OpenVPN deployment: RADIUS authentication for OpenVPN

If libgcrypt has already been compiled and installed on this CentOS host, go back to its source tree and run make uninstall first: the software below is strict about versions, and with a mismatched libgcrypt either the build fails or the resulting plugin does not work. The packages used here were uploaded to Baidu Netdisk: http://pan.baidu.com/s/1i3suZOD

1. Install libgpg-error-1.9

[root@Zabbix-Server src]# tar -zxvf libgpg-error-1.9.tar.gz
[root@Zabbix-Server src]# cd libgpg-error-1.9
[root@Zabbix-Server libgpg-error-1.9]# ./configure
[root@Zabbix-Server libgpg-error-1.9]# make && make install

2. Install libgcrypt-1.4.3

[root@Zabbix-Server src]# tar -zxvf libgcrypt-1.4.3.tar.gz
[root@Zabbix-Server src]# cd libgcrypt-1.4.3
[root@Zabbix-Server libgcrypt-1.4.3]# ./configure
[root@Zabbix-Server libgcrypt-1.4.3]# make && make install

3. Install radiusplugin_v2.1 and copy the compiled radiusplugin.so and radiusplugin.cnf into the OpenVPN installation directory

[root@Zabbix-Server src]# tar -zxvf radiusplugin_v2.1.tar.gz
[root@Zabbix-Server src]# cd radiusplugin
[root@Zabbix-Server radiusplugin]# make
[root@Zabbix-Server radiusplugin]# cp radiusplugin.so /usr/local/openvpn/
[root@Zabbix-Server radiusplugin]# cp radiusplugin.cnf /usr/local/openvpn/

4. Configure radiusplugin.cnf. The settings to pay attention to are OpenVPNConfig (the path of the server.conf the plugin reads) and sharedsecret in the server block. sharedsecret=testing123 is the secret FreeRADIUS ships for its localhost client in clients.conf; it must be identical on both sides, and on a real deployment it should be replaced by a long random value in both files. The listing below shows the file with comment and blank lines filtered out:

[root@Zabbix-Server radiusplugin]# cd /usr/local/openvpn/
[root@Zabbix-Server openvpn]# grep -Ev "^#|^$" radiusplugin.cnf
NAS-Identifier=OpenVpn
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=127.0.0.1
OpenVPNConfig=/usr/local/openvpn/etc/server.conf
subnet=255.255.255.0
overwriteccfiles=true
server
{
    # The UDP port for radius accounting.
    acctport=1813
    # The UDP port for radius authentication.
    authport=1812
    # The name or ip address of the radius server.
    name=127.0.0.1
    # How many times should the plugin resend the request if there is no response?
    retry=1
    # How long should the plugin wait for a response?
    wait=1
    # The shared secret.
    sharedsecret=testing123
}

5. OpenVPN server configuration. In server.conf the settings to note are tls-auth, client-config-dir and plugin. Two caveats on the listing as it stands: client-config-dir must name a directory, because radiusplugin writes a per-user file into it (this is what overwriteccfiles=true controls) to push the address and routes returned by RADIUS, whereas /etc/raddb/clients.conf is FreeRADIUS's own client list, so a dedicated empty directory should be used there instead; and client-cert-not-required together with username-as-common-name means the RADIUS password is the only thing authenticating a client, so the RADIUS database and the shared secret deserve the same protection as the server key. dh1024.pem, client-cert-not-required and comp-lzo also reflect 2014 practice: current OpenVPN releases expect a 2048-bit DH parameter, use verify-client-cert none in place of client-cert-not-required, and advise against compression.

[root@Zabbix-Server openvpn]# grep -Ev "^#|^$" etc/server.conf
port 1194
proto tcp
dev tun
ca /usr/local/openvpn/keys/ca.crt
cert /usr/local/openvpn/keys/server.crt
key /usr/local/openvpn/keys/server.key
dh /usr/local/openvpn/keys/dh1024.pem
tls-auth /usr/local/openvpn/keys/ta.key 0
client-config-dir /etc/raddb/clients.conf
server 10.0.8.0 255.255.255.0
push "dhcp-option DNS 202.96.209.5"
push "route 10.10.10.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
client-cert-not-required
username-as-common-name
plugin /usr/local/openvpn/radiusplugin.so /usr/local/openvpn/radiusplugin.cnf
log /var/log/openvpn.log
status /var/log/openvpn-status.log
verb 5

The ta.key referenced above is the tls-auth key: every control-channel packet carries an HMAC computed with it, and packets without a valid HMAC are dropped before any TLS processing, which blunts DoS attempts and port scans against the listener. Generate it with the openvpn binary:

[root@Zabbix-Server sbin]# ./openvpn --genkey --secret ta.key

6. OpenVPN client configuration. Copy ta.key and ca.crt from the server into the client's C:\Program Files\OpenVPN\config folder (ta.key is a shared secret, so move it over a trusted channel rather than e-mail or an unauthenticated share). The configuration file client.ovpn is as follows; note the key direction 1 on the tls-auth line, which pairs with the 0 on the server, and that ns-cert-type server has since been superseded by remote-cert-tls server in current OpenVPN releases:

client
dev tun
proto tcp
remote 192.168.5.168 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-auth ta.key 1
ns-cert-type server
comp-lzo
verb 3
route-method exe
route-delay 2
auth-user-pass

After the OpenVPN server is restarted, clients can log in to the VPN with a username and password. Adding a user is just a matter of inserting a row into the radcheck table of the RADIUS database (username, a password attribute such as Cleartext-Password or one of FreeRADIUS's hashed variants, the operator := and the value), which is quick and convenient. Source: http://www.xiaomastack.com/2014/12/04/openvpnradius/
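As an added example (not code from the original article, nor from the OpenVPN or radiusplugin projects), the following POSIX shell script checks the three places where the six-step setup above most often goes wrong and emits the SQL for adding a RADIUS user with a hashed password instead of Cleartext-Password. The OpenVPN file paths are the article's; the FreeRADIUS side is an assumption: clients.conf under /etc/raddb with a "localhost" client block, the standard radcheck table, and the radtest utility. The user alice and password S3cret in the comments are made up.

```shell
#!/bin/sh
# Added example, not from the original article or the OpenVPN/radiusplugin
# projects. OpenVPN paths follow the article; the FreeRADIUS side
# (/etc/raddb/clients.conf, the radcheck table, radtest) is assumed.

# Value of KEY=value in radiusplugin.cnf (first match; comment lines ignored).
cnf_get() {   # cnf_get FILE KEY
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# Secret of one "client NAME { ... }" block in FreeRADIUS clients.conf.
clients_conf_secret() {   # clients_conf_secret FILE NAME
    awk -v name="$2" '
        $1 == "client" && $2 == name { inblock = 1; next }
        inblock && $1 == "secret"    { print $3; exit }
        inblock && $1 == "}"         { inblock = 0 }
    ' "$1"
}

# FIELD-th word of the first line that starts with DIRECTIVE in an OpenVPN config.
ovpn_get() {   # ovpn_get FILE DIRECTIVE FIELD
    awk -v d="$2" -v f="$3" '$1 == d { print $(f + 0); exit }' "$1"
}

# Check 1: the plugin's sharedsecret must equal the secret FreeRADIUS holds for
# the NAS it sees the requests coming from; with name=127.0.0.1 that is the
# "localhost" client block. With a mismatch the User-Password decrypts to
# garbage and every login is rejected.
check_shared_secret() {   # check_shared_secret RADIUSPLUGIN_CNF CLIENTS_CONF
    s=$(cnf_get "$1" sharedsecret)
    [ -n "$s" ] && [ "$s" = "$(clients_conf_secret "$2" localhost)" ]
}

# Check 2: client-config-dir must be a directory; radiusplugin writes a per-user
# file there (overwriteccfiles=true) carrying Framed-IP-Address / Framed-Route.
check_ccd_dir() {   # check_ccd_dir SERVER_CONF
    [ -d "$(ovpn_get "$1" client-config-dir 2)" ]
}

# Check 3: tls-auth key direction must be 0 on the server and 1 on the client;
# otherwise the HMAC check drops every control packet and no handshake starts.
check_tls_auth_direction() {   # check_tls_auth_direction SERVER_CONF CLIENT_OVPN
    [ "$(ovpn_get "$1" tls-auth 3)" = "0" ] &&
    [ "$(ovpn_get "$2" tls-auth 3)" = "1" ]
}

# SQL for a new radcheck row using a crypt(3) SHA-512 hash rather than
# Cleartext-Password. radiusplugin sends User-Password (PAP), and rlm_pap can
# verify Crypt-Password, so the table never holds the password itself.
radcheck_insert_sql() {   # radcheck_insert_sql USERNAME PASSWORD
    user=$(printf '%s' "$1" | sed "s/'/''/g")      # SQL-escape single quotes
    hash=$(openssl passwd -6 "$2") || return 1     # needs OpenSSL >= 1.1.1
    printf "INSERT INTO radcheck (username, attribute, op, value) VALUES ('%s', 'Crypt-Password', ':=', '%s');\n" "$user" "$hash"
}

# Prove the RADIUS side works before involving OpenVPN at all (needs radtest
# from the FreeRADIUS utilities; run by hand, e.g. radius_auth_test alice S3cret).
radius_auth_test() {   # radius_auth_test USERNAME PASSWORD [SECRET]
    radtest "$1" "$2" 127.0.0.1 0 "${3:-testing123}"
}
```

Run the three checks against the live files (check_shared_secret /usr/local/openvpn/radiusplugin.cnf /etc/raddb/clients.conf, check_ccd_dir /usr/local/openvpn/etc/server.conf, and check_tls_auth_direction with the server.conf and a copy of client.ovpn) before restarting OpenVPN; pipe radcheck_insert_sql output into the mysql client to add a user. With the article's server.conf as listed, check_ccd_dir fails, which is exactly the client-config-dir problem noted in step 5.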
