Quickly setting up an OpenVPN service with Docker on CentOS 6
I. Installing Docker
1. On CentOS 6, apart from building from source, Docker can be installed with yum using the EPEL repository (package docker-io). Both CentOS 6 and that EPEL package have since reached end of life; the steps below reflect the state of things when this was written (November 2015).
[root@li760-160 ~]# yum clean all
[root@li760-160 ~]# yum makecache
[root@li760-160 ~]# yum install -y epel-release
2. Install Docker, plus lrzsz (the rz/sz commands) so the .ovpn client config can be pulled down through the terminal later
[root@li760-160 ~]# yum install -y docker-io lrzsz
3. Start Docker and enable it at boot
[root@li760-160 ~]# service docker start
Starting cgconfig service: [  OK  ]
Starting docker: [  OK  ]
[root@li760-160 ~]# chkconfig docker on
[root@li760-160 ~]# chkconfig --list docker
docker 0:off 1:off 2:on 3:on 4:on 5:on 6:off
II. Installing OpenVPN
1. Set a shell variable holding the name of the data container
[root@li760-160 ~]# OVPN_DATA="ovpn-data"
2. Create an empty data-volume container (the volume at /etc/openvpn will hold the config and the PKI), using busybox as the minimal base image
[root@li760-160 ~]# docker run --name $OVPN_DATA -v /etc/openvpn busybox
Unable to find image 'busybox:latest' locally
latest: Pulling from busybox
d1592a710ac3: Pull complete
17583c7dd0da: Pull complete
busybox:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:87fcdf79b696560b61905297f3be7759e01130a4befdfe2cc9ece9234bbbab6f
Status: Downloaded newer image for busybox:latest
3. Initialize the $OVPN_DATA container, which will hold the configuration file and certificates, replacing li760-160.members.linode.com with your own FQDN.
The value must be a fully qualified domain name that clients will use to reach the server, so this assumes DNS is already set up for it. An IP address also works but is not recommended: the server certificate is issued for this name (step 4) and the name is written into every client profile.
[root@li760-160 ~]# docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u udp://li760-160.members.linode.com:1194
Unable to find image 'kylemanna/openvpn:latest' locally
latest: Pulling from kylemanna/openvpn
f4fddc471ec2: Pull complete
436e44808d7e: Pull complete
53dc01341c1a: Pull complete
19ef56561d59: Pull complete
4244388d7507: Pull complete
2766f436f026: Pull complete
6c2bf215f932: Pull complete
58e4204b748a: Pull complete
c6117666d7ea: Pull complete
27500bc73b15: Pull complete
a2142c0e2d01: Pull complete
47bc69d9a3ac: Pull complete
f083c7fd707b: Pull complete
Digest: sha256:70757f7391115db3ac544c08253d595b09d9655941694b2a4fe4c64cbf492b7f
Status: Downloaded newer image for kylemanna/openvpn:latest
Successfully generated config
4. Initialize the EasyRSA PKI and create the CA. You will be prompted for a passphrase for the CA private key (it is asked for again whenever a certificate is signed: the server certificate below and each client certificate in step 8) and for the CA's Common Name (the default, Easy-RSA CA, is fine). The server certificate for the FQDN from step 3 and the DH parameters are generated in the same run:
[root@li760-160 ~]# docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn ovpn_initpki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki
Generating a 2048 bit RSA private key
....................+++
.............................................................................................................+++
writing new private key to '/etc/openvpn/pki/private/ca.key.XXXXPKEfGd'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
....+..........................................................................+................................................................................+..........+...................................................................................................+.....+.........................+.....................+..............................................................................................................................................................................................................+............+............................................................................+.........................+.....................................................................................................................................................................+............................................................................................................................................................................................................................................................................................................++*++*
DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem
Generating a 2048 bit RSA private key
..........................................+++
........................................................................................................................+++
writing new private key to '/etc/openvpn/pki/private/li760-160.members.linode.com.key.XXXXLiKPjM'
-----
Using configuration from /usr/share/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'li760-160.members.linode.com'
Certificate is to be certified until Nov 3 06:55:16 2025 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
5. Create an Upstart job (CentOS 6 uses Upstart) so the OpenVPN container is started automatically once Docker is up
[root@li760-160 ~]# cat > /etc/init/docker-openvpn.conf << EOF
description "Docker container for OpenVPN server"
start on filesystem and started docker
stop on runlevel [!2345]
respawn
script
exec docker run --volumes-from ovpn-data --rm -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
end script
EOF
6. Start the job via Upstart
[root@li760-160 ~]# start docker-openvpn
docker-openvpn start/running, process 27961
7. Check the STATUS column to confirm the container is up and did not exit right away (if it did, docker ps -a and docker logs show why)
[root@li760-160 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ea5551261636 kylemanna/openvpn "ovpn_run" 9 seconds ago Up 8 seconds 0.0.0.0:1194->1194/udp sad_colden
[root@li760-160 ~]#
8. Generate a client certificate and key. nopass leaves the client's private key unencrypted, so the profile built from it in step 9 is a complete credential that anyone holding the file can use; you will be prompted for the CA passphrase from step 4
[root@li760-160 ~]# docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn easyrsa build-client-full li760-160.members.linode.com.ovpn nopass
9. Export the client configuration. The name passed to ovpn_getclient must be exactly the one given to build-client-full in step 8; the CA certificate, client certificate and private key (and the tls-auth key, if one was generated) are embedded inline in the resulting file
[root@li760-160 ~]# docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient li760-160.members.linode.com.ovpn > li760-160.members.linode.com.ovpn
10. Transfer the profile to your local machine (sz uses ZMODEM, so the terminal client must support it; scp works just as well). Keep the file readable only by you, since it carries the private key
[root@li760-160 ~]# sz li760-160.members.linode.com.ovpn
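Before handing a profile out it is worth checking that the exported file actually carries the protections this setup relies on. The script below is an added example, not code from the original post or from the kylemanna/openvpn image: it checks an exported .ovpn for remote-cert-tls server (so the client refuses a peer that only holds a client certificate from the same CA), for an embedded tls-auth or tls-crypt key, for complete <ca>, <cert> and <key> blocks, and that the remote line names the FQDN given to ovpn_genconfig in step 3. The sample profile it writes is constructed in the layout ovpn_getclient produces, with placeholder key material; the file name check_ovpn.sh is an assumption.

```bash
#!/bin/bash
# Added example (not code from the original post or from kylemanna/docker-openvpn):
# lint a client .ovpn exported by ovpn_getclient before handing it to a user.
# Directive names are standard OpenVPN; the profile written by write_sample is
# constructed to match the shape of an exported file (key material is placeholder).

# check_ovpn FILE EXPECTED_FQDN
# Prints one line per failed check; returns 0 if all pass, 1 otherwise.
check_ovpn() {
    local f="$1" fqdn="$2" rc=0

    # 1. The client must demand a server certificate from the peer; without
    #    this, any holder of a client certificate from the same CA could
    #    stand up a fake server that the client would trust.
    grep -qE '^remote-cert-tls[[:space:]]+server[[:space:]]*$' "$f" \
        || { echo "FAIL: missing 'remote-cert-tls server'"; rc=1; }

    # 2. A control-channel HMAC key (tls-auth or tls-crypt) must be embedded:
    #    unauthenticated packets are then dropped before TLS even starts.
    if grep -q '^<tls-auth>' "$f"; then
        # tls-auth is directional; ovpn_getclient emits 'key-direction 1'.
        grep -qE '^key-direction[[:space:]]+[01][[:space:]]*$' "$f" \
            || { echo "FAIL: <tls-auth> present but no key-direction"; rc=1; }
    elif ! grep -q '^<tls-crypt>' "$f"; then
        echo "FAIL: no <tls-auth> or <tls-crypt> block"; rc=1
    fi

    # 3. CA, client certificate and private key must all be embedded, each
    #    with a matching closing tag; a file that has them is a complete
    #    credential and must be stored and transferred as a secret.
    local blk
    for blk in ca cert key; do
        { grep -q "^<$blk>" "$f" && grep -q "^</$blk>" "$f"; } \
            || { echo "FAIL: missing or unterminated <$blk> block"; rc=1; }
    done

    # 4. The 'remote' host must be the FQDN passed to ovpn_genconfig, since
    #    that is the name the server certificate was issued for.
    awk -v h="$fqdn" '$1 == "remote" && $2 == h { found = 1 } END { exit !found }' "$f" \
        || { echo "FAIL: no 'remote $fqdn' line"; rc=1; }

    return "$rc"
}

# write_sample FILE: constructed profile in the layout ovpn_getclient produces.
write_sample() {
    cat > "$1" <<'EOF'
client
nobind
dev tun
remote-cert-tls server
remote li760-160.members.linode.com 1194 udp
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CONSTRUCTED-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CONSTRUCTED-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CONSTRUCTED-CA-CERT
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-CONSTRUCTED-TA-KEY
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}

# Usage: bash check_ovpn.sh FILE FQDN; with no arguments the constructed sample is checked.
if [ $# -eq 2 ]; then
    check_ovpn "$1" "$2" && echo "OK: $1 passes all checks"
else
    tmp=$(mktemp)
    write_sample "$tmp"
    check_ovpn "$tmp" li760-160.members.linode.com && echo "OK: constructed sample passes all checks"
    rm -f "$tmp"
fi
```

Run it on the server before step 10, e.g. bash check_ovpn.sh li760-160.members.linode.com.ovpn li760-160.members.linode.com. Because the profile embeds an unencrypted private key (nopass in step 8), keep it mode 600 on the destination and delete the server-side copy once it has been transferred, which is what the one-shot script in section IV does after sz.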
III. Testing availability
Confirm that the host is listening on UDP 1194; the socket belongs to the Docker daemon, which forwards the traffic into the container:
[root@li760-160 ~]# ss -unlp |grep :1194
UNCONN 0 0 :::1194 :::* users:(("docker",28025,5))
[root@li760-160 ~]#
IV. One-shot script
wget -4qO- onekey.sh/docker-openvpn|bash
This one-liner pipes an unauthenticated plain-http download straight into a root shell. Download the script first, read it, and run it from a file (bash docker-openvpn.sh); that also gives read and the interactive docker run -it steps a real terminal on stdin. The script:
#!/bin/bash
#########################################################################
# File Name: docker-openvpn.sh
# Author: LookBack
# Email: admin#dwhd.org
# Version:
# Created Time: 2015-11-06 (Friday) 17:12:35
#########################################################################
if [ $(id -u) != "0" ]; then { echo "Please use the root account to run this script"; exit 1;} ;fi
yum clean all
yum makecache
#yum repolist 2>&1|grep '^\*epel' >/dev/null 2>&1
#[ "$?" = "0" ] && yum install -y docker-io lrzsz || { yum install -y epel-release; yum install -y docker-io lrzsz; }
if ! yum repolist 2>&1|grep -E '^(\*)?epel' >/dev/null 2>&1; then
yum remove -y epel-release
yum install -y epel-release
fi
# CentOS 6 ("CentOS release 6.x (Final)" in /etc/redhat-release) gets docker-io
# from EPEL; anything else gets docker-engine from Docker's own repository.
if ! grep -q 'release 6\.' /etc/redhat-release; then
yum update -y
cat >/etc/yum.repos.d/docker.repo << EOF
[dockerrepo]
name=Docker Repository
baseurl=https://yum.dockerproject.org/repo/main/centos/7
enabled=1
gpgcheck=1
gpgkey=https://yum.dockerproject.org/gpg
EOF
yum install -y docker-engine lrzsz
else
yum install -y docker-io lrzsz
fi
service docker start
chkconfig docker on
#chkconfig --list docker
OVPN_DATA="ovpn-data"
docker run --name $OVPN_DATA -v /etc/openvpn busybox
# Interactive steps read from /dev/tty rather than stdin: when the script is
# piped into bash, stdin is the script text itself, so a plain 'read' would
# swallow the next script line and 'docker run -it' would refuse to start.
read -p "Pls input your domain: " FQDNDomain </dev/tty
docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u udp://${FQDNDomain}:1194
docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn ovpn_initpki </dev/tty
cat > /etc/init/docker-openvpn.conf << EOF
description "Docker container for OpenVPN server"
start on filesystem and started docker
stop on runlevel [!2345]
respawn
script
exec docker run --volumes-from ovpn-data --rm -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
end script
EOF
start docker-openvpn
sleep 5   # give the container a moment to come up before checking for it
if docker ps|grep 1194 >/dev/null 2>&1; then echo "OpenVPN installed and running."
docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn easyrsa build-client-full ${FQDNDomain}.ovpn nopass </dev/tty
docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient ${FQDNDomain}.ovpn > ${FQDNDomain}.ovpn
sz ${FQDNDomain}.ovpn && /bin/rm -rf ${FQDNDomain}.ovpn
else
echo "OpenVPN container is not running; see 'docker ps -a' for its exit status."
exit 1
fi