yum update -y
yum install -y openssl lzo pam openssl-devel lzo-devel pam-devel
yum install -y easy-rsa
yum install -y openvpn
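The epel.repo above sets gpgcheck=0 and fetches packages over plain http, so the client machine installs whatever the mirror serves without checking the EPEL package signatures, even though the signing key is already referenced by the gpgkey line. The following shell script is an added example, not part of the original post: audit_repo lists every enabled section of a .repo file that has gpgcheck disabled or a plain-http baseurl, and harden_repo prints a corrected copy with gpgcheck=1 and an https baseurl. The function names, the constructed sample sections and the assumption that the mirror also serves https are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a yum .repo file for the
# weak settings in the epel.repo shown above and print a hardened copy.
# Assumptions: the file follows yum's INI layout (one [section] per repo, key=value
# lines), a section without "enabled=" counts as enabled (yum's default), and the
# mirror also serves https (true of many mirrors, but confirm before switching).

# Constructed sample: the [epel] section as written above plus two extra sections.
make_sample_repo() {
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
baseurl=http://mirrors.aliyun.com/epel/7/$basearch
failovermethod=priority
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

[clean]
name=Constructed clean section
baseurl=https://mirrors.example.invalid/clean
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

[disabled-and-weak]
name=Disabled sections are not reported
baseurl=http://mirrors.example.invalid/debug
enabled=0
gpgcheck=0
EOF
  echo "$f"
}

# audit_repo FILE: print "SECTION PROBLEM" for each enabled section whose
# gpgcheck is not 1 or whose baseurl is plain http; prints nothing when clean.
audit_repo() {
  awk -F= '
    function flush() {
      if (sec == "" || enabled != "1") return
      if (gpgcheck != "1") print sec, "gpgcheck-disabled"
      if (index(baseurl, "http://") == 1) print sec, "plain-http-baseurl"
    }
    /^\[.*\]$/ {
      flush()
      sec = substr($0, 2, length($0) - 2)
      enabled = "1"; gpgcheck = ""; baseurl = ""
      next
    }
    $1 == "enabled"  { enabled = $2 }
    $1 == "gpgcheck" { gpgcheck = $2 }
    $1 == "baseurl"  { baseurl = $2 }
    END { flush() }
  ' "$1"
}

# harden_repo FILE: print a copy with gpgcheck=0 turned into gpgcheck=1 and
# http:// baseurls switched to https://. Redirect the output to the .repo path to apply.
harden_repo() {
  sed -e 's/^gpgcheck=0$/gpgcheck=1/' \
      -e 's#^baseurl=http://#baseurl=https://#' "$1"
}
```

Run audit_repo /etc/yum.repos.d/epel.repo on the client; an empty result means every enabled repository verifies package signatures. With gpgcheck=1, yum uses the key named by the existing gpgkey line, so no other change to the file is needed.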

5.2 Start the client

Upload openvpn.gongstring.com.ovpn to /data/public/openvpn on the client machine:

mkdir -p /data/public/openvpn

The certificate can be copied from the server to the client machine with:

scp ./openvpn.gongstring.com.ovpn root@192.11.11.11:/data/public/openvpn

Run the start command. Note that the client must be able to reach the server as openvpn.gongstring.com and the port must be open. On an internal network the simplest way is to add a hosts entry.

Add this line to /etc/hosts on the client:

192.11.11.10	openvpn.gongstring.com

Then start the client from the directory holding the profile:

cd /data/public/openvpn
openvpn ./openvpn.gongstring.com.ovpn

If the connection succeeds, output like the following appears:

Thu Aug 20 23:37:43 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020
Thu Aug 20 23:37:43 2020 library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
Thu Aug 20 23:37:43 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.8.10:1194
Thu Aug 20 23:37:43 2020 UDP link local: (not bound)
Thu Aug 20 23:37:43 2020 UDP link remote: [AF_INET]192.168.8.10:1194
Thu Aug 20 23:37:43 2020 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
Thu Aug 20 23:37:43 2020 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Thu Aug 20 23:37:43 2020 [openvpn.gongstring.com] Peer Connection Initiated with [AF_INET]192.168.8.10:1194
Thu Aug 20 23:37:44 2020 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.4.9)
Thu Aug 20 23:37:44 2020 TUN/TAP device tun0 opened
Thu Aug 20 23:37:44 2020 /sbin/ip link set dev tun0 up mtu 1500
Thu Aug 20 23:37:44 2020 /sbin/ip addr add dev tun0 local 192.168.255.6 peer 192.168.255.5
Thu Aug 20 23:37:44 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Aug 20 23:37:44 2020 Initialization Sequence Completed
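Two helpers for the client-side steps above, added here as an example and not part of the original post: ensure_hosts_entry adds or updates the IP-to-name mapping idempotently (it takes the file path as an argument, so it can be tried on a copy before touching /etc/hosts), and vpn_log_status reads the output of the openvpn command and reports whether "Initialization Sequence Completed" was reached, printing the WARNING and Options error lines without their timestamps. The sample log lines are constructed to match the output shown above; the function names and the temp-file handling are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: helpers for the client-side
# steps (hosts entry and reading the openvpn output). Function names, the
# temp-file handling and the constructed log lines are this example's own.

# ensure_hosts_entry FILE IP NAME: drop any existing line that maps NAME and
# append "IP<TAB>NAME", so repeated runs leave exactly one entry for NAME.
# Pass a copy of /etc/hosts to try it; pass /etc/hosts itself (as root) to apply.
ensure_hosts_entry() {
  file=$1; ip=$2; name=$3
  tmp=$(mktemp) || return 1
  # keep every line whose hostname fields (2..NF) do not contain NAME
  awk -v n="$name" '{ keep = 1; for (i = 2; i <= NF; i++) if ($i == n) keep = 0 } keep' "$file" > "$tmp"
  printf '%s\t%s\n' "$ip" "$name" >> "$tmp"
  cat "$tmp" > "$file" && rm -f "$tmp"
}

# hosts_lookup FILE NAME: print the IP the hosts file maps NAME to (first match wins).
hosts_lookup() {
  awk -v n="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$1"
}

# Constructed sample of the openvpn client output shown above (timestamps kept).
make_sample_log() {
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
Thu Aug 20 23:37:43 2020 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Thu Aug 20 23:37:43 2020 [openvpn.gongstring.com] Peer Connection Initiated with [AF_INET]192.168.8.10:1194
Thu Aug 20 23:37:44 2020 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.4.9)
Thu Aug 20 23:37:44 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Aug 20 23:37:44 2020 Initialization Sequence Completed
EOF
  echo "$f"
}

# vpn_log_status FILE: print WARNING and "Options error" lines without their
# timestamp, then return 0 only if the log reached "Initialization Sequence Completed".
vpn_log_status() {
  grep -E 'WARNING:|Options error:' "$1" \
    | sed 's/^[A-Z][a-z]* [A-Z][a-z]* [0-9]* [0-9:]* [0-9]* //' || true
  grep -q 'Initialization Sequence Completed' "$1"
}
```

Of the lines the sample reports, the block-outside-dns error is harmless on Linux: it is a Windows-only option pushed by the server and rejected by other platforms. The comp-lzo warning says the server config enables compression while the client profile does not; the tunnel still completes, as the log shows, and leaving compression off on both sides is the safer choice. The auth-nocache warning refers to OpenVPN caching any password or passphrase it prompts for, and is silenced by adding auth-nocache to the client profile.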