[email protected]: Failed at step NAMESPACE spawning /usr/sbin/openvpn: Permission denied
ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2
這表示建立 CT 時，沒有取消勾選 Unprivileged container
vi /etc/pve/lxc/133.conf
# NOTE: Proxmox stores '#' lines of a CT config as the container description;
# the comments here are explanatory only — do not paste them into 133.conf verbatim.
# ... (lines omitted) ...
ostype: debian
rootfs: zfs-raid:subvol-133-disk-1,size=8G
swap: 512
# Character device 10:200 is /dev/net/tun (the `ls -l` check further down shows
# major 10, minor 200); rwm = read, write and mknod allowed inside the CT.
lxc.cgroup2.devices.allow: c 10:200 rwm
# Bind-mount the host's /dev/net into the CT so /dev/net/tun is visible to openvpn.
lxc.mount.entry: /dev/net dev/net none bind,create=dir
# 100000 is presumably the host uid/gid that the unprivileged CT's root (uid 0) is
# mapped to — confirm against /etc/subuid and /etc/subgid on the Proxmox host.
chown 100000:100000 /dev/net/tun
確認權限是否修改成功
# ls -l /dev/net/tun crw-rw-rw- 1 100000 100000 10, 200 Jun 3 16:37 /dev/net/tun
pct reboot 133
# /etc/openvpn/server.conf (excerpt)
port 10443
proto tcp
dev tun
# ... (lines omitted) ...
# push routes to clients to allow them to reach private subnets
push "route 10.20.0.0 255.255.255.0"
service openvpn restart
: : #REMOTE_PORT='1194' REMOTE_PORT='10443' : : remote $SERVER_ADDR $REMOTE_PORT ;proto udp proto tcp remote-cert-tls server :
root@ct-openvpn ~# openvpn-addclient jerry [email protected]
/var/www/openvpn/bin/addprofile jerry
會回傳類似以下的網址 URL: https://vpn.ichiayi.org/profiles/e092f97123456789067ff594c9f8dc0305d81b71/
/etc/cron.hourly/openvpn-profiles-delexpired
這樣上面產生的設定檔下載網址就立即失效
openvpn-revoke jerry
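# Client connect / reconnect events from syslog. GNU basic regex: `\|` is alternation.
# (grep reads the file directly; the former `cat | grep` only added a process.)
grep 'VERIFY OK: depth=0, CN=\| received, client-instance restarting' /var/log/syslog
# easy-rsa CA database: the first field of every index.txt line is the certificate
# status (V = valid, R = revoked, E = expired). Anchor on ^ so a 'V' or 'R' that
# merely occurs inside a CN or serial does not produce a false match.
grep '^V' /etc/openvpn/easy-rsa/keys/index.txt
grep '^R' /etc/openvpn/easy-rsa/keys/index.txt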
vi /etc/lighttpd/lighttpd.conf
# ... (lines omitted) ...
# Plain HTTP: send everything to HTTPS. %1 is the Host header captured by the regex;
# it normally carries no port, so the redirect targets the default 443 while TLS is
# served on :20443 below — this relies on something in front mapping 443 -> 20443
# (or on users only ever receiving the final URL); confirm in your setup.
$SERVER["socket"] == ":80" {
  $HTTP["host"] =~ "(.*)" {
    url.redirect = ( "^/(.*)" => "https://%1/$1" )
  }
}
$SERVER["socket"] == ":20443" {
  ssl.engine = "enable"
  # Note using shared hardened SSL settings
  include "ssl-params.conf"
# ... (rest of this block omitted) ...
vi /etc/lighttpd/conf-enabled/50-tklcp.conf
# ... (lines omitted) ...
# Plain HTTP: send everything to HTTPS. %1 is the Host header captured by the regex;
# it normally carries no port, so the redirect targets the default 443 while TLS is
# served on :20443 below — this relies on something in front mapping 443 -> 20443
# (or on users only ever receiving the final URL); confirm in your setup.
$SERVER["socket"] == ":80" {
  $HTTP["host"] =~ "(.*)" {
    url.redirect = ( "^/(.*)" => "https://%1/$1" )
  }
}
$SERVER["socket"] == ":20443" {
  ssl.engine = "enable"
  # Note using shared hardened SSL settings
  include "ssl-params.conf"
# ... (rest of this block omitted) ...
vi /etc/lighttpd/conf-enabled/10-ssl.conf
# ... (lines omitted) ...
# IPv4 TLS listener on 20443 — the port SERVER_ADDR in addprofile points at.
$SERVER["socket"] == "0.0.0.0:20443" {
  ssl.engine = "enable"
}
# ... (lines omitted) ...
# support for IPv6 HTTPS via Debian script (in 'lighttpd' package)
include_shell "/usr/share/lighttpd/use-ipv6.pl 20443"
修改好重啟 lighttpd
systemctl restart lighttpd.service
vi /var/www/openvpn/bin/addprofile
# ... (lines omitted) ...
# Original behaviour (disabled): take the host from the first `remote` line of the .ovpn.
#SERVER_ADDR=$(grep remote $OVPN_PATH | awk '{print $2;exit}')
# Fixed host:port of the lighttpd profile listener (20443, see 10-ssl.conf).
# Presumably this is what ends up as the host part of the profile download URL — confirm.
SERVER_ADDR="172.16.0.246:20443"
# ... (lines omitted) ...
cat /etc/openvpn/server.conf
# root@ct-openvpn ~# cat /etc/openvpn/server.conf
# PUBLIC_ADDRESS: vpn.iiidevops.org (used by openvpn-addclient)
port 443
proto tcp
dev tun
# NOTE(review): `cipher` is the pre-2.5 single-cipher setting; OpenVPN 2.5+ negotiates
# from `data-ciphers` (AES-256-GCM preferred) and treats a CBC `cipher` as legacy.
# Kept as-is because existing client profiles may depend on it — confirm before changing.
cipher AES-256-CBC
auth SHA256
keepalive 10 120
# ... (lines omitted) ...
client-config-dir /etc/openvpn/server.ccd
# client-to-client switches traffic between VPN clients inside openvpn itself, so the
# kernel FORWARD rules never see it; drop it unless clients genuinely need to reach each other.
client-to-client
status /var/log/openvpn/server.log
# ... (lines omitted) ...
systemctl restart openvpn
vi /etc/iptables.up.rules
# ... (lines omitted) ...
*filter
# Default policies: INPUT drops, FORWARD and OUTPUT accept. FORWARD ACCEPT means
# everything routed through this host (VPN clients -> pushed private subnets) passes.
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ... (lines omitted) ...
# SNMP (v2c, plaintext community) is accepted from any source here; add
# `-s <MONITORING_HOST>` (placeholder) so only the poller can reach UDP 161.
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
# ... (lines omitted; the file must end with COMMIT) ...
更改後重啟主機，或是使用 iptables-restore 讓 firewall 生效
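# The command is iptables-restore (with an "s"); the original `iptable-restore` does not exist.
iptables-restore < /etc/iptables.up.rules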
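# Install sudo and the OpenVPN SNMP stats helper (one command per line).
apt install sudo -y
mkdir -p /opt/openvpn-snmp-stats/db
cd /opt/openvpn-snmp-stats || exit 1
# Supply-chain note: this fetches the moving tip of `main`, and the sudoers rule below
# lets the snmp user run the result as root without a password. Prefer fetching a
# fixed commit (raw.githubusercontent.com/.../<COMMIT_SHA>/openvpn.py, placeholder)
# and comparing `sha256sum openvpn.py` with a value you recorded after reviewing it.
wget https://raw.githubusercontent.com/ThierryDi/-openvpn-snmp-stats/main/openvpn.py
chmod a+x openvpn.py
# `-f` is needed to edit a sudoers file other than /etc/sudoers.
visudo -f /etc/sudoers.d/openvpn-stats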
Debian-snmp ALL = NOPASSWD: /opt/openvpn-snmp-stats/openvpn.py
vi /etc/snmp/snmpd.conf
# ... (lines omitted) ...
# Read-only v2c access for security name "iiidevops" (the community string presumably
# sits on a com2sec line omitted here). v2c sends the community in plaintext, so
# pair it with a source restriction on UDP 161 in the firewall.
group MyROGroup v2c iiidevops
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.2
view systemview included .1.3.6.1.2.1.25.1.1
# NET-SNMP-EXTEND-MIB subtree — where `extend` output is published.
view systemview included .1.3.6.1.4.1.8072.1.3.2
# ... (lines omitted) ...
# The extend name ("wireguard") is part of the OID the poller queries; it is misleading
# for an OpenVPN script, but renaming it also changes what the poller must ask for.
extend wireguard /usr/bin/sudo /opt/openvpn-snmp-stats/openvpn.py
# Expose the status file this server.conf writes under the name the stats script
# appears to expect (openvpn-status.log) — inferred from the filename, confirm.
ln -s /var/log/openvpn/server.log /var/log/openvpn/openvpn-status.log
systemctl restart snmpd.service
vi /etc/openvpn/server.conf
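# ... (lines omitted) ...
status /var/log/openvpn/server.log
verb 4
# Management interface. Binding it to 0.0.0.0 exposed an unauthenticated control socket
# on every interface (the netstat output below shows 0.0.0.0:5555); anyone who can reach
# it can list and kill client sessions. The stats script runs on this same host, so
# loopback is sufficient. If a remote tool ever needs it, add the optional password-file
# argument (`management 127.0.0.1 5555 <PW_FILE>`, placeholder) and firewall the port.
management 127.0.0.1 5555
# ... (lines omitted) ...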
root@ct-devops-vpn ~# netstat -lntp | grep openvpn tcp 0 0 0.0.0.0:5555 0.0.0.0:* LISTEN 88842/openvpn tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 88842/openvpn