Migrating the VPS L2TP VPN into a Docker container: first hands-on with Docker

While taking the IBM Cloud Private course I took the chance to dig into Docker's architecture and how it is used. It really is good: isolation between applications, plus all the images the open-source community contributes, means there is no need to reinvent the wheel; whatever service you need, you just pull it. So I decided to do a demo and move the L2TP VPN service on my VPS into Docker.

The existing L2TP/IPsec VPN on the VPS was built with xl2tpd and openswan. It is stable overall, but it regularly has inexplicable connection problems, possibly related to the Great Firewall. I can't keep changing IPs every few days, so I have resigned myself to living with it.

First, remove the VPN-related packages from the VPS:

#yum remove xl2tpd openswan

Once that is done, confirm that UDP ports 500 and 4500 are no longer in use:

#ss -annp

Next, install Docker.

Following the official documentation, install the CE edition on the VPS:

https://docs.docker.com/install/linux/docker-ce/centos/

#yum install -y yum-utils device-mapper-persistent-data lvm2

#yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

#yum install docker-ce

#systemctl start docker

Once Docker is running, pull the VPN service. Searching https://hub.docker.com for images, the top-ranked L2TP image is fcojean/l2tp-ipsec-vpn-server, so I settled on that one.

#docker pull fcojean/l2tp-ipsec-vpn-server

Enter the parameters in the required format and save them as a configuration file:

#vim vpn.env

VPN_IPSEC_PSK=<pre-shared key>
VPN_USER_CREDENTIAL_LIST=[{"login":"<user1>","password":"<password1>"},{"login":"<user2>","password":"<password2>"}]
VPN_NETWORK_INTERFACE=<network interface name>

Check beforehand that the IPsec kernel module is loaded:

# modprobe af_key

Then start the VPN service:

docker run \
--name l2tp-ipsec-vpn-server \
--env-file ./vpn.env \
-p 500:500/udp \
-p 4500:4500/udp \
-v /lib/modules:/lib/modules:ro \
-d --privileged \
fcojean/l2tp-ipsec-vpn-server
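The steps above (free the UDP ports, write vpn.env, load the module, start the container) gathered into one re-runnable script. This is an added example, not code from the original post or from the image's author. It assumes a Linux host with ss, modprobe and docker available, writes the env file with plain ASCII quotes and mode 0600, and generates a random PSK instead of a hand-typed one; the ss listing, the interface name eth0 and the user name user1 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): the migration steps as one script.
# Assumes a Linux host with ss, modprobe and docker; nothing runs until --apply.
set -eu

IMAGE="fcojean/l2tp-ipsec-vpn-server"
NAME="l2tp-ipsec-vpn-server"
ENV_FILE="${ENV_FILE:-./vpn.env}"

# Constructed sample of `ss -ulnp` output (not a real capture), so the port
# check can be exercised without touching the host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:500       0.0.0.0:*  users:(("pluto",pid=1234,fd=5))
UNCONN 0      0      0.0.0.0:4500      0.0.0.0:*  users:(("pluto",pid=1234,fd=6))
UNCONN 0      0      127.0.0.1:323     0.0.0.0:*  users:(("chronyd",pid=900,fd=3))'

# udp_ports_busy LISTING PORT...: prints those PORTs that still have a UDP
# listener in LISTING (the text of `ss -ulnp`). Empty output means all free.
udp_ports_busy() {
  listing=$1; shift
  busy=""
  for p in "$@"; do
    if printf '%s\n' "$listing" | grep -Eq "UNCONN.*:${p}([[:space:]]|\$)"; then
      busy="${busy:+$busy }$p"
    fi
  done
  printf '%s\n' "$busy"
}

# gen_psk: 32 random bytes, base64-encoded (44 characters). The PSK is shared
# by every client, so it should be long and random, never a word.
gen_psk() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# write_env FILE PSK IFACE USER:PASS...: writes vpn.env in the image's format
# with straight ASCII quotes (smart quotes break the JSON list), mode 0600.
write_env() {
  file=$1; psk=$2; iface=$3; shift 3
  list=""
  for entry in "$@"; do
    u=${entry%%:*}; pw=${entry#*:}
    list="${list:+$list,}{\"login\":\"$u\",\"password\":\"$pw\"}"
  done
  (
    umask 077
    {
      printf 'VPN_IPSEC_PSK=%s\n' "$psk"
      printf 'VPN_USER_CREDENTIAL_LIST=[%s]\n' "$list"
      printf 'VPN_NETWORK_INTERFACE=%s\n' "$iface"
    } > "$file"
  )
}

# main: the migration on the real host. VPN_IFACE defaults to eth0 (assumed).
main() {
  busy=$(udp_ports_busy "$(ss -ulnp)" 500 4500)
  if [ -n "$busy" ]; then
    echo "UDP port(s) still in use: $busy (remove xl2tpd/openswan first)" >&2
    exit 1
  fi
  modprobe af_key                      # PF_KEY socket support for IPsec
  [ -f "$ENV_FILE" ] || \
    write_env "$ENV_FILE" "$(gen_psk)" "${VPN_IFACE:-eth0}" "user1:$(gen_psk)"
  docker pull "$IMAGE"
  docker run --name "$NAME" --env-file "$ENV_FILE" \
    -p 500:500/udp -p 4500:4500/udp \
    -v /lib/modules:/lib/modules:ro \
    --restart unless-stopped -d --privileged "$IMAGE"
  docker container ls --filter "name=$NAME"
}

case "${1:-}" in --apply) main ;; esac
```

Run it as `sh migrate-vpn.sh --apply` on the VPS; without `--apply` it only defines the functions. The only deliberate change from the command on the page is `--restart unless-stopped`, so the VPN comes back after a reboot of the VPS.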

On success, Docker returns the container ID:

aa605459103f25c8bd29734e27be267da371c219f1e244fdb24c90c2a9ba7e9e

[root@albertknight ~]# docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
aa605459103f fcojean/l2tp-ipsec-vpn-server "/run.sh" 7 seconds ago Up 7 seconds 0.0.0.0:500->500/udp, 0.0.0.0:4500->4500/udp l2tp-ipsec-vpn-server

Check the VPN log for login records:

#docker logs l2tp-ipsec-vpn-server

Trying to auto discover IPs of this server…

================================================

IPsec VPN server is now ready for use!

Connect to your new VPN with these details:

DNS: 8.8.8.8
Server IP: x.x.x.x
IPsec PSK: balabalabala
Users credentials :

Login : test1 Password : test1
Login : test2 Password : test2

Write these down. You'll need them to connect!

Setup VPN Clients: https://git.io/vpnclients

================================================

Redirecting to: /etc/init.d/ipsec start
Starting pluto IKE daemon for IPsec: Initializing NSS database

.
xl2tpd[1]: setsockopt recvref[30]: Protocol not available
xl2tpd[1]: This binary does not support kernel L2TP.
xl2tpd[1]: xl2tpd version xl2tpd-1.3.6 started on aa605459103f PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[1]: Connection established to 172.17.0.1, 50124. Local: 5584, Remote: 6 (ref=0/0). LNS session is 'default'
xl2tpd[1]: start_pppd: I'm running:
xl2tpd[1]: "/usr/sbin/pppd"
xl2tpd[1]: "passive"
xl2tpd[1]: "nodetach"
xl2tpd[1]: "192.168.42.1:192.168.42.10"
xl2tpd[1]: "refuse-pap"
xl2tpd[1]: "auth"
xl2tpd[1]: "require-chap"
xl2tpd[1]: "name"
xl2tpd[1]: "l2tpd"
xl2tpd[1]: "file"
xl2tpd[1]: "/etc/ppp/options.xl2tpd"
xl2tpd[1]: "/dev/pts/0"
xl2tpd[1]: Call established with 172.17.0.1, Local: 63456, Remote: 25724, Serial: 1
xl2tpd[1]: result_code_avp: result code endianness fix for buggy Apple client. network=768, le=3
xl2tpd[1]: control_finish: Connection closed to 172.17.0.1, serial 1 ()
xl2tpd[1]: Terminating pppd: sending TERM signal to pid 727
xl2tpd[1]: result_code_avp: result code endianness fix for buggy Apple client. network=256, le=1
xl2tpd[1]: control_finish: Connection closed to 172.17.0.1, port 50124 (), Local: 5584, Remote: 6
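A small summariser for the xl2tpd lines in `docker logs`, added here as an example; it is not part of the original post or the image. It counts tunnel and call establish/close events and pppd terminations so a quick health check can tell whether sessions are being torn down right after they come up, as in the log above. Note that the peer address in the log is 172.17.0.1, Docker's default bridge gateway, so these lines alone do not identify which external client connected. SAMPLE_LOG is constructed from the lines shown above.

```shell
#!/bin/sh
# Added example (not from the original post): summarise xl2tpd events from
# `docker logs l2tp-ipsec-vpn-server`. Usage: l2tp_summary "$(docker logs NAME 2>&1)"

# Constructed sample, taken from the log lines shown on the page.
SAMPLE_LOG='xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[1]: Connection established to 172.17.0.1, 50124. Local: 5584, Remote: 6 (ref=0/0). LNS session is default
xl2tpd[1]: Call established with 172.17.0.1, Local: 63456, Remote: 25724, Serial: 1
xl2tpd[1]: control_finish: Connection closed to 172.17.0.1, serial 1 ()
xl2tpd[1]: Terminating pppd: sending TERM signal to pid 727
xl2tpd[1]: control_finish: Connection closed to 172.17.0.1, port 50124 (), Local: 5584, Remote: 6'

# l2tp_summary LOGTEXT: one line with tunnels up/down, calls up/down, the
# number of tunnels still open, and how many pppd processes were terminated.
# A "Connection closed ... serial N" line is a call closing; a
# "Connection closed ... port N" line is the tunnel itself closing.
l2tp_summary() {
  printf '%s\n' "$1" | awk '
    /Connection established to/                      { tun_up++ }
    /control_finish: Connection closed to .*, port / { tun_down++ }
    /Call established with/                          { call_up++ }
    /control_finish: Connection closed to .*, serial / { call_down++ }
    /Terminating pppd/                               { pppd_term++ }
    END {
      printf "tunnels=%d/%d calls=%d/%d open=%d pppd_terminated=%d\n",
        tun_up+0, tun_down+0, call_up+0, call_down+0,
        tun_up-tun_down, pppd_term+0
    }'
}
```

On the log above this prints `tunnels=1/1 calls=1/1 open=0 pppd_terminated=1`: one tunnel and one call were set up and torn down again, which is the expected shape for a client that connected and then disconnected; a growing `open` count with no matching closes would point at stuck sessions.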

Tried connecting from my phone: it worked right away. Done!

Extracting and installing the IBM edition of the AT&T Network Client

The company laptop has all sorts of restrictions; the worst are PGP full-disk encryption and ISAM: the former greatly reduces I/O speed, and the latter forces periodic system scans for monitoring. I would rather do routine things on my own laptop, but I also want to be able to connect to the corporate intranet occasionally for emergencies, which should avoid being scanned or flagged.

[Screenshot: AT&T Network Client, IBM edition, running]
