References:
Opening a specified port with iptables on Linux
Configuring rules and access policies for specific OpenVPN clients
Docker Hub image address
Installing the OpenVPN server and client on Linux with Docker
Generating the cert.pem and key.pem files
OVPN_DATA="ovpn-data-example"
# create the container volume
docker volume create --name $OVPN_DATA
# generate the configuration; replace the server address VPN.SERVERNAME.COM with your own public IP or domain name
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
# initialise the PKI and generate the keys
docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki
During initialisation you are asked for the domain name and the CA certificate passphrase; for example, enter vpn123pwd here:
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki
Using SSL: openssl OpenSSL 1.1.1d  10 Sep 2019
Enter New CA Key Passphrase:        # enter the passphrase here
Re-Enter New CA Key Passphrase:     # confirm the passphrase here
Generating RSA private key, 2048 bit long modulus (2 primes)
.................+++++
.......................................+++++
e is 65537 (0x010001)
Can not load /etc/openvpn/pki/.rnd into RNG
140360007494984:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:98:Filename=/etc/openvpn/pki/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
###### enter the public IP or domain name here ####
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:VPN.SERVERNAME.COM

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt

Using SSL: openssl OpenSSL 1.1.1d  10 Sep 2019
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.................+.........................................................................++*++*++*++*
DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem

Using SSL: openssl OpenSSL 1.1.1d  10 Sep 2019
Generating a RSA private key
...............+++++
...............................................................................+++++
writing new private key to '/etc/openvpn/pki/private/openvpn.gongstring.com.key.XXXXcMLjEc'
-----
Using configuration from /etc/openvpn/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'openvpn.gongstring.com'
Certificate is to be certified until Aug  5 07:14:33 2023 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Using SSL: openssl OpenSSL 1.1.1d  10 Sep 2019
Using configuration from /etc/openvpn/pki/safessl-easyrsa.cnf
## enter the passphrase here
Enter pass phrase for /etc/openvpn/pki/private/ca.key:

An updated CRL has been created.
CRL file: /etc/openvpn/pki/crl.pem
docker run -v $OVPN_DATA:/etc/openvpn -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
# CLIENTNAME is the client name; replace it with your own user name
docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
Open the firewall to allow access to 1194/udp.
Link: https://pan.baidu.com/s/1oUKLTWeektDbfhivQ94xGw
Extraction code: 715u
After installing the client, import the CLIENTNAME.ovpn configuration and you can connect.
# default location on the host (Docker root directory not changed)
cd /var/lib/docker/volumes/ovpn-data-jnby/_data/
ls -l ./
总用量 24
drwxr-xr-x 2 root root   19 7月   1 11:55 ccd            # the files in this directory assign fixed addresses to users dialling in to the VPN
-rw-r--r-- 1 root root  658 7月   1 10:02 crl.pem
-rwxr-xr-x 1 root root  960 4月  21  2020 down.sh        # stop script
-rw-r--r-- 1 root root 1141 7月   1 12:19 iptables
-rw-r--r-- 1 root root  644 7月   1 10:00 openvpn.conf   # server configuration file
-rw-r--r-- 1 root root  808 7月   1 10:00 ovpn_env.sh    # environment variable script
drwx------ 8 root root  329 7月   1 10:52 pki            # public key and certificate directory
-rwxr-xr-x 1 root root 2612 4月  21  2020 up.sh          # start script
# view the server configuration
cat openvpn.conf
# client DHCP address pool
server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/VPN.SERVERNAME.COM.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/VPN.SERVERNAME.COM.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun
proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log
user nobody
group nogroup
comp-lzo no

### Route Configurations Below
route 192.168.254.0 255.255.255.0

### Push Configurations Below
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"
# CLIENTNAME is the user name set in step 1.4
vim CLIENTNAME
# add the following line; the fixed IP pair for CLIENTNAME is 192.168.254.5 and 192.168.254.6
ifconfig-push 192.168.254.5 192.168.254.6
Special note: each pair of IP addresses in ifconfig-push represents the virtual IP endpoints of the client and the server. They must be taken from successive /30 subnets (here /30 means xxx.xxx.xxx.xxx/30, i.e. a 30-bit subnet mask) to stay compatible with Windows clients and the TAP-Windows driver. Concretely, the last octet of each endpoint pair must be taken from the following set:
[  1,  2] [  5,  6] [  9, 10] [ 13, 14] [ 17, 18] [ 21, 22] [ 25, 26] [ 29, 30]
[ 33, 34] [ 37, 38] [ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58] [ 61, 62]
[ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78] [ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94]
[ 97, 98] [101,102] [105,106] [109,110] [113,114] [117,118] [121,122] [125,126]
[129,130] [133,134] [137,138] [141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178] [181,182] [185,186] [189,190]
[193,194] [197,198] [201,202] [205,206] [209,210] [213,214] [217,218] [221,222]
[225,226] [229,230] [233,234] [237,238] [241,242] [245,246] [249,250] [253,254]
# check the connection status on Windows
Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.254.5/255.255.255.252 on interface
{xxxxxx} [DHCP-serv: 192.168.254.6, lease-time: 31536000]
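The /30 rule above is easy to get wrong by hand (a pair such as 192.168.254.6 192.168.254.7 straddles two /30 blocks and the Windows client will not bring the adapter up). The following shell functions, added here as an example and not taken from the original post or the kylemanna/openvpn image, check a pair before it is written into the ccd file: the client's last octet must be 1 modulo 4, the server's must be exactly one higher, and both must share the first three octets. The Windows log line above shows the expected result of a good pair, a TAP adapter with netmask 255.255.255.252. Function names are this example's own; the addresses are those from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: validate an ifconfig-push
# address pair against the /30 rule before writing the ccd file, so a bad
# pair is caught on the server rather than failing on the Windows client.

# last_octet ADDR -> prints the fourth octet of a dotted-quad address
last_octet() {
    printf '%s\n' "${1##*.}"
}

# same_prefix A B -> succeeds when the first three octets are identical
same_prefix() {
    [ "${1%.*}" = "${2%.*}" ]
}

# valid_ccd_pair CLIENT_IP SERVER_IP
# Succeeds only when the pair is the client/server half of one /30: the
# client's last octet is 1, 5, 9, ... (1 mod 4) and the server's is exactly
# one higher, both inside the same /24.
valid_ccd_pair() {
    same_prefix "$1" "$2" || return 1
    c=$(last_octet "$1")
    s=$(last_octet "$2")
    case "$c$s" in *[!0-9]*) return 1 ;; esac   # reject non-numeric octets
    [ "$c" -ge 1 ] && [ "$c" -le 253 ] || return 1
    [ $((c % 4)) -eq 1 ] || return 1
    [ "$s" -eq $((c + 1)) ] || return 1
}

# ccd_line CLIENT_IP SERVER_IP -> prints the directive, fails on a bad pair
ccd_line() {
    valid_ccd_pair "$1" "$2" || { echo "invalid ifconfig-push pair: $1 $2" >&2; return 1; }
    printf 'ifconfig-push %s %s\n' "$1" "$2"
}

# write_ccd CCD_DIR CLIENTNAME CLIENT_IP SERVER_IP
# Writes CCD_DIR/CLIENTNAME with the validated directive. The file name must
# equal the common name of the client certificate, as in the post.
write_ccd() {
    line=$(ccd_line "$3" "$4") || return 1
    mkdir -p "$1" && printf '%s\n' "$line" > "$1/$2"
}

# Usage on the server (volume path as shown in the post):
#   write_ccd /var/lib/docker/volumes/ovpn-data-jnby/_data/ccd CLIENTNAME 192.168.254.5 192.168.254.6
```

Run write_ccd once per client instead of opening the file in vim; a rejected pair leaves the ccd directory untouched.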
# By default the whole internal network is reachable; you can set policy with switch ACLs, or set rules with iptables inside the container.
# 1. Enter the container interactively
docker exec -it containername bash
# 2. View the iptables rules
bash-5.0# iptables -L -n -v
Chain INPUT (policy ACCEPT 49449 packets, 26M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 112K packets, 70M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 67051 packets, 50M bytes)
 pkts bytes target     prot opt in     out     source               destination
# 3. Add iptables rules
# allow access to a host by IP
bash-5.0# iptables -I FORWARD -i tun0 -s 192.168.254.5 -d 10.2.2.3 -j ACCEPT
bash-5.0# iptables -I FORWARD -i tun0 -s 192.168.254.6 -d 10.2.2.3 -j ACCEPT
# allow access to a single port
bash-5.0# iptables -I FORWARD -i tun0 -s 192.168.254.5 -d 10.2.2.14 -p tcp --dport 7180 -j ACCEPT
# deny access to every other address in the subnet
bash-5.0# iptables -A FORWARD -i tun0 -s 192.168.254.5 -d 10.2.2.0/24 -j DROP
bash-5.0# iptables -A FORWARD -i tun0 -s 192.168.254.6 -d 10.2.2.0/24 -j DROP
# 4. Connect from the client and test the access rules
(omitted)
# 5. Save the iptables configuration
bash-5.0# iptables-save > /etc/openvpn/iptables
# 6. Import the iptables configuration (for later use)
bash-5.0# iptables-restore < /etc/openvpn/iptables
# view the iptables configuration
bash-5.0# iptables-save
# Generated by iptables-save v1.8.4 on Thu Jul  1 07:05:07 2021
*filter
:INPUT ACCEPT [1026:245528]
:FORWARD ACCEPT [1474:763507]
:OUTPUT ACCEPT [787:636748]
-A FORWARD -s 192.168.254.5/32 -d 10.2.2.14/32 -i tun0 -p tcp -m tcp --dport 7180 -j ACCEPT
-A FORWARD -s 192.168.254.6/32 -d 10.2.2.3/32 -i tun0 -j ACCEPT
-A FORWARD -s 192.168.254.5/32 -d 10.2.2.3/32 -i tun0 -j ACCEPT
-A FORWARD -s 192.168.254.5/32 -d 10.2.2.0/24 -i tun0 -j DROP
-A FORWARD -s 192.168.254.6/32 -d 10.2.2.0/24 -i tun0 -j DROP
COMMIT
# Completed on Thu Jul  1 07:05:07 2021
# Generated by iptables-save v1.8.4 on Thu Jul  1 07:05:07 2021
*nat
:PREROUTING ACCEPT [1247:80359]
:INPUT ACCEPT [2:140]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.255.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.254.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Jul  1 07:05:07 2021
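The rules above depend on ordering (the ACCEPT lines inserted with -I must sit above the per-client DROP lines appended with -A) and on listing a DROP for every client, because the FORWARD chain policy stays ACCEPT and an address that has no DROP line is not restricted at all. The script below, added here as an example and not taken from the original post or the kylemanna/openvpn image, generates the same ruleset from a small allow-list in iptables-restore format so it can be reviewed before loading: ACCEPT rules first, then one DROP per listed client towards the internal /24, and finally (this example's own addition) a catch-all DROP for any other tun0 source. The 10.2.2.0/24 network, the client addresses and port 7180 are the values from the post; the POLICY table, the function names and the catch-all rule are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: build the FORWARD rules for
# the OpenVPN container from an allow-list instead of typing them one by one.
# Output is a complete *filter table for iptables-restore.

VPN_IF="tun0"
INTERNAL_NET="10.2.2.0/24"

# Constructed sample policy mirroring the rules typed in the post.
# One entry per line: CLIENT_IP DESTINATION [TCP_PORT]
POLICY='192.168.254.5 10.2.2.3
192.168.254.6 10.2.2.3
192.168.254.5 10.2.2.14 7180'

# accept_rule CLIENT DEST [PORT] -> one ACCEPT line (TCP port optional)
accept_rule() {
    if [ -n "$3" ]; then
        printf '%s\n' "-A FORWARD -i $VPN_IF -s $1 -d $2 -p tcp --dport $3 -j ACCEPT"
    else
        printf '%s\n' "-A FORWARD -i $VPN_IF -s $1 -d $2 -j ACCEPT"
    fi
}

# drop_rule SOURCE -> DROP everything else from SOURCE to INTERNAL_NET
drop_rule() {
    printf '%s\n' "-A FORWARD -i $VPN_IF -s $1 -d $INTERNAL_NET -j DROP"
}

# build_ruleset -> prints the *filter table in iptables-restore format
build_ruleset() {
    printf '*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    # ACCEPTs first: the chain is evaluated top-down and the first match wins
    printf '%s\n' "$POLICY" | while read -r client dest port; do
        if [ -n "$client" ]; then accept_rule "$client" "$dest" "$port"; fi
    done
    # one DROP per distinct client, placed after all of its ACCEPTs
    printf '%s\n' "$POLICY" | awk '{ print $1 }' | sort -u | while read -r client; do
        drop_rule "$client"
    done
    # catch-all (not in the post): VPN sources absent from the policy get nothing
    printf '%s\n' "-A FORWARD -i $VPN_IF -d $INTERNAL_NET -j DROP"
    printf 'COMMIT\n'
}

# count_rules PATTERN -> how many generated lines contain PATTERN
count_rules() {
    build_ruleset | grep -c -- "$1"
}

# Usage inside the container, matching the save/restore steps of the post:
#   build_ruleset > /etc/openvpn/iptables && iptables-restore < /etc/openvpn/iptables
```

Loading the file with iptables-restore replaces the filter table atomically, so the ordering is fixed by the generator rather than by the sequence in which -I and -A commands happened to be typed; the nat table with the MASQUERADE rules is not touched because the file contains only a *filter section.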