当前环境,全新的Centos7.4系统,配置好yum源
1、安装docker
12345 | yum install yum-utils device-mapper-persistent-data lvm2wget -O /etc/yum.repos.d/docker-ce.repo https://download.docker.com/linux/centos/docker-ce.reposed -i \'s download.docker.com mirrors.tuna.tsinghua.edu.cn/docker-ce \' /etc/yum.repos.d/docker-ce.repoyum makecache fastyum install docker |
docker version
2、docker镜像加速
镜像加速器可参考:https://blog.whsir.com/post-2549.html
vi /etc/docker/daemon.json
{ “registry-mirrors”: [“https://xxx.mirror.aliyuncs.com”] }
3、启动docker
1 | systemctl start docker |
4、拉取openvpn镜像
1 | docker pull kylemanna/openvpn:2.4 |
5、创建一个目录
1 | mkdir -p /data/openvpn |
6、生成配置文件(39.104.162.245这个ip是我当前服务器的公网IP)
1 | docker run -v /data/openvpn:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_genconfig -u udp://39.104.162.245 |
Processing PUSH Config: \'block-outside-dns\'
Processing Route Config: \'192.168.254.0/24\'
Processing PUSH Config: \'dhcp-option DNS 8.8.8.8\'
Processing PUSH Config: \'dhcp-option DNS 8.8.4.4\'
Successfully generated config
Cleaning up before Exit ...
7、生成密钥文件
1 | docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 ovpn_initpki |
输入私钥密码(输入时是看不见的): Enter PEM pass phrase:12345678 再输入一遍 Verifying – Enter PEM pass phrase:12345678 输入一个CA名称(我这里直接回车) Common Name (eg: your user, host, or server name) [Easy-RSA CA]: 输入刚才设置的私钥密码(输入完成后会再让输入一次) Enter pass phrase for /etc/openvpn/pki/private/ca.key:12345678
8、生成客户端证书(这里的whsir改成你想要的名字)
1 | docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa build-client-full whsir nopass |
输入刚才设置的密码 Enter pass phrase for /etc/openvpn/pki/private/ca.key:12345678
9、导出客户端配置
12 | mkdir -p /data/openvpn/confdocker run -v /data/openvpn:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_getclient whsir > /data/openvpn/conf/whsir.ovpn |
10、启动OpenVPN服务
1 | docker run --name openvpn -v /data/openvpn:/etc/openvpn -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn:2.4 |
PS: 停止openvpn docker stop openvpn 启动openvpn docker start openvpn
11、保存防火墙规则
1 | iptables-save > /etc/sysconfig/iptables |
12、设置防火墙
关闭firewalld防火墙,关闭开机自启
12 | systemctl stop firewalld.servicesystemctl disable firewalld.service |
安装iptables防火墙,设置开机自启
12 | yum -y install iptables-services net-toolssystemctl enable iptables.service |
编辑防火墙配置
1 | vi /etc/sysconfig/iptables |
在最后COMMIT前添加以下规则
12345 | -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT-A INPUT -j REJECT --reject-with icmp-host-prohibited-A FORWARD -j REJECT --reject-with icmp-host-prohibited |
下面是一个完整的示例(这里只是个示例,根据自身情况对防火墙进行调整)
*nat:PREROUTING ACCEPT [0:0]:INPUT ACCEPT [0:0]:OUTPUT ACCEPT [3:228]:POSTROUTING ACCEPT [3:228]:DOCKER – [0:0]-A PREROUTING -m addrtype –dst-type LOCAL -j DOCKER-A OUTPUT ! -d 127.0.0.0/8 -m addrtype –dst-type LOCAL -j DOCKER-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p udp -m udp –dport 1194 -j MASQUERADE-A DOCKER -i docker0 -j RETURN-A DOCKER ! -i docker0 -p udp -m udp –dport 1194 -j DNAT –to-destination 172.17.0.2:1194COMMIT*filter:INPUT ACCEPT [60:4900]:FORWARD DROP [0:0]:OUTPUT ACCEPT [50:4784]:DOCKER – [0:0]:DOCKER-ISOLATION – [0:0]-A FORWARD -j DOCKER-ISOLATION-A FORWARD -o docker0 -j DOCKER-A FORWARD -o docker0 -m conntrack –ctstate RELATED,ESTABLISHED -j ACCEPT-A FORWARD -i docker0 ! -o docker0 -j ACCEPT-A FORWARD -i docker0 -o docker0 -j ACCEPT-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p udp -m udp –dport 1194 -j ACCEPT-A DOCKER-ISOLATION -j RETURN-A INPUT -p tcp -m tcp –dport 22 -j ACCEPT-A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT-A INPUT -p icmp -m icmp –icmp-type 8 -j ACCEPT-A INPUT -j REJECT –reject-with icmp-host-prohibited-A FORWARD -j REJECT –reject-with icmp-host-prohibitedCOMMIT
13、重启防火墙
1 | systemctl restart iptables |
14、将登录的证书下载到本地
12 | yum install lrzsz -ysz /data/openvpn/conf/whsir.ovpn |
openvpn windows客户端配置
openvpn客户端下载:http://down.whsir.com/downloads/openvpn-install-2.4.4-I601.exe
在openvpn的安装目录下,有个config目录,将服务器上的whsir.ovpn,放在该目录下,运行OpenVPN GUI,右键whsir连接connect
转载:https://blog.whsir.com/post-2809.html