
Installing an OpenVPN Server with docker-compose


Installation environment

For this install, a virtual machine rented on Microsoft Azure serves as the VPN Server, and a VM created on a physical machine serves as the VPN Client. The hardware specs and environment information are as follows:

Item        VPN Server                 VPN Client
OS          Ubuntu 16.04 LTS Server    Ubuntu 16.04 LTS Server
vCPU        1 vCPU                     1 vCPU
RAM         1 GB                       1 GB
Disk        30 GB                      30 GB
Private IP  eth0: 10.0.1.4             eth0: 172.22.0.4
Public IP   owenouyang.ga              -

Write the template below into a docker-compose.yml file:

version: '3'
services:
  openvpn:
    # NET_ADMIN is needed so the container can create the tun device and routes
    cap_add:
      - NET_ADMIN
    image: kylemanna/openvpn
    container_name: openvpn
    hostname: openvpn
    # host port 1194/udp is forwarded to the server inside the container
    ports:
      - "1194:1194/udp"
    restart: always
    # PKI, server config and client profiles are kept on the host
    volumes:
      - /root/data/openvpn:/etc/openvpn

1194 is the port number; if you want a different port, this is where to change it. Remember to check whether the VPS has a firewall configured that blocks connections from outside!

Demo

[root@myvpn ~]# mkdir -p /root/data/openvpn
[root@myvpn ~]# docker-compose run --rm openvpn ovpn_genconfig -u udp://owenouyang.ga
Pulling openvpn (kylemanna/openvpn:)...
latest: Pulling from kylemanna/openvpn
188c0c94c7c5: Already exists
e470f824352c: Pull complete
d6ed0c7c142e: Pull complete
74586f3c5cd4: Pull complete
cb26244a2b2a: Pull complete
Digest: sha256:643531abb010a088f1e23a1c99d44f0bd417a3dbb483f809caf4396b5c9829a0
Status: Downloaded newer image for kylemanna/openvpn:latest
Processing PUSH Config: 'block-outside-dns'
Processing Route Config: '192.168.254.0/24'
Processing PUSH Config: 'dhcp-option DNS 8.8.8.8'
Processing PUSH Config: 'dhcp-option DNS 8.8.4.4'
Processing PUSH Config: 'comp-lzo no'
Successfully generated config
Cleaning up before Exit ...

Replace owenouyang.ga with your own domain, and remember to point that domain's DNS record at this VPS's IP.

[root@myvpn ~]# docker-compose run --rm openvpn ovpn_initpki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki


Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020

Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
.............................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:myvpn

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt


Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..+.......................................................+..............
................+..................++*++*++*++*

DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem


Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating a RSA private key
.................................................................................................+++++
.................+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-72.oGGNiF/tmp.iIHDPh'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-72.oGGNiF/tmp.EoOebI
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'owenouyang.ga'
Certificate is to be certified until Jul 31 03:10:24 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Using configuration from /etc/openvpn/pki/easy-rsa-147.LPbjaB/tmp.CCKLEa
Enter pass phrase for /etc/openvpn/pki/private/ca.key:

An updated CRL has been created.
CRL file: /etc/openvpn/pki/crl.pem

Start the OpenVPN Server

$ docker-compose up -d openvpn

Create the client connection profile

$ export CLIENTNAME="myvpn"

This sets the client name used by the commands that follow. Next, create a client whose key requires a password:

$ docker-compose run --rm openvpn easyrsa build-client-full "$CLIENTNAME"
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating a RSA private key
...............+++++
...............+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-1.AFgNIn/tmp.OpMLbP'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/openvpn/pki/easy-rsa-1.AFgNIn/tmp.PielgE
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'myvpn'
Certificate is to be certified until Jul 31 03:25:39 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Take special care here: if you enter the wrong CA passphrase at this step, this client name becomes unusable, so try again with a different CLIENTNAME!

$ docker-compose run --rm openvpn ovpn_getclient "$CLIENTNAME" > "$CLIENTNAME.ovpn"

This extracts the OpenVPN connection profile; that file is all you need to connect!

Since the certificate it generates is valid for three years (you will see the notice in the output), signing a new one just means running the steps above again; revoking one uses the command below.

$ docker-compose run --rm openvpn ovpn_revokeclient "$CLIENTNAME"

The "$CLIENTNAME.ovpn" extracted in this step can now be used to connect.
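An added example, not from the original post: a small POSIX sh helper that inspects the easy-rsa PKI the steps above create, so a CLIENTNAME that is already valid, already revoked, or left half-issued after a mistyped passphrase is caught before build-client-full is run again. It assumes the PKI directory shown in the output (/etc/openvpn/pki, which this compose file mounts from /root/data/openvpn/pki on the host) and the OpenSSL CA index.txt column layout; the sample PKI it builds is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Inspects the easy-rsa PKI that
# ovpn_initpki created (/etc/openvpn/pki inside the container, which this
# compose file mounts from /root/data/openvpn/pki on the host).
# Assumed index.txt layout (OpenSSL CA database):
#   status<TAB>expiry<TAB>revoked<TAB>serial<TAB>file<TAB>DN
# with status V (valid), R (revoked) or E (expired).

# pki_status NAME PKI_DIR -> prints one of: valid revoked expired pending free
pki_status() {
    name=$1
    pki=$2
    # Match the exact CN in the DN column; the last entry for a name wins.
    status=$(awk -F'\t' -v cn="/CN=$name" '$6 == cn { s = $1 } END { print s }' \
        "$pki/index.txt")
    case "$status" in
        V) echo valid ;;
        R) echo revoked ;;
        E) echo expired ;;
        *)
            # A request with no index entry is what a build-client-full run
            # leaves behind when its signing step fails (e.g. a mistyped CA
            # passphrase); easy-rsa refuses to generate that name again.
            if [ -e "$pki/reqs/$name.req" ]; then echo pending; else echo free; fi
            ;;
    esac
}

# can_issue NAME PKI_DIR -> succeeds only for a never-used name, which is the
# post's advice: pick a new CLIENTNAME rather than retrying a failed one.
can_issue() {
    [ "$(pki_status "$1" "$2")" = free ]
}

# make_sample_pki DIR -> constructed sample: the server cert, one valid client,
# one client revoked with ovpn_revokeclient, and one whose signing failed.
make_sample_pki() {
    mkdir -p "$1/reqs"
    {
        printf 'V\t230731031024Z\t\t01\tunknown\t/CN=owenouyang.ga\n'
        printf 'V\t230731032539Z\t\t02\tunknown\t/CN=myvpn\n'
        printf 'R\t230731040000Z\t210427050000Z\t03\tunknown\t/CN=old-laptop\n'
    } > "$1/index.txt"
    : > "$1/reqs/typo-client.req"
}

# Usage on the real PKI: pki_status "$CLIENTNAME" /root/data/openvpn/pki
```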

OpenVPN Client test

Install the OpenVPN Client

Install OpenVPN on the client machine:

$ sudo apt-get install -y openvpn
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
iproute2 libatm1 libelf1 liblzo2-2 libmnl0 libpkcs11-helper1 libxtables12
Suggested packages:
iproute2-doc easy-rsa resolvconf
The following NEW packages will be installed:
iproute2 libatm1 libelf1 liblzo2-2 libmnl0 libpkcs11-helper1 libxtables12 openvpn
0 upgraded, 8 newly installed, 0 to remove and 8 not upgraded.
Need to get 1391 kB of archives.
After this operation, 4036 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu bionic/main amd64 liblzo2-2 amd64 2.08-1.2 [48.7 kB]
Get:2 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libelf1 amd64 0.170-0.4ubuntu0.1 [44.8 kB]
Get:3 http://archive.ubuntu.com/ubuntu bionic/main amd64 libmnl0 amd64 1.0.4-2 [12.3 kB]
Get:4 http://archive.ubuntu.com/ubuntu bionic/main amd64 iproute2 amd64 4.15.0-2ubuntu1 [721 kB]
Get:5 http://archive.ubuntu.com/ubuntu bionic/main amd64 libatm1 amd64 1:2.5.1-2build1 [21.9 kB]
Get:6 http://archive.ubuntu.com/ubuntu bionic/main amd64 libxtables12 amd64 1.6.1-2ubuntu2 [27.9 kB]
Get:7 http://archive.ubuntu.com/ubuntu bionic/main amd64 libpkcs11-helper1 amd64 1.22-4 [43.5 kB]
Get:8 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 openvpn amd64 2.4.4-2ubuntu1.3 [470 kB]
Fetched 1391 kB in 3s (529 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package liblzo2-2:amd64.
(Reading database ... 16214 files and directories currently installed.)
Preparing to unpack .../0-liblzo2-2_2.08-1.2_amd64.deb ...
Unpacking liblzo2-2:amd64 (2.08-1.2) ...
Selecting previously unselected package libelf1:amd64.
Preparing to unpack .../1-libelf1_0.170-0.4ubuntu0.1_amd64.deb ...
Unpacking libelf1:amd64 (0.170-0.4ubuntu0.1) ...
Selecting previously unselected package libmnl0:amd64.
Preparing to unpack .../2-libmnl0_1.0.4-2_amd64.deb ...
Unpacking libmnl0:amd64 (1.0.4-2) ...
Selecting previously unselected package iproute2.
Preparing to unpack .../3-iproute2_4.15.0-2ubuntu1_amd64.deb ...
Unpacking iproute2 (4.15.0-2ubuntu1) ...
Selecting previously unselected package libatm1:amd64.
Preparing to unpack .../4-libatm1_1%3a2.5.1-2build1_amd64.deb ...
Unpacking libatm1:amd64 (1:2.5.1-2build1) ...
Selecting previously unselected package libxtables12:amd64.
Preparing to unpack .../5-libxtables12_1.6.1-2ubuntu2_amd64.deb ...
Unpacking libxtables12:amd64 (1.6.1-2ubuntu2) ...
Selecting previously unselected package libpkcs11-helper1:amd64.
Preparing to unpack .../6-libpkcs11-helper1_1.22-4_amd64.deb ...
Unpacking libpkcs11-helper1:amd64 (1.22-4) ...
Selecting previously unselected package openvpn.
Preparing to unpack .../7-openvpn_2.4.4-2ubuntu1.3_amd64.deb ...
Unpacking openvpn (2.4.4-2ubuntu1.3) ...
Setting up libelf1:amd64 (0.170-0.4ubuntu0.1) ...
Setting up libpkcs11-helper1:amd64 (1.22-4) ...
Setting up libatm1:amd64 (1:2.5.1-2build1) ...
Setting up libxtables12:amd64 (1.6.1-2ubuntu2) ...
Setting up libmnl0:amd64 (1.0.4-2) ...
Setting up liblzo2-2:amd64 (2.08-1.2) ...
Setting up iproute2 (4.15.0-2ubuntu1) ...
Setting up openvpn (2.4.4-2ubuntu1.3) ...
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 76.)
debconf: falling back to frontend: Readline
invoke-rc.d: could not determine current runlevel
invoke-rc.d: policy-rc.d denied execution of cond-restart.
Processing triggers for libc-bin (2.27-3ubuntu1) ...

Connect

$ openvpn myvpn.ovpn
Tue Apr 27 04:49:54 2021 OpenVPN 2.4.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb 7 2020
Tue Apr 27 04:49:54 2021 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
Tue Apr 27 04:49:54 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]20.48.89.78:1194
Tue Apr 27 04:49:54 2021 UDP link local: (not bound)
Tue Apr 27 04:49:54 2021 UDP link remote: [AF_INET]20.48.89.78:1194
Tue Apr 27 04:49:54 2021 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
Tue Apr 27 04:49:54 2021 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Tue Apr 27 04:49:54 2021 [owenouyang.ga] Peer Connection Initiated with [AF_INET]20.48.89.78:1194
Tue Apr 27 04:49:55 2021 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.4.8)
Tue Apr 27 04:49:55 2021 TUN/TAP device tun0 opened
Tue Apr 27 04:49:55 2021 /sbin/ip link set dev tun0 up mtu 1500
Tue Apr 27 04:49:55 2021 /sbin/ip addr add dev tun0 local 192.168.255.6 peer 192.168.255.5
Tue Apr 27 04:49:55 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Apr 27 04:49:55 2021 Initialization Sequence Completed