OpenVPN in Docker
Before I came across WireGuard, my way of getting back onto the campus network remotely was to set up OpenVPN on a machine with a public IP. Using Docker is far more convenient than configuring OpenVPN on bare metal.
OpenVPN Image
ARM
We use kylemanna/docker-openvpn. Docker Hub only provides an x86 image, so on an ARM platform you have to build it yourself (x86 users can skip this).
Clone the repo, then build directly:
$ git clone https://github.com/kylemanna/docker-openvpn
$ cd docker-openvpn
$ docker build -t kylemanna/openvpn -f Dockerfile.aarch64 .
If the build fails with an error mentioning aarch64/alpine:3.5, change the base image in the Dockerfile to a newer Alpine version.
Related Chinese tutorials
http://blog.gdb.wiki/2020/03/19/Docker-OpenVPN%E9%95%9C%E5%83%8F%E9%85%8D%E7%BD%AE/#kylemanna-openvpn%E8%BF%99%E4%B8%AA%E9%95%9C%E5%83%8F%E5%B0%86%E5%A4%A7%E9%83%A8%E5%88%86%E7%9A%84%E4%B8%80%E9%94%AE%E5%8C%96%E8%87%AA%E5%8A%A8%E8%84%9A%E6%9C%AC%E8%BF%9B%E8%A1%8C%E6%95%B4%E5%90%88%EF%BC%8C%E9%80%9A%E8%BF%87docker-run%E4%B8%80%E6%AD%A5%E4%B8%80%E6%AD%A5%E8%BF%9B%E8%A1%8C%E9%85%8D%E7%BD%AE
https://koding.work/10-minutes-build-open-vpn-server/
https://taichunmin.idv.tw/blog/2018-05-23-docker-openvpn.html
Quick Start
Mainly follow the README.
# shaojiemike @ node5 in ~ [23:53:42] C:125
$ export OVPN_DATA="ovpn-data-tsj"
# shaojiemike @ node5 in ~ [23:54:10]
$ docker volume create --name $OVPN_DATA
ovpn-data-example
# shaojiemike @ node5 in ~ [23:54:11]
$ docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://node5.xydustc.me
Unable to find image 'kylemanna/openvpn:latest' locally
latest: Pulling from kylemanna/openvpn
188c0c94c7c5: Pull complete
e470f824352c: Pull complete
d6ed0c7c142e: Pull complete
74586f3c5cd4: Pull complete
cb26244a2b2a: Pull complete
Digest: sha256:643531abb010a088f1e23a1c99d44f0bd417a3dbb483f809caf4396b5c9829a0
Status: Downloaded newer image for kylemanna/openvpn:latest
Processing PUSH Config: 'block-outside-dns'
Processing Route Config: '192.168.254.0/24'
Processing PUSH Config: 'dhcp-option DNS 8.8.8.8'
Processing PUSH Config: 'dhcp-option DNS 8.8.4.4'
Processing PUSH Config: 'comp-lzo no'
Successfully generated config
Cleaning up before Exit ...
# shaojiemike @ node5 in ~ [23:55:47]
$ docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
...................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:tsj-node5
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
......................+.......................+..........................................................+........................................................................................................+........................................+...................................................................................................................................+.....................................................................................................................+......................................................................................................................................................................................................................................+......++*++*++*++*
DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating a RSA private key
.......................................+++++
.........................................+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-73.EeNnaB/tmp.jhHaaF'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-73.EeNnaB/tmp.LGnDjB
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'node5.xydustc.me'
Certificate is to be certified until Jan 1 15:58:37 2025 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Using configuration from /etc/openvpn/pki/easy-rsa-148.CDCEmf/tmp.iJCIGL
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
An updated CRL has been created.
It looks like port 1194 is already in use by someone.
# shaojiemike @ node5 in ~ [0:02:06]
$ sudo lsof -i UDP:1194
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
openvpn 1834 nobody 6u IPv4 56802 0t0 UDP node5:openvpn
/usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf
sudo vim /etc/openvpn/server/server.conf
Change it to another port, e.g. 7194.
# shaojiemike @ node5 in ~ [0:02:10]
$ sudo service openvpn status
● openvpn.service - OpenVPN service
Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
Active: active (exited) since Tue 2022-04-19 18:42:24 CST; 5 months 11 days ago
Main PID: 1715 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 154181)
Memory: 0B
CGroup: /system.slice/openvpn.service
Apr 19 18:42:24 node5 systemd[1]: Starting OpenVPN service...
Apr 19 18:42:24 node5 systemd[1]: Finished OpenVPN service.
# shaojiemike @ node5 in ~ [0:15:49] C:125
$ sudo service openvpn stop
# shaojiemike @ node5 in ~ [0:16:30]
$ sudo kill -9 1834
Starting the service on 1195 failed, so back to 1194.
# shaojiemike @ node5 in ~ [0:16:46]
$ docker run -v $OVPN_DATA:/etc/openvpn -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
cb0f7e78f389f112c3c3b230d20d2b50818f6cf59eea2edfaa076c7e8fad7128
# shaojiemike @ node5 in ~ [0:06:01]
$ docker container list
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6c716b27b3f1 kylemanna/openvpn "ovpn_run" 49 seconds ago Up 48 seconds 1194/udp, 0.0.0.0:1195->1195/udp, :::1195->1195/udp charming_zhukovsky
# the one above is the wrong one
# shaojiemike @ node5 in ~ [0:16:50]
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cb0f7e78f389 kylemanna/openvpn "ovpn_run" About a minute ago Up About a minute 0.0.0.0:1194->1194/udp, :::1194->1194/udp pedantic_euler
# shaojiemike @ node5 in ~ [0:07:27] C:2
$ docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full tsj-node5-client nopass
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating a RSA private key
...............+++++
...............................+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-1.olaINa/tmp.MfohAO'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-1.olaINa/tmp.EMkEHF
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
139775495048520:error:28078065:UI routines:UI_set_result_ex:result too small:crypto/ui/ui_lib.c:905:You must type in 4 to 1023 characters
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'tsj-node5-client'
Certificate is to be certified until Jan 1 16:08:23 2025 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
# shaojiemike @ node5 in ~ [0:08:24]
$ docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient tsj-node5-client > tsj-node5-client.ovpn
# shaojiemike @ node5 in ~ [0:09:20]
$ ls tsj-node5-client.ovpn
tsj-node5-client.ovpn
Still not working, odd.
Solution
The reason ping failed was that the script defaults to port 8; switching it to port 0, the education-network port, fixed it.
D:\PowerShell> ping -r 9 -w 10000 222.195.72.114
Pinging 222.195.72.114 with 32 bytes of data:
Reply from 222.195.72.114: bytes=32 time=60ms TTL=60
Route: 172.17.0.3 -> (LAN)
202.38.73.217 -> (node5)
202.38.96.189 -> (Beijing education network)
210.45.112.254 -> (Hefei education network)
222.195.72.114 -> (snode2)
222.195.72.114 ->
202.38.96.188 -> (Beijing education network)
202.38.73.254 -> (Hefei education network)
172.17.0.1
OpenVPN 3 Linux client
apt install
First ensure that your apt supports the https transport:
Install the OpenVPN repository key used by the OpenVPN 3 Linux packages:
# curl -x http://$proxy_addr:$proxy_http_port -fsSL https://swupdate.openvpn.net/repos/openvpn-repo-pkg-key.pub | gpg --dearmor > /etc/apt/trusted.gpg.d/openvpn-repo-pkg-keyring.gpg
# curl -x http://$proxy_addr:$proxy_http_port -fsSL https://swupdate.openvpn.net/community/openvpn3/repos/openvpn3-$DISTRO.list >/etc/apt/sources.list.d/openvpn3.list
# apt update
| Distribution | Release | Release name ($DISTRO) | Architecture | DCO support |
|---|---|---|---|---|
| Ubuntu | 20.04 | focal | amd64, arm64 | yes |
| Ubuntu | 21.10 | impish | amd64, arm64 | yes |
| Ubuntu | 22.04 | jammy | amd64, arm64 | yes |
And finally the openvpn3 package can be installed:
# apt install openvpn3
If apt needs to go through a proxy, see the note on apt-get install proxy.
Using openvpn3
Make sure IPv6 connectivity stays available beforehand: if "route traffic through the current machine" is not configured, the SSH session will be cut off.
Once you’ve moved the file to your Linux system, you can import it.
openvpn3 config-import --config ${client.ovpn}
Configuration imported. Configuration path: /net/openvpn/v3/configuration/1f475d5cx8d2fx4ef5x8feex25f2871f2642
openvpn3 session-start --config ${client.ovpn}
Configuration imported. Configuration path: /net/openvpn/v3/configuration/1f475d5cx8d2fx4ef5x8feex25f2871f2642
openvpn3 sessions-list
-----------------------------------------------------------------------------
Path: /net/openvpn/v3/sessions/f83c75e4sd56cs4b27s85bcsc5c6e3ce074e
Created: Thu Oct 6 20:37:29 2022 PID: 1034954
Owner: shaojiemike Device: tun1
Config name: node5-client.ovpn
Session name: snode6.swangeese.fun
Status: Connection, Client connected
-----------------------------------------------------------------------------
$ openvpn3 session-manage
session-manage: ** ERROR ** One of --pause, --resume, --restart, --disconnect, --cleanup or --log-level must be present
$ openvpn3 session-manage --pause -c node5-client.ovpn
Initiated session pause: /net/openvpn/v3/sessions/f83c75e4sd56cs4b27s85bcsc5c6e3ce074e
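Added example, not from the original notes or from kylemanna/docker-openvpn: a POSIX shell check for the client profile that ovpn_getclient exports in the Quick Start above, run before it is handed out or imported with openvpn3 config-import. It assumes the profile is self-contained with inline <ca>/<cert>/<key>/<tls-auth> blocks as that script writes them, and flags redirect-gateway as the directive behind the SSH drop noted above; the sample profile and the hostname vpn.example.invalid are constructed.

```shell
# Added example, not part of the original notes or of kylemanna/docker-openvpn:
# sanity-check a client profile exported by `ovpn_getclient` before handing it
# out or importing it with `openvpn3 config-import`. The expected contents are
# assumed from that script's output format (inline certs/keys, remote-cert-tls).
# has_directive FILE DIRECTIVE: true if some line starts with DIRECTIVE
has_directive() { grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"; }
# has_inline_block FILE TAG: true if both <TAG> and </TAG> lines are present
has_inline_block() { grep -q "^<$2>" "$1" && grep -q "^</$2>" "$1"; }
# check_ovpn_profile FILE: prints findings; returns 0 only if every required
# directive and inline block is present
check_ovpn_profile() {
    f="$1"; rc=0
    for d in client "dev tun" "remote-cert-tls server" remote; do
        has_directive "$f" "$d" || { echo "MISSING directive: $d"; rc=1; }
    done
    for b in ca cert key tls-auth; do
        has_inline_block "$f" "$b" || { echo "MISSING inline block: <$b>"; rc=1; }
    done
    # the inline tls-auth key needs key-direction 1 on the client side
    has_directive "$f" "key-direction 1" || { echo "MISSING key-direction 1"; rc=1; }
    # Not an error, but this sends all traffic (an SSH session to the host
    # included) through the tunnel once a session starts on a remote box.
    has_directive "$f" redirect-gateway && echo "NOTE: redirect-gateway present"
    return $rc
}
# Constructed sample profile; PLACEHOLDER stands in for the real PEM bodies.
write_sample_profile() {
    cat > "$1" <<'EOF'
client
dev tun
remote-cert-tls server
remote vpn.example.invalid 1194 udp
<ca>
PLACEHOLDER
</ca>
<cert>
PLACEHOLDER
</cert>
<key>
PLACEHOLDER
</key>
key-direction 1
<tls-auth>
PLACEHOLDER
</tls-auth>
redirect-gateway def1
EOF
}
tmp=$(mktemp); write_sample_profile "$tmp"
check_ovpn_profile "$tmp" && echo "profile OK"; rm -f "$tmp"
```

Point check_ovpn_profile at the real tsj-node5-client.ovpn instead of the sample to audit the file you actually exported.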
Further study needed
netplan rules: from / to / table
ip route
learn the ip rule command
iptables
Problems encountered
None so far
Motivation, summary, reflections, rants~~
References
Based on kylemanna/docker-openvpn
https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-linux/