
Setting up OpenVPN with Docker

Environment: a fresh CentOS 7.4 system with the yum repositories already configured.

1. Install Docker

yum install yum-utils device-mapper-persistent-data lvm2
wget -O /etc/yum.repos.d/docker-ce.repo https://download.docker.com/linux/centos/docker-ce.repo
sed -i 's+download.docker.com+mirrors.tuna.tsinghua.edu.cn/docker-ce+' /etc/yum.repos.d/docker-ce.repo
yum makecache fast
yum install docker-ce

(The repository added above ships the package as docker-ce; a plain yum install docker would instead pull the older Docker build from the CentOS extras repository.) Check the result:

docker version

2. Docker registry mirror (image acceleration)

For registry mirrors, see: https://blog.whsir.com/post-2549.html

vi /etc/docker/daemon.json

{ "registry-mirrors": ["https://xxx.mirror.aliyuncs.com"] }

3. Start Docker

systemctl start docker

4. Pull the OpenVPN image

docker pull kylemanna/openvpn:2.4

5. Create a data directory

mkdir -p /data/openvpn

6. Generate the configuration (39.104.162.245 is the public IP of my server)

docker run -v /data/openvpn:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_genconfig -u udp://39.104.162.245

Processing PUSH Config: 'block-outside-dns'
Processing Route Config: '192.168.254.0/24'
Processing PUSH Config: 'dhcp-option DNS 8.8.8.8'
Processing PUSH Config: 'dhcp-option DNS 8.8.4.4'
Successfully generated config
Cleaning up before Exit ...

7. Generate the key files (the PKI: CA, server certificate and keys)

docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 ovpn_initpki

You are asked for a private-key passphrase (nothing is echoed as you type):
Enter PEM pass phrase: 12345678
Type it again:
Verifying - Enter PEM pass phrase: 12345678
Then a CA name (I just pressed Enter here):
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
Then the passphrase you just set (it is asked once more after this):
Enter pass phrase for /etc/openvpn/pki/private/ca.key: 12345678

The 12345678 used in this walkthrough protects the CA key that signs every server and client certificate; on a real server choose a strong passphrase, keep a backup of /data/openvpn/pki/private/ca.key off the VPN host, and do not reuse the value shown here.

8. Generate a client certificate (replace whsir with whatever name you want)

docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa build-client-full whsir nopass

Enter the passphrase you set earlier:
Enter pass phrase for /etc/openvpn/pki/private/ca.key: 12345678

Note that nopass leaves the client's private key unencrypted, so the profile exported in the next step can be used by anyone who obtains it; drop nopass if the client should have to enter a key passphrase when connecting.

9. Export the client configuration

mkdir -p /data/openvpn/conf
docker run -v /data/openvpn:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_getclient whsir > /data/openvpn/conf/whsir.ovpn

10. Start the OpenVPN service

docker run --name openvpn -v /data/openvpn:/etc/openvpn -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn:2.4

PS: to stop OpenVPN: docker stop openvpn
To start it again: docker start openvpn

11. Save the firewall rules (Docker has already added the NAT and FORWARD rules for the container; saving them now keeps them when iptables-services takes over)

iptables-save > /etc/sysconfig/iptables

12. Configure the firewall

Stop firewalld and disable it at boot

systemctl stop firewalld.service
systemctl disable firewalld.service

Install the iptables service and enable it at boot

yum -y install iptables-services net-tools
systemctl enable iptables.service

Edit the firewall configuration

1vi /etc/sysconfig/iptables

Add the following rules just before the final COMMIT

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Below is a complete example (it is only an example; adjust the firewall to your own situation). Two things to keep in mind when adapting it: udp/1194 reaches the container through the DNAT in the nat table and the DOCKER chain of FORWARD, not through INPUT, and 172.17.0.2 is the container's address at the moment the rules were saved, so save again if the container comes back with a different one. The example also has no -A INPUT -i lo -j ACCEPT rule, so anything on the host that talks to itself over loopback is rejected unless you add one.

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [3:228]
:POSTROUTING ACCEPT [3:228]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p udp -m udp --dport 1194 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p udp -m udp --dport 1194 -j DNAT --to-destination 172.17.0.2:1194
COMMIT
*filter
:INPUT ACCEPT [60:4900]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [50:4784]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p udp -m udp --dport 1194 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

13. Restart the firewall

systemctl restart iptables
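Before the restart above actually reloads the rules, it is worth checking the saved file for the mistakes this layout invites: a REJECT that ends up above Docker's FORWARD hand-off (VPN traffic rejected), a REJECT above the SSH accept (lockout), a missing DNAT for the published port, and the absent loopback rule. The script below is an added example written for this page, not the post's own code or anything from the kylemanna image; it assumes only the iptables-save format and the post's ports (tcp/22 for SSH, udp/1194 for OpenVPN), and its sample ruleset is a constructed, abridged copy of the post's example.

```shell
#!/bin/sh
# Added example, not from the original post: audit a saved
# /etc/sysconfig/iptables BEFORE `systemctl restart iptables`, so that a rule
# pasted in the wrong place does not lock out SSH or reject the VPN port that
# Docker forwards to the container. Assumes iptables-save format, SSH on
# tcp/22 and OpenVPN published on udp/1194, as in the post.

# Rules of one table: the lines between "*<table>" and its COMMIT.
table_rules() {  # $1 = file, $2 = nat | filter
    awk -v t="*$2" '$0 == t {on = 1; next} on && $0 == "COMMIT" {exit} on' "$1"
}

# 1-based position of the first rule in chain $3 of table $2 matching regex
# $4, or 0. Order is the point: iptables-restore keeps file order, and a
# terminal REJECT shadows every rule that comes after it in the chain.
rule_pos() {
    table_rules "$1" "$2" | awk -v c="$3" -v re="$4" '
        $1 == "-A" && $2 == c { n++; if (!p && $0 ~ re) p = n }
        END { print p + 0 }'
}

# Container address behind the udp/1194 DNAT; empty if Docker never added it.
vpn_dnat_target() {
    table_rules "$1" nat | sed -n \
      's/^-A DOCKER .*-p udp .*--dport 1194 -j DNAT --to-destination \([0-9.]*\):1194$/\1/p'
}

# check_iptables_file FILE: prints findings, returns 0 unless one is FATAL.
check_iptables_file() {
    local f="$1" rc=0 target p_ok p_rej
    target=$(vpn_dnat_target "$f")
    if [ -z "$target" ]; then
        echo "FATAL: no DNAT for udp/1194 in the nat DOCKER chain; the VPN is unreachable"; rc=1
    else
        echo "OK: udp/1194 is DNATed to $target (save again if the container gets a new IP)"
    fi
    p_ok=$(rule_pos "$f" filter INPUT '-p tcp .*--dport 22 -j ACCEPT')
    p_rej=$(rule_pos "$f" filter INPUT ' -j REJECT')
    if [ "$p_ok" -eq 0 ] || { [ "$p_rej" -gt 0 ] && [ "$p_ok" -gt "$p_rej" ]; }; then
        echo "FATAL: tcp/22 is not accepted before INPUT's REJECT; you would lose SSH"; rc=1
    fi
    p_ok=$(rule_pos "$f" filter FORWARD '-o docker0 -j DOCKER')
    p_rej=$(rule_pos "$f" filter FORWARD ' -j REJECT')
    if [ "$p_ok" -eq 0 ] || { [ "$p_rej" -gt 0 ] && [ "$p_ok" -gt "$p_rej" ]; }; then
        echo "FATAL: FORWARD hits REJECT before jumping to DOCKER; VPN packets are rejected"; rc=1
    fi
    if [ "$(rule_pos "$f" filter INPUT '-i lo -j ACCEPT')" -eq 0 ]; then
        echo "WARN: no '-A INPUT -i lo -j ACCEPT'; services reached over loopback will be rejected"
    fi
    return "$rc"
}

# Constructed sample: the post's example ruleset, abridged to the rules that
# matter for the checks above.
write_sample_ruleset() {
cat > "$1" <<'EOF'
*nat
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER ! -i docker0 -p udp -m udp --dport 1194 -j DNAT --to-destination 172.17.0.2:1194
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p udp -m udp --dport 1194 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# The same ruleset with the FORWARD REJECT pasted at the top of the chain
# instead of just before COMMIT: the usual way this step goes wrong.
write_broken_ruleset() {
    write_sample_ruleset "$1.tmp"
    awk '/^-A FORWARD -j REJECT/ {next}
         /^-A FORWARD -j DOCKER-ISOLATION/ {print "-A FORWARD -j REJECT --reject-with icmp-host-prohibited"}
         {print}' "$1.tmp" > "$1" && rm -f "$1.tmp"
}

WORK=$(mktemp -d)
write_sample_ruleset "$WORK/iptables.good"
write_broken_ruleset "$WORK/iptables.bad"
echo "== post's example =="; check_iptables_file "$WORK/iptables.good" || true
echo "== REJECT above Docker's rules =="; check_iptables_file "$WORK/iptables.bad" || true
```

Run it as check_iptables_file /etc/sysconfig/iptables on the real file after step 12; the rule positions it prints are the ones you would see with iptables -L --line-numbers once the ruleset is loaded. The FATAL checks are restricted to what would break SSH or the VPN; the loopback rule is only a warning because nothing in this post depends on it.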

14. Download the client profile (whsir.ovpn, which carries the login certificate) to your local machine

yum install lrzsz -y
sz /data/openvpn/conf/whsir.ovpn

OpenVPN Windows client configuration

OpenVPN client download: http://down.whsir.com/downloads/openvpn-install-2.4.4-I601.exe (a third-party copy of the 2.4.4 installer; the official Windows builds are published by the OpenVPN community project at openvpn.net, which is the safer source for a VPN client)

In the OpenVPN installation directory there is a config folder; copy whsir.ovpn from the server into it, start OpenVPN GUI, right-click whsir and choose Connect.
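Before whsir.ovpn is copied to the Windows machine it pays to look at what is inside it: the profile written by ovpn_getclient inlines the CA certificate, the client certificate, the client's private key (unencrypted here because of nopass) and the tls-auth key, so the file is a credential, not just a config. The audit script below is an added example written for this page, not code from the post or from the kylemanna project; it assumes the ovpn_getclient layout (a remote line plus inline <ca>, <cert>, <key> and <tls-auth> blocks), and its sample profiles are constructed with placeholder PEM bodies that are not key material.

```shell
#!/bin/sh
# Added example, not from the original post: audit an exported client profile
# before it leaves the server. Assumes the layout ovpn_getclient writes (a
# "remote <host> <port> <proto>" line plus inline <ca>, <cert>, <key> and
# <tls-auth> blocks); the expected host, port and protocol are arguments.

# Body of one inline block, e.g.: inline_block whsir.ovpn key
inline_block() {
    awk -v b="$2" '$0 == ("<" b ">") {on = 1; next} $0 == ("</" b ">") {on = 0} on' "$1"
}

# "host port proto" of the first remote line, blank if there is none.
profile_remote() {
    awk '$1 == "remote" {print $2, $3, $4; exit}' "$1"
}

# 0 if the inline key is passphrase-protected (PKCS#8 "ENCRYPTED PRIVATE KEY"
# or a legacy PEM with a Proc-Type: 4,ENCRYPTED header), 1 if it is in clear.
key_is_encrypted() {
    inline_block "$1" key | grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e '^Proc-Type: 4,ENCRYPTED'
}

# check_ovpn_profile FILE HOST PORT PROTO: prints findings; returns 0 unless
# something is FATAL (the profile cannot connect, or would trust the wrong peer).
check_ovpn_profile() {
    local f="$1" want="$2 $3 $4" rc=0 got b perms
    got=$(profile_remote "$f")
    if [ "$got" != "$want" ]; then
        echo "FATAL: remote is '$got', expected '$want' (check the -u argument given to ovpn_genconfig)"; rc=1
    fi
    for b in ca cert key tls-auth; do
        if [ -z "$(inline_block "$f" "$b")" ]; then
            echo "FATAL: inline <$b> block missing or empty"; rc=1
        fi
    done
    if ! grep -q '^key-direction 1$' "$f"; then
        echo "FATAL: no 'key-direction 1' for tls-auth; the TLS handshake will be rejected"; rc=1
    fi
    if ! grep -q '^remote-cert-tls server$' "$f"; then
        echo "FATAL: no 'remote-cert-tls server'; any certificate this CA issued (another client's) could impersonate the server"; rc=1
    fi
    if ! key_is_encrypted "$f"; then
        echo "WARN: private key is unencrypted (built with nopass); whoever holds this file can connect"
    fi
    perms=$(ls -ld "$f" | cut -c5-10)   # group/other permission bits as shown by ls
    if [ "$perms" != "------" ]; then
        echo "WARN: $f is readable by group/other (perm bits $perms); chmod 600 it"
    fi
    return "$rc"
}

# Constructed sample in the ovpn_getclient layout; the PEM bodies are
# placeholders (base64/hex of the words "constructed placeholder"), not keys.
write_sample_profile() {   # $1 = path, $2 = "PRIVATE KEY" | "ENCRYPTED PRIVATE KEY"
cat > "$1" <<EOF
client
nobind
dev tun
remote-cert-tls server
remote 39.104.162.245 1194 udp
<key>
-----BEGIN $2-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
-----END $2-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
636f6e737472756374656420706c616365686f6c646572
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
chmod 600 "$1"
}

WORK=$(mktemp -d)
write_sample_profile "$WORK/whsir.ovpn" "PRIVATE KEY"                 # as the post exports it (nopass)
write_sample_profile "$WORK/whsir-pass.ovpn" "ENCRYPTED PRIVATE KEY"  # client built without nopass
chmod 644 "$WORK/whsir-pass.ovpn"                                     # a sloppy copy, to trigger the perms check
echo "== whsir.ovpn =="; check_ovpn_profile "$WORK/whsir.ovpn" 39.104.162.245 1194 udp || true
echo "== whsir-pass.ovpn =="; check_ovpn_profile "$WORK/whsir-pass.ovpn" 39.104.162.245 1194 udp || true
echo "== wrong server =="; check_ovpn_profile "$WORK/whsir.ovpn" 10.0.0.1 1194 udp || true
```

On the real server the call is check_ovpn_profile /data/openvpn/conf/whsir.ovpn 39.104.162.245 1194 udp. The remote-cert-tls check is the one most worth keeping: without it an OpenVPN client accepts any certificate signed by the CA, including another client's, as the server.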

Reposted from: https://blog.whsir.com/post-2809.html
