Daily update: OpenVPN deployment

Author: admin. This post is 9120 characters long, estimated reading time 23 minutes. Published: 2024-06-16. 1 view.


I. Deploying OpenVPN with Docker

1. Installation

Pull the image

docker pull kylemanna/openvpn

Generate the configuration file

docker run -v /opendata/openvpn:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://113.0*.4*.5*

After the command finishes you can see the generated configuration files in /opendata/openvpn. I am using UDP here; you can also change it to tcp://113.0*.4*.5*, or change the port with tcp://ip[:port] (tcp://113.0*.4*.5*:2345). Note that the address must be the public (external) one.

[root@node1 ~]# docker run -v /opendata/openvpn:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u tcp://113.*
Processing PUSH Config: 'block-outside-dns'
Processing Route Config: '192.168.254.0/24'
Processing PUSH Config: 'dhcp-option DNS 8.8.8.8'
Processing PUSH Config: 'dhcp-option DNS 8.8.4.4'
Processing PUSH Config: 'comp-lzo no'
Successfully generated config
Cleaning up before Exit ...

Contents of the /opendata/openvpn directory; openvpn.conf is the server configuration file.

[root@node1 openvpn]# pwd
/opendata/openvpn
[root@node1 openvpn]# ls
ccd  openvpn.conf  ovpn_env.sh
[root@node1 openvpn]# 

Generate the key files (PKI)

docker run -v /opendata/openvpn:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki

During execution you first set a CA passphrase (the new passphrase must be entered twice). At the prompt Common Name (eg: your user, host, or server name) [Easy-RSA CA]: press Enter; if you do not set one, pressing Enter continues with the default, server. Then you must enter the CA passphrase again to update the key database and to generate the CRL file.

[root@node1 openvpn]# docker run -v /opendata/openvpn:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki


Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020

Enter New CA Key Passphrase: 
Re-Enter New CA Key Passphrase: 
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................+++++
..+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt


Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time

DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem


Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Generating a RSA private key
....................+++++
.........................................+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-74.egjAPe/tmp.nehbfI'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-74.egjAPe/tmp.FFldma
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'113.*'
Certificate is to be certified until Sep 17 03:00:39 2026 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Using configuration from /etc/openvpn/pki/easy-rsa-149.jfDMhe/tmp.BgceFn
Enter pass phrase for /etc/openvpn/pki/private/ca.key:

An updated CRL has been created.
CRL file: /etc/openvpn/pki/crl.pem


[root@node1 openvpn]# 

Check the files: /opendata/openvpn now contains an additional pki directory with many files in it; the issued and private directories hold the client and server certificates and keys.

[root@node1 openvpn]# ls -l
总用量 8
drwxr-xr-x 2 root root   6 6月  14 10:55 ccd
-rw-r--r-- 1 root root 638 6月  14 10:55 openvpn.conf
-rw-r--r-- 1 root root 802 6月  14 10:55 ovpn_env.sh
drwx------ 8 root root 329 6月  14 11:00 pki
[root@node1 openvpn]# pwd
/opendata/openvpn
[root@node1 openvpn]# cd pki
[root@node1 pki]# ls
ca.crt           crl.pem  index.txt       index.txt.attr.old  issued               private  reqs     safessl-easyrsa.cnf  serial.old
certs_by_serial  dh.pem   index.txt.attr  index.txt.old       openssl-easyrsa.cnf  renewed  revoked  serial               ta.key

Generate a client certificate

docker run -v /opendata/openvpn:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full ly-client nopass

Here ly-client is a custom name; you can change it to a name of your own. You will be asked for the CA passphrase during generation.

We use nopass here, meaning no login password is required. If you omit nopass, you will be prompted to set a login password.

[root@node1 pki]# docker run -v /opendata/openvpn:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full ly-client nopass
Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Generating a RSA private key
....................+++++
...............+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-1.oIgHgM/tmp.ENOcMP'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-1.oIgHgM/tmp.EfMhbb
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'ly-client'
Certificate is to be certified until Sep 17 03:11:55 2026 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Export the client configuration file (***.ovpn)

docker run -v /opendata/openvpn:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient ly-client > /opendata/openvpn/ly-client.ovpn

Note that the name ly-client must match the name used in the previous step; the generated ly-client.ovpn can then be used for the client connection.


View the generated files

[root@node1 pki]# pwd
/opendata/openvpn/pki
[root@node1 pki]# 
[root@node1 pki]# ls -l ./issued/ ./private/
./issued/:
总用量 16
-rw------- 1 root root 4629 6月  14 11:00 113.0.42.53.crt
-rw------- 1 root root 4499 6月  14 11:11 ly-client.crt

./private/:
总用量 12
-rw------- 1 root root 1704 6月  14 11:00 113.0.42.53.key
-rw------- 1 root root 1766 6月  14 10:59 ca.key
-rw------- 1 root root 1704 6月  14 11:11 ly-client.key

[root@node1 openvpn]# pwd
/opendata/openvpn
[root@node1 openvpn]# ls -l
总用量 16
drwxr-xr-x 2 root root    6 6月  14 10:55 ccd
-rw-r--r-- 1 root root 4941 6月  14 11:14 ly-client.ovpn
-rw-r--r-- 1 root root  638 6月  14 10:55 openvpn.conf
-rw-r--r-- 1 root root  802 6月  14 10:55 ovpn_env.sh
drwx------ 8 root root  329 6月  14 11:11 pki

Later we will copy ly-client.ovpn, ly-client.crt and ly-client.key to the client.

Check whether the firewall is turned off; if it is not, open port 1194/UDP. At this point the OpenVPN server installation is complete.

Open port 1194 in the firewall (the rule below opens TCP; for the UDP server generated above, use -p udp instead)

iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
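Before copying a profile to a client it is worth checking it against the server's openvpn.conf: that ovpn_getclient embedded ca, cert, key and tls-auth inline, that the remote line carries the same port and protocol as the server, that the tls-auth key-direction is 0 on the server and 1 on the client, and which firewall rule (udp or tcp) the host actually needs. The following check is an added example, not part of the original post or of the kylemanna/openvpn image; the two embedded configs are constructed samples mirroring ovpn_genconfig / ovpn_getclient output, and vpn.example.com is a placeholder for the server's public address.

```python
import re
# Constructed samples mirroring ovpn_genconfig / ovpn_getclient output;
# vpn.example.com is a placeholder host, inline blocks hold PEM in real files.
SERVER_CONF = """\
proto udp
port 1194
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
"""
CLIENT_OVPN = """\
client
remote vpn.example.com 1194 udp
<ca>(constructed placeholder)</ca>
<cert>(constructed placeholder)</cert>
<key>(constructed placeholder)</key>
key-direction 1
<tls-auth>(constructed placeholder)</tls-auth>
"""

def parse_config(text):
    """Return ({directive: [values]}, {inline block names}); payloads are dropped."""
    inline = set(re.findall(r"<([\w-]+)>.*?</\1>", text, re.S))
    body = re.sub(r"<([\w-]+)>.*?</\1>", "", text, flags=re.S)
    directives = {}
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            directives.setdefault(name, []).append(value)
    return directives, inline

def check_profile(server_conf, client_ovpn):
    """Return the list of mismatches; an empty list means the profile is usable."""
    srv, _ = parse_config(server_conf)
    cli, inline = parse_config(client_ovpn)
    problems = [f"client profile lacks inline <{b}> block"
                for b in ("ca", "cert", "key", "tls-auth") if b not in inline]
    remote = cli.get("remote", [""])[0].split()          # host port proto
    want = [srv.get("port", ["1194"])[0], srv.get("proto", ["udp"])[0]]
    if len(remote) != 3 or remote[1:] != want:
        problems.append(f"remote {remote} does not match server port/proto {want}")
    if srv.get("key-direction") != ["0"] or cli.get("key-direction") != ["1"]:
        problems.append("tls-auth key-direction must be 0 on server, 1 on client")
    return problems

def firewall_rule(server_conf):
    """iptables rule the host needs, derived from the server's proto and port."""
    srv, _ = parse_config(server_conf)
    proto, port = srv.get("proto", ["udp"])[0], srv.get("port", ["1194"])[0]
    return f"iptables -A INPUT -p {proto} --dport {port} -j ACCEPT"
```

Run it against the real /opendata/openvpn/openvpn.conf and ly-client.ovpn by reading those files into the two strings; a non-empty result means the profile or the firewall rule would not match the server as configured.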
