安裝 ovpn-admin (OpenVPN + 簡易 WebUI) 方案

  • 為解決 DockOVPN (OpenVPN Docker方案) 無 WebUI 可管理 VPN 帳號, 因此找到這 ovpn-admin 方案
  • 安裝環境
    • VM : 2 vCore, 2G RAM, 32G SSD
    • OS : Alpine 3.19 + Docker Compose
  • 規劃環境
    • OpenVPN 內部網路 : 10.16.0.0/24
    • 外部聯入 VPN : vpn.mydomain.com TCP Port 443
  1. Alpine 3.19 Kernel 啟用 ip_tables

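    # Load ip_tables now and make it persist: Alpine reads /etc/modules at boot.
    # The grep guard keeps a re-run of this step from appending a duplicate line.
    modprobe ip_tables
    grep -qx 'ip_tables' /etc/modules || echo 'ip_tables' >> /etc/modules
    reboot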

  2. 編輯 docker-compose.yml
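    # docker-compose.yml for the ovpn-admin stack: the OpenVPN server plus the
    # admin UI, a status monitor and an nginx front door. Only two host ports are
    # published: 443 (OpenVPN) and 8080 (nginx); the two UIs are reached through nginx.
    services:
      openvpn:
        container_name: openvpn
        restart: unless-stopped
        # NOTE(review): floating tag. Pin to a fixed tag or digest so a rebuild is
        # reproducible and an upstream image change cannot land unnoticed.
        image: flant/ovpn-admin:openvpn-latest
        command: /etc/openvpn/setup/configure.sh
        environment:
          OVPN_SERVER_NET: "10.16.0.0"
          OVPN_SERVER_MASK: "255.255.255.0"
          OVPN_PASSWD_AUTH: "true"
        cap_add:
          - NET_ADMIN  # presumably needed by configure.sh for the tun0 device / iptables — confirm
        ports:
          # Host 443 -> container 1194 (OpenVPN over TCP). Quoted on purpose:
          # Compose port mappings are strings, and unquoted a:b values can be
          # mis-typed by YAML 1.1 parsers.
          - "443:1194"
        volumes:
          # easy-rsa PKI; pki/index.txt and pki/users.db live here, so keep the
          # host directory readable only by the admin account.
          - ./easyrsa_master:/etc/openvpn/easyrsa
          - ./ccd_master:/etc/openvpn/ccd
          - ./Dockovpn:/tmp  # must be writable by the container user (see the start-up step)
          # Enable to mount a customised server config (see the openvpn.conf section).
          #- ./openvpn.conf:/etc/openvpn/setup/openvpn.conf
      ovpn-admin:
        container_name: ovpn-admin
        restart: unless-stopped
        # NOTE(review): untagged image resolves to :latest — pin as for openvpn above.
        image: flant/ovpn-admin
        command: /app/ovpn-admin
        environment:
          # Debug/verbose logging is useful while setting up; turn it down once the
          # stack works, since debug output can include client and certificate details.
          OVPN_DEBUG: "true"
          OVPN_VERBOSE: "true"
          OVPN_NETWORK: "10.16.0.0/24"
          OVPN_CCD: "true"
          OVPN_CCD_PATH: "/mnt/ccd"
          EASYRSA_PATH: "/mnt/easyrsa"
          OVPN_SERVER: "vpn.mydomain.com:443:tcp"
          OVPN_INDEX_PATH: "/mnt/easyrsa/pki/index.txt"
          OVPN_AUTH: "true"
          OVPN_AUTH_DB_PATH: "/mnt/easyrsa/pki/users.db"
          LOG_LEVEL: "debug"
        # Shares the openvpn container's network namespace: the admin UI is reached
        # by nginx as openvpn:8080 and is not published on the host.
        network_mode: service:openvpn
        volumes:
          - ./easyrsa_master:/mnt/easyrsa
          - ./ccd_master:/mnt/ccd
      openvpn-monitor:
        container_name: openvpn-monitor
        restart: unless-stopped
        # NOTE(review): untagged image — pin as above.
        image: ruimarinho/openvpn-monitor
        environment:
          TZ: "Asia/Taipei"
          # "%%" presumably escapes "%" for the generated ConfigParser-style config — confirm
          OPENVPNMONITOR_DEFAULT_DATETIMEFORMAT: "%%Y/%%m/%%d %%H:%%M:%%S"
          OPENVPNMONITOR_SITES_0_SHOWDISCONNECT: "False"
          # OpenVPN management interface, bound to 127.0.0.1:8989 by configure.sh;
          # reachable here only because of the shared network namespace below.
          OPENVPNMONITOR_SITES_0_PORT: "8989"
          OPENVPNMONITOR_SITES_0_NAME: "openvpn"
          OPENVPNMONITOR_SITES_0_HOST: "localhost"
          OPENVPNMONITOR_SITES_0_ALIAS: "openvpn"
          OPENVPNMONITOR_DEFAULT_SITE: "My OpenVPN Sever"
          OPENVPNMONITOR_DEFAULT_MAPS: "True"
          OPENVPNMONITOR_DEFAULT_LONGITUDE: "121.51"
          OPENVPNMONITOR_DEFAULT_LOGO: ""
          OPENVPNMONITOR_DEFAULT_LATITUDE: "24.98"
        network_mode: service:openvpn
      nginx:
        container_name: nginx
        restart: unless-stopped
        # NOTE(review): floating tag — pin as above.
        image: nginx:latest
        ports:
          # Host 8080 -> nginx. This is plain HTTP carrying the basic-auth login;
          # bind it to a trusted interface (e.g. "127.0.0.1:8080:8080" behind a
          # TLS terminator) or firewall it instead of exposing it on every interface.
          - "8080:8080"
        volumes:
          - ./.htpasswd:/etc/nginx/.htpasswd:ro
          - ./default.conf:/etc/nginx/conf.d/default.conf:ro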
  3. 編輯 default.conf
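    # Front door for both web UIs. Everything is behind HTTP basic auth; since basic
    # auth resends the password on every request, put a TLS terminator in front of
    # port 8080 unless it is only reachable over a trusted network.
    server {
      listen 8080;
      server_name 127.0.0.1;

      # Applied at server level so that both locations below require the
      # .htpasswd login; previously /mon (the connection monitor, which lists
      # connected clients and their addresses) was reachable without it.
      auth_basic           "Pass";
      auth_basic_user_file /etc/nginx/.htpasswd;

      # openvpn-monitor, presumably listening on port 80 inside the network
      # namespace shared with the openvpn container — confirm against the image.
      location /mon {
        rewrite /mon(.*) /$1 break;
        proxy_pass http://openvpn:80;
      }

      # ovpn-admin web UI (port 8080 in the shared network namespace).
      location / {
        proxy_pass http://openvpn:8080;
      }
    }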
  4. 產生管理者帳號密碼檔 .htpasswd Exp. 建立管理者 jonathan

    # apache2-utils provides htpasswd. -c creates the file and overwrites an
    # existing one, so use it only for the first account. Without -b, htpasswd
    # prompts for the password, which keeps it out of the shell history.
    apk add apache2-utils
    htpasswd -c .htpasswd jonathan
    # Shows user:hash lines. The hash is not the password, but still restrict
    # the file's permissions to the admin account.
    cat .htpasswd

    應該可以看到類似 jonathan:$apr1$xxxxxxxxxxx 這樣的內容, 之後新增其他帳號就不需要 -c Exp. htpasswd .htpasswd myadm

    如果要驗證 htpasswd 設定的密碼是否正確, 可以用 htpasswd -vb .htpasswd 帳號 密碼 進行驗證 Exp.

    ovpn-admin-246:~# htpasswd -vb .htpasswd myadm MyPasswod***
    Password for user everstar correct.
  5. 啟動 ovpn-admin 服務

    # Dockovpn is bind-mounted at /tmp in the openvpn container (see docker-compose.yml).
    # a+w makes it world-writable so the container user can write to it;
    # NOTE(review): if the container's uid is known, chown to that uid instead
    # of opening the directory to every local user.
    mkdir -p Dockovpn
    chmod a+w Dockovpn
    docker compose up -d

  • 安裝 openvpn.py

    # Install python3 and fetch the stats script that snmpd runs via "extend" (next section).
    apk add --update --no-cache python3
    ln -sf python3 /usr/bin/python  # presumably the script's shebang expects "python" — confirm
    mkdir -p /opt/openvpn-snmp-stats/db
    cd /opt/openvpn-snmp-stats
    # NOTE(review): this downloads from a moving branch (alpine3) with no integrity
    # check, and snmpd will run the file with its own privileges. Review the script
    # before enabling it and prefer pinning the URL to a specific commit.
    wget https://raw.githubusercontent.com/tryweb/-openvpn-snmp-stats/alpine3/openvpn.py
    chmod a+x openvpn.py

    安裝後可以先執行驗證 Exp.

    openvpn-61:~# /opt/openvpn-snmp-stats/openvpn.py
    {"errorString": "", "error": 0, "version": 1, "data": {"tun0": {"iv9614": {"minutes_since_last_handshake": 506, "bytes_rcvd": 106350, "bytes_sent": 78677}, "jonathan_pixel5": {"minutes_since_last_handshake": 535, "bytes_rcvd": 23584, "bytes_sent": 37931}, "jonathan": {"minutes_since_last_handshake": 536, "bytes_rcvd": 7086888, "bytes_sent": 41041820}, "UNDEF": {"minutes_since_last_handshake": 495, "bytes_rcvd": 0, "bytes_sent": 0}}}}

  • 設定 snmpd.conf

    vi /etc/snmp/snmpd.conf

    :
    
    extend wireguard /opt/openvpn-snmp-stats/openvpn.py
    service snmpd restart
  • 將 /etc/openvpn/setup/openvpn.conf 複製出來, 改成自己想要的版本, 再掛上去使用
  • 處理方式
    1. docker cp openvpn:/etc/openvpn/setup/openvpn.conf .

    2. vi openvpn.conf

      Exp. 加上 route 172.16.0.0/24 , route 172.16.1.0/24

      :
      push "route 172.16.0.0 255.255.255.0"
      push "route 172.16.1.0 255.255.255.0"
    3. vi docker-compose.yml

      啟用 openvpn: → volumes: → ./openvpn.conf:/etc/openvpn/setup/openvpn.conf

      services:
        openvpn:
        :
        :
          volumes:
            - ./easyrsa_master:/etc/openvpn/easyrsa
            - ./ccd_master:/etc/openvpn/ccd
            - ./Dockovpn:/tmp
            - ./openvpn.conf:/etc/openvpn/setup/openvpn.conf
        :
    4. 重新啟動 docker compose 讓設定生效

      docker compose up -d

    5. 讓所有 VPN Client 斷線重新連入
  • 目前版本 configure.sh 內是直接寫 Listen TCP , 除非比照 openvpn.conf 方式自己修改後掛上去處理
    :
    openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd --port 1194 --proto tcp --management 127.0.0.1 8989 --dev tun0 --server ${OVPN_SRV_NET} ${OVPN_SRV_MASK}