====== 安裝 ovpn-admin (OpenVPN + 簡易 WebUI) 方案 ======
* 為解決 [[tech/dockovpn|DockOVPN (OpenVPN Docker方案)]] 無 WebUI 可管理 VPN 帳號, 因此找到這 **[[https://github.com/flant/ovpn-admin|ovpn-admin]]** 方案
* 安裝環境
* VM : 2 vCore, 2G RAM, 32G SSD
* OS : Alpine 3.21 + Docker Compose
* 規劃環境
* OpenVPN 內部網路 : 10.16.0.0/24
* 外部聯入 VPN : vpn.mydomain.com TCP Port 443
===== 安裝設定 =====
- Alpine 3.21 Kernel 啟用 ip_tables
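# Load ip_tables now (presumably for Docker's iptables/NAT rules) and list it in
# /etc/modules so it is loaded again after reboot. The grep guard keeps a re-run
# of these steps from appending the module name a second time.
modprobe ip_tables
grep -qx 'ip_tables' /etc/modules || echo 'ip_tables' >> /etc/modules
reboot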
- 加上 tun device
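# Create the TUN character device node (major 10, minor 200) only if it is missing,
# so these steps can be re-run safely.
mkdir -p /dev/net
[ -c /dev/net/tun ] || mknod /dev/net/tun c 10 200
# 0666 is the usual mode for /dev/net/tun; the container reaches it through the
# compose `devices:` entry. Opening it still requires CAP_NET_ADMIN (cap_add in compose),
# so the wide mode alone does not let an unprivileged process bring up a tunnel.
chmod 666 /dev/net/tun
# Load the tun module only when lsmod does not already list it
lsmod | grep -qw tun || modprobe tun
# Persist across reboots; guard against a duplicate entry on re-run
grep -qx tun /etc/modules || echo "tun" >> /etc/modules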
- 編輯 docker-compose.yml
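services:
  openvpn:
    container_name: openvpn
    restart: unless-stopped
    # Moving tag; pin a release tag or digest for reproducible deploys.
    image: flant/ovpn-admin:openvpn-latest
    command: /etc/openvpn/setup/configure.sh
    environment:
      OVPN_SERVER_NET: "10.16.0.0"
      OVPN_SERVER_MASK: "255.255.255.0"
      OVPN_PASSWD_AUTH: "true"
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    ports:
      # host 443 -> container 1194 (configure.sh starts openvpn with --port 1194 --proto tcp);
      # quoted so no YAML parser can read the mapping as a number
      - "443:1194"  # for openvpn
    volumes:
      - ./easyrsa_master:/etc/openvpn/easyrsa
      - ./ccd_master:/etc/openvpn/ccd
      - ./Dockovpn:/tmp
      # enable this to replace the image's server config with your own copy
      # - ./openvpn.conf:/etc/openvpn/setup/openvpn.conf

  ovpn-admin:
    container_name: ovpn-admin
    restart: unless-stopped
    # Unpinned tag (implicit :latest); pin for reproducible deploys.
    image: flant/ovpn-admin
    command: /app/ovpn-admin
    environment:
      # Debug/verbose output is handy while bringing the stack up; consider
      # turning it down once it runs stably.
      OVPN_DEBUG: "true"
      OVPN_VERBOSE: "true"
      OVPN_NETWORK: "10.16.0.0/24"
      OVPN_CCD: "true"
      OVPN_CCD_PATH: "/mnt/ccd"
      EASYRSA_PATH: "/mnt/easyrsa"
      # host:port:proto — presumably the endpoint handed to clients; matches the
      # published 443/tcp above. Confirm against the ovpn-admin docs.
      OVPN_SERVER: "vpn.mydomain.com:443:tcp"
      OVPN_INDEX_PATH: "/mnt/easyrsa/pki/index.txt"
      OVPN_AUTH: "true"
      # The user/password DB lives inside the bind-mounted ./easyrsa_master on the host,
      # next to the PKI; keep that directory readable only by the admin account.
      OVPN_AUTH_DB_PATH: "/mnt/easyrsa/pki/users.db"
      LOG_LEVEL: "debug"
    # Shares the openvpn container's network namespace: the UI's port 8080 is reached
    # by nginx as openvpn:8080 and is not published on the host directly.
    network_mode: service:openvpn
    volumes:
      - ./easyrsa_master:/mnt/easyrsa
      - ./ccd_master:/mnt/ccd

  openvpn-monitor:
    container_name: openvpn-monitor
    restart: unless-stopped
    # Unpinned tag; pin for reproducible deploys.
    image: ruimarinho/openvpn-monitor
    environment:
      TZ: "Asia/Taipei"
      # NOTE(review): the doubled %% is presumably an escape required by the consumer's
      # config parsing — confirm against the image docs before changing it.
      OPENVPNMONITOR_DEFAULT_DATETIMEFORMAT: "%%Y/%%m/%%d %%H:%%M:%%S"
      OPENVPNMONITOR_SITES_0_SHOWDISCONNECT: "False"
      # openvpn's management interface (configure.sh: --management 127.0.0.1 8989);
      # "localhost" works because this service shares openvpn's network namespace
      OPENVPNMONITOR_SITES_0_PORT: "8989"
      OPENVPNMONITOR_SITES_0_NAME: "openvpn"
      OPENVPNMONITOR_SITES_0_HOST: "localhost"
      OPENVPNMONITOR_SITES_0_ALIAS: "openvpn"
      OPENVPNMONITOR_DEFAULT_SITE: "My OpenVPN Sever"
      OPENVPNMONITOR_DEFAULT_MAPS: "True"
      OPENVPNMONITOR_DEFAULT_LONGITUDE: "121.51"
      OPENVPNMONITOR_DEFAULT_LOGO: ""
      OPENVPNMONITOR_DEFAULT_LATITUDE: "24.98"
    network_mode: service:openvpn

  nginx:
    container_name: nginx
    restart: unless-stopped
    # :latest is a moving target; pin a version for reproducible deploys.
    image: nginx:latest
    ports:
      # Plain HTTP on every host interface: the Basic-auth credentials for the admin UI
      # cross the network in cleartext. Terminate TLS in front of this, or bind it to a
      # trusted interface only (e.g. "127.0.0.1:8080:8080"), before exposing it further.
      - "8080:8080"  # for nginx
    volumes:
      - ./.htpasswd:/etc/nginx/.htpasswd:ro
      - ./default.conf:/etc/nginx/conf.d/default.conf:ro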
- 編輯 default.conf
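server {
    # Plain HTTP; Basic-auth credentials travel in cleartext unless TLS is terminated
    # in front of this server.
    listen 8080;
    server_name 127.0.0.1;

    # Basic auth at server scope so it is inherited by every location below. With the
    # directives only inside `location /`, `/mon` (the connection monitor, which lists
    # connected client names and addresses) was reachable without any credentials.
    auth_basic "Pass";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # openvpn-monitor: strip the /mon prefix and proxy to port 80 in the openvpn
    # service's network namespace (the monitor container shares it).
    location /mon {
        rewrite /mon(.*) /$1 break;
        proxy_pass http://openvpn:80;
    }

    # ovpn-admin web UI, also running in the openvpn service's network namespace.
    location / {
        proxy_pass http://openvpn:8080;
    }
}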
- 產生管理者帳號密碼檔 .htpasswd Exp. 建立管理者 jonathan
# apache2-utils provides the htpasswd tool
apk add apache2-utils
# -c creates the file and overwrites it if it already exists; omit -c for later users.
# htpasswd's default hash is MD5 (apr1); `-B` selects bcrypt, which is the better
# choice if the nginx image's crypt() accepts it — confirm before switching.
htpasswd -c .htpasswd jonathan
cat .htpasswd
應該可以看到類似 jonathan:$arpxxxxxxxxxxx 這樣的內容 (-c 會建立新檔, 若檔案已存在會被覆寫), 之後新增其他帳號就不需要 -c, Exp. htpasswd .htpasswd myadm
如果要驗證 htpasswd 設定的密碼是否正確, 可以用 **htpasswd -vb .htpasswd 帳號 密碼** 進行驗證 (注意 -b 會把密碼放在命令列上, 會留在 shell history 與 process list 中; 改用 **htpasswd -v .htpasswd 帳號** 則會以互動方式輸入密碼) Exp.
ovpn-admin-246:~# htpasswd -vb .htpasswd myadm MyPasswod***
Password for user everstar correct.
- 啟動 ovpn-admin 服務
# Host directory bind-mounted to /tmp in the openvpn container (compose volumes:)
mkdir -p Dockovpn
# World-writable, presumably so the container's user can write there.
# NOTE(review): a chown to the uid the image runs as would avoid a+w — confirm that uid.
chmod a+w Dockovpn
docker compose up -d
* 如果要管理 vpn 帳號 - http://server-ip:8080/ (此處是明文 HTTP, Basic Auth 的帳號密碼會明文傳送; 正式環境建議在前面加上 TLS, 或限制只能從信任的來源連入)
* ++看範例畫面|{{:tech:螢幕擷取畫面_2024-06-25_155418.png|}}++
* 如果要看線上 vpn 用戶 - http://server-ip:8080/mon
* ++看範例畫面|{{:tech:螢幕擷取畫面_2024-06-25_155441.png|}}++
===== 安裝 openvpn-snmp-stats 強化監控 =====
* 參考 - https://github.com/tryweb/-openvpn-snmp-stats/tree/alpine3
* 安裝 openvpn.py
# Python 3 runtime for the exporter script
apk add --update --no-cache python3
ln -sf python3 /usr/bin/python
mkdir -p /opt/openvpn-snmp-stats/db
cd /opt/openvpn-snmp-stats
# Fetched from a branch (alpine3), so the content can change between installs.
# Review the script before use and prefer pinning a specific commit; snmpd will
# execute it on every poll.
wget https://raw.githubusercontent.com/tryweb/-openvpn-snmp-stats/alpine3/openvpn.py
chmod a+x openvpn.py
安裝後可以先執行驗證 Exp.
openvpn-61:~# /opt/openvpn-snmp-stats/openvpn.py
{"errorString": "", "error": 0, "version": 1, "data": {"tun0": {"iv9614": {"minutes_since_last_handshake": 506, "bytes_rcvd": 106350, "bytes_sent": 78677}, "jonathan_pixel5": {"minutes_since_last_handshake": 535, "bytes_rcvd": 23584, "bytes_sent": 37931}, "jonathan": {"minutes_since_last_handshake": 536, "bytes_rcvd": 7086888, "bytes_sent": 41041820}, "UNDEF": {"minutes_since_last_handshake": 495, "bytes_rcvd": 0, "bytes_sent": 0}}}}
* 設定 snmpd.conf
vi /etc/snmp/snmpd.conf
# Add the `extend` line inside snmpd.conf (the `:` stands for the rest of the file).
# The script's output lists per-user traffic and handshake times, so make sure
# snmpd's community/ACL settings only allow your monitoring host to read it.
:
extend wireguard /opt/openvpn-snmp-stats/openvpn.py
service snmpd restart
===== FAQ =====
==== 1. 想修改 server.conf ====
* 參考 - https://github.com/flant/ovpn-admin/issues/203
* 將 /etc/openvpn/setup/openvpn.conf 複製出來, 改成自己想要的版本, 再掛上去使用
* 處理方式
- docker cp openvpn:/etc/openvpn/setup/openvpn.conf .
- vi openvpn.conf, Exp. 加上 route 172.16.0.0/24, route 172.16.1.0/24
:
# openvpn.conf excerpt: these routes are pushed to every connecting client
push "route 172.16.0.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"
- vi docker-compose.yml, 啟用 openvpn: -> volumes: -> ./openvpn.conf:/etc/openvpn/setup/openvpn.conf
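services:
  openvpn:
    # ... other openvpn keys unchanged ...
    volumes:
      - ./easyrsa_master:/etc/openvpn/easyrsa
      - ./ccd_master:/etc/openvpn/ccd
      - ./Dockovpn:/tmp
      # the copied-and-edited server config replaces the one shipped in the image
      - ./openvpn.conf:/etc/openvpn/setup/openvpn.conf
  # ... other services unchanged ...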
- 重新啟動 docker compose 讓設定生效: docker compose up -d
- 讓所有 VPN Client 斷線重新連入
==== 2. 想修改 Openvpn 為 UDP 模式 ====
* 目前版本 [[https://github.com/flant/ovpn-admin/blob/master/setup/configure.sh|configure.sh]] 內是直接寫 Listen TCP , 除非比照 openvpn.conf 方式自己修改後掛上去處理
:
# From configure.sh: the listener is hard-coded to --proto tcp on port 1194, and the
# management socket is bound to 127.0.0.1:8989 (the port openvpn-monitor is pointed at
# in the compose file). Switching to UDP means overriding this config as in FAQ 1.
openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd --port 1194 --proto tcp --management 127.0.0.1 8989 --dev tun0 --server ${OVPN_SRV_NET} ${OVPN_SRV_MASK}
===== 參考網址 =====
* https://github.com/flant/ovpn-admin
* https://github.com/flant/ovpn-admin/issues/212
{{tag>openvpn}}