Поднимаем openvpn со статическим ip в docker-compose

Поднимаем openvpn со статическим ip в docker-compose + dnsmasq

Setup and configure openvpn with docker

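# Deployment parameters for the OpenVPN container. The snippets below expand
# these when they write docker-compose.yml, ovpn_env.sh and openvpn.conf.
export OPENVPN_DOMAIN="openvpn.itc-life.ru"
export OPENVPN_PORT="1194"
export OPENVPN_PROTO="udp"
export OPENVPN_INTERFACE="tun50"
export OPENVPN_NETWORK="10.17.0.0/24"
# Must describe the same subnet as OPENVPN_NETWORK (it is not derived from it).
export OPENVPN_NETWORK_MASK="255.255.255.0"
export OPENVPN_PUBLIC_DNS_SERVER="8.8.8.8"
# Network address without the prefix length: 10.17.0.0/24 -> 10.17.0.0
# (parameter expansion instead of the former echo | cut pipeline).
export OPENVPN_NETWORK_FLAT="${OPENVPN_NETWORK%%/*}"
# First host of the VPN subnet (x.y.z.1). openvpn.conf pushes it to clients as
# their DNS server, so it presumably has to be the address the container's
# dnsmasq answers on — confirm against the image.
export OPENVPN_DNS_SERVER_IP="${OPENVPN_NETWORK_FLAT%.*}.1"
export OPENVPN_TUN_MTU="1500"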
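# Fetch the deployment files from the devops repository into the service dir.
# NOTE(review): the clone is not pinned to a tag or commit — whatever the
# default branch holds at run time is deployed, and openvpn_generate.sh from
# that checkout is made executable and run later; pin a revision and review
# the checkout before using it. Re-running requires an empty /tmp/devops.
# ${OPENVPN_DOMAIN:?} aborts instead of silently using an empty path component.
mkdir -p "/docker-compose/services/openvpn/${OPENVPN_DOMAIN:?OPENVPN_DOMAIN is not set}" /tmp/devops || exit 1
git clone https://gitlab.com/devops-f/devops.git /tmp/devops || exit 1
# -r copies the tree but not file modes, which is presumably why chmod follows.
rsync -r --exclude='build' /tmp/devops/files/containers/deploy/openvpn/ \
  "/docker-compose/services/openvpn/${OPENVPN_DOMAIN}/" || exit 1
# Every later snippet writes relative to this directory; a failed cd must not
# let them run in whatever directory the shell happened to be in.
cd "/docker-compose/services/openvpn/${OPENVPN_DOMAIN}/" || exit 1
chmod +x openvpn_generate.sh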

Edit file docker-compose.yml

# Directories the compose file bind-mounts into the container; created first
# so the mounts exist before the first `docker-compose run`.
mkdir -p configs/{openvpn,dnsmasq.d}
# The delimiter is unquoted on purpose: ${OPENVPN_*} is expanded by this shell,
# so the file on disk holds literal values, not compose placeholders.
# NOTE(review): `privileged: true` hands the container every capability and
# host device, which also makes the NET_ADMIN entry redundant; if the image only
# needs the tun device, `cap_add: [NET_ADMIN]` plus `devices: [/dev/net/tun]`
# is the narrower grant — confirm what the image actually requires.
cat > docker-compose.yml <<EOF
services:
  openvpn:
    image: registry.gitlab.com/devops-f/devops/openvpn:2.6.5-alpine-v2.0.0
    container_name: ${OPENVPN_DOMAIN}
    hostname: ${OPENVPN_DOMAIN}
    volumes:
     - "./configs/openvpn:/etc/openvpn"
     - "./configs/dnsmasq.d:/etc/dnsmasq.d"
    ports:
     - "${OPENVPN_PORT:-1194}:${OPENVPN_PORT:-1194}/${OPENVPN_PROTO:-udp}"
    restart: always
    cap_add:
     - NET_ADMIN
    privileged: true
    environment:
     OVPN_SERVER_URL: "${OPENVPN_PROTO:-udp}://${OPENVPN_DOMAIN}:${OPENVPN_PORT:-1194}"
     OVPN_PORT: "${OPENVPN_PORT:-1194}"
     EASYRSA_CERT_EXPIRE: "10000"
     SERVICE_DNSMASQ: "true"
EOF

Edit file configs/openvpn/ovpn_env.sh – config without routing all traffic through the VPN

# Environment file for the container's helper scripts — split-tunnel variant
# (per the heading above: OVPN_DEFROUTE=0, OVPN_NAT=0, routes limited to
# OVPN_ROUTES). ${OPENVPN_*} expands here; the ([0]="…") array syntax is
# written into the file literally.
# NOTE(review): OVPN_CN is set to the port number. Tooling derived from
# kylemanna/docker-openvpn uses OVPN_CN as the server certificate name, so the
# host name (${OPENVPN_DOMAIN}) looks like the intended value — confirm.
# NOTE(review): EASYRSA_CRL_DAYS=13650 keeps each generated CRL valid for
# roughly 37 years; decide whether that matches the revocation policy.
cat > configs/openvpn/ovpn_env.sh <<EOF
declare -x OVPN_AUTH=
declare -x OVPN_CIPHER=
declare -x OVPN_CLIENT_TO_CLIENT=1
declare -x OVPN_CN=${OPENVPN_PORT:-1194}
declare -x OVPN_COMP_LZO=0
declare -x OVPN_DEFROUTE=0
declare -x OVPN_DEVICE=${OPENVPN_INTERFACE:-tun50}
declare -x OVPN_DEVICEN=
declare -x OVPN_DISABLE_PUSH_BLOCK_DNS=0
declare -x OVPN_DNS=0
declare -x OVPN_DNS_SERVERS=([0]="${OPENVPN_PUBLIC_DNS_SERVER:-8.8.8.8}")
declare -x OVPN_ENV=/etc/openvpn/ovpn_env.sh
declare -x OVPN_EXTRA_CLIENT_CONFIG=()
declare -x OVPN_EXTRA_SERVER_CONFIG=()
declare -x OVPN_FRAGMENT=
declare -x OVPN_KEEPALIVE='10 120'
declare -x OVPN_MTU=
declare -x OVPN_NAT=0
declare -x OVPN_PORT=${OPENVPN_PORT:-1194}
declare -x OVPN_PROTO=${OPENVPN_PROTO:-udp}
declare -x OVPN_PUSH=()
declare -x OVPN_ROUTES=([0]="${OPENVPN_NETWORK:-10.17.0.0/24}")
declare -x OVPN_SERVER=${OPENVPN_NETWORK:-10.17.0.0/24}
declare -x OVPN_SERVER_URL=${OPENVPN_PROTO:-udp}://${OPENVPN_DOMAIN}:${OPENVPN_PORT:-1194}
declare -x OVPN_TLS_CIPHER=
declare -x EASYRSA_CRL_DAYS='13650'
EOF

Edit file configs/openvpn/ovpn_env.sh – config with "route all traffic" through the VPN

# Alternative environment file — full-tunnel variant (per the heading above:
# OVPN_DEFROUTE=1, OVPN_NAT=1, OVPN_MTU=1300). It targets the same path as the
# split-tunnel file, so only one of the two should be written.
# NOTE(review): OVPN_COMP_LZO=1 turns on compression of tunnelled traffic;
# compression on a VPN is considered insecure and OpenVPN 2.5+ deprecates it —
# keep it at 0 unless a legacy client needs it.
# NOTE(review): OVPN_CN holds the port number here as well; the host name is
# the likely intended value — confirm.
cat > configs/openvpn/ovpn_env.sh <<EOF
declare -x OVPN_AUTH=
declare -x OVPN_CIPHER=
declare -x OVPN_CLIENT_TO_CLIENT=1
declare -x OVPN_CN=${OPENVPN_PORT:-1194}
declare -x OVPN_COMP_LZO=1
declare -x OVPN_DEFROUTE=1
declare -x OVPN_DEVICE=${OPENVPN_INTERFACE:-tun50}
declare -x OVPN_DEVICEN=
declare -x OVPN_DISABLE_PUSH_BLOCK_DNS=0
declare -x OVPN_DNS=0
declare -x OVPN_DNS_SERVERS=([0]="${OPENVPN_PUBLIC_DNS_SERVER:-8.8.8.8}")
declare -x OVPN_ENV=/etc/openvpn/ovpn_env.sh
declare -x OVPN_EXTRA_CLIENT_CONFIG=()
declare -x OVPN_EXTRA_SERVER_CONFIG=()
declare -x OVPN_FRAGMENT=
declare -x OVPN_KEEPALIVE='10 120'
declare -x OVPN_MTU=1300
declare -x OVPN_NAT=1
declare -x OVPN_PORT=${OPENVPN_PORT:-1194}
declare -x OVPN_PROTO=${OPENVPN_PROTO:-udp}
declare -x OVPN_PUSH=()
declare -x OVPN_ROUTES=([0]="${OPENVPN_NETWORK:-10.17.0.0/24}")
declare -x OVPN_SERVER=${OPENVPN_NETWORK:-10.17.0.0/24}
declare -x OVPN_SERVER_URL=${OPENVPN_PROTO:-udp}://${OPENVPN_DOMAIN}:${OPENVPN_PORT:-1194}
declare -x OVPN_TLS_CIPHER=
declare -x EASYRSA_CRL_DAYS='13650'
EOF

First-time initialization of the openvpn service

# One-time initialisation of the server configuration and the PKI.
# NOTE(review): if the image follows kylemanna/docker-openvpn, ovpn_genconfig
# regenerates /etc/openvpn/ovpn_env.sh (= ./configs/openvpn/ovpn_env.sh) and
# may overwrite the file written above — check it afterwards.
# `ovpn_initpki nopass` creates the CA without a passphrase, so the CA private
# key under ./configs/openvpn/pki is protected only by file permissions.
docker-compose pull
docker-compose run --rm openvpn \
  ovpn_genconfig -u "${OPENVPN_PROTO:-udp}://${OPENVPN_DOMAIN}:${OPENVPN_PORT:-1194}"
docker-compose run --rm openvpn touch /etc/openvpn/vars
docker-compose run --rm openvpn ovpn_initpki nopass

Set values


Common Name (eg: your user, host, or server name) [Easy-RSA CA]: openvpn.itc-life.ru

Wait until the keys are generated

Start service

Configure openvpn – change the network and assign a fixed IP to each client by adding client-config-dir to the config


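# Server configuration, written over the one ovpn_genconfig produced.
# OPENVPN_NETWORK_FLAT / OPENVPN_NETWORK_MASK must describe the same subnet.
# Changes from the previous version:
#  - `cipher BF-CBC` replaced by `data-ciphers AES-256-GCM:AES-128-GCM`.
#    Blowfish is a 64-bit block cipher and OpenVPN 2.6 (the image tag used here)
#    treats it as legacy; clients generated with an empty OVPN_CIPHER carry no
#    cipher line and negotiate an AEAD cipher. Clients older than 2.4 would need
#    an explicit fallback — verify against the client fleet.
#  - the search domain is taken from OPENVPN_SEARCH_DOMAIN, defaulting to the
#    previously hard-coded value.
# NOTE(review): `client-config-dir ccd` is relative to openvpn's working
# directory; /etc/openvpn/ccd (the mounted config volume) is the unambiguous
# form if the image does not chdir there.
# NOTE(review): there is no `crl-verify` line, so certificates revoked with
# ovpn_revokeclient are not rejected until one is added (path per the image's
# revoke script).
# `route` repeats the subnet already installed by `server`; harmless.
mkdir -p configs/openvpn
cat > "configs/openvpn/openvpn.conf" <<EOF
dev ${OPENVPN_INTERFACE:-tun50}
verb 3
data-ciphers AES-256-GCM:AES-128-GCM
key /etc/openvpn/pki/private/${OPENVPN_DOMAIN}.key
cert /etc/openvpn/pki/issued/${OPENVPN_DOMAIN}.crt
ca /etc/openvpn/pki/ca.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 120
client-to-client
max-clients 500
client-config-dir ccd
proto ${OPENVPN_PROTO:-udp}
port ${OPENVPN_PORT:-1194}
tun-mtu ${OPENVPN_TUN_MTU:-1500}
mtu-disc yes
mssfix
user nobody
group nogroup
topology subnet
persist-tun
persist-key
mode server
tls-server
push "topology subnet"
server ${OPENVPN_NETWORK_FLAT} ${OPENVPN_NETWORK_MASK}
route ${OPENVPN_NETWORK_FLAT} ${OPENVPN_NETWORK_MASK}
status /tmp/openvpn-status.log
push "dhcp-option DOMAIN-SEARCH ${OPENVPN_SEARCH_DOMAIN:-test.itc-life.ru}"
push "dhcp-option DNS ${OPENVPN_DNS_SERVER_IP}"
EOF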

And start the service with docker-compose


# Start the openvpn service detached; it now runs with the openvpn.conf and
# ovpn_env.sh written above.
docker-compose up -d openvpn

Generate, delete and list users for openvpn (example)

Gen cert for client with script

# Issue a client certificate with a fixed VPN address. The arguments appear to
# be: client name, static IP inside OPENVPN_NETWORK, server domain, netmask —
# confirm against openvpn_generate.sh (it comes from the cloned repository and
# is not shown here).
./openvpn_generate.sh "staff_galushko.a.v" "10.17.0.10" "openvpn.itc-life.ru" "255.255.255.0"

List users


# List the clients known to the container's PKI (presumably the issued client
# certificates and their status).
docker-compose run --rm openvpn ovpn_listclients

Delete cert

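# Revoke a client certificate and remove it from the PKI. The name is quoted so
# it is always passed as a single argument.
# NOTE(review): revocation only takes effect if the running server checks a
# CRL; the openvpn.conf written above has no `crl-verify` line — confirm.
export CLIENTNAME="server-prod-01"
docker-compose run --rm openvpn ovpn_revokeclient "$CLIENTNAME" remove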

Client configuration – connecting to the openvpn server


# Client side (Debian/Ubuntu): install the OpenVPN package.
apt install -y openvpn

Put file config in /etc/openvpn

Edit file /etc/default/openvpn – uncomment the line


# /etc/default/openvpn: presumably makes the init script start every *.conf
# found in /etc/openvpn at boot, including the client config copied there.
AUTOSTART="all"

Reload the config and restart openvpn


# Pick up the changed /etc/default/openvpn and restart the client service.
systemctl daemon-reload
systemctl restart openvpn

Check ping


# 10.17.0.1 is the first host of OPENVPN_NETWORK, i.e. the server's tunnel
# address (and the DNS address pushed to clients); a reply means the tunnel
# is up.
ping 10.17.0.1

Create supervisor for openvpn

Install supervisor

# Install supervisor and create a program definition for the OpenVPN client
# (the file content follows).
apt-get install supervisor
sudo nano /etc/supervisor/conf.d/vpn.conf
; Supervisor program definition for the OpenVPN client.
; NOTE(review): [supervisord] and [include] normally live in the main
; /etc/supervisor/supervisord.conf; in a conf.d fragment the [include] entry
; points back at the directory that contains this very file — confirm that
; supervisord tolerates this, otherwise keep only [program:openvpn] here.
[supervisord]
nodaemon=true
; HOME is pointed at /usr/bin/ here; the intent is unclear — verify it is needed.
environment=HOME="/usr/bin/"
[program:openvpn]
; The client config (and any keys it embeds) lives under a user's home directory
; but is read by openvpn as started by supervisord; keep the file readable only
; by its owner.
command=/usr/sbin/openvpn --config  /home/user/user1@itc-life.ru.conf
autostart=true
autorestart=true
startretries=3
stderr_logfile=/var/log/openvpn.err
stdout_logfile=/var/log/openvpn.log
[include]
files = /etc/supervisor/conf.d/*.conf

Update supervisor config

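# Re-read supervisor's configuration and apply the new program definition
# (the first command was misspelled "suspervisorctl").
supervisorctl reread && supervisorctl update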
