Linux: Quickly setting up an OpenVPN server on CentOS 6 with Docker

Categories: Docker, Linux, Virtualization, Quick Notes
Abstract

OpenVPN provides a way to create a virtual private network (VPN) encrypted with TLS (the successor to SSL). It protects network traffic from eavesdropping and man-in-the-middle (MITM) attacks. A private network can be used to connect devices securely; for example, a laptop or mobile phone on an untrusted WiFi network can be connected to a remote server and have its Internet traffic routed through it. It can also be used for secure connections between Internet-facing devices.
This tutorial shows how to set up and run an OpenVPN container with Docker on CentOS 6.

I. Installing Docker

1. On CentOS 6, besides building from source, Docker can be installed with yum, but the package comes from the EPEL repository:

[root@li760-160 ~]# yum clean all
[root@li760-160 ~]# yum makecache
[root@li760-160 ~]# yum install -y epel-release

2. Install Docker, plus the rz/sz tools (lszrz), which will be used later to transfer the .ovpn configuration file:

[root@li760-160 ~]# yum install -y docker-io lszrz

3. Start Docker and enable it at boot:

[root@li760-160 ~]# service docker start
Starting cgconfig service:                                 [确定]
Starting docker:                                           [确定]
[root@li760-160 ~]# chkconfig docker on
[root@li760-160 ~]# chkconfig --list docker 
docker          0:关闭  1:关闭  2:启用  3:启用  4:启用  5:启用  6:关闭

II. Installing OpenVPN

1. Set an environment variable with the name of the data container:

[root@li760-160 ~]# OVPN_DATA="ovpn-data"

2. Create an empty Docker volume container, using busybox as a minimal image:

[root@li760-160 ~]# docker run --name $OVPN_DATA -v /etc/openvpn busybox
Unable to find image 'busybox:latest' locally
latest: Pulling from busybox
d1592a710ac3: Pull complete 
17583c7dd0da: Pull complete 
busybox:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.

Digest: sha256:87fcdf79b696560b61905297f3be7759e01130a4befdfe2cc9ece9234bbbab6f
Status: Downloaded newer image for busybox:latest

3. Initialize the ovpn-data container, which will hold the configuration files and certificates. Replace li760-160.members.linode.com with your own FQDN.

The value li760-160.members.linode.com must be a fully qualified domain name that clients will use to reach the server; this assumes you have already configured DNS. An IP address can also be used, but it is not recommended.

[root@li760-160 ~]# docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u udp://li760-160.members.linode.com:1194
Unable to find image 'kylemanna/openvpn:latest' locally
latest: Pulling from kylemanna/openvpn
f4fddc471ec2: Pull complete 
436e44808d7e: Pull complete 
53dc01341c1a: Pull complete 
19ef56561d59: Pull complete 
4244388d7507: Pull complete 
2766f436f026: Pull complete 
6c2bf215f932: Pull complete 
58e4204b748a: Pull complete 
c6117666d7ea: Pull complete 
27500bc73b15: Pull complete 
a2142c0e2d01: Pull complete 
47bc69d9a3ac: Pull complete 
f083c7fd707b: Pull complete 
Digest: sha256:70757f7391115db3ac544c08253d595b09d9655941694b2a4fe4c64cbf492b7f
Status: Downloaded newer image for kylemanna/openvpn:latest
Successfully generated config

4. Generate the EasyRSA PKI certificate authority. You may be asked to enter a passphrase for the CA private key; the same passphrase is requested again at the end, when the server certificate is signed.

[root@li760-160 ~]# docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn ovpn_initpki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki

Generating a 2048 bit RSA private key
....................+++
.............................................................................................................+++
writing new private key to '/etc/openvpn/pki/private/ca.key.XXXXPKEfGd'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
....+..........................................................................+................................................................................+..........+...................................................................................................+.....+.........................+.....................+..............................................................................................................................................................................................................+............+............................................................................+.........................+.....................................................................................................................................................................+............................................................................................................................................................................................................................................................................................................++*++*

DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem

Generating a 2048 bit RSA private key
..........................................+++
........................................................................................................................+++
writing new private key to '/etc/openvpn/pki/private/li760-160.members.linode.com.key.XXXXLiKPjM'
-----
Using configuration from /usr/share/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'li760-160.members.linode.com'
Certificate is to be certified until Nov  3 06:55:16 2025 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated


5. Create an Upstart init file so that the OpenVPN server process is started automatically:

[root@li760-160 ~]# cat > /etc/init/docker-openvpn.conf << EOF
description "Docker container for OpenVPN server"
start on filesystem and started docker
stop on runlevel [!2345]
respawn
script
exec docker run --volumes-from ovpn-data --rm -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
end script
EOF

6. Start the process through Upstart:

[root@li760-160 ~]# start docker-openvpn
docker-openvpn start/running, process 27961

7. Confirm from the STATUS column that the container is up and did not crash immediately:

[root@li760-160 ~]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                    NAMES
ea5551261636        kylemanna/openvpn   "ovpn_run"          9 seconds ago       Up 8 seconds        0.0.0.0:1194->1194/udp   sad_colden          
[root@li760-160 ~]# 

8. Generate the client certificate and configuration file:

[root@li760-160 ~]# docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn easyrsa build-client-full li760-160.members.linode.com.ovpn nopass


9. Export the client configuration. The name passed to ovpn_getclient must be the one given to build-client-full in the previous step:

[root@li760-160 ~]# docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient li760-160.members.linode.com.ovpn > li760-160.members.linode.com.ovpn


10. Transfer the configuration file to your local computer with sz (ZMODEM over the terminal session):

[root@li760-160 ~]# sz li760-160.members.linode.com.ovpn
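As an added check, not part of the original post or of kylemanna/openvpn, the following POSIX shell script inspects the exported .ovpn before it is handed to a user: the three inline PEM sections, the remote line for the FQDN given to ovpn_genconfig, the remote-cert-tls server directive (the client-side defence against a MITM presenting a non-server certificate), and owner-only file permissions, since the file embeds a private key. The sample profile it writes is constructed with placeholder PEM bodies and assumes the layout ovpn_getclient produces.

```shell
#!/bin/sh
# Added example, not from the post or kylemanna/openvpn: sanity-check an
# exported .ovpn before handing it out. The sample profile is constructed.
# check_ovpn_profile FILE FQDN -> 0 if the profile looks sane, else 1
check_ovpn_profile() {
    profile="$1"; fqdn="$2"; rc=0
    # ovpn_getclient inlines CA, cert and key; each must open/close once
    for sec in ca cert key; do
        if [ "$(grep -c "^<$sec>" "$profile")" != 1 ] ||
           [ "$(grep -c "^</$sec>" "$profile")" != 1 ]; then
            echo "bad <$sec> section"; rc=1
        fi
    done
    # remote must carry the FQDN passed to ovpn_genconfig -u
    grep -qE "^remote[[:space:]]+$fqdn[[:space:]]+1194" "$profile" ||
        { echo "remote line does not match $fqdn"; rc=1; }
    # remote-cert-tls server: reject a server that presents a client cert
    grep -q '^remote-cert-tls server' "$profile" ||
        { echo "remote-cert-tls server missing"; rc=1; }
    # the file embeds a private key: owner-only permissions or fail
    case "$(ls -l "$profile" | cut -c2-10)" in
        rw-------|r--------) ;;
        *) echo "permissions too open on $profile"; rc=1 ;;
    esac
    return "$rc"
}
# make_sample_profile FILE: constructed profile in ovpn_getclient's layout
make_sample_profile() {
    cat > "$1" << 'EOF'
client
remote-cert-tls server
remote li760-160.members.linode.com 1194 udp
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-NOT-A-REAL-KEY
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
EOF
    chmod 600 "$1"
}
```

Run it as `check_ovpn_profile li760-160.members.linode.com.ovpn li760-160.members.linode.com` on the server before step 10; a non-zero exit means the profile should not be shipped.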

III. Testing availability

Confirm that UDP port 1194 is being listened on (the docker proxy process shows up as the owner):
[root@li760-160 ~]# ss -unlp |grep :1194
UNCONN     0      0                        :::1194                    :::*      users:(("docker",28025,5))
[root@li760-160 ~]# 


IV. One-click script

The script below (docker-openvpn.sh) strings all of the steps above together. It can be fetched and run in one line:

wget -4qO- onekey.sh/docker-openvpn|bash

Script contents:
#!/bin/bash
#########################################################################
# File Name: docker-openvpn.sh
# Author: LookBack
# Email: admin#dwhd.org
# Version:
# Created Time: Fri 2015-11-06 17:12:35
#########################################################################

# yum, service and docker all need root.
if [ "$(id -u)" != "0" ]; then echo "Please use the root account to run this script"; exit 1; fi

yum clean all
yum makecache
#yum repolist 2>&1|grep '^\*epel' >/dev/null 2>&1
#[ "$?" = "0" ] && yum install -y docker-io lszrz || { yum install -y epel-release; yum install -y docker-io lszrz; }

# Make sure the EPEL repository is enabled (docker-io lives there on CentOS 6).
if ! yum repolist 2>&1|grep -E '^(\*)?epel' >/dev/null 2>&1; then
        yum remove -y epel-release
        yum install -y epel-release
fi

# CentOS 6 gets docker-io from EPEL; anything else gets docker-engine
# from the Docker project's own repository.
if ! grep -q 'release 6\.' /etc/redhat-release; then
        yum update -y
        cat >/etc/yum.repos.d/docker.repo << EOF
[dockerrepo]
name=Docker Repository
baseurl=https://yum.dockerproject.org/repo/main/centos/7
enabled=1
gpgcheck=1
gpgkey=https://yum.dockerproject.org/gpg
EOF
        yum install -y docker-engine lszrz
else
        yum install -y docker-io lszrz
fi

service docker start
chkconfig docker on
#chkconfig --list docker

# Data container that holds the OpenVPN configuration and PKI.
OVPN_DATA="ovpn-data"
docker run --name $OVPN_DATA -v /etc/openvpn busybox

# Read from the terminal explicitly: when the script is piped into bash,
# stdin is the script itself, so a plain "read" would consume script lines.
read -p "Pls input your domain: " FQDNDomain </dev/tty
docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u udp://${FQDNDomain}:1194

# The interactive (-it) steps need a real TTY for the same reason.
docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn ovpn_initpki </dev/tty
cat > /etc/init/docker-openvpn.conf << EOF
description "Docker container for OpenVPN server"
start on filesystem and started docker
stop on runlevel [!2345]
respawn
script
exec docker run --volumes-from ovpn-data --rm -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
end script
EOF

start docker-openvpn

if docker ps|grep 1194 >/dev/null 2>&1; then
        echo "OpenVPN installed and running."
        docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn easyrsa build-client-full ${FQDNDomain}.ovpn nopass </dev/tty
        docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient ${FQDNDomain}.ovpn > ${FQDNDomain}.ovpn
        # Send the profile to the local machine with ZMODEM, then delete the server copy.
        sz ${FQDNDomain}.ovpn && /bin/rm -f ${FQDNDomain}.ovpn
else
        echo "OpenVPN container is not running; check 'docker ps -a' for the reason."
        exit 1
fi
