Using Outline VPN

Outline official website

Outline is open-source VPN software developed by Jigsaw, a unit of Google. Its design goals are simple deployment and management of a VPN, and security. Outline provides strong encryption, user management tools and multi-platform support, including Windows, macOS, Linux, iOS and Android. Strictly speaking the server component (Shadowbox) is a Shadowsocks proxy rather than a conventional IP-layer VPN: client traffic is tunnelled through an encrypted Shadowsocks connection to the server and exits from there.

Outline has two main parts:

  • Outline Manager : deploys VPN servers and manages users, bandwidth limits and so on
  • Outline Client : the client that connects to the VPN; available on multiple platforms

Environment used for the examples in this article

  • Ubuntu 22.04.4 LTS (Jammy Jellyfish)
  • Outline Manager Version 1.15.2

Deploying the Outline environment

Deploying Outline Manager

Deploying Outline Manager is straightforward: download the executable, make it executable and start it.

$ wget https://s3.amazonaws.com/outline-releases/manager/linux/stable/Outline-Manager.AppImage

$ chmod +x Outline-Manager.AppImage

$ ./Outline-Manager.AppImage
Outline Manager is starting
libva error: vaGetDriverNameByIndex() failed with unknown libva error, driver_name = (null)
[42740:0925/174650.529715:ERROR:viz_main_impl.cc(186)] Exiting GPU process due to errors during initialization
Launching web app from outline://web_app/index.html?version=1.15.2&sentryDsn=https%3A%2F%2F9df8c810bf1b482d979da996e3e63c40%40o74047.ingest.sentry.io%2F215496
libva error: vaGetDriverNameByIndex() failed with unknown libva error, driver_name = (null)
[42774:0925/174651.006194:ERROR:viz_main_impl.cc(186)] Exiting GPU process due to errors during initialization
libva error: vaGetDriverNameByIndex() failed with unknown libva error, driver_name = (null)
[42800:0925/174651.310808:ERROR:gpu_memory_buffer_support_x11.cc(44)] dri3 extension not supported.
Checking for update
Generated new staging user ID: c5db7469-3a5b-5365-a374-7e29a6e0c71a
Update for version 1.15.2 is not available (latest version: 1.15.2, downgrade is disallowed).

  • Outline Manager refuses to start as root; run it as an ordinary user

  • Outline Manager needs FUSE; install it with sudo apt install fuse

  • The host that will run the Outline VPN Server needs Docker and curl; install them beforehand

Once Outline Manager is running it opens its UI.

Deploying the Outline VPN Server

In an Outline deployment the VPN Server is the actual VPN node. To deploy one, choose the server environment in Outline Manager. For your own machine pick Set up Outline anywhere, then follow the prompts to deploy the server program on that machine.

  1. Run the command shown by Outline Manager to deploy the VPN Server:

    # sudo bash -c "$(wget -qO- https://raw.githubusercontent.com/Jigsaw-Code/outline-server/master/src/server_manager/install_scripts/install_server.sh)"
    > Verifying that Docker is installed .......... OK
    > Verifying that Docker daemon is running ..... OK
    > Setting PUBLIC_HOSTNAME to external IP ...... OK
    > Creating persistent state dir ............... OK
    > Generating secret key ....................... OK
    > Generating TLS certificate .................. OK
    > Generating SHA-256 certificate fingerprint .. OK
    > Writing config .............................. OK
    > Starting Shadowbox .......................... OK
    > Starting Watchtower ......................... OK
    > Removing watchtower container ............... OK
    > Restarting watchtower ....................... OK
    > Waiting for Outline server to be healthy .... OK
    > Creating first user ......................... OK
    > Adding API URL to config .................... OK
    > Checking host firewall ...................... OK

    CONGRATULATIONS! Your Outline server is up and running.

    To manage your Outline server, please copy the following line (including curly
    brackets) into Step 2 of the Outline Manager interface:

    {"apiUrl":"https://66.26.90.25:50472/Q6XjXdbbVbetfAV0TK2cyw","certSha256":"67695819036A0FA4CE3C9E4AFAA0466D3C4BE4D9B04DBF7D8BA820FB379C0E4C"}

    If you have connection problems, it may be that your router or cloud provider
    blocks inbound connections, even though your machine seems to allow them.

    Make sure to open the following ports on your firewall, router or cloud provider:
    - Management port 50472, for TCP
    - Access key port 13279, for TCP and UDP

    Open the ports listed in the output on your firewall: management port 50472 (TCP) and access-key port 13279 (TCP and UDP).

    By default both the management port and the access-key port are chosen at random. To use fixed ports of your own, download install_server.sh first and run it (with the same root privileges as above) with these flags:

    bash install_server.sh --api-port 65530 --keys-port 65531

    If you run install_server.sh again on the same host, delete the persistent data directory first (default /opt/outline/); otherwise some settings from the previous deployment may survive the redeployment.

  2. Download the client, copy the ACCESS KEY into it and test the connection. The access key embeds the Shadowsocks secret for that user, and the JSON line above embeds the secret path of the management API: anyone holding either one can use or administer the server, so treat both like passwords.
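An added post-install check, written for this article rather than taken from Outline Manager or outline-server: it parses the JSON line the installer prints, derives the management host and port, prints the matching firewall rules, and, when given a real access.txt, verifies the certificate the server presents against certSha256 before calling the management API, which is the pinning Outline Manager relies on because the certificate is self-signed. The sample JSON is constructed (documentation IP 192.0.2.10 with the prefix and fingerprint from the article's sample output); the /server endpoint and the ufw syntax are assumptions not shown on this page.

```bash
#!/usr/bin/env bash
# Post-install check for an Outline server (example for this article, not upstream code).
# Input: the one-line JSON printed by install_server.sh (default copy: /opt/outline/access.txt).
set -eu

# Constructed sample in the installer's format. Host is an RFC 5737 documentation address.
SAMPLE_CONFIG='{"apiUrl":"https://192.0.2.10:50472/Q6XjXdbbVbetfAV0TK2cyw","certSha256":"67695819036A0FA4CE3C9E4AFAA0466D3C4BE4D9B04DBF7D8BA820FB379C0E4C"}'

# access_field JSON KEY: value of a top-level string field. Plain sed, no jq needed,
# because the file is one flat object whose values are all strings.
access_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# api_host URL / api_port URL: host and port of https://HOST:PORT/PREFIX
# (IPv4 or DNS name; a bracketed IPv6 literal would need a different pattern).
api_host() { printf '%s\n' "$1" | sed -E 's#^https://([^:/]+):([0-9]+)/.*$#\1#'; }
api_port() { printf '%s\n' "$1" | sed -E 's#^https://([^:/]+):([0-9]+)/.*$#\2#'; }

# firewall_rules API_PORT KEYS_PORT: ufw commands matching the installer's advice
# (management port TCP only, access-key port TCP and UDP). Printed, not executed.
firewall_rules() {
  printf 'ufw allow %s/tcp\nufw allow %s/tcp\nufw allow %s/udp\n' "$1" "$2" "$2"
}

# live_fingerprint HOST PORT: SHA-256 of the certificate the server actually presents,
# in the same colon-free uppercase hex form as certSha256.
live_fingerprint() {
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 \
    | sed 's/^.*=//; s/://g'
}

# verify_server JSON: refuse to talk to the API unless the presented certificate matches
# the pinned fingerprint. /server is assumed to be the shadowbox endpoint that returns
# server metadata (not shown on this page).
verify_server() {
  local url host port expected actual
  url=$(access_field "$1" apiUrl)
  expected=$(access_field "$1" certSha256)
  host=$(api_host "$url")
  port=$(api_port "$url")
  actual=$(live_fingerprint "$host" "$port")
  if [ "$actual" != "$expected" ]; then
    echo "certificate fingerprint mismatch: expected $expected, got $actual" >&2
    return 1
  fi
  # The cert is self-signed, so curl cannot validate it against a CA store; -k is
  # acceptable only because the fingerprint was checked above. The URL carries the
  # secret API prefix, so do not paste it into shared logs or tickets.
  curl -sk "$url/server"
}

# Offline demo on the sample; pass the path of a real access.txt to run the live check.
url=$(access_field "$SAMPLE_CONFIG" apiUrl)
echo "management API: $(api_host "$url"):$(api_port "$url")"
firewall_rules "$(api_port "$url")" 13279
if [ "$#" -ge 1 ]; then verify_server "$(cat "$1")"; fi
```

The fingerprint check and the curl request are two separate TLS sessions, which is fine for a one-off check but is not a single pinned connection; if you script against the API regularly, curl's --pinnedpubkey option pins within the connection that carries the request.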

Common errors

AppImages require FUSE to run

Outline Manager depends on FUSE; install it with sudo apt install fuse

$ ./Outline-Manager.AppImage 
dlopen(): error loading libfuse.so.2

AppImages require FUSE to run.
You might still be able to extract the contents of this AppImage
if you run it with the --appimage-extract option.
See https://github.com/AppImage/AppImageKit/wiki/FUSE
for more information

Analysis of install_server.sh

The Outline VPN Server is deployed by the script install_server.sh. The following walks through what the script does.

The main job of install_server.sh is to deploy two Docker containers:

  • Outline Server : the Outline VPN Server container (shadowbox), the VPN implementation itself
  • Watchtower : keeps the Server image updated automatically

A note on the second container: Watchtower pulls and restarts whatever the registry currently serves under the configured tag, unattended. That keeps the server patched, but it also means the host runs new code without review. If that is not acceptable in your environment, stop and remove the watchtower container after installation and update shadowbox manually.

Usage of install_server.sh:

install_server.sh [--hostname <hostname>] [--api-port <port>] [--keys-port <port>]
--hostname The hostname to be used to access the management API and access keys
--api-port The port number for the management API
--keys-port The port number for the access keys

Available environment variables

The following environment variables can be set during deployment to override the defaults. Note that the deployment command above runs the script under sudo, whose default env_reset drops the caller's environment: pass the variables on the sudo command line (sudo SB_IMAGE=... bash ...) or use sudo -E.

  • SB_IMAGE : Docker image of the Outline VPN Server. Default quay.io/outline/shadowbox:stable
  • CONTAINER_NAME : name of the shadowbox container. Default shadowbox
  • SHADOWBOX_DIR : host directory for the shadowbox container's persistent data. Default /opt/outline/
  • ACCESS_CONFIG : path of the access config text file, which holds the VPN Server's API URL and certificate fingerprint, i.e. the credentials for the management API; keep it readable by root only. Default /opt/outline/access.txt
  • SB_DEFAULT_SERVER_NAME : display name of this VPN Server; it can be changed later in Outline Manager. Default Outline Server
  • WATCHTOWER_REFRESH_SECONDS : how often Watchtower checks for a newer Shadowbox image. Default one hour

Execution flow of install_server.sh

Configure and start shadowbox

  1. Detect the server architecture; only x86_64 is supported

  2. Set the shadowbox container name from the CONTAINER_NAME environment variable (export CONTAINER_NAME="${CONTAINER_NAME:-shadowbox}"), default shadowbox

  3. Make sure Docker is installed and running; install and start it if it is not

  4. Create the persistent data directory for the Outline VPN Server on the host from SHADOWBOX_DIR and set its permissions (export SHADOWBOX_DIR="${SHADOWBOX_DIR:-/opt/outline}"), default /opt/outline

  5. Set the API port. If --api-port was not passed to install_server.sh, use SB_API_PORT from the environment or, failing that, a randomly chosen free port. Then set the path of the Access Config file from ACCESS_CONFIG, default ${SHADOWBOX_DIR}/access.txt

    log_for_sentry "Setting API port"
    API_PORT="${FLAGS_API_PORT}"
    if (( API_PORT == 0 )); then
      API_PORT=${SB_API_PORT:-$(get_random_port)}
    fi
    readonly API_PORT
    readonly ACCESS_CONFIG="${ACCESS_CONFIG:-${SHADOWBOX_DIR}/access.txt}"


  6. Set the shadowbox image from SB_IMAGE, default quay.io/outline/shadowbox:stable

    readonly SB_IMAGE="${SB_IMAGE:-quay.io/outline/shadowbox:stable}"
  7. Set the hostname written into the Access Config. If --hostname was not passed to install_server.sh, the node's public IP address is used

  8. Create the persistent state directory and generate the key material: the secret key (the unguessable path segment of apiUrl, which is the only authentication on the management API), the self-signed TLS certificate and its SHA-256 fingerprint (the certSha256 that Outline Manager pins against), then write the config

    # Make a directory for persistent state
    run_step "Creating persistent state dir" create_persisted_state_dir
    run_step "Generating secret key" generate_secret_key
    run_step "Generating TLS certificate" generate_certificate
    run_step "Generating SHA-256 certificate fingerprint" generate_certificate_fingerprint
    run_step "Writing config" write_config
  9. Start shadowbox

    install_server.sh renders the shadowbox start script ${STATE_DIR}/start_container.sh from the environment variables, where STATE_DIR=${SHADOWBOX_DIR}/persisted-state (so by default /opt/outline/persisted-state/start_container.sh). The start script does the following:

    1. Stop and remove any existing shadowbox container
    2. Run docker to start the container. Note --net host: the container shares the host's network namespace, so the API port and the access-key ports are bound directly on the host, Docker adds no port-mapping rules for them, and the host firewall is the only thing filtering them
      docker run -d --name "shadowbox" \
      --restart always --net host \
      --label 'com.centurylinklabs.watchtower.enable=true' \
      --log-driver local \
      -v "/opt/outline/persisted-state:/opt/outline/persisted-state" \
      -e "SB_STATE_DIR=/opt/outline/persisted-state" \
      -e "SB_API_PORT=5595" \
      -e "SB_API_PREFIX=TV1dU51xfk57BZZpfJvOZA" \
      -e "SB_CERTIFICATE_FILE=/opt/outline/persisted-state/shadowbox-selfsigned.crt" \
      -e "SB_PRIVATE_KEY_FILE=/opt/outline/persisted-state/shadowbox-selfsigned.key" \
      -e "SB_METRICS_URL=" \
      "quay.io/outline/shadowbox:stable"
  10. Start watchtower, which watches for updates of the Shadowbox image; the default check interval is one hour.

  11. Check the firewall rules to make sure the Server is reachable from the Internet, print the summary, and the deployment is complete.
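The key-material steps above (secret key, TLS certificate, fingerprint, config line) reconstructed in a few lines of bash, as an added example for this article. This is not the upstream install_server.sh: the key size, the temporary directory and the documentation IP 192.0.2.10 are my assumptions, chosen so the example runs offline and quickly, and the output shows where the apiUrl prefix and certSha256 of the installer's JSON line come from.

```bash
#!/usr/bin/env bash
# Reconstruction of the key-material steps of install_server.sh (example for this article,
# not the upstream script). Paths and parameters are assumptions unless stated otherwise.
set -eu

# generate_secret_key: 16 random bytes, URL-safe base64 without padding -> 22 characters.
# This becomes the API prefix, the secret path segment of apiUrl, and is the only
# authentication on the management API: treat it like a password.
generate_secret_key() {
  head -c 16 /dev/urandom | base64 | tr '+/' '-_' | tr -d '='
}

# generate_certificate HOSTNAME KEYFILE CERTFILE: self-signed certificate with CN=HOSTNAME.
# The key size is kept small so the example runs fast (assumption, not the installer's
# setting). The private key is restricted to its owner, which on the real host is root.
generate_certificate() {
  openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -subj "/CN=$1" \
    -keyout "$2" -out "$3" >/dev/null 2>&1
  chmod 600 "$2"
}

# certificate_fingerprint CERTFILE: SHA-256 of the DER certificate as uppercase hex
# without colons, the certSha256 form that Outline Manager pins against.
certificate_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g'
}

# write_access_config HOSTNAME PORT PREFIX FINGERPRINT: the JSON line the installer
# prints and saves in access.txt.
write_access_config() {
  printf '{"apiUrl":"https://%s:%s/%s","certSha256":"%s"}\n' "$1" "$2" "$3" "$4"
}

# Demo in a temporary state dir (the installer's default is /opt/outline/persisted-state).
demo() {
  local dir prefix fp
  dir=$(mktemp -d)
  prefix=$(generate_secret_key)
  generate_certificate 192.0.2.10 "$dir/shadowbox-selfsigned.key" "$dir/shadowbox-selfsigned.crt"
  fp=$(certificate_fingerprint "$dir/shadowbox-selfsigned.crt")
  write_access_config 192.0.2.10 50472 "$prefix" "$fp"
  rm -rf "$dir"
}
if command -v openssl >/dev/null 2>&1; then demo; fi
```

Two things follow from this layout. First, nothing in the TLS handshake authenticates the server to a client that does not know certSha256, so the JSON line is the trust anchor and must be delivered to Outline Manager over a channel you trust. Second, the API prefix lives in the environment of the shadowbox container and in access.txt, so anyone who can run docker inspect on the host or read /opt/outline has full control of the server.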