Hero Image
Gluetun:讓Docker容器走VPN連線,沒網路就斷線,使用教學

Gluetun:讓 Docker 容器走 VPN 連線,沒網路就斷線,使用教學 Gluetun OpenVPN services: gluetun: image: qmcgaw/gluetun container_name: gluetun restart: unless-stopped cap_add: - NET_ADMIN devices: - /dev/net/tun:/dev/net/tun ports: - 8888:8888/tcp # HTTP proxy - 8388:8388/tcp # Shadowsocks - 8388:8388/udp # Shadowsocks volumes: - /home/user/gluetun:/gluetun environment: # 按照VPN供應商的OpenVPN設定檔填寫 - VPN_SERVICE_PROVIDER=protonvpn - VPN_TYPE=openvpn - OPENVPN_USER= # OpenVPN帳號 - OPENVPN_PASSWORD= # OpenVPN密碼 - SERVER_COUNTRIES=United Kingdom # 指定伺服器所在國家,以逗號分隔 networks: # (選擇性) 固定Gluetun容器的IP network: ipv4_address: 172.27.0.5 networks: # (選擇性) 固定Gluetun容器的IP network: driver: bridge ipam: config: - subnet: 172.27.0.0/16 gateway: 172.27.0.5 WireGuard services: gluetun: image: qmcgaw/gluetun container_name: gluetun restart: unless-stopped cap_add: - NET_ADMIN devices: - /dev/net/tun:/dev/net/tun ports: - 8888:8888/tcp # HTTP proxy - 8388:8388/tcp # Shadowsocks - 8388:8388/udp # Shadowsocks volumes: - /home/user/gluetun:/gluetun environment: - VPN_SERVICE_PROVIDER=protonvpn # 按照VPN供應商的WireGuard設定檔填寫 - VPN_TYPE=wireguard - WIREGUARD_PRESHARED_KEY= # 預共享密鑰 - WIREGUARD_PRIVATE_KEY= # 私鑰 - WIREGUARD_ADDRESSES= # 填IPV4與IPV6位址,以逗號分隔 - SERVER_COUNTRIES=United Kingdom # 指定伺服器所在國家,以逗號分隔 networks: # (選擇性) 固定Gluetun容器的IP network: ipv4_address: 172.27.0.5 networks: # (選擇性) 固定Gluetun容器的IP network: driver: bridge ipam: config: - subnet: 172.27.0.0/16 gateway: 172.27.0.5 讓容器走 Gluetun 的 VPN 連線 如果容器服務跟 Gluetun 寫在同一個 docker-compose:加入網路模式 network_mode: “service:gluetun” 如果該容器跟 Gluetun 不是寫在同一個 docker-compose:加入 network_mode: “container:gluetun” 開啟 Gluetun 的 docker-compose 檔案,把 service 用到的通訊埠(ex:8080)加回來 依序啟動 Gluetun 和 走 Gluetun 的 VPN 連線的服務 容器公共 IP 應當跟您選擇的 VPN 伺服器一致

Friday, August 1, 2025 Read
Hero Image
openvpn部署之部署基於AD域認證

openvpn 部署之部署基於 AD 域認證 OpenVPN + PAM + SSSD + Active Directory https://computingforgeeks.com/install-and-configure-openvpn-server-on-rhel-centos-8/ https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8 https://medium.com/jerrynotes/linux-authentication-windows-ad-without-join-domain-7963c3fd44c5 # 安裝openvpn yum install openvpn -y yum -y install openssl openssl-devel -y yum -y install lzo lzo-devel -y yum install -y libgcrypt libgpg-error libgcrypt-devel # 安裝openvpn認證插件 yum install openvpn-auth-ldap -y # 安裝easy-rsa # 由於openvpn2.3之後,在openvpn裏面剔除了easy-rsa文件,所以需要單獨安裝 yum install easy-rsa cp -rf /usr/share/easy-rsa/2.0 /etc/opevpn/ # 生成openvpn的key及證書 # 修改 `/opt/openvpn/etc/easy-rsa/2.0/vars` 參數 export KEY_COUNTRY="CN" # 國家 export KEY_PROVINCE="ZJ" # 省份 export KEY_CITY="NingBo" # 城市 export KEY_ORG="TEST-VPN" # 組織 exportKEY_EMAIL="81367070@qq.com" # 郵件 export KEY_OU="baidu" # 單位 source vars ./clean-all ./build-ca ./build-dh ./build-key-server server ./build-key client1 # 編輯openvpn服務端配置文件:`/etc/openvpn/server.conf` port 1194 proto udp dev tun ca keys/ca.crt cert keys/server.crt key keys/server.key # This file should be kept secret dh keys/dh2048.pem server 10.8.0.0 255.255.255.0 //客戶端分配的ip地址 push "route 192.168.1.0 255.255.255.0" //推送客戶端的路由 push "redirect-gateway" //修改客戶端的網關,使其直接走vpn流量 ifconfig-pool-persist ipp.txt keepalive 10 120 comp-lzo persist-key persist-tun status openvpn-status.log verb 3 plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf" client-cert-not-required username-as-common-name log /var/log/openvpn.log # 修改openvpn-ldap-auth的配置文件 `/etc/openvpn/auth/ldap.conf` # /etc/openvpn/auth/ldap.conf <LDAP> # LDAP server URL # 更改爲 AD 服務器的 IP URL ldap://172.16.76.238:389 # Bind DN (If your LDAP server doesn't support anonymous binds) # BindDN uid=Manager,ou=People,dc=example,dc=com # 更改爲域管理的 DN, 可以通過 ldapsearch 進行查詢 # -h 的 ip 替換爲服務器 ip,-D 換爲管理員的 dn,-b 爲基礎的查詢 dn,* 爲所有 # ldapsearch -LLL -x -h 172.16.76.238 -D "administrator@xx.com" -W -b "dc=xx,dc=com" "*" BindDN "cn=administrator,cn=Users,dc=xx,dc=com" # Bind Password # Password SecretPassword # 域管理員的密碼 Password passwd # Network timeout (in seconds) Timeout 15 # Enable Start TLS TLSEnable no # Follow LDAP Referrals (anonymously) FollowReferrals no # TLS CA Certificate File # TLSCACertFile /usr/local/etc/ssl/ca.pem # TLS CA Certificate Directory # TLSCACertDir /etc/ssl/certs # Client Certificate and key # If TLS client authentication is required # TLSCertFile /usr/local/etc/ssl/client-cert.pem # TLSKeyFile /usr/local/etc/ssl/client-key.pem # Cipher Suite # The defaults are usually fine here # TLSCipherSuite ALL:!ADH:@STRENGTH </LDAP> <Authorization> # Base DN # 查詢認證的基礎 dn BaseDN "dc=boqii-inc,dc=com" # User Search Filter # SearchFilter "(&(uid=%u)(accountStatus=active))" # 其中 sAMAccountName=%u 的意思是把 sAMAccountName 的字段取值爲用戶名, # 後面 "memberof=CN=myvpn,DC=xx,DC=com" 指向要認證的 vpn 用戶組, # 這樣任何用戶使用 vpn,只要加入這個組就好了 SearchFilter "(&(sAMAccountName=%u)(memberof=CN=myvpn,DC=boqii-inc,DC=com))" # Require Group Membership RequireGroup false # Add non-group members to a PF table (disabled) # PFTable ips_vpn_users <Group> # BaseDN "ou=Groups,dc=example,dc=com" # SearchFilter "(|(cn=developers)(cn=artists))" # MemberAttribute uniqueMember # Add group members to a PF table (disabled) # PFTable ips_vpn_eng BaseDN "ou=vpn,dc=boqii-inc,dc=com" SearchFilter "(cn=openvpn)" MemberAttribute "member" </Group> </Authorization> 拷貝/etc/openvpn/key目錄下的ca.crt證書,以備客戶端使用。

Thursday, September 17, 2020 Read