Setting up OpenVPN with username and password authentication
Preface: The company has an OpenVPN server. Naturally I did not set it up; it was already there when I joined. For the sake of future administration, and to build up my own knowledge, I felt I should set one up myself. With material found online and repeated experiments of my own, it finally worked. I am writing this post for my own future reference and to give others who want to set up OpenVPN some useful information.
Operating system: CentOS 5.5
Note: I originally used CentOS 6.3; with the package versions listed above, authentication would never pass, so I switched to CentOS 5.5.
1: Preparing the environment
2. Install the packages that ship on the system disc with yum
yum -y install mysql mysql-devel openssl openssl-devel pam pam-devel
2: Configuration steps
[root@vpn ~]# useradd vpn
[root@vpn ~]# passwd vpn
Changing password for user vpn.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
mysql> create database vpn;
mysql> grant all on vpn.* to vpn@localhost identified by 'vpn123';
mysql> flush privileges;
mysql> use vpn;
mysql> create table vpnuser(
-> name char(20) NOT NULL,
-> password char(128) default NULL,
-> active int(10) NOT NULL DEFAULT 1,
-> PRIMARY KEY(name)
-> );
mysql> insert into vpnuser(name,password) values('test',md5('test'));
[root@vpn ~]# tar -zxvf pam_mysql-0.7RC1.tar.gz
[root@vpn ~]# cd pam_mysql-0.7RC1
[root@vpn pam_mysql-0.7RC1]# ./configure --with-openssl && make
[root@vpn pam_mysql-0.7RC1]# cp .libs/pam_mysql.so /lib/security/
vi /etc/pam.d/openvpn
auth sufficient /lib/security/pam_mysql.so user=vpn passwd=vpn123 host=localhost db=vpn table=vpnuser usercolumn=name passwdcolumn=password where=active=1 sqllog=0 crypt=3 verbose=1
account required /lib/security/pam_mysql.so user=vpn passwd=vpn123 host=localhost db=vpn table=vpnuser usercolumn=name passwdcolumn=password where=active=1 sqllog=0 crypt=3 verbose=1
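To see what the pam_mysql lines above actually check, here is an added example that is not part of the original post. It reproduces the lookup in Python, using an in-memory sqlite3 database as a stand-in for the MySQL `vpn` database with the same `vpnuser` table; the names `open_vpn_db`, `check_vpn_user` and `set_active` are this example's own. `crypt=3` is pam_mysql's hex-MD5 mode, which is why the post inserts the password with MySQL's `md5()`, and `where=active=1` is appended to the lookup, so setting `active` to 0 blocks a login without deleting the row.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for the MySQL "vpn" database: sqlite3 in memory with
# the same columns as the post's CREATE TABLE vpnuser (...).
SCHEMA = """
CREATE TABLE vpnuser (
    name     CHAR(20)  NOT NULL,
    password CHAR(128) DEFAULT NULL,
    active   INTEGER   NOT NULL DEFAULT 1,
    PRIMARY KEY (name)
)
"""


def md5_hex(password: str) -> str:
    """pam_mysql crypt=3 compares against the lowercase hex MD5 of the
    password, exactly what MySQL's md5() stores. Note this MD5 is unsalted:
    two users with the same password get the same stored value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def open_vpn_db() -> sqlite3.Connection:
    """Create the table and the post's single test user (test / md5('test'))."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute(
        "INSERT INTO vpnuser (name, password) VALUES (?, ?)",
        ("test", md5_hex("test")),
    )
    conn.commit()
    return conn


def check_vpn_user(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The query the PAM line configures:
    table=vpnuser usercolumn=name passwdcolumn=password where=active=1 crypt=3.
    Parameterised so the typed username cannot alter the SQL."""
    row = conn.execute(
        "SELECT password FROM vpnuser WHERE name = ? AND active = 1",
        (name,),
    ).fetchone()
    if row is None or row[0] is None:
        return False
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(row[0], md5_hex(password))


def set_active(conn: sqlite3.Connection, name: str, active: bool) -> int:
    """Enable or disable an account via the active flag; returns rows changed."""
    cur = conn.execute(
        "UPDATE vpnuser SET active = ? WHERE name = ?",
        (1 if active else 0, name),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_vpn_db()
    print("test/test      ->", check_vpn_user(db, "test", "test"))   # True
    print("test/wrong     ->", check_vpn_user(db, "test", "wrong"))  # False
    set_active(db, "test", False)
    print("disabled user  ->", check_vpn_user(db, "test", "test"))   # False
```

Two points this makes visible: the PAM line carries the MySQL account password in clear text, so /etc/pam.d/openvpn should stay readable by root only, and because the stored value is an unsalted MD5, identical passwords produce identical rows.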
[root@vpn pam_mysql-0.7RC1]# rpm -qa|grep sasl
cyrus-sasl-lib-2.1.22-5.el5_4.3
cyrus-sasl-plain-2.1.22-5.el5_4.3
cyrus-sasl-plain-2.1.22-5.el5_4.3
cyrus-sasl-2.1.22-5.el5_4.3 ## if this one is present, you are good
cyrus-sasl-2.1.22-5.el5_4.3
cyrus-sasl-lib-2.1.22-5.el5_4.3
Start saslauthd:
/etc/rc.d/init.d/saslauthd start
Add this to /etc/rc.local as well.
[root@vpn pam_mysql-0.7RC1]# /usr/sbin/testsaslauthd -u test -p test -s openvpn
0: OK "Success."
[root@vpn ~]# tar -zxvf lzo-2.03.tar.gz
[root@vpn ~]# cd lzo-2.03
[root@vpn lzo-2.03]# ./configure && make && make install
[root@vpn ~]# tar -zxvf openvpn-2.0.9.tar.gz
[root@vpn ~]# cd openvpn-2.0.9
[root@vpn openvpn-2.0.9]# ./configure --prefix=/usr/local/openvpn && make && make install
Create the necessary directories:
mkdir /usr/local/openvpn/{etc,html,log}
mkdir /usr/local/openvpn/html/ccd
Run:
[root@vpn openvpn-2.0.9]# modprobe tun
Add this to /etc/rc.local as well.
[root@vpn easy-rsa]# pwd
/root/openvpn-2.0.9/easy-rsa
[root@vpn easy-rsa]# vi vars
Change the following:
export KEY_COUNTRY=CN
# your province
export KEY_PROVINCE=BJ
# your city
export KEY_CITY=BEIJING
# your organization
export KEY_ORG="OpenVPN ORG"
# your e-mail address
export KEY_EMAIL="test@163.com"
# make the changed environment variables take effect
[root@vpn easy-rsa]# source ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /root/openvpn-2.0.9/easy-rsa/keys
Press Enter at each prompt to keep the defaults.
Output of building the CA (ca.key and ca.crt):
Generating a 1024 bit RSA private key
.....++++++
.++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address [test@163.com]:
Output of generating the Diffie-Hellman parameters (dh1024.pem):
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
[... lines of OpenSSL progress dots omitted ...]
Output of building the server key and certificate (server.key and server.crt; the Common Name entered is vpn):
Generating a 1024 bit RSA private key
........++++++
..............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:vpn
Email Address [test@163.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BEIJING'
organizationName :PRINTABLE:'OpenVPN-TEST'
commonName :PRINTABLE:'vpn'
emailAddress :IA5STRING:'test@163.com'
Certificate is to be certified until Feb 17 23:30:19 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@vpn easy-rsa]# /usr/local/openvpn/sbin/openvpn --genkey --secret keys/ta.key
[root@vpn keys]# pwd
/root/openvpn-2.0.9/easy-rsa/keys
[root@vpn keys]# cp ca.* server.* dh1024.pem ta.key /usr/local/openvpn/etc/
[root@vpn auth-pam]# pwd
/root/openvpn-2.0.9/plugin/auth-pam
[root@vpn auth-pam]# make
[root@vpn auth-pam]# cp openvpn-auth-pam.so /usr/local/openvpn/etc/
[root@vpn easy-rsa]# cp /root/openvpn-2.0.9/sample-config-files/server.conf /usr/local/openvpn/etc/
[root@vpn easy-rsa]# vi /usr/local/openvpn/etc/server.conf
Change the following:
ca /usr/local/openvpn/etc/ca.crt
cert /usr/local/openvpn/etc/server.crt
key /usr/local/openvpn/etc/server.key
dh /usr/local/openvpn/etc/dh1024.pem
client-config-dir /usr/local/openvpn/html/ccd
tls-auth /usr/local/openvpn/etc/ta.key 0
max-clients 100
status /usr/local/openvpn/log/openvpn-status.log
log /usr/local/openvpn/log/openvpn.log
log-append /usr/local/openvpn/log/openvpn-append.log
plugin /usr/local/openvpn/etc/openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
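The `status` file named above is the first place to look at who is on the VPN, and `username-as-common-name` is what makes it useful here: without client certificates, the Common Name column holds the username the client typed, i.e. the `vpnuser.name` row that pam_mysql matched. The following is an added example, not code from the original post; it parses a constructed status file in the OpenVPN 2.0 status format (version 1) and cross-checks the connected names against the set of accounts still marked `active=1`. The function names and the sample log are this example's own.

```python
from datetime import datetime

# Constructed sample in OpenVPN's status-version 1 format (the default for
# the "status" directive). Common Name == the username typed by the client.
STATUS_LOG = """OpenVPN CLIENT LIST
Updated,Thu Feb 21 10:00:00 2013
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
test,192.168.119.10:52345,10240,40960,Thu Feb 21 09:30:00 2013
alice,192.168.119.11:40001,512,1024,Thu Feb 21 09:55:00 2013
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,test,192.168.119.10:52345,Thu Feb 21 09:59:00 2013
10.8.0.10,alice,192.168.119.11:40001,Thu Feb 21 09:59:30 2013
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"   # e.g. "Thu Feb 21 10:00:00 2013"


def parse_status_log(text):
    """Return (updated, sessions, routes).

    sessions: Common Name -> dict(real_address, bytes_received, bytes_sent,
              connected_since); routes: virtual address -> Common Name.
    """
    updated = None
    sessions, routes = {}, {}
    section = None
    for line in text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            section = "clients"
            continue
        if line == "ROUTING TABLE":
            section = "routes"
            continue
        if line in ("GLOBAL STATS", "END"):
            section = None
            continue
        fields = line.split(",")
        if section == "clients":
            if fields[0] == "Updated":
                updated = datetime.strptime(fields[1], TIME_FMT)
            elif fields[0] != "Common Name" and len(fields) == 5:
                cn, real, rx, tx, since = fields
                sessions[cn] = {
                    "real_address": real,
                    "bytes_received": int(rx),
                    "bytes_sent": int(tx),
                    "connected_since": datetime.strptime(since, TIME_FMT),
                }
        elif section == "routes" and fields[0] != "Virtual Address" and len(fields) == 4:
            routes[fields[0]] = fields[1]
    return updated, sessions, routes


def session_ages(updated, sessions):
    """Seconds each user has been connected, as of the file's Updated stamp."""
    return {cn: int((updated - s["connected_since"]).total_seconds())
            for cn, s in sessions.items()}


def sessions_of_inactive_users(sessions, active_names):
    """Connected Common Names that are no longer active=1 in vpnuser.

    Setting active=0 stops new logins through the PAM where= clause, but does
    not by itself tear down a session that is already up; comparing the status
    file against the table is how you notice such a session."""
    return sorted(cn for cn in sessions if cn not in active_names)


if __name__ == "__main__":
    updated, sessions, routes = parse_status_log(STATUS_LOG)
    for cn, age in session_ages(updated, sessions).items():
        print(f"{cn}: {sessions[cn]['real_address']} connected {age}s")
    print("still connected but disabled:", sessions_of_inactive_users(sessions, {"test"}))
```

In practice the `active_names` set would come from `select name from vpnuser where active=1` on the MySQL side, and the check would run from cron against the live status file.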
Start OpenVPN now:
/usr/local/openvpn/sbin/openvpn --daemon --config /usr/local/openvpn/etc/server.conf
echo 1 > /proc/sys/net/ipv4/ip_forward
Add a firewall rule:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
3. Client installation
Edit the client configuration file:
On the server, run: cp /root/openvpn-2.0.9/sample-config-files/client.conf /root/client.ovpn
proto tcp
;proto udp
remote 192.168.119.132 1194 ## server address or domain name
remote-random
ca ca.crt
;cert client.crt
;key client.key
tls-auth ta.key 1
Add the following:
auth-user-pass
ns-cert-type server
route-method exe
route-delay 2
Save and exit.
Right-click the client icon:
connect
Enter the username and password and click OK.
The following is displayed:
OK, done. Of course this is only a first pass; the specific requirements and firewall settings still need further study.
This post is from the "xhllt" blog; please keep this attribution.
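The server.conf edits, the iptables rule and the client.ovpn edits above have to agree with each other, and the post only shows part of each file. One thing worth checking: OpenVPN defaults to UDP, the sample server.conf the post copies sets `proto udp`, and the shown server edits never mention proto, while the client says `proto tcp` and the firewall rule opens TCP 1194. Here is an added example, not code from the original post, that parses a server/client pair plus the iptables rule and reports such mismatches; the sample configs are constructed from the post's lines (with the sample file's `port 1194`/`proto udp` left in place) and the function names are this example's own.

```python
import re

# Constructed server.conf: the post's edits on top of the sample file's own
# "port 1194" / "proto udp" lines, which the post's edits do not touch.
SERVER_CONF = """
port 1194
proto udp
dev tun
ca /usr/local/openvpn/etc/ca.crt
cert /usr/local/openvpn/etc/server.crt
key /usr/local/openvpn/etc/server.key
dh /usr/local/openvpn/etc/dh1024.pem
server 10.8.0.0 255.255.255.0
tls-auth /usr/local/openvpn/etc/ta.key 0
plugin /usr/local/openvpn/etc/openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
"""

# Constructed client.ovpn with the post's edits. The "## ..." remark is the
# post's annotation: OpenVPN itself only treats whole lines starting with
# '#' or ';' as comments, so the parser strips it here.
CLIENT_OVPN = """
client
dev tun
proto tcp
;proto udp
remote 192.168.119.132 1194 ## server address or domain name
remote-random
ca ca.crt
;cert client.crt
;key client.key
tls-auth ta.key 1
auth-user-pass
ns-cert-type server
route-method exe
route-delay 2
"""

# The post's iptables rule, as constructed input.
FIREWALL_RULES = ["-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1194 -j ACCEPT"]


def parse_openvpn_conf(text):
    """Map each directive to its argument list (first occurrence wins)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(" #", 1)[0].split()
        conf.setdefault(parts[0], parts[1:])
    return conf


def _proto_family(proto):
    """tcp-server, tcp-client, tcp6, udp4 ... -> 'tcp' / 'udp'."""
    return proto.split("-")[0].rstrip("46")


def firewall_opens(rules, proto, port):
    """True if some rule ACCEPTs proto/port, in the shape the post uses."""
    for rule in rules:
        m = re.search(r"-p\s+(\w+).*--dport\s+(\d+).*-j\s+ACCEPT", rule)
        if m and m.group(1) == proto and m.group(2) == str(port):
            return True
    return False


def check_pair(server_text, client_text, firewall_rules=()):
    """Return a list of human-readable mismatches between the two sides."""
    s, c = parse_openvpn_conf(server_text), parse_openvpn_conf(client_text)
    findings = []
    s_proto = _proto_family(s.get("proto", ["udp"])[0])   # OpenVPN default: udp
    c_proto = _proto_family(c.get("proto", ["udp"])[0])
    if s_proto != c_proto:
        findings.append(f"proto mismatch: server {s_proto}, client {c_proto}")
    s_port = s.get("port", ["1194"])[0]
    remote = c.get("remote", [])
    c_port = remote[1] if len(remote) > 1 else "1194"
    if s_port != c_port:
        findings.append(f"port mismatch: server {s_port}, client remote {c_port}")
    # tls-auth: same ta.key, key-direction 0 on the server and 1 on the client.
    s_ta, c_ta = s.get("tls-auth"), c.get("tls-auth")
    if (s_ta is None) != (c_ta is None):
        findings.append("tls-auth configured on one side only")
    if s_ta is not None and s_ta[1:2] != ["0"]:
        findings.append("server tls-auth should use key-direction 0")
    if c_ta is not None and c_ta[1:2] != ["1"]:
        findings.append("client tls-auth should use key-direction 1")
    # The PAM plugin only gets a username/password if the client sends one.
    if any("auth-pam" in a for a in s.get("plugin", [])) and "auth-user-pass" not in c:
        findings.append("server loads openvpn-auth-pam but client lacks auth-user-pass")
    # With no client cert, ns-cert-type server is how the client verifies the server.
    if "client-cert-not-required" in s and c.get("ns-cert-type") != ["server"]:
        findings.append("client-cert-not-required: client should set ns-cert-type server")
    if firewall_rules and not firewall_opens(firewall_rules, s_proto, s_port):
        findings.append(f"no iptables ACCEPT rule for {s_proto}/{s_port}")
    return findings


if __name__ == "__main__":
    for f in check_pair(SERVER_CONF, CLIENT_OVPN, FIREWALL_RULES) or ["no findings"]:
        print(f)
```

Run against the constructed pair it reports the proto mismatch and the missing UDP firewall rule; changing the server line to `proto tcp` clears both, which is the state the post's client and firewall rule assume.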