Building FRP + OpenVPN + Prometheus + Grafana with Docker for NAT traversal (intranet access) and traffic monitoring
1. Setting up the Docker base environment
1. Install the dependencies
[root@localhost ~]# yum -y install yum-utils device-mapper-persistent-data lvm2
2. Set the Docker package source to the domestic Aliyun mirror
[root@localhost ~]# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@localhost ~]# yum makecache fast
3. Install Docker, start the Docker service and enable it at boot
[root@localhost ~]# yum install -y docker-ce docker-ce-cli containerd.io
[root@localhost ~]# systemctl enable --now docker
[root@localhost ~]# docker version # check the Docker version
Test
[root@localhost ~]# docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
1b930d010525: Pull complete
Digest: sha256:0e11c388b664df8a27a901dce21eb89f11d8292f7fca1b3e3c4321bf7897bffe
Status: Downloaded newer image for hello-world:latest
Hello from Docker! <--- if this line appears, the run succeeded --->
4. Configure the Aliyun registry mirror accelerator: edit daemon.json, creating it if it does not exist
[root@localhost ~]# mkdir -p /etc/docker
[root@localhost ~]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://78q111y9.mirror.aliyuncs.com"]
}
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
2. Configuring FRP for port mapping
2.1 Deploying FRP with Docker
Since version 0.52.0 the INI format is deprecated; TOML, YAML and JSON are used for configuration files instead.
frps server (the host with the public IP)
Write frps.toml:
root@frps:~# mkdir -p /etc/frp/
root@frps:~# vim /etc/frp/frps.toml
# frps.toml
bindPort = 6000
# domain
subDomainHost = "xxx.xxx.cn"
auth.method = "token"
auth.token = "abcd123456" # must be identical on frps and frpc
webServer.addr = "0.0.0.0"
webServer.port = 6001
webServer.user = "admin"
webServer.password = "000000"
webServer.pprofEnable = false
log.to = "/etc/frp/log/frps.log"
log.level = "info"
log.maxDays = 7
log.disablePrintColor = false
# monitoring
enablePrometheus = true # expose the Prometheus metrics endpoint; only takes effect when the dashboard (webServer) is enabled
Visit http://<server ip>:6001/metrics in a browser to view the collected metrics.
Start the container with Docker (the note in the original gives **/root/frps/frps.ini** as the path where frps.ini is stored; the command below bind-mounts /etc/frp/frps.toml instead):
root@frps:~# docker run --restart=always --network host -d -v /etc/frp/frps.toml:/etc/frp/frps.toml --name frps ghcr.io/snowdreamtech/frps
Open the firewall ports **6000, 6001** (the ports mapped from the local host to the public network).
! On a cloud server, the security group must also be opened in the provider's management console !
[root@frps ~]# firewall-cmd --zone=public --add-port=6000/tcp --permanent # bindPort and the dashboard speak TCP, not UDP
[root@frps ~]# firewall-cmd --zone=public --add-port=6001/tcp --permanent # remotePort 21194 of the openvpn proxy below is also listened on by frps and needs opening here
[root@frps ~]# systemctl restart firewalld && systemctl status firewalld
tip: basic firewall port operations
1. Open a port
firewall-cmd --zone=public --add-port=<port>/tcp --permanent
2. Reload the rules
firewall-cmd --reload
3. Query whether a port is open
firewall-cmd --zone=public --query-port=<port>/tcp
4. Remove a port
firewall-cmd --zone=public --remove-port=<port>/tcp --permanent
frpc client (the host on the intranet)
Write frpc.toml:
root@controller:~# mkdir -p /etc/frp/
root@controller:~# vim /etc/frp/frpc.toml
# frpc.toml
serverAddr = "{public IP of frps}"
serverPort = 6000
auth.method = "token"
auth.token = "abcd123456" # must be identical on frps and frpc
webServer.addr = "0.0.0.0"
webServer.port = 6001
webServer.user = "admin"
webServer.password = "000000"
webServer.pprofEnable = false
log.to = "/etc/frp/log/frpc.log"
log.level = "info"
log.maxDays = 7
log.disablePrintColor = false
[[proxies]]
name = "openvpn"
type = "tcp"
localIP = "192.162.3.10"
localPort = 1194
remotePort = 21194
[root@frpc ~]# docker run --restart=always --network host -d -v /etc/frp/frpc.toml:/etc/frp/frpc.toml --name frpc ghcr.io/snowdreamtech/frpc
Open the firewall port **21194** (the port to be exposed from the local side).
[root@frpc ~]# firewall-cmd --zone=public --add-port=21194/tcp --permanent # the proxy is type tcp and OpenVPN runs proto tcp
[root@frpc ~]# systemctl restart firewalld && systemctl status firewalld
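A consistency check for the two configuration files above, added here as an example and not part of frp or the original post: it parses the flat key = value lines, confirms that auth.token matches on both sides, and flags the dashboard settings this page leaves at 0.0.0.0 / 000000. The sample configs inside the script are constructed from the page's values with a placeholder server address.

```python
# Added example, not part of the frp project: audit the frps.toml / frpc.toml pair above. It parses
# only the flat `key = value` TOML subset used on this page; a '#' inside a quoted value is unsupported.
import re
KEY_RE = re.compile(r"^([\w.]+)\s*=\s*(.+)$")
WEAK_PASSWORDS = {"admin", "000000", "123456", "password"}   # constructed short list
# Constructed samples mirroring the page's values; the frps address is a placeholder.
FRPS_TOML = """bindPort = 6000
auth.token = "abcd123456"   # must match frpc
webServer.addr = "0.0.0.0"
webServer.port = 6001
webServer.password = "000000"
enablePrometheus = true
"""
FRPC_TOML = """serverAddr = "198.51.100.1"
auth.token = "abcd123456"
[[proxies]]
name = "openvpn"
"""
def parse_frp_toml(text):
    """Return a flat dict of the `key = value` lines; keys keep their dots ("auth.token")."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and whitespace
        if not line or line.startswith("["):           # skip blanks and [[proxies]] headers
            continue
        key, val = KEY_RE.match(line).groups()
        if val.startswith('"'):
            cfg[key] = val.strip('"')
        else:
            cfg[key] = val == "true" if val in ("true", "false") else int(val)
    return cfg

def audit_frp_pair(frps_text, frpc_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    s, c = parse_frp_toml(frps_text), parse_frp_toml(frpc_text)
    findings = []
    if not s.get("auth.token") or not c.get("auth.token"):
        findings.append("auth.token missing: any client reaching bindPort could register proxies")
    elif s["auth.token"] != c["auth.token"]:
        findings.append("auth.token differs between frps and frpc: frpc will be rejected")
    for name, cfg in (("frps", s), ("frpc", c)):
        if "webServer.port" not in cfg:
            continue                                    # dashboard / admin UI not enabled
        if cfg.get("webServer.addr") == "0.0.0.0":
            findings.append(f"{name}: webServer.addr exposes the dashboard on every interface")
        pw = cfg.get("webServer.password", "")
        if pw in WEAK_PASSWORDS or len(pw) < 12:
            findings.append(f"{name}: webServer.password is weak or missing")
    return findings
```

Run it against the real files with `audit_frp_pair(open("/etc/frp/frps.toml").read(), open("/etc/frp/frpc.toml").read())` after copying both to one host.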
Access the frps dashboard and the Prometheus metrics endpoint
frps dashboard
http://<server ip>:6001/
Collected metrics
http://<server ip>:6001/metrics
tip: if these are unreachable, check the firewall and make sure the corresponding ports are open
3. Setting up OpenVPN for NAT traversal
3.1 Installing OpenVPN with a script
These steps run on the intranet server; the one-click install script is used directly.
Script: https://github.com/angristan/openvpn-install
[root@localhost ~]# curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
[root@localhost ~]# chmod +x openvpn-install.sh
[root@localhost ~]# sudo ./openvpn-install.sh
Edit the OpenVPN server configuration file server.conf
[root@localhost ~]# vim /etc/openvpn/server.conf
management 0.0.0.0 5555
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
push "dhcp-option DNS 192.168.66.253" # push the internal DNS server address
;push "dhcp-option DOMAIN putianhui-local.com" # after pushing the internal DNS, which internal domains are resolved through the VPN's DNS
push "route 192.168.66.0 255.255.255.0" # internal subnet
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log # status log
log-append openvpn.log # runtime log
verb 3
crl-verify crl.pem
Start OpenVPN
[root@localhost ~]# systemctl enable --now [email protected] # start at boot
[root@localhost ~]# systemctl status openvpn.service # check startup status
After installation, a **.ovpn** file with the name you just chose is generated under /root/.
Edit the generated /root/test.ovpn file:
change port 1194 to 21194
add:
route-nopull
route 192.1.3.0 255.255.255.0 vpn_gateway # the subnet to route through the VPN
4. Building the Prometheus + Grafana monitoring platform
4.1 Deploying Prometheus with Docker
1) Install Prometheus
[root@Docker ~]# docker pull prom/prometheus
[root@Docker ~]# docker run -itd --name=prometheus --restart=always -p 9090:9090 prom/prometheus
Visit http://<server ip>:9090 in a browser
2) Configure Prometheus to scrape the monitored nodes: edit the main Prometheus configuration file
[root@Docker ~]# docker cp prometheus:/etc/prometheus/prometheus.yml $PWD
[root@Docker ~]# vim prometheus.yml
scrape_configs:
  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
  - job_name: 'prometheus'
    # metrics_path defaults to '/metrics'
    # scheme defaults to 'http'.
    static_configs:
      - targets: ['localhost:9090']
        labels:
          instance: prometheus
  ## Add the following to the Prometheus configuration file:
  ## if authentication is required ##
  - job_name: 'frp'
    static_configs:
      - targets: ['your_backend_address'] # IP address and port of the monitored endpoint (separate multiple targets with commas)
    basic_auth:
      username: 'your_username'
      password: 'your_password'
[root@Docker ~]# docker cp $PWD/prometheus.yml prometheus:/etc/prometheus/prometheus.yml
3) Restart the Prometheus container
[root@Docker ~]# docker restart prometheus
4.2 Deploying Grafana with Docker
Prepare the Grafana configuration file
# start the container
[root@Docker ~]# docker run --restart=always --name grafana -d -p 3000:3000 grafana/grafana:10.0.1
# copy the default configuration file out of the container to the host
[root@Docker ~]# docker cp grafana:/etc/grafana/grafana.ini /root/grafana.ini
# edit the configuration file (if needed)
[root@Docker ~]# vim /root/grafana.ini
# to switch the UI to Chinese, change default_language = en-US to zh-Hans; the key lives in the [users] section
[users]
default_language = zh-Hans
[root@Docker ~]# docker cp $PWD/grafana.ini grafana:/etc/grafana/grafana.ini
[root@Docker ~]# docker restart grafana
tip: editing a file inside a Docker container
docker cp <container id>:<path of the config file in the container> <host path>
docker cp grafana:/etc/grafana/grafana.ini /root/grafana.ini
// after editing
docker cp <host file path> <container id>:<path of the config file in the container>
docker cp $PWD/grafana.ini grafana:/etc/grafana/grafana.ini
Visit http://<server ip>:3000 in a browser
Default login: admin/admin
4.3 Connecting Prometheus to OpenVPN
Edit OpenVPN's server.conf and point the status log at a fixed path
[root@neutron-proxy ~]# find / -name server.conf
/etc/openvpn/server.conf
[root@neutron-proxy ~]# vim /etc/openvpn/server.conf
status openvpn-status.log # before
status /var/log/openvpn/status.log # after: an absolute path that the exporter container can mount
View the generated status log
[root@neutron-proxy ~]# cat /var/log/openvpn/status.log
TITLE,OpenVPN 2.4.12 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 17 2022
TIME,Mon Nov 13 22:40:31 2023,1699666431
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
GLOBAL_STATS,Max bcast/mcast queue length,0
END
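To show what the exporter in the next step does with this file, here is an added example (not the exporter's own code and not from the original post) that parses the status-version 2 format printed above and renders per-client byte counters in Prometheus exposition format. The sample log is constructed by extending the page's empty log with two clients and one route; the metric names are modelled on openvpn_exporter's as an assumption.

```python
# Added example, not part of the openvpn_exporter project: parse an OpenVPN status-version 2
# log (the format shown above) and render it as Prometheus text metrics. Metric names follow
# the exporter's naming as far as known here; treat them as illustrative.

# Constructed sample: the page's empty log plus two clients and one route.
SAMPLE_STATUS = """TITLE,OpenVPN 2.4.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [AEAD] built on Mar 17 2022
TIME,Mon Nov 13 22:40:31 2023,1699666431
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,test,203.0.113.10:52144,10.8.0.2,,12345,67890,Mon Nov 13 22:30:00 2023,1699665800,UNDEF,0,0
CLIENT_LIST,laptop,198.51.100.7:41002,10.8.0.3,,500,1500,Mon Nov 13 22:35:00 2023,1699666100,UNDEF,1,1
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.2,test,203.0.113.10:52144,Mon Nov 13 22:40:20 2023,1699666420
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""

def parse_status_v2(text):
    """Return (update_time_t, client_rows, routing_rows); rows are dicts keyed by HEADER names."""
    headers, rows, update_time = {}, {"CLIENT_LIST": [], "ROUTING_TABLE": []}, None
    for line in text.splitlines():
        fields = line.split(",")
        tag = fields[0]
        if tag == "TIME":                       # TIME,<human readable>,<time_t>
            update_time = int(fields[2])
        elif tag == "HEADER":                   # HEADER,<table>,<col>,<col>,... (always precedes its rows)
            headers[fields[1]] = fields[2:]
        elif tag in rows:                       # data row: zip with that table's header
            rows[tag].append(dict(zip(headers[tag], fields[1:])))
        elif tag == "END":
            break
    return update_time, rows["CLIENT_LIST"], rows["ROUTING_TABLE"]

def render_metrics(text):
    """Render per-client byte counters and a client count in Prometheus exposition format."""
    update_time, clients, _ = parse_status_v2(text)
    out = [f"openvpn_status_update_time_seconds {update_time}",
           f"openvpn_server_connected_clients {len(clients)}"]
    for c in clients:
        labels = (f'common_name="{c["Common Name"]}",real_address="{c["Real Address"]}",'
                  f'virtual_address="{c["Virtual Address"]}"')
        out.append(f'openvpn_server_client_received_bytes_total{{{labels}}} {c["Bytes Received"]}')
        out.append(f'openvpn_server_client_sent_bytes_total{{{labels}}} {c["Bytes Sent"]}')
    return "\n".join(out) + "\n"
```

Feeding `/var/log/openvpn/status.log` to `render_metrics` shows the same shape of data that the exporter serves on port 9176 below.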
4.4 Deploying openvpn_exporter with Docker
[root@neutron-proxy ~]# docker run -d --restart=always --name openvpn_exporter -p 9176:9176 -v /var/log/openvpn/status.log:/etc/openvpn_exporter/server.status kumina/openvpn-exporter -openvpn.status_paths /etc/openvpn_exporter/server.status
Visit http://<server ip>:9176/metrics in a browser
Edit prometheus.yml and add a scrape job for OpenVPN
[root@Docker ~]# vim prometheus.yml
Add the following under scrape_configs:
scrape_configs:
  - job_name: "openvpn_exporter"
    static_configs:
      - targets: ['<your_backend_address>:9176']
[root@Docker ~]# docker cp $PWD/prometheus.yml prometheus:/etc/prometheus/prometheus.yml
[root@Docker ~]# docker restart prometheus
Import the Grafana dashboard
ID: 10562
Source: https://blog.csdn.net/m0_64417755/article/details/139745798