OpenVPN使用user/passwd完成验证登录1,为什么要使用user/passwd?比常规openvpn管理方便,删除用户只需要在pwd.file文件中删除用户或者修改密码即可,告别繁琐的操作,具体配置如下:一,首先openvpn配置完成,可参考前面几篇文章点此即可二:修改openvpn服务主配置文件,添加如下内容;如果加上client-cert-not-required则代表只使用用户名密码方式验证登录,如果不加,则代表需要证书和用户名密码双重验证登录!
tail -3 /usr/local/openvpn/etc/server.conf
auth-user-pass-verify /usr/local/openvpn/etc/checkpsw.sh via-envclient-cert-not-required username-as-common-name如:
[root@node scripts]# cat /etc/openvpn/server.conf
local 10.0.0.20
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 172.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.10.0 255.255.255.0"
client-config-dir ccd/DEFAULT
duplicate-cn
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
auth-user-pass-verify /etc/openvpn/scripts/checkpwd.sh via-env
username-as-common-name
script-security 3
client-to-client
创建scripts目录并且将脚本放进去,如下:
[root@node scripts]# cat /etc/openvpn/scripts/checkpwd.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
PASSFILE="/etc/openvpn/scripts/pwd-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
echo "${TIME_STAMP}: Could not open password file "${PASSFILE}" for reading." >> ${LOG_FILE}
exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username="${username}", password="${password}"." >> ${LOG_FILE}
exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username="${username}"." >> ${LOG_FILE}
exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username="${username}", password="${password}"." >> ${LOG_FILE}
exit 1
[root@node scripts]#
创建密码文件
[root@node scripts]# cat /etc/openvpn/scripts/pwd-file
linuxeacom 123
[root@node scripts]# ll
total 8
-rwxr-xr-x 1 root root 969 Mar 19 02:02 checkpwd.sh
-r-------- 1 nobody nobody 15 Mar 19 02:08 pwd-file
[root@node scripts]#
修改权限
[root@node tools]# chmod 400 pwd-file
[root@node tools]# chown nobody.nobody pwd-file
[root@node tools]# chmod +x checkpwd.sh
随机生成密码给linuxeacom用户
[root@node tools]# yum install expect
[root@node tools]# mkpasswd -l 15
^ukhvlhv30bCtiY
[root@node tools]# vim pwd-file
linuxeacom ^ukhvlhv30bCtiY
windows客户端配置文件修改linuxecom.ovpn,目录为:C:Program Files (x86)OpenVPNconfiglinuxeacom而后在客户端中加上auth-user-pass ,并且创建一个文件叫做pwd.txt,将用户和密码保存在里面,在auth-user-pass 后面写上即可(需要放在同一目录下)
client
dev tun
;dev-node MyTap
proto tcp
;proto udp
remote 10.0.0.20 1194
;remote 117.74.136.195 9504
;remote 180.167.10.194 9000
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert linuxeacom.crt
key linuxeacom.key
ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
;mute 20
auth-user-pass pwd.txt #存放密码
tls-client
;ns-cert-type server
route-method exe
route-delay 2
登录即可查看日志:
[root@node openvpn]# tail -3 openvpn.log
Sat Mar 19 02:13:28 2016 linuxeacom/10.0.0.1:51664 MULTI: primary virtual IP for linuxeacom/10.0.0.1:51664: 172.8.0.6
Sat Mar 19 02:13:31 2016 linuxeacom/10.0.0.1:51664 PUSH: Received control message: 'PUSH_REQUEST'
Sat Mar 19 02:13:31 2016 linuxeacom/10.0.0.1:51664 SENT CONTROL [linuxeacom]: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,route 172.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 172.8.0.6 172.8.0.5' (status=1)
[root@node openvpn]#
status日志:
[root@node openvpn]# tail openvpn-status.log
OpenVPN CLIENT LIST
Updated,Sat Mar 19 02:15:11 2016
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
linuxeacom,10.0.0.1:51664,4456,6008,Sat Mar 19 02:13:28 2016
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
172.8.0.6,linuxeacom,10.0.0.1:51664,Sat Mar 19 02:13:28 2016
GLOBAL STATS
Max bcast/mcast queue length,0
END
[root@node openvpn]#
本章文件借鉴于:http://ylw6006.blog.51cto.com/470441/1009004/,尽管此文章神坑居多,不过本章已经填坑完毕!
