Поднимаем openvpn со статическим ip в docker-compose

Поднимаем openvpn со статическим ip в docker-compose

Set up and configure OpenVPN with Docker

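# Fetch the container definitions and lay out the service directory.
# NOTE(review): the page's clone URL was `https://gitlab.com:devops_containers/dockers.git`;
# a colon after the host is not a valid https clone URL, so the path form is used below.
# The scp-style ssh form (git@gitlab.com:devops_containers/dockers.git) may have been what
# was intended — confirm against the repository.
set -euo pipefail
service_dir=/docker-compose/services/openvpn.openvpn.itc-life.ru
repo_url=https://gitlab.com/devops_containers/dockers.git
# Clone into a fresh temporary directory: a fixed /tmp/dockers fails on a second run and is
# a predictable path that other local users could pre-create.
src_dir=$(mktemp -d) || exit 1
trap 'rm -rf -- "$src_dir"' EXIT
mkdir -p -- "$service_dir"
git clone -- "$repo_url" "$src_dir"
# TODO(review): pin to a known tag/commit (e.g. `git -C "$src_dir" checkout <REVISION>`)
# so a later push to the repository cannot silently change what gets deployed.
rsync -r --exclude='build' -- "$src_dir/app/openvpn/" "$service_dir/"
cd -- "$service_dir" || exit 1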

Edit file docker-compose.yml

# docker-compose service definition for the OpenVPN container.
version: '2'
services:
  openvpn:
    # Pinned by tag only; a tag can be re-pushed. Pinning by digest
    # (image@sha256:<DIGEST-PLACEHOLDER>) makes the deployed build reproducible.
    image: "registry.gitlab.com/devops_containers/dockers/openvpn:2.5.0-alpine"
    volumes:
      # The PKI (CA and server keys, /etc/openvpn/pki) ends up under ./configs/openvpn on the
      # host; keep that directory root-only.
      - "./configs/openvpn:/etc/openvpn"
    container_name: openvpn
    # NOTE(review): hostname and OVPN_SERVER_URL here use vpnoffice.itc-life.ru, while
    # ovpn_env.sh and the ovpn_genconfig call use openvpn.itc-life.ru — confirm which is intended.
    hostname: vpnoffice.itc-life.ru
    ports:
     - "1194:1194/udp"
    restart: always
    # NET_ADMIN is what lets the container create the tun device and routes; nothing else is added.
    cap_add:
     - NET_ADMIN
    environment:
     OVPN_SERVER_URL: "udp://vpnoffice.itc-life.ru:1194"
     OVPN_PORT: "1194"

Edit file configs/openvpn/ovpn_env.sh

Make the following changes in the config file /ovpn_env.sh


# Environment consumed by the image's ovpn_* scripts (OVPN_ENV points at this file).
# Empty values presumably leave the corresponding option at the image's default.
export OVPN_AUTH=
export OVPN_CIPHER=
export OVPN_CLIENT_TO_CLIENT=1
export OVPN_CN=openvpn.itc-life.ru
export OVPN_COMP_LZO=0
export OVPN_DEFROUTE=0
export OVPN_DEVICE=tun46
export OVPN_DEVICEN=
export OVPN_DISABLE_PUSH_BLOCK_DNS=0
export OVPN_DNS=0
declare -ax OVPN_DNS_SERVERS=("8.8.8.8" "8.8.4.4")
export OVPN_ENV=/etc/openvpn/ovpn_env.sh
declare -ax OVPN_EXTRA_CLIENT_CONFIG=()
declare -ax OVPN_EXTRA_SERVER_CONFIG=()
# CRL validity in days (about 37 years); a revoked client is rejected only while the CRL is valid.
export EASYRSA_CRL_DAYS=13650
export OVPN_FRAGMENT=
export OVPN_KEEPALIVE='10 120'
export OVPN_MTU=
export OVPN_NAT=0
export OVPN_PORT=1194
export OVPN_PROTO=udp
declare -ax OVPN_PUSH=()
declare -ax OVPN_ROUTES=("10.17.0.0/24")
export OVPN_SERVER=10.17.0.0/24
export OVPN_SERVER_URL=udp://openvpn.itc-life.ru:1194
export OVPN_TLS_CIPHER=

Initialize the service


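# One-time initialisation of the server config and PKI inside the container.
set -euo pipefail
# Public endpoint clients connect to; may be passed as the first argument.
server_url=${1:-udp://openvpn.itc-life.ru:1194}
docker-compose pull
docker-compose run --rm openvpn ovpn_genconfig -u "$server_url"
docker-compose run --rm openvpn touch /etc/openvpn/vars
# easy-rsa's `nopass` leaves the CA private key unencrypted on disk (pki/ under the
# ./configs/openvpn volume); anyone who can read that directory can issue client
# certificates, so keep it root-only or drop `nopass` and protect the CA key with a passphrase.
docker-compose run --rm openvpn ovpn_initpki nopass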

Enter the following values when prompted


Common Name (eg: your user, host, or server name) [Easy-RSA CA]: openvpn.itc-life.ru

Wait until the keys have been generated

Start service

Configure OpenVPN – change the network and assign a custom IP to each client by adding client-config-dir to the config

# Open the generated server config for the manual edits listed below.
nano "configs/openvpn/openvpn.conf"

# Server config written by ovpn_genconfig; the lines below are the page's edited version.
# NOTE(review): `dev tun22` here vs OVPN_DEVICE=tun46 in ovpn_env.sh — confirm which one the
# image actually uses when it (re)writes this file.
dev tun22
verb 3
###tls-setting
# NOTE(review): tls-version-min accepts 1.0 through 1.3; 1.0 is the weakest value, so if
# this is enabled, 1.2 is the usual choice.
#tls-version-min 1.0
#tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
#cipher AES-256-CBC
# NOTE(review): BF-CBC (Blowfish) is a 64-bit block cipher (SWEET32-class risk) and is not in
# OpenVPN 2.5's default data-ciphers list — the compose file pins the 2.5.0 image. How 2.5
# treats a bare `cipher BF-CBC` (appended as fallback vs. refused) should be checked against
# the image; either way the commented AES-256-CBC line, or the negotiated AES-GCM ciphers,
# is the right choice, and client configs must match.
cipher BF-CBC # encrypt data packets with the given algorithm
# With this left commented the HMAC stays at OpenVPN's default (SHA1).
#auth SHA512
# PKI paths are inside the /etc/openvpn volume (./configs/openvpn on the host).
key /etc/openvpn/pki/private/openvpn.itc-life.ru.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/openvpn.itc-life.ru.crt
dh /etc/openvpn/pki/dh.pem
# Static HMAC key: packets without a valid tls-auth HMAC are dropped before the TLS
# handshake, which limits exposure of the handshake code to unauthenticated peers.
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 120
# Clients may reach each other through the server (OVPN_CLIENT_TO_CLIENT=1).
client-to-client
max-clients 500
# Per-client files (the static client IPs from the intro) are read from here. The path is
# relative; presumably resolved to /etc/openvpn/ccd by the image's entrypoint — confirm.
client-config-dir ccd
#ifconfig-pool-persist /etc/openvpn/ipp.list
proto udp
port 1194
tun-mtu 1500
mtu-disc yes
mssfix
# Drop root after initialisation; persist-tun/persist-key below let the daemon survive a
# restart (SIGUSR1) without needing the privileges it gave up.
user nobody
group nogroup
topology subnet
persist-tun
persist-key
mode server
tls-server
push "topology subnet"
# /22 pool (10.17.0.1-10.17.3.254): wider than the /24 still recorded in ovpn_env.sh.
server 10.17.0.0 255.255.252.0
# NOTE(review): `server` already installs the route for its own subnet, so this line is
# presumably redundant — confirm before removing.
route 10.17.0.0 255.255.252.0
# NOTE(review): the status file sits in /tmp, a predictable, world-writable location;
# /run or /var/log is the usual place. Less exposed inside the container, still worth moving.
status /tmp/openvpn-status.log

Edit file configs/openvpn/ovpn_env.sh

# The same environment file, shown again after the openvpn.conf edit.
# NOTE(review): OVPN_SERVER/OVPN_ROUTES still say 10.17.0.0/24 and OVPN_DEVICE is tun46,
# while openvpn.conf now uses 10.17.0.0 255.255.252.0 (/22) and tun22. If ovpn_genconfig is
# run again it presumably regenerates openvpn.conf from these values, so the manual edit
# would be lost — confirm and keep the two in step.
export OVPN_AUTH=
export OVPN_CIPHER=
export OVPN_CLIENT_TO_CLIENT=1
export OVPN_CN=openvpn.itc-life.ru
export OVPN_COMP_LZO=0
export OVPN_DEFROUTE=0
export OVPN_DEVICE=tun46
export OVPN_DEVICEN=
export OVPN_DISABLE_PUSH_BLOCK_DNS=0
export OVPN_DNS=0
declare -ax OVPN_DNS_SERVERS=("8.8.8.8" "8.8.4.4")
export OVPN_ENV=/etc/openvpn/ovpn_env.sh
declare -ax OVPN_EXTRA_CLIENT_CONFIG=()
declare -ax OVPN_EXTRA_SERVER_CONFIG=()
# CRL validity in days (about 37 years).
export EASYRSA_CRL_DAYS=13650
export OVPN_FRAGMENT=
export OVPN_KEEPALIVE='10 120'
export OVPN_MTU=
export OVPN_NAT=0
export OVPN_PORT=1194
export OVPN_PROTO=udp
declare -ax OVPN_PUSH=()
declare -ax OVPN_ROUTES=("10.17.0.0/24")
export OVPN_SERVER=10.17.0.0/24
export OVPN_SERVER_URL=udp://openvpn.itc-life.ru:1194
export OVPN_TLS_CIPHER=

I use the subnet calculator at http://www.subnet-calculator.com/subnet.php?net_class=A for this purpose.

Then start it up with Docker


# Start the openvpn service in the background (restart: always keeps it up after reboots).
docker-compose up -d openvpn

Generate, delete and list users for OpenVPN

Generate a client certificate with the script

# generate-cert.sh is not shown on this page. From the call site the positional arguments
# look like: client name, static VPN address for the client, a second name (the one later
# exported as CLIENTNAME for revocation), and the pool netmask (/22) — confirm against the script.
./generate-cert.sh "staff_galushko.a.v" "10.17.0.10" "server-prod-01" "255.255.252.0"

List users


# List the client certificates known to the PKI under ./configs/openvpn (one-off container).
docker-compose run --rm openvpn ovpn_listclients

Delete cert

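# Revoke a client certificate; `remove` presumably also deletes the client's files from
# the PKI (without it the cert would only be marked revoked) — confirm with the image's script.
# NOTE(review): "server-prod-01" was the third argument to generate-cert.sh, not the first;
# make sure this is the certificate's actual name.
# Revocation takes effect only once the server loads the regenerated CRL — confirm that
# ovpn_revokeclient rewrites pki/crl.pem in this image, otherwise restart the service.
export CLIENTNAME="server-prod-01"
# Quote the expansion so a name containing spaces or glob characters is passed as one argument.
docker-compose run --rm openvpn ovpn_revokeclient "$CLIENTNAME" remove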

Configure a client to connect to the OpenVPN server


# Client side (Debian/Ubuntu): install the OpenVPN client. The client version must support
# whatever cipher the server config ends up with (see the BF-CBC note on the server config).
apt install -y openvpn

Put the client config file in /etc/openvpn

Edit the file /etc/default/openvpn and uncomment the line:


# Start every *.conf found in /etc/openvpn at boot (the alternative is a space-separated list
# of config basenames). The client config placed in /etc/openvpn above presumably needs a
# .conf extension for this to pick it up — confirm.
AUTOSTART="all"

Reload the config and restart OpenVPN


# daemon-reload re-reads unit files (needed if /etc/default/openvpn changed which configs start);
# the restart then applies the new client config.
systemctl daemon-reload
systemctl restart openvpn

Check connectivity with ping


# 10.17.0.1 is the server's own tunnel address (the `server` directive takes the first
# usable host of the 10.17.0.0/22 pool), so a reply proves the tunnel is up end to end.
ping 10.17.0.1

Create a supervisor configuration for OpenVPN

Install supervisor

# Install supervisor and create the program definition. Both need root; the first command is
# run without sudo, so the shell is presumably already root — the sudo on the second is then
# redundant rather than wrong.
apt-get install supervisor
sudo nano /etc/supervisor/conf.d/vpn.conf
; Supervisor program definition for the OpenVPN client (written to /etc/supervisor/conf.d/vpn.conf).
; NOTE(review): [supervisord] and [include] normally live only in the main
; /etc/supervisor/supervisord.conf; repeating them in a conf.d file duplicates settings the
; main file already has, and this [include] glob matches this very file. Confirm the main
; config and consider keeping only the [program:openvpn] section here.
[supervisord]
nodaemon=true
; NOTE(review): HOME pointing at /usr/bin/ looks unintended — confirm what needs it.
environment=HOME="/usr/bin/"
[program:openvpn]
; NOTE(review): the client config (and any inline keys) is read from a user's home directory.
; Key material for a process that starts as root should be root-owned, mode 0600, e.g. under
; /etc/openvpn where the page put the config earlier, rather than /home/user.
command=/usr/sbin/openvpn --config  /home/user/user1@itc-life.ru.conf
autostart=true
autorestart=true
; Give up after three consecutive failed starts.
startretries=3
stderr_logfile=/var/log/openvpn.err
stdout_logfile=/var/log/openvpn.log
[include]
files = /etc/supervisor/conf.d/*.conf

Update supervisor config

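# Pick up the new conf.d file and apply it: `reread` only parses, `update` starts the program.
# (The page had a typo, `suspervisorctl`, in the first command.)
supervisorctl reread && supervisorctl update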
