
Setting up OpenVPN with Docker

Current environment: a fresh CentOS 7.4 system with the yum repositories already configured.

1. Install Docker

```bash
yum install yum-utils device-mapper-persistent-data lvm2
wget -O /etc/yum.repos.d/docker-ce.repo https://download.docker.com/linux/centos/docker-ce.repo
sed -i 's+download.docker.com+mirrors.tuna.tsinghua.edu.cn/docker-ce+' /etc/yum.repos.d/docker-ce.repo
yum makecache fast
yum install docker
```

Check the installed version:

```bash
docker version
```


2. Docker registry mirror

For a registry mirror (image accelerator), see: https://blog.whsir.com/post-2549.html

```bash
vi /etc/docker/daemon.json
```

```json
{
  "registry-mirrors": ["https://xxx.mirror.aliyuncs.com"]
}
```

3. Start Docker

```bash
systemctl start docker
```

4. Pull the OpenVPN image

```bash
docker pull kylemanna/openvpn:2.4
```

5. Create a data directory

```bash
mkdir -p /data/openvpn
```

6. Generate the server configuration (39.104.162.245 is the current public IP of my server)

```bash
docker run -v /data/openvpn:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_genconfig -u udp://39.104.162.245
```

```
Processing PUSH Config: 'block-outside-dns'
Processing Route Config: '192.168.254.0/24'
Processing PUSH Config: 'dhcp-option DNS 8.8.8.8'
Processing PUSH Config: 'dhcp-option DNS 8.8.4.4'
Successfully generated config
Cleaning up before Exit ...
```

7. Generate the PKI (CA and server key material)

```bash
docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 ovpn_initpki
```

Enter a passphrase for the CA private key (nothing is echoed while you type):
Enter PEM pass phrase:12345678
Enter it again:
Verifying - Enter PEM pass phrase:12345678
Enter a CA name (I just pressed Enter to accept the default):
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
Enter the passphrase you just set (you will be asked for it once more afterwards):
Enter pass phrase for /etc/openvpn/pki/private/ca.key:12345678

8. Generate a client certificate (replace whsir with the name you want)

```bash
docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa build-client-full whsir nopass
```

Enter the passphrase you set earlier:
Enter pass phrase for /etc/openvpn/pki/private/ca.key:12345678

9. Export the client configuration

```bash
mkdir -p /data/openvpn/conf
docker run -v /data/openvpn:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_getclient whsir > /data/openvpn/conf/whsir.ovpn
```

10. Start the OpenVPN service

```bash
docker run --name openvpn -v /data/openvpn:/etc/openvpn -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn:2.4
```

PS: to stop and start the container later:

```bash
docker stop openvpn
docker start openvpn
```

11. Save the current firewall rules

```bash
iptables-save > /etc/sysconfig/iptables
```

12. Configure the firewall

Stop firewalld and disable it at boot:

```bash
systemctl stop firewalld.service
systemctl disable firewalld.service
```

Install the iptables service and enable it at boot:

```bash
yum -y install iptables-services net-tools
systemctl enable iptables.service
```

Edit the firewall configuration:

```bash
vi /etc/sysconfig/iptables
```

Add the following rules just before the final COMMIT:

```
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
```

Below is a complete example (it is only an example; adjust the firewall to your own situation). Note that the added REJECT rules sit after Docker's own FORWARD and DOCKER rules, so the UDP 1194 traffic that is DNAT'd to the container is still accepted before the final REJECT is reached:

```
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [3:228]
:POSTROUTING ACCEPT [3:228]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p udp -m udp --dport 1194 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p udp -m udp --dport 1194 -j DNAT --to-destination 172.17.0.2:1194
COMMIT
*filter
:INPUT ACCEPT [60:4900]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [50:4784]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p udp -m udp --dport 1194 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
```

13. Restart the firewall

```bash
systemctl restart iptables
```

14. Download the client profile (with its certificate) to your local machine

```bash
yum install lrzsz -y
sz /data/openvpn/conf/whsir.ovpn
```

OpenVPN Windows client configuration

OpenVPN client download: https://down.whsir.com/downloads/openvpn-install-2.4.4-I601.exe

In the OpenVPN installation directory there is a config directory. Put the whsir.ovpn exported from the server into that directory, run OpenVPN GUI, right-click the whsir profile and choose Connect.

Finally, verify the connection: open Baidu and search for "ip" to check the public IP you are now browsing from.


Appendix:

For convenience, here are two scripts, one to delete a user and one to create a user.

OpenVPN delete-user script:

```bash
#!/bin/bash
read -p "Delete username: " DNAME
# Revoke the client certificate and regenerate the CRL
docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa revoke "$DNAME"
docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa gen-crl
# Remove the leftover request, key and certificate files for this client
docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 rm -f /etc/openvpn/pki/reqs/"$DNAME".req
docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 rm -f /etc/openvpn/pki/private/"$DNAME".key
docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 rm -f /etc/openvpn/pki/issued/"$DNAME".crt
docker restart openvpn
```

OpenVPN create-user script:

```bash
#!/bin/bash
read -p "Enter username: " NAME
# Issue the client certificate and export the matching .ovpn profile
docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa build-client-full "$NAME" nopass
docker run -v /data/openvpn:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_getclient "$NAME" > /data/openvpn/conf/"$NAME".ovpn
docker restart openvpn
```
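As an added example (not from the original post), the two scripts above merged into one script that checks the client name before it is handed to easyrsa and used to build paths under /etc/openvpn/pki/. It keeps the post's image tag, directories and commands; the script name ovpn-client.sh and the validation rules are my own choices.

```bash
#!/bin/bash
# Added example, not from the original post: add or revoke one OpenVPN client
# with the same docker/easyrsa commands the post uses, after validating the
# name, because the name is passed to easyrsa and used to build file paths.
set -u

IMAGE="kylemanna/openvpn:2.4"   # image tag used throughout the post
DATA="/data/openvpn"            # host directory mounted as /etc/openvpn
CONF_DIR="$DATA/conf"           # where the post stores exported .ovpn files

# Accept only names of 1-64 characters made of letters, digits, '.', '_' and '-',
# starting with a letter or digit. Returns 0 if acceptable, 1 otherwise.
valid_client_name() {
    case "$1" in
        ''|*/*|*..*) return 1 ;;    # empty, path separator or ".." are never valid
    esac
    [ "${#1}" -le 64 ] || return 1
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._-]*$'
}

# Run a command in a throwaway container, as the post does (-it because
# easyrsa prompts for the CA passphrase).
ovpn() { docker run -v "$DATA:/etc/openvpn" --rm -it "$IMAGE" "$@"; }

add_client() {
    valid_client_name "$1" || { echo "invalid client name: '$1'" >&2; return 2; }
    ovpn easyrsa build-client-full "$1" nopass
    mkdir -p "$CONF_DIR"
    docker run -v "$DATA:/etc/openvpn" --rm "$IMAGE" ovpn_getclient "$1" > "$CONF_DIR/$1.ovpn"
    chmod 600 "$CONF_DIR/$1.ovpn"   # the exported profile embeds the client's private key
}

revoke_client() {
    valid_client_name "$1" || { echo "invalid client name: '$1'" >&2; return 2; }
    ovpn easyrsa revoke "$1"
    ovpn easyrsa gen-crl
    # Remove the leftover PKI files for this name, as the post's script does.
    ovpn rm -f "/etc/openvpn/pki/reqs/$1.req" "/etc/openvpn/pki/private/$1.key" \
               "/etc/openvpn/pki/issued/$1.crt"
    rm -f "$CONF_DIR/$1.ovpn"
    docker restart openvpn
}

# Usage: ./ovpn-client.sh add NAME   |   ./ovpn-client.sh revoke NAME
case "${1:-}" in
    add)    add_client "${2:-}" ;;
    revoke) revoke_client "${2:-}" ;;
esac
```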

