Deploying OpenVPN with Docker on 1panel

#Docker #OpenVPN #Compose #ImagePull #ConfigFile #Certificates #ClientCertificate #EmbeddedCertificate #ClientConfig #Install #PasswordRecords


Reference tutorial: docker-openvpn/docs/docker-compose.md at master · kylemanna/docker-openvpn (github.com)

1. Pulling the new image with the Compose feature


```yaml
version: '2'
services:
  openvpn:
    cap_add:
      - NET_ADMIN
    image: kylemanna/openvpn:latest # use the latest tag to get the newest version
    container_name: openvpn
    ports:
      - "1194:1194/udp"
    restart: always
    volumes:
      - ./openvpn-data/conf:/etc/openvpn
```

After the compose run finishes, check that the image has been pulled (screenshot).

The container was built automatically (screenshot).

2. Initializing the configuration file and certificates

1) In the directory containing the docker-compose file, run `docker-compose run --rm openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM`

  • Replace VPN.SERVERNAME.COM in udp://VPN.SERVERNAME.COM with the public IP address or domain name of your VPS

Output: (screenshot)

2) In the same directory, run the command that initializes the PKI (CA, server certificate, DH parameters and CRL):

```bash
docker-compose run --rm openvpn ovpn_initpki
```

Output: (screenshots)

When it finishes:

```text
Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020

Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
......+++++
...................................................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:commonname

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt


Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.............................................................................................................................................................................................................++......................................................................................................................+...............................................................+.....................................+........+...........................+............................................................+............................................................................................................................................................+..........................................................................................................................+.........................................................................+.............................................................................................................................................+..........................................................................................+...............................................................................+........................+........+.........................................................................................................................................................................................................................................................................................................+.....................................................+.........................................................................................................................+.................................+.................+.............................++............................................................+............................................................++*++*++*++*

DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem


Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating a RSA private key
.................................................................................................................................+++++
................................................+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-72.KCfPPP/tmp.hAdfHa'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-72.KCfPPP/tmp.eOOLeG
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'89.208.247.206'
Certificate is to be certified until Jan 17 11:41:24 2026 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Using configuration from /etc/openvpn/pki/easy-rsa-147.CkJkEd/tmp.lepPeH
Enter pass phrase for /etc/openvpn/pki/private/ca.key:

An updated CRL has been created.
CRL file: /etc/openvpn/pki/crl.pem
```

3. Generating the client certificate

```bash
export CLIENTNAME="your_client_name"  # sets an environment variable named CLIENTNAME to the value "your_client_name"
# with a passphrase (recommended): the following command protects the client key with a password
docker-compose run --rm openvpn easyrsa build-client-full "$CLIENTNAME"
# without a passphrase (not recommended): the following command leaves the client key unprotected
docker-compose run --rm openvpn easyrsa build-client-full "$CLIENTNAME" nopass
```

Note: the passphrase set here is the one you enter in the client when connecting 👇 (screenshot)

4. Retrieving the client configuration with embedded certificates

```bash
# Still in the same directory, use this command to generate the client configuration file
docker-compose run --rm openvpn ovpn_getclient "$CLIENTNAME" > "$CLIENTNAME.ovpn"
```

Result: (screenshot)

Download the file with the file manager:
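Before handing out the profile produced by steps 3 and 4, it is worth checking what was actually exported. The following Python script is an added example, not part of the original post or of kylemanna/docker-openvpn: it parses an .ovpn file, reports the remote endpoint and the embedded inline blocks, and flags a client key that was built with `nopass` (its PEM body carries no encryption marker). The sample profile and its placeholder PEM bodies are constructed for the demo.

```python
import re

INLINE_TAGS = ("ca", "cert", "key", "tls-auth")


def parse_profile(text):
    """Extract remote endpoint, proto and inline <tag>...</tag> blocks from .ovpn text."""
    info = {"remote": None, "proto": None, "inline": {}, "key_encrypted": None}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "remote":
            info["remote"] = (parts[1], int(parts[2]) if len(parts) > 2 else 1194)
            info["proto"] = parts[3] if len(parts) > 3 else info["proto"]
        elif len(parts) == 2 and parts[0] == "proto":
            info["proto"] = parts[1]
    for tag in INLINE_TAGS:
        m = re.search(rf"<{tag}>\n(.*?)\n</{tag}>", text, re.S)
        if m:
            info["inline"][tag] = m.group(1)
    key = info["inline"].get("key")
    if key is not None:
        # easyrsa with a passphrase emits "BEGIN ENCRYPTED PRIVATE KEY" (or a
        # "Proc-Type: 4,ENCRYPTED" header); `nopass` leaves a plain PRIVATE KEY.
        info["key_encrypted"] = "ENCRYPTED" in key
    return info


def audit_profile(text, expected_remote):
    """Return the problems a reviewer would want fixed before distributing the file."""
    info = parse_profile(text)
    problems = []
    if info["remote"] is None or info["remote"][0] != expected_remote:
        problems.append(f"remote is {info['remote']}, expected {expected_remote}")
    for tag in ("ca", "cert", "key"):
        if tag not in info["inline"]:
            problems.append(f"missing inline <{tag}> block")
    if info["key_encrypted"] is False:
        problems.append("client key is not passphrase-protected (built with nopass)")
    return problems


def _pem(kind):
    # Placeholder PEM body for the constructed sample; not real key material.
    return f"-----BEGIN {kind}-----\nPLACEHOLDER\n-----END {kind}-----"


# Constructed sample resembling an ovpn_getclient export built with `nopass`.
SAMPLE_NOPASS = "\n".join([
    "client", "dev tun", "remote 203.0.113.10 1194 udp",
    "<ca>", _pem("CERTIFICATE"), "</ca>",
    "<cert>", _pem("CERTIFICATE"), "</cert>",
    "<key>", _pem("PRIVATE KEY"), "</key>", "",
])
```

Run `audit_profile(open("client.ovpn").read(), "<your VPS IP or domain>")` against a real export; an empty list means the remote matches and the embedded key is passphrase-protected.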

5. Downloading and installing the OpenVPN client

Download link: https://openvpn.net/client/

After installation, drag the XXXX.ovpn file you just downloaded into the client, enter the password, and connect.

win11ppp_DC9.ovpn

6. Password and data records from the installation

```text
Checking IPv6 Forwarding
Sysctl error for disable_ipv6, please run docker with '--sysctl net.ipv6.conf.all.disable_ipv6=0'
Sysctl error for default forwarding, please run docker with '--sysctl net.ipv6.conf.default.forwarding=1'
Sysctl error for all forwarding, please run docker with '--sysctl net.ipv6.conf.all.forwarding=1'
Running 'openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd --crl-verify /etc/openvpn/crl.pem '
Sun Oct 15 11:42:43 2023 OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
Sun Oct 15 11:42:43 2023 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
Sun Oct 15 11:42:43 2023 Diffie-Hellman initialized with 2048 bit key
Sun Oct 15 11:42:43 2023 CRL: loaded 1 CRLs from file /etc/openvpn/crl.pem
Sun Oct 15 11:42:43 2023 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Oct 15 11:42:43 2023 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Oct 15 11:42:43 2023 ROUTE_GATEWAY 172.20.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:14:00:02
Sun Oct 15 11:42:43 2023 TUN/TAP device tun0 opened
Sun Oct 15 11:42:43 2023 TUN/TAP TX queue length set to 100
Sun Oct 15 11:42:43 2023 /sbin/ip link set dev tun0 up mtu 1500
Sun Oct 15 11:42:43 2023 /sbin/ip addr add dev tun0 local 192.168.255.1 peer 192.168.255.2
Sun Oct 15 11:42:43 2023 /sbin/ip route add 192.168.254.0/24 via 192.168.255.2
Sun Oct 15 11:42:43 2023 /sbin/ip route add 192.168.255.0/24 via 192.168.255.2
Sun Oct 15 11:42:43 2023 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Oct 15 11:42:43 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Oct 15 11:42:43 2023 UDPv4 link local (bound): [AF_INET][undef]:1194
Sun Oct 15 11:42:43 2023 UDPv4 link remote: [AF_UNSPEC]
Sun Oct 15 11:42:43 2023 GID set to nogroup
Sun Oct 15 11:42:43 2023 UID set to nobody
Sun Oct 15 11:42:43 2023 MULTI: multi_init called, r=256 v=256
Sun Oct 15 11:42:43 2023 IFCONFIG POOL: base=192.168.255.4 size=62, ipv6=0
Sun Oct 15 11:42:43 2023 Initialization Sequence Completed
```

```console
root@host:/opt/1panel/docker/compose/openvpn# export CLIENTNAME="win11ppp_DC9"
root@host:/opt/1panel/docker/compose/openvpn# docker-compose run --rm openvpn easyrsa build-client-full $CLIENTNAME
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating a RSA private key
.....+++++
..............................+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-1.HDPfFg/tmp.FOpKfD'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/openvpn/pki/easy-rsa-1.HDPfFg/tmp.fcglbn
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'win11ppp_DC9'
Certificate is to be certified until Jan 17 11:53:06 2026 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

root@host:/opt/1panel/docker/compose/openvpn#
```