docker搭建openvpn

发表于 2021-12-16 更新于 2022-09-16 分类于 openvpn 阅读次数：本文字数： 4.2k 阅读时长 ≈ 4 分钟

搭建

https://www.digitalocean.com/community/tutorials/how-to-run-openvpn-in-a-docker-container-on-ubuntu-14-04

配置OpenVPN
配置数据卷，生成配置文件。预计网段人数不多，使用192.168.0.0/24网段，但需要注意的是在配置固定IP时，掩码必须为/30，因此固定IP需要注意正确配置。#配置数据卷

创建挂载目录

初始化配置

mkdir -p /home/openvpn
# -d 取消默认配置 -c 打开client-to-client模式 -u 指定当前域名或IP
docker run \
--name openvpn --privileged=true --rm \
-v /home/openvpn:/etc/openvpn \
kylemanna/openvpn:latest \
ovpn_genconfig \
-d -c -C "AES-256-CBC" \
-u tcp://<公网IP or IP> -s 192.168.100.0/24

服务端证书生成

生成密钥文件

# 自定义证书过期时间
docker run -v /home/openvpn:/etc/openvpn --rm -e EASYRSA_CA_EXPIRE="82500" -e EASYRSA_CERT_EXPIRE="36500" -it kylemanna/openvpn:latest ovpn_initpki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki


Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020

Enter New CA Key Passphrase: daAFr1NsK2FVbVNH #输入密码
Re-Enter New CA Key Passphrase: daAFr1NsK2FVbVNH #输入密码
Generating RSA private key, 2048 bit long modulus (2 primes)
.......+++++
...........................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt


Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time

DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem


Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Generating a RSA private key
.+++++
.....................+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-74.aOAkiA/tmp.GLjDGo'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-74.aOAkiA/tmp.hIefNH
Enter pass phrase for /etc/openvpn/pki/private/ca.key: daAFr1NsK2FVbVNH #输入密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'atp-vpn-server.xiaoyuanhao.com'
Certificate is to be certified until Mar 20 03:03:22 2024 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Using configuration from /etc/openvpn/pki/easy-rsa-149.cMHHOo/tmp.jiMMmM
Enter pass phrase for /etc/openvpn/pki/private/ca.key: daAFr1NsK2FVbVNH #输入密码

An updated CRL has been created.
CRL file: /etc/openvpn/pki/crl.pem

客户端证书生成

docker run -v /home/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:latest easyrsa build-client-full <your-name> nopass
#nopass即为无密码验证登录
Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Generating a RSA private key
..........................................................................+++++
.....+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-1.bmJcJL/tmp.clGKDf'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-1.bmJcJL/tmp.HaKLcG
Enter pass phrase for /etc/openvpn/pki/private/ca.key: daAFr1NsK2FVbVNH #输入密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'quhui'
Certificate is to be certified until Mar 20 03:36:16 2024 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

导出客户端配置

1	docker run -v /home/openvpn:/etc/openvpn --rm kylemanna/openvpn:latest ovpn_getclient <your-name> > /home/openvpn/conf/<your-name>-DB.ovpn

启动OpenVPN服务

1
2

docker run --name openvpn -v /home/openvpn:/etc/openvpn -d -p 1194:1194/tcp --privileged=true --net=host --sysctl net.ipv6.conf.all.disable_ipv6=0 --sysctl net.ipv6.conf.default.forwarding=1 --sysctl net.ipv6.conf.all.forwarding=1 kylemanna/openvpn:latest