

安裝 DockOVPN 的 OpenVPN Docker 方案

  • 因應維護管理設定 OpenVPN Server 的方便性, 預計將以下目錄或設定檔掛載出來
    • /opt/Dockovpn → ./Dockovpn
    • /opt/Dockovpn_data → ./Dockovpn_data
    • /etc/openvpn/server.conf → ./Dockovpn/config/server.conf
  • VPN Server : vpn.ichiayi.com
  • docker-compose.yml
    # Initial docker-compose.yml. The volumes stanza is deliberately commented out:
    # the page states the first `docker compose up` fails with it enabled, and the
    # host copies of /opt/Dockovpn and /opt/Dockovpn_data do not exist yet.
    version: '3'
    services:
        dockovpn:
            image: alekslitvinenk/openvpn:v1.13.0
            # Needed to create the tun device and routing rules inside the container.
            cap_add:
                - NET_ADMIN
            ports:
                # All three mappings listen on every host interface.
                # NOTE(review): 8080 is presumably the image's client-config download
                # endpoint — confirm against the image docs; if so, restrict it
                # (e.g. 127.0.0.1:80:8080/tcp) or remove it once configs are fetched.
                - 80:8080/tcp
                - 1194:1194/udp
                # Publishes the OpenVPN management interface (server.conf has
                # `management 0.0.0.0 5555` with no password file) host-wide; anyone
                # reaching host port 5555 can control the daemon. Drop this mapping
                # or bind management to 127.0.0.1 unless remote management is needed.
                - 5555:5555/tcp
            environment:
                # Public name clients connect to (vpn.ichiayi.com); presumably written
                # into the generated client configs — verify.
                - HOST_ADDR=vpn.ichiayi.com
            container_name: dockovpn
            #volumes:
            #    - ./Dockovpn:/opt/Dockovpn
            #    - ./Dockovpn_data:/opt/Dockovpn_data
            #    - ./Dockovpn/config/server.conf:/etc/openvpn/server.conf
            restart: always

    第一次執行時, volumes 部分必須要註解起來, 否則會出錯

  • 第一次啟動

    # First start. Run with the volumes stanza still commented out in
    # docker-compose.yml; the page notes it errors otherwise.
    docker compose up -d

  • 啟動後將 Dockovpn 與 Dockovpn_data 複製出來

    # Copy the container-generated config and data to the host so they can be
    # bind-mounted back in. Dockovpn_data holds the PKI (./Dockovpn_data/pki),
    # presumably including the CA private key: keep it out of version control
    # and restrict its file permissions.
    docker cp dockovpn:/opt/Dockovpn .
    docker cp dockovpn:/opt/Dockovpn_data .

  • 將 Dockovpn 內的 genclient.sh 與 functions.sh 用 GitHub 上的最新版本取代

    # Overwrites the scripts copied from the image with whatever is on the
    # unpinned master branch at download time.
    # NOTE(review): these scripts later run inside the container (docker exec)
    # with NET_ADMIN; pin a release tag or commit instead of master and diff
    # against the copies taken from the image before replacing them.
    wget https://github.com/dockovpn/dockovpn/raw/master/scripts/genclient.sh -O ./Dockovpn/genclient.sh
    wget https://github.com/dockovpn/dockovpn/raw/master/scripts/functions.sh -O ./Dockovpn/functions.sh

  • 依照實際需要修改 server.conf

    # Edit the host copy; this is the file mounted to /etc/openvpn/server.conf.
    vi ./Dockovpn/config/server.conf

    # OpenVPN server configuration; mounted into the container at
    # /etc/openvpn/server.conf through the compose volumes stanza.
    port 1194
    proto udp
    dev tun
    
    # Data-channel AEAD cipher and HMAC digest.
    cipher AES-256-GCM
    auth SHA512
    
    # Ping every 10s; consider the peer dead after 120s without a reply.
    keepalive 10 120
    
    # Keep key material and the tun device across SIGUSR1 restarts.
    persist-key
    persist-tun
    
    # Reject clients whose certificate is listed in this CRL.
    # NOTE(review): a client removed with rmclient.sh is only refused if crl.pem
    # is regenerated afterwards — confirm the script does that.
    crl-verify /etc/openvpn/crl.pem
    
    ca /etc/openvpn/ca.crt
    dh /etc/openvpn/dh.pem
    # HMAC protection of the control channel; 0 = server key direction.
    tls-auth /etc/openvpn/ta.key 0
    key /etc/openvpn/MyReq.key
    cert /etc/openvpn/MyReq.crt
    
    # Relative paths resolve against the daemon's working directory; the page
    # reads openvpn-status.log from ./Dockovpn, so that is presumably
    # /opt/Dockovpn — verify.
    ifconfig-pool-persist ipp.txt
    status openvpn-status.log
    verb 4
    # Management interface bound on every container interface with no password
    # file, and compose publishes 5555/tcp to the host: anyone reaching that port
    # can kill sessions or signal the daemon. Prefer `management 127.0.0.1 5555`
    # (and no port mapping), or add the pw-file argument.
    management 0.0.0.0 5555
    
    server 10.8.0.0 255.255.255.0
    # Full tunnel: all client traffic is routed through the VPN. Comment this
    # line out for a split tunnel; the pushed routes below still apply.
    push "redirect-gateway def1 bypass-dhcp"
    # NOTE(review): with redirect-gateway and no pushed DNS, clients keep using
    # their local resolver; enable (or adapt) these if name resolution or DNS
    # leakage over the tunnel matters.
    #push "dhcp-option DNS 1.1.1.1"
    #push "dhcp-option DNS 8.8.8.8"
    # Internal networks reachable through the tunnel.
    push "route 192.168.11.0 255.255.255.0"
    push "route 172.16.0.0 255.255.255.0"
    push "route 172.16.1.0 255.255.255.0"
    push "route 172.16.2.0 255.255.255.0"
    push "route 172.16.12.0 255.255.255.0"
    
    # Kept disabled: duplicate-cn would let one certificate connect several times.
    #duplicate-cn
    #ncp-ciphers AES-256-GCM:AES-256-CBC
    #tls-server
    # Hardening: uncomment to refuse clients negotiating TLS below 1.2.
    #tls-version-min 1.2
  • 將 volumes 掛上, 重啟 dockovpn

    # Enable the volumes stanza now that the host directories exist.
    vi ./docker-compose.yml

    # Final docker-compose.yml with the host directories bind-mounted.
    version: '3'
    services:
        dockovpn:
            image: alekslitvinenk/openvpn:v1.13.0
            # Needed to create the tun device and routing rules inside the container.
            cap_add:
                - NET_ADMIN
            ports:
                # All three mappings listen on every host interface.
                # NOTE(review): 8080 is presumably the image's client-config download
                # endpoint — confirm; if so, restrict it (e.g. 127.0.0.1:80:8080/tcp)
                # or remove it once client configs have been fetched.
                - 80:8080/tcp
                - 1194:1194/udp
                # Publishes the OpenVPN management interface (server.conf has
                # `management 0.0.0.0 5555` with no password file) host-wide; anyone
                # reaching host port 5555 can control the daemon. Drop this mapping
                # or bind management to 127.0.0.1 unless remote management is needed.
                - 5555:5555/tcp
            environment:
                # Public name clients connect to (vpn.ichiayi.com); presumably written
                # into the generated client configs — verify.
                - HOST_ADDR=vpn.ichiayi.com
            container_name: dockovpn
            volumes:
                # Scripts and server config (genclient.sh, rmclient.sh, config/).
                - ./Dockovpn:/opt/Dockovpn
                # PKI and generated client files; contains private key material —
                # keep out of version control and restrict permissions.
                - ./Dockovpn_data:/opt/Dockovpn_data
                # Same host file as ./Dockovpn/config/server.conf above, mounted a
                # second time at the path the daemon reads.
                - ./Dockovpn/config/server.conf:/etc/openvpn/server.conf
            restart: always
    # Recreate the container with the host directories mounted.
    docker compose up -d
如果不想要 client 將 openvpn server 當 default gateway

# Edit the mounted server config to stop pushing the VPN as default gateway.
vi Dockovpn/config/server.conf

將 redirect-gateway 註解掉

:
#push "redirect-gateway def1 bypass-dhcp"
:
  • Exp. 新增 test1

    # Issue a client certificate/config named test1 using the replaced
    # genclient.sh; 'n' is the script's mode argument — check the script for
    # its exact meaning.
    docker exec dockovpn ./genclient.sh n test1

  • 可以在 ./Dockovpn_data/clients 目錄看到建立 test1

    # The new client's files appear under clients/test1 on the host mount.
    ls -lt ./Dockovpn_data/clients

  • Exp. 刪除 test1

    # Revoke test1's certificate, then delete its exported files from the host
    # copy. NOTE(review): the server only rejects the revoked certificate via
    # crl-verify, so confirm rmclient.sh regenerates /etc/openvpn/crl.pem.
    docker exec dockovpn ./rmclient.sh test1
    rm -rf ./Dockovpn_data/clients/test1

  • 可以在 ./Dockovpn_data/pki/index.txt 看到被廢止憑證註記 R

    # Revoked certificates carry an R in the first column of the (easy-rsa
    # style) index.
    cat ./Dockovpn_data/pki/index.txt

  • cat ./Dockovpn/openvpn-status.log
