Поднимаем openvpn со статическим ip в docker-compose

openvpn with docker-compose

Build the Docker service

Clone repo

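# Working tree for the service. Chaining with && stops at the first failure,
# so "git clone" and the final "cd" never run in an unexpected directory
# (a failed cd would otherwise leave you cloning into the current directory).
# Supply-chain note: the compose file and scripts in this repo will be run
# with Docker privileges on this host — review them and pin a commit or tag
# you have read rather than tracking the default branch.
mkdir -p /docker-compose/services \
  && cd /docker-compose/services \
  && git clone https://gitlab.com/itc-life/openvpn.git \
  && cd openvpn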

Edit file

configs/openvpn/ovpn_env.sh

Set the following variables in ovpn_env.sh:

OVPN_CN
OVPN_SERVER_URL
EASYRSA_CRL_DAYS
OVPN_DEVICE=tun22 (change the interface number if tun22 is already taken)

Init service

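# Pull the image, write the server config for the given endpoint, then build the PKI.
# && chaining: if genconfig fails there is no point initialising the PKI on top of it.
# "nopass" leaves the CA private key unencrypted on disk (under pki/private in the
# container volume): anyone who can read it can issue valid client certificates.
# Drop "nopass" to protect the CA key with a passphrase (you will be prompted for it
# when issuing or revoking clients), and keep an offline backup of the PKI directory.
docker-compose pull \
  && docker-compose run --rm openvpn ovpn_genconfig -u udp://openvpn.itc-life.ru \
  && docker-compose run --rm openvpn ovpn_initpki nopass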

Set values

Common Name (eg: your user, host, or server name) [Easy-RSA CA]: openvpn.itc-life.ru

Wait until the PKI (CA, server certificate and DH parameters) has been generated.

Start service

Configure OpenVPN: set the VPN network and enable per-client static addresses by adding client-config-dir to the config.

# Edit the server config; the directives listed below are the complete file.
nano configs/openvpn/openvpn.conf
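dev tun22
verb 3
###tls-setting
# Reject TLS 1.0/1.1 handshakes on the control channel (directive exists since OpenVPN 2.3.3).
tls-version-min 1.2
#tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
# Data-channel cipher. The previous value, BF-CBC, is a 64-bit block cipher (SWEET32)
# and is deprecated by OpenVPN; use an AEAD cipher instead.
# The client profile must use the same cipher: set OVPN_CIPHER=AES-256-GCM in
# ovpn_env.sh before running ovpn_getclient (2.4+ peers may also negotiate it via NCP).
cipher AES-256-GCM
# HMAC for the control channel and tls-auth (default is SHA1). The client profile must
# carry the same value (OVPN_AUTH=SHA256 in ovpn_env.sh), otherwise tls-auth drops
# every packet from that client.
auth SHA256
key /etc/openvpn/pki/private/openvpn.itc-life.ru.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/openvpn.itc-life.ru.crt
dh /etc/openvpn/pki/dh.pem
# Pre-shared HMAC key: UDP packets without a valid HMAC are discarded before any TLS work.
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
# NOTE(review): ovpn_revokeclient only locks a client out if the server checks the CRL.
# Confirm that crl-verify is in effect, either here or added by the container's start
# script (e.g. crl-verify /etc/openvpn/crl.pem) — without it revoked certs keep working.
keepalive 10 120
# Lets VPN clients talk to each other directly; remove if clients should be isolated.
client-to-client
max-clients 500
# Per-client overrides (ifconfig-push for static addresses). The file name inside ccd
# must equal the client certificate's CN.
client-config-dir ccd
#ifconfig-pool-persist /etc/openvpn/ipp.list
proto udp
port 1194
tun-mtu 1500
mtu-disc yes
mssfix
# Drop root after startup; persist-key/persist-tun keep keys and the tun device usable
# across SIGUSR1 restarts once privileges are gone.
user nobody
group nogroup
topology subnet
persist-tun
persist-key
mode server
tls-server
push "topology subnet"
# VPN subnet 10.17.0.0/22: the server takes .1 and the dynamic pool covers the rest of the
# subnet by default, so static addresses in ccd should be kept out of the pool's range
# (or the pool narrowed with ifconfig-pool).
server 10.17.0.0 255.255.252.0
# Appears redundant with the route "server" already installs for the same subnet; harmless.
route 10.17.0.0 255.255.252.0
status /tmp/openvpn-status.log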

Edit file

configs/openvpn/ovpn_env.sh
# Environment for the container's ovpn_* helper scripts (the container reads it from the
# OVPN_ENV path below). Presumably written by ovpn_genconfig — re-running that command
# overwrites manual edits here.
# Empty values mean "OpenVPN defaults". OVPN_AUTH, OVPN_CIPHER and OVPN_TLS_CIPHER are
# copied into generated client profiles by ovpn_getclient (verify against the image's
# script), so they must mirror whatever openvpn.conf sets on the server — a mismatching
# "auth" makes tls-auth drop every packet from the client.
declare -x OVPN_AUTH=
declare -x OVPN_CIPHER=
# Empty here although openvpn.conf enables client-to-client; keep the two in sync.
declare -x OVPN_CLIENT_TO_CLIENT=
declare -x OVPN_CN=openvpn.itc-life.ru
# 0 presumably means split tunnel: clients do not send all traffic through the VPN.
declare -x OVPN_DEFROUTE=0
declare -x OVPN_DEVICE=tun22
declare -x OVPN_DEVICEN=
declare -x OVPN_DISABLE_PUSH_BLOCK_DNS=0
# DNS push disabled (0), so the OVPN_DNS_SERVERS list below is presumably not used.
declare -x OVPN_DNS=0
declare -x OVPN_DNS_SERVERS=([0]="8.8.8.8" [1]="8.8.4.4")
declare -x OVPN_ENV=/etc/openvpn/ovpn_env.sh
declare -x OVPN_EXTRA_CLIENT_CONFIG=()
declare -x OVPN_EXTRA_SERVER_CONFIG=()
declare -x OVPN_FRAGMENT=
# ~37 years: the CRL never expires by itself (an expired CRL makes the server reject all
# clients). Revocation still depends on the CRL being regenerated after each
# ovpn_revokeclient and actually checked by the server (crl-verify).
declare -x EASYRSA_CRL_DAYS='13650'
declare -x OVPN_KEEPALIVE='10 120'
declare -x OVPN_MTU=
# No NAT on the server side: clients only reach the OVPN_ROUTES below unless the host
# routes for them.
declare -x OVPN_NAT=0
declare -x OVPN_PORT=1194
declare -x OVPN_PROTO=udp
declare -x OVPN_PUSH=()
declare -x OVPN_ROUTES=([0]="10.17.0.0/22")
declare -x OVPN_SERVER=10.17.0.0/22
declare -x OVPN_SERVER_URL=udp://openvpn.itc-life.ru
declare -x OVPN_TLS_CIPHER=

I use a subnet calculator for this purpose: http://www.subnet-calculator.com/subnet.php?net_class=A.

And start up docker

# Start the server in the background (service name as defined in the repo's compose file).
docker-compose up -d openvpn

Generate, delete and list OpenVPN users

Gen cert for client

Add a static IP address for the client

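# Issue a client certificate and build its .ovpn profile.
# The profile embeds the client's private key and "nopass" leaves that key unencrypted,
# so keep keys/ private (or drop "nopass" to get a passphrase-protected key).
mkdir -p keys && chmod 700 keys
export CLIENTNAME="your_client_name"
# Pass the name as a plain argument instead of interpolating it into "sh -c ...":
# no shell re-parsing of the value, and no hard-coded copy that can drift from $CLIENTNAME.
docker exec -i -u 0 openvpn easyrsa build-client-full "$CLIENTNAME" nopass
# umask in a subshell: the profile is created 0600 without changing the caller's umask.
( umask 077 && docker-compose run --rm openvpn ovpn_getclient "$CLIENTNAME" > "keys/$CLIENTNAME.conf" )
# Static address. The ccd file name must equal the certificate CN, and the address must
# lie in the "server" subnet (10.17.0.0/22). By default the server's dynamic pool covers
# the rest of that subnet, so a static .2 can collide with the first dynamic client:
# pick an address the pool will not reach, or narrow the pool with ifconfig-pool in
# openvpn.conf.
CLIENT_IP="10.17.0.2"
mkdir -p configs/openvpn/ccd
printf 'ifconfig-push %s 255.255.252.0\n' "$CLIENT_IP" > "configs/openvpn/ccd/$CLIENTNAME"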

Delete cert

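# Revoke the client certificate and regenerate the CRL. The name is quoted so it is passed
# as one argument, and ${VAR:?} aborts the command (not the shell) if CLIENTNAME is unset.
# Revocation only takes effect if the server verifies the CRL (crl-verify) — check that.
docker-compose run --rm openvpn ovpn_revokeclient "${CLIENTNAME:?set CLIENTNAME first}" remove
# Drop the ccd entry too, so the static address is not silently inherited by a future
# certificate issued under the same name.
rm -f -- "configs/openvpn/ccd/${CLIENTNAME:?set CLIENTNAME first}"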

List users

# List issued client certificates; run the helper directly, no intermediate shell needed.
docker exec -i -u 0 openvpn ovpn_listclients

Client configuration: connecting to the OpenVPN server

# Install the OpenVPN client package non-interactively.
apt install --yes openvpn

Put file config in /etc/openvpn

Edit /etc/default/openvpn and uncomment the line:

# Start every profile found in /etc/openvpn at boot. If other configs live there, list
# the wanted profile names instead (e.g. AUTOSTART="user1").
AUTOSTART="all"

Reload the service configuration and restart OpenVPN

# Re-read unit/generator state so the new AUTOSTART value is seen, then restart the service.
systemctl daemon-reload
systemctl restart openvpn

Check connectivity with ping

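# Ping the server's tunnel address; -c 3 makes the check terminate instead of running forever.
ping -c 3 10.17.0.1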

Run the OpenVPN client under supervisor

Install supervisor

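# Install supervisor; -y keeps it non-interactive, consistent with the apt call used
# for the client package above.
apt-get install -y supervisor
# Drop-in config: only a [program:...] section belongs here. It contains no secrets,
# so the default 0644 mode is fine.
sudo nano /etc/supervisor/conf.d/vpn.conf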
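; Drop-in for /etc/supervisor/conf.d/ — only the program section belongs here.
; The [supervisord] and [include] sections that were in this file already live in
; /etc/supervisor/supervisord.conf; repeating [include] with files=conf.d/*.conf
; in a drop-in points the include at the directory the drop-in itself is in.
[program:openvpn]
; The profile embeds the client's private key: keep it root-owned, mode 0600, and
; out of a user's home directory.
; NOTE(review): if AUTOSTART="all" in /etc/default/openvpn already starts a copy of
; this profile from /etc/openvpn, use one mechanism only — otherwise two OpenVPN
; instances run with the same certificate.
command=/usr/sbin/openvpn --config /home/user/user1@itc-life.ru.conf
autostart=true
autorestart=true
startretries=3
stderr_logfile=/var/log/openvpn.err
stdout_logfile=/var/log/openvpn.log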

Update supervisor config

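# Pick up the new drop-in and start it. ("suspervisorctl" in the original was a typo —
# the command would have failed with "command not found" and "update" never ran.)
supervisorctl reread && supervisorctl update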
