Installing ovpn-admin (OpenVPN + simple WebUI)
- DockOVPN (an OpenVPN-in-Docker solution) has no WebUI for managing VPN accounts, so I went looking and found ovpn-admin
- Installation environment
  - VM: 2 vCore, 2 GB RAM, 32 GB SSD
  - OS: Alpine 3.19 + Docker Compose
- Planned layout
  - OpenVPN internal network: 10.16.0.0/24
  - External VPN endpoint: vpn.mydomain.com, TCP port 443
Installation and configuration
- Enable ip_tables in the Alpine 3.19 kernel (load it now, and list it in /etc/modules so it is loaded again after every reboot)

```sh
modprobe ip_tables
echo 'ip_tables' >> /etc/modules
reboot
```
- Edit docker-compose.yml

```yaml
services:
  openvpn:
    container_name: openvpn
    restart: unless-stopped
    image: flant/ovpn-admin:openvpn-latest
    command: /etc/openvpn/setup/configure.sh
    environment:
      OVPN_SERVER_NET: "10.16.0.0"
      OVPN_SERVER_MASK: "255.255.255.0"
      OVPN_PASSWD_AUTH: "true"
    cap_add:
      - NET_ADMIN
    ports:
      - "443:1194"   # for openvpn
    volumes:
      - ./easyrsa_master:/etc/openvpn/easyrsa
      - ./ccd_master:/etc/openvpn/ccd
      - ./Dockovpn:/tmp
      #- ./openvpn.conf:/etc/openvpn/setup/openvpn.conf

  ovpn-admin:
    container_name: ovpn-admin
    restart: unless-stopped
    image: flant/ovpn-admin
    command: /app/ovpn-admin
    environment:
      OVPN_DEBUG: "true"
      OVPN_VERBOSE: "true"
      OVPN_NETWORK: "10.16.0.0/24"
      OVPN_CCD: "true"
      OVPN_CCD_PATH: "/mnt/ccd"
      EASYRSA_PATH: "/mnt/easyrsa"
      OVPN_SERVER: "vpn.mydomain.com:443:tcp"
      OVPN_INDEX_PATH: "/mnt/easyrsa/pki/index.txt"
      OVPN_AUTH: "true"
      OVPN_AUTH_DB_PATH: "/mnt/easyrsa/pki/users.db"
      LOG_LEVEL: "debug"
    network_mode: service:openvpn
    volumes:
      - ./easyrsa_master:/mnt/easyrsa
      - ./ccd_master:/mnt/ccd

  openvpn-monitor:
    container_name: openvpn-monitor
    restart: unless-stopped
    image: ruimarinho/openvpn-monitor
    environment:
      TZ: "Asia/Taipei"
      OPENVPNMONITOR_DEFAULT_DATETIMEFORMAT: "%%Y/%%m/%%d %%H:%%M:%%S"
      OPENVPNMONITOR_SITES_0_SHOWDISCONNECT: "False"
      OPENVPNMONITOR_SITES_0_PORT: "8989"
      OPENVPNMONITOR_SITES_0_NAME: "openvpn"
      OPENVPNMONITOR_SITES_0_HOST: "localhost"
      OPENVPNMONITOR_SITES_0_ALIAS: "openvpn"
      OPENVPNMONITOR_DEFAULT_SITE: "My OpenVPN Server"
      OPENVPNMONITOR_DEFAULT_MAPS: "True"
      OPENVPNMONITOR_DEFAULT_LONGITUDE: "121.51"
      OPENVPNMONITOR_DEFAULT_LOGO: ""
      OPENVPNMONITOR_DEFAULT_LATITUDE: "24.98"
    network_mode: service:openvpn

  nginx:
    container_name: nginx
    restart: unless-stopped
    image: nginx:latest
    ports:
      - "8080:8080"   # for nginx
    volumes:
      - ./.htpasswd:/etc/nginx/.htpasswd:ro
      - ./default.conf:/etc/nginx/conf.d/default.conf:ro
```

Only two ports are published on the host: 443 (OpenVPN, port 1194 inside the container) and 8080 (nginx). ovpn-admin and openvpn-monitor run inside the openvpn container's network namespace (`network_mode: service:openvpn`), so their listeners (8080 and 80) are reachable from nginx under the service name `openvpn` but are not published on the host themselves; nginx, with the basic auth configured below, is the only way in to the admin UI. The port mappings are quoted because YAML can misparse an unquoted `HOST:CONTAINER` pair as a number.
- Edit default.conf

```nginx
server {
    listen 8080;
    server_name 127.0.0.1;

    location /mon {
        rewrite /mon(.*) /$1 break;
        proxy_pass http://openvpn:80;
    }

    location / {
        auth_basic "Pass";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://openvpn:8080;
    }
}
```

Note that `auth_basic` is set only inside `location /`, so nginx does not apply it to `/mon`: the openvpn-monitor page (connected user names, source addresses, traffic counters) is readable by anyone who can reach port 8080. If that is not intended, move the two `auth_basic` lines up into the `server {}` block so both locations inherit them. Everything here is plain HTTP, so the basic-auth credentials travel in the clear; keep port 8080 reachable only from a trusted network, or terminate TLS in front of it.
- Create the administrator credentials file .htpasswd, e.g. for an administrator named jonathan

```sh
apk add apache2-utils
htpasswd -c .htpasswd jonathan
cat .htpasswd
```

You should see a line like `jonathan:$apr1$xxxxxxxx$xxxxxxxxxxxxxxxxxxxxxx` (htpasswd's default is the MD5-based apr1 scheme; `-B` selects bcrypt instead). Further accounts are added without `-c`, e.g. `htpasswd .htpasswd myadm`; `-c` would create the file anew and drop the existing entries.

To check that the password stored in .htpasswd is correct, use `htpasswd -v .htpasswd ACCOUNT` and type the password at the prompt. `-vb` with the password on the command line also works, but it lands in the shell history and is visible in `ps` while it runs, e.g.

```sh
ovpn-admin-246:~# htpasswd -vb .htpasswd myadm MyPasswod***
Password for user myadm correct.
```
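As an added example (not part of the original page), a small Python audit of the .htpasswd file produced above: it reports which hash scheme each entry uses, since `htpasswd -c` writes the MD5-based `$apr1$` scheme unless `-B` (bcrypt) is given, and it flags bcrypt entries whose cost (the `-C` value, default 5) is below a chosen minimum. The file content, user names and hash bodies below are constructed placeholders, not real digests.

```python
# Added example, not from the page: classify the hash scheme of every .htpasswd
# entry and report the ones worth rehashing with `htpasswd -B -C <cost>`.
import re
from typing import Dict, List, Tuple

# Constructed file content; hash bodies are placeholders, not real digests.
SAMPLE_HTPASSWD = "\n".join([
    "jonathan:$apr1$xxxxxxxx$yyyyyyyyyyyyyyyyyyyyyy",   # htpasswd default (MD5-based apr1)
    "myadm:$2y$05$" + "a" * 53,                          # bcrypt, default cost 5
    "legacy:{SHA}zzzzzzzzzzzzzzzzzzzzzzzzzzz=",           # unsalted SHA-1 (-s)
    "ops:$2y$12$" + "b" * 53,                            # bcrypt, cost 12
    "plainguy:NotAHash",                                 # not a recognised scheme
])

BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$")


def classify(hash_field: str) -> Tuple[str, int]:
    """Return (scheme, bcrypt cost); cost is -1 for non-bcrypt schemes."""
    m = BCRYPT_RE.match(hash_field)
    if m:
        return "bcrypt", int(m.group(1))
    if hash_field.startswith("$apr1$"):
        return "apr1-md5", -1
    if hash_field.startswith("{SHA}"):
        return "sha1", -1
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return "crypt", -1
    return "unknown", -1


def audit(content: str, min_cost: int = 10) -> Tuple[Dict[str, str], List[str]]:
    """Map user -> scheme and list findings; min_cost is an assumed policy value."""
    schemes: Dict[str, str] = {}
    findings: List[str] = []
    for lineno, line in enumerate(content.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep:
            findings.append(f"line {lineno}: malformed entry (no ':' separator)")
            continue
        scheme, cost = classify(hash_field)
        schemes[user] = scheme
        if scheme == "bcrypt":
            if cost < min_cost:
                findings.append(f"{user}: bcrypt cost {cost} < {min_cost}; rehash with htpasswd -B -C {min_cost}")
        elif scheme in ("apr1-md5", "sha1", "crypt"):
            findings.append(f"{user}: {scheme} is weak by current standards; rehash with htpasswd -B")
        else:
            findings.append(f"{user}: unrecognised hash field (plaintext or corrupt entry?)")
    return schemes, findings


if __name__ == "__main__":
    # With a real file: audit(open(".htpasswd").read())
    _, found = audit(SAMPLE_HTPASSWD)
    for item in found:
        print(item)
```

The bcrypt cost check matters because `htpasswd -B` alone keeps the default cost of 5; pass `-C 10` or higher when creating entries.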
- Start the ovpn-admin stack

```sh
mkdir -p Dockovpn
chmod a+w Dockovpn
docker compose up -d
```

- To manage VPN accounts: http://server-ip:8080/
- To see the VPN clients currently online: http://server-ip:8080/mon

Both pages are served over plain HTTP through the nginx container, so only open port 8080 to networks you trust.
Install openvpn-snmp-stats for better monitoring
- Install openvpn.py

```sh
apk add --update --no-cache python3
ln -sf python3 /usr/bin/python
mkdir -p /opt/openvpn-snmp-stats/db
cd /opt/openvpn-snmp-stats
wget https://raw.githubusercontent.com/tryweb/-openvpn-snmp-stats/alpine3/openvpn.py
chmod a+x openvpn.py
```

Read the downloaded script before wiring it into snmpd: it is fetched straight from a GitHub raw URL and snmpd will run it on the host whenever the extend OID is queried.

After installing, run it once by hand to confirm it works, e.g.

```sh
openvpn-61:~# /opt/openvpn-snmp-stats/openvpn.py
{"errorString": "", "error": 0, "version": 1, "data": {"tun0": {
  "iv9614": {"minutes_since_last_handshake": 506, "bytes_rcvd": 106350, "bytes_sent": 78677},
  "jonathan_pixel5": {"minutes_since_last_handshake": 535, "bytes_rcvd": 23584, "bytes_sent": 37931},
  "jonathan": {"minutes_since_last_handshake": 536, "bytes_rcvd": 7086888, "bytes_sent": 41041820},
  "UNDEF": {"minutes_since_last_handshake": 495, "bytes_rcvd": 0, "bytes_sent": 0}}}}
```

`UNDEF` is how OpenVPN lists a session that is connected at the transport level but has not completed authentication, so it is worth watching rather than ignoring.
- Configure snmpd.conf

```sh
vi /etc/snmp/snmpd.conf
```

Add the line:

```text
extend wireguard /opt/openvpn-snmp-stats/openvpn.py
```

The name after `extend` (here `wireguard`, evidently copied from a WireGuard template) is only the label the result is published under in NET-SNMP-EXTEND-MIB; use `openvpn` unless your poller's template expects `wireguard`. Then restart snmpd:

```sh
service snmpd restart
```
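As an added example, not part of the page or of the openvpn-snmp-stats project, the following Python consumes the JSON that openvpn.py prints (the sample is constructed in the same shape as the output above) and turns it into something a poller can alert on: it refuses to report numbers when the script itself set `error`, sums per-interface traffic for graphing, and flags `UNDEF` entries (OpenVPN's name for a session that is connected but has not completed authentication), silent sessions and stale handshakes. The handshake-age threshold and the warning exit code are assumptions chosen for illustration.

```python
# Added example, not from the page or openvpn-snmp-stats: evaluate the JSON that
# openvpn.py prints and produce check_command-style findings.
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape openvpn.py prints; the numbers are made up.
SAMPLE_OUTPUT = json.dumps({
    "errorString": "",
    "error": 0,
    "version": 1,
    "data": {
        "tun0": {
            "iv9614": {"minutes_since_last_handshake": 506, "bytes_rcvd": 106350, "bytes_sent": 78677},
            "jonathan_pixel5": {"minutes_since_last_handshake": 535, "bytes_rcvd": 23584, "bytes_sent": 37931},
            "jonathan": {"minutes_since_last_handshake": 536, "bytes_rcvd": 7086888, "bytes_sent": 41041820},
            # OpenVPN lists a session that has not finished authenticating as UNDEF
            "UNDEF": {"minutes_since_last_handshake": 495, "bytes_rcvd": 0, "bytes_sent": 0},
        }
    },
})

Stats = Dict[str, Dict[str, Dict[str, int]]]


def parse_stats(raw: str) -> Stats:
    """Parse openvpn.py output; refuse to report numbers if the script itself failed."""
    doc = json.loads(raw)
    if doc.get("error"):
        raise RuntimeError(doc.get("errorString") or "openvpn.py reported an error")
    return doc["data"]


def traffic_totals(stats: Stats) -> Dict[str, Tuple[int, int]]:
    """Per-interface (bytes_rcvd, bytes_sent) totals, e.g. for capacity graphs."""
    totals: Dict[str, Tuple[int, int]] = {}
    for iface, clients in stats.items():
        rcvd = sum(c["bytes_rcvd"] for c in clients.values())
        sent = sum(c["bytes_sent"] for c in clients.values())
        totals[iface] = (rcvd, sent)
    return totals


def check_clients(stats: Stats, max_handshake_age: int) -> List[str]:
    """Findings worth an alert: unauthenticated, silent, or stale sessions.

    max_handshake_age (minutes) is a site policy value, not something openvpn.py defines.
    """
    findings: List[str] = []
    for iface, clients in stats.items():
        for name, c in clients.items():
            if name == "UNDEF":
                findings.append(f"{iface}: session connected but not authenticated (UNDEF)")
                continue
            if c["bytes_rcvd"] == 0 and c["bytes_sent"] == 0:
                findings.append(f"{iface}/{name}: no traffic in either direction")
            if c["minutes_since_last_handshake"] > max_handshake_age:
                findings.append(f"{iface}/{name}: last handshake {c['minutes_since_last_handshake']} min ago")
    return findings


def nagios_status(findings: List[str]) -> Tuple[int, str]:
    """Map findings to a check_command-style exit code (0 OK, 1 WARNING) and summary line."""
    if not findings:
        return 0, "OK - all VPN sessions healthy"
    return 1, "WARNING - " + "; ".join(findings)


if __name__ == "__main__":
    # With the real script: raw = subprocess.check_output(["/opt/openvpn-snmp-stats/openvpn.py"], text=True)
    data = parse_stats(SAMPLE_OUTPUT)
    print(traffic_totals(data))
    code, line = nagios_status(check_clients(data, max_handshake_age=520))
    print(line)
    raise SystemExit(code)
```

Feed it the output of the script directly, or the value read back over SNMP from the extend OID; either way the `error` field is checked before any number is trusted.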
FAQ
1. Modifying server.conf
- Copy /etc/openvpn/setup/openvpn.conf out of the container, edit it into the version you want, and mount the edited copy back in
- Procedure

```sh
docker cp openvpn:/etc/openvpn/setup/openvpn.conf .
vi openvpn.conf
```

e.g. to push routes for 172.16.0.0/24 and 172.16.1.0/24 to the clients, add:

```text
push "route 172.16.0.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"
```

```sh
vi docker-compose.yml
```

Enable openvpn: → volumes: → ./openvpn.conf:/etc/openvpn/setup/openvpn.conf

```yaml
services:
  openvpn:
    # ... (other settings unchanged)
    volumes:
      - ./easyrsa_master:/etc/openvpn/easyrsa
      - ./ccd_master:/etc/openvpn/ccd
      - ./Dockovpn:/tmp
      - ./openvpn.conf:/etc/openvpn/setup/openvpn.conf
  # ... (other services unchanged)
```

- Run docker compose up -d again so the change takes effect (Compose recreates the openvpn container because its volume list changed)

```sh
docker compose up -d
```

- Have all VPN clients disconnect and reconnect: pushed routes are only delivered when a client connects
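As an added example (my code, not from the page or from ovpn-admin), a Python helper that turns CIDR prefixes into the `push "route ..."` directives shown above and appends them to the copied openvpn.conf only when they are not already present, so it can be re-run before every `docker compose up -d` without accumulating duplicates. It rejects prefixes with host bits set and prefixes that overlap the VPN subnet itself (`vpn_net`, assumed here to be the 10.16.0.0/24 from the compose file). The file name and the demo config text are assumptions.

```python
# Added example, not from the page or ovpn-admin: idempotently add push "route"
# directives (dotted netmask form, as OpenVPN expects) from CIDR notation.
import ipaddress
import re
from pathlib import Path
from typing import List, Optional, Set, Tuple

PUSH_ROUTE_RE = re.compile(r'^\s*push\s+"route\s+(\S+)\s+(\S+)"\s*$')


def route_directive(cidr: str, vpn_net: Optional[str] = None) -> str:
    """Turn 172.16.0.0/24 into: push "route 172.16.0.0 255.255.255.0".

    strict=True rejects prefixes with host bits set (e.g. 172.16.0.5/24), which
    would otherwise be pushed as a route with a wrong network address. A prefix
    overlapping the VPN subnet (OVPN_SERVER_NET) is refused as well.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError(f"{cidr}: only IPv4 handled here; IPv6 uses route-ipv6")
    if vpn_net and net.overlaps(ipaddress.ip_network(vpn_net)):
        raise ValueError(f"{cidr} overlaps the VPN subnet {vpn_net}")
    return f'push "route {net.network_address} {net.netmask}"'


def existing_routes(text: str) -> Set[Tuple[str, str]]:
    """(network, netmask) pairs already pushed in the config text."""
    return {m.group(1, 2) for line in text.splitlines() if (m := PUSH_ROUTE_RE.match(line))}


def add_push_routes(text: str, cidrs: List[str], vpn_net: Optional[str] = None) -> Tuple[str, List[str]]:
    """Return (updated config text, directives that were actually added)."""
    present = existing_routes(text)
    lines = text.splitlines()
    added: List[str] = []
    for cidr in cidrs:
        directive = route_directive(cidr, vpn_net)
        key = PUSH_ROUTE_RE.match(directive).group(1, 2)
        if key in present:
            continue  # already configured, leave the file alone
        lines.append(directive)
        added.append(directive)
        present.add(key)
    return "\n".join(lines) + "\n", added


def update_conf(path: str, cidrs: List[str], vpn_net: Optional[str] = None) -> List[str]:
    """Rewrite the file only when something changed; returns the added directives."""
    p = Path(path)
    new_text, added = add_push_routes(p.read_text(), cidrs, vpn_net)
    if added:
        p.write_text(new_text)
    return added


if __name__ == "__main__":
    # Constructed config text; on the file copied out with docker cp use
    # update_conf("openvpn.conf", ["172.16.0.0/24", "172.16.1.0/24"], vpn_net="10.16.0.0/24")
    demo = 'port 1194\nproto tcp\npush "route 172.16.0.0 255.255.255.0"\n'
    text, added = add_push_routes(demo, ["172.16.0.0/24", "172.16.1.0/24"], vpn_net="10.16.0.0/24")
    print(text)
    print("added:", added)
```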
2. Switching OpenVPN to UDP mode
- The current configure.sh hard-codes listening on TCP, so there is no switch for it; the only way is to edit it the same way as openvpn.conf above and mount your copy over the original. The relevant line in configure.sh is:

```sh
openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd \
  --port 1194 --proto tcp --management 127.0.0.1 8989 --dev tun0 \
  --server ${OVPN_SRV_NET} ${OVPN_SRV_MASK}
```

Changing `--proto tcp` alone is not enough: the compose port mapping `443:1194` publishes TCP unless written as `443:1194/udp`, and `OVPN_SERVER` ends in `:tcp`, which ovpn-admin writes into the client profiles it generates. All three have to agree or the clients will connect to the wrong protocol.