Daily update: OpenVPN deployment
I. Deploying OpenVPN with Docker
1. Installation
Pull the image
docker pull kylemanna/openvpn
Generate the configuration file
docker run -v /opendata/openvpn:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://113.0*.4*.5*
After the command finishes, the generated configuration files appear in /opendata/openvpn. I used UDP here; you can also change it to tcp://113.0*.4*.5*, or change the port with tcp://ip[:port] (for example tcp://113.0*.4*.5*:2345). Note that the address must be the server's public (external) address.
[root@node1 ~]# docker run -v /opendata/openvpn:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u tcp://113.*
Processing PUSH Config: 'block-outside-dns'
Processing Route Config: '192.168.254.0/24'
Processing PUSH Config: 'dhcp-option DNS 8.8.8.8'
Processing PUSH Config: 'dhcp-option DNS 8.8.4.4'
Processing PUSH Config: 'comp-lzo no'
Successfully generated config
Cleaning up before Exit ...
Contents of the /opendata/openvpn directory; openvpn.conf is the server configuration file.
[root@node1 openvpn]# pwd
/opendata/openvpn
[root@node1 openvpn]# ls
ccd openvpn.conf ovpn_env.sh
[root@node1 openvpn]#
Generate the PKI (CA, server key and certificate, DH parameters, CRL)
docker run -v /opendata/openvpn:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki
During this step you are first asked to set a CA passphrase, which you enter twice. At the prompt "Common Name (eg: your user, host, or server name) [Easy-RSA CA]:" press Enter; if you set nothing and just press Enter, the default is used for the server. You then have to enter the CA passphrase again so the certificate database can be updated and the CRL file generated.
[root@node1 openvpn]# docker run -v /opendata/openvpn:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................+++++
..+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating a RSA private key
....................+++++
.........................................+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-74.egjAPe/tmp.nehbfI'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-74.egjAPe/tmp.FFldma
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'113.*'
Certificate is to be certified until Sep 17 03:00:39 2026 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Using configuration from /etc/openvpn/pki/easy-rsa-149.jfDMhe/tmp.BgceFn
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
An updated CRL has been created.
CRL file: /etc/openvpn/pki/crl.pem
您在 /var/spool/mail/root 中有新邮件
[root@node1 openvpn]#
Check the files: /opendata/openvpn now contains a pki directory with many files; the issued and private directories under it hold the client and server certificates and keys.
[root@node1 openvpn]# ls -l
总用量 8
drwxr-xr-x 2 root root 6 6月 14 10:55 ccd
-rw-r--r-- 1 root root 638 6月 14 10:55 openvpn.conf
-rw-r--r-- 1 root root 802 6月 14 10:55 ovpn_env.sh
drwx------ 8 root root 329 6月 14 11:00 pki
[root@node1 openvpn]# pwd
/opendata/openvpn
[root@node1 openvpn]# cd pki
[root@node1 pki]# ls
ca.crt crl.pem index.txt index.txt.attr.old issued private reqs safessl-easyrsa.cnf serial.old
certs_by_serial dh.pem index.txt.attr index.txt.old openssl-easyrsa.cnf renewed revoked serial ta.key
Generate the client certificate
docker run -v /opendata/openvpn:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full ly-client nopass
Here ly-client is a name I chose; replace it with a name of your own. Generating the certificate requires the CA passphrase.
We use nopass so that the client key needs no passphrase to log in. If you leave nopass out, you will be prompted to set a login passphrase for the key.
[root@node1 pki]# docker run -v /opendata/openvpn:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full ly-client nopass
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating a RSA private key
....................+++++
...............+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-1.oIgHgM/tmp.ENOcMP'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-1.oIgHgM/tmp.EfMhbb
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'ly-client'
Certificate is to be certified until Sep 17 03:11:55 2026 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Export the client configuration file (***.ovpn)
docker run -v /opendata/openvpn:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient ly-client > /opendata/openvpn/ly-client.ovpn
Note that the name ly-client must match the one used in the previous step. The resulting ly-client.ovpn can then be used by the client to connect.
Check the generated files
[root@node1 pki]# pwd
/opendata/openvpn/pki
[root@node1 pki]#
[root@node1 pki]# ls -l ./issued/ ./private/
./issued/:
总用量 16
-rw------- 1 root root 4629 6月 14 11:00 113.0.42.53.crt
-rw------- 1 root root 4499 6月 14 11:11 ly-client.crt
./private/:
总用量 12
-rw------- 1 root root 1704 6月 14 11:00 113.0.42.53.key
-rw------- 1 root root 1766 6月 14 10:59 ca.key
-rw------- 1 root root 1704 6月 14 11:11 ly-client.key
[root@node1 openvpn]# pwd
/opendata/openvpn
[root@node1 openvpn]# ls -l
总用量 16
drwxr-xr-x 2 root root 6 6月 14 10:55 ccd
-rw-r--r-- 1 root root 4941 6月 14 11:14 ly-client.ovpn
-rw-r--r-- 1 root root 638 6月 14 10:55 openvpn.conf
-rw-r--r-- 1 root root 802 6月 14 10:55 ovpn_env.sh
drwx------ 8 root root 329 6月 14 11:11 pki
Later we will copy ly-client.ovpn, ly-client.crt and ly-client.key to the client.
Check whether the firewall is disabled; if it is running, open port 1194 for UDP. At this point the OpenVPN server installation is complete.
Open port 1194 on the firewall (the protocol in the rule must match the one passed to ovpn_genconfig; the rule below is for TCP)
iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
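Before copying the exported profile to a client it is worth checking that it is complete and that the firewall rule matches the transport it names. The script below is an added example, not part of the original post or of kylemanna/openvpn; the sample profile it embeds is constructed in the shape ovpn_getclient writes, with PEM bodies elided.

```shell
#!/bin/sh
# Added example, not from the original post: check an exported client
# profile before copying it to a client, and derive the iptables rule that
# matches the transport it names. The sample profile below is constructed.
# Return 0 only if every inline section ovpn_getclient should emit is present
# and terminated; a profile missing one will not authenticate.
ovpn_required_sections() {
    for sec in ca cert key tls-auth; do
        grep -q "^<$sec>" "$1" && grep -q "^</$sec>" "$1" ||
            { echo "profile $1 lacks a complete <$sec> block" >&2; return 1; }
    done
    return 0
}

# Print the port and protocol from the profile's 'remote HOST PORT PROTO' line.
ovpn_remote_port()  { awk '$1 == "remote" { print $3; exit }' "$1"; }
ovpn_remote_proto() { awk '$1 == "remote" { print $4; exit }' "$1"; }

# Print the INPUT rule for the transport the clients will actually use, so a
# udp profile is not paired with a tcp-only firewall opening (or vice versa).
firewall_rule() {
    port=$(ovpn_remote_port "$1"); proto=$(ovpn_remote_proto "$1")
    [ -n "$port" ] && [ -n "$proto" ] || return 1
    echo "iptables -A INPUT -p $proto --dport $port -j ACCEPT"
}

# Constructed sample in the shape ovpn_getclient writes (PEM bodies elided).
SAMPLE_OVPN=$(mktemp)
cat > "$SAMPLE_OVPN" <<'EOF'
client
nobind
dev tun
remote-cert-tls server
remote 113.0.42.53 1194 udp
<key>
...PEM...
</key>
<cert>
...PEM...
</cert>
<ca>
...PEM...
</ca>
key-direction 1
<tls-auth>
...PEM...
</tls-auth>
EOF
ovpn_required_sections "$SAMPLE_OVPN" && firewall_rule "$SAMPLE_OVPN"
```

Run it against the real /opendata/openvpn/ly-client.ovpn instead of the sample to get the rule that matches the protocol you chose with ovpn_genconfig.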