跳转至

2. docker安装

0. 防火墙开启udp/1194
# 搭建openvpn要实现的目的
# 本云服务器(139.198.106.219 ,直接全部替换此处即可!大概16处),不想被外网访问到,将对应的防火墙端口关闭,所以想通过openvpn的方式,只有登录openvpn后,才能通过<内网IP+端口>的方式访问到!

    # 1. 防火墙入规则开启udp 1194 
    # 2. 说明:docker运行的openvpn容器占用内存非常少,只有0.4G!!!

# 首先需要搭建openvpn,见下面的步骤!
1、使用openvpn生成配置文件
#1. 登录远程工具,切换到root用户
sudo -i

# 创建目录
mkdir -p /data/openvpn
chown -R ubuntu.ubuntu /data


docker run -v /data/openvpn:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_genconfig -u udp://139.198.106.219

# 执行完命令后可在目录`/data/openvpn`中看到相应的配置文件;
2、初始化密钥文件
ls /data/openvpn

docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 ovpn_initpki

# 执行过程中需要先设置ca密码(如cpu013090),
# Common Name可不设置直接按回车继续,
# 接着需要输入ca密码更新密钥库以及生成crl文件;
root@vpn:/data/openvpn# docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 ovpn_initpki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki


Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020

Enter New CA Key Passphrase:    #1.这里输入ca密码,如:cpu013090
Re-Enter New CA Key Passphrase: #2.再次输入:cpu013090
Generating RSA private key, 2048 bit long modulus (2 primes)
.....+++++
......................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:    #3.这里可以不设置,直接回车继续

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt


Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...........................................................................+..................+.................................+....................+....................................................+......................................................................+........................................................................................................................+.........................................................................................+....................+..........+......................................................................................................................+.....................................................+................................+.........+..........................................................................................................................................................................................................................+................................................................................................................................................................................................+....................+.............................................................................................++*++*++*++*

DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem


Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Generating a RSA private key
.....................................................................................................................+++++
...........................................+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-73.fGlaJI/tmp.ILKdAj'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-73.fGlaJI/tmp.ecpHKE
Enter pass phrase for /etc/openvpn/pki/private/ca.key:  #4.再次输入密码:cpu013090
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'139.198.106.219'
Certificate is to be certified until Mar 24 05:34:39 2024 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Using configuration from /etc/openvpn/pki/easy-rsa-148.dlPOpi/tmp.CLJlKk
Enter pass phrase for /etc/openvpn/pki/private/ca.key:  #5.再次输入密码:cpu013090

An updated CRL has been created.
CRL file: /etc/openvpn/pki/crl.pem


root@vpn:/data/openvpn#
root@vpn:/data/openvpn# ls
ccd  openvpn.conf  ovpn_env.sh  pki         #5. 发现多出来一个pki文件夹!
3、生成客户端证书
ls /data/openvpn

docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa build-client-full openvpn-client nopass

# 其中`openvpn-client`为自定义名称,
# 生成的过程需要输入ca密码;
root@vpn:/data/openvpn# docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa build-client-full openvpn-client nopass
Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Generating a RSA private key
........+++++
....+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-1.hJEIed/tmp.iaNPKJ'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-1.hJEIed/tmp.dlLelJ
Enter pass phrase for /etc/openvpn/pki/private/ca.key:  # 这里输入ca密码:cpu013090
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'openvpn-client'
Certificate is to be certified until Mar 24 05:35:34 2024 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

root@vpn:/data/openvpn#
4、导出客户端的配置文件openvpn-client-139.198.106.219.ovpn
ls /data/openvpn

docker run -v /data/openvpn:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_getclient openvpn-client > /data/openvpn/openvpn-client-139.198.106.219.ovpn

# 注意`openvpn-client`名称需与第三步生成时命名一致,
# 此时生成的配置文件`openvpn-client-139.198.106.219.ovpn`即可用于客户端连接;
5、启动openvpn容器
ls /data/openvpn

docker run  -v /data/openvpn:/etc/openvpn -d -p 1194:1194/udp --restart=always --name openvpn --cap-add=NET_ADMIN --sysctl net.ipv6.conf.all.disable_ipv6=0 --sysctl net.ipv6.conf.default.forwarding=1 --sysctl net.ipv6.conf.all.forwarding=1  kylemanna/openvpn:2.4 

# 需要注意防火墙规则,其中1194为udp端口,
# 可在其他机器上通过nc命令测试是否可连接

nc测试

# nc命令安装(ubuntu系统貌似默认就有nc命令!)
yum install nc -y

# nc测试
nc -vuz 139.198.106.219 1194
#1. 本机测试
root@vpn:/data/openvpn# nc -vuz 139.198.106.219 1194
Connection to 139.198.106.219 1194 port [udp/openvpn] succeeded!
root@vpn:/data/openvpn#

#2. 别的机器测试
ubuntu@k8s-master:~$ nc -vuz 139.198.106.219 1194
Connection to 139.198.106.219 1194 port [udp/openvpn] succeeded!
6、客户端:安装openvpn客户端openvpn-install-2.4.4-I601.exe
# 下载地址:https://openvpn.net/download-open-vpn/#
# 注意:可能需要翻墙才能下载!
# 点击windows版本即可!67M左右
# 安装好客户端后,导入openvpn客户端配置文件即可!

img.png

7. 安装及使用
# openvpn-connect-3.3.4.2600_signed.msi
# 1. 安装:双击安装,直接下一步即可!
# 2. 使用方法:如下图,导入第4步生成的客户端文件openvpn-client-139.198.106.219.ovpn

img_1.png

# 导入后得到如下图所示信息,能看到你连到的服务器IP,点击连接即可!

img_2.png

8. 测试
# 1. 查看内网IP:10.150.10.28
ifconfig eth0
root@qingyun:~# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.150.10.28  netmask 255.255.255.0  broadcast 10.150.10.255
        inet6 fe80::5054:96ff:fe09:348d  prefixlen 64  scopeid 0x20<link>
        ether 52:54:96:09:34:8d  txqueuelen 1000  (Ethernet)
        RX packets 160874  bytes 192838879 (192.8 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 88690  bytes 8219101 (8.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
# 2. windows上使用cmd命令ping测试:ping 10.150.10.28
ping 10.150.10.28
# 内网穿透成功!!!
C:\Users\chupeng>ping 10.150.10.28

正在 Ping 10.150.10.28 具有 32 字节的数据:
来自 10.150.10.28 的回复: 字节=32 时间=55ms TTL=63
来自 10.150.10.28 的回复: 字节=32 时间=75ms TTL=63
来自 10.150.10.28 的回复: 字节=32 时间=52ms TTL=63
来自 10.150.10.28 的回复: 字节=32 时间=74ms TTL=63

10.150.10.28 的 Ping 统计信息:
    数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
    最短 = 52ms,最长 = 75ms,平均 = 64ms

C:\Users\chupeng>

最后更新: 2022-02-18 07:50:18