Centos X64 6.8下安装Openvpn,三种认证方式
环境说明:
主机名称:openvpn01
安装版本为openvpn-2.3.11-1.el6.x86_64
相关资源下载连接如下:
链接:http://pan.baidu.com/s/1c2zDX5Y 密码:mooz
链接:http://pan.baidu.com/s/1bAXh6m 密码:vgq8
链接:http://pan.baidu.com/s/1qYkwty8 密码:1n32
前提条件,关闭selinux安全
# vi /etc/selinux/config
把SELINUX=enforcing 改为SELINUX=disabled后存盘退出,重启机器.
1. 安装"EPEL"源
# rpm -ivh rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
# wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -Uvh epel-release-6-8.noarch.rpm
2. 安装openvpn
# yum install lzo lzo-devel
# rpm -qa | grep lzo
lzo-devel-2.03-3.1.el6_5.1.x86_64
lzo-minilzo-2.03-3.1.el6_5.1.x86_64
lzo-2.03-3.1.el6_5.1.x86_64
# yum -y install openssl openssl-devel
# rpm -qa | grep openssl
openssl-devel-1.0.1e-48.el6_8.1.x86_64
openssl-1.0.1e-48.el6_8.1.x86_64
openssl098e-0.9.8e-20.el6.centos.1.x86_64
# yum install openvpn easy-rsa
# rpm -qa | grep openvpn
openvpn-2.3.11-1.el6.x86_64
或者wget http://dl.fedoraproject.org/pub/epel/6/x86_64/openvpn-2.3.11-1.el6.x86_64.rpm
3. easy-rsa配置
# mkdir -p /etc/openvpn/easy-rsa/keys
# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
4. 创建CA证书和密钥
# vi /etc/openvpn/easy-rsa/vars
# PKCS11 fixes
# export PKCS11_MODULE_PATH="dummy"
# export PKCS11_PIN="dummy"
export KEY_COUNTRY="CN"
export KEY_PROVINCE="CA"
export KEY_CITY="Dongguan"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@33jack.com"
export KEY_OU="33jack"
更改你自己的国家,省份,城市,邮箱等等
[root@openvpn01 ]# cd /etc/openvpn/easy-rsa
[root@openvpn01 easy-rsa]# cp openssl-1.0.0.cnf openssl.cnf
[root@openvpn01 easy-rsa]# source ./vars
NOTE: If you run ./clean-all,I will be doing a rm -rf on /usr/share/easy-rsa/2.0/keys
[root@openvpn01 easy-rsa]# ./clean-all
创建CA证书和密钥
[root@openvpn01 easy-rsa]# ./build-ca
5. 创建服务端的证书和密钥
# ./build-key-server server
6. 创建客户端的证书和密钥
# ./build-key client
7. 创建 迪菲 霍尔曼密钥交换参数
创建DH参数.此过程时间比较久,等个10分钟就好了
# ./build-dh
# openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
客户端证书秘钥:ca.crt、client.crtclient.keyta.key(编辑openvpn客户端配置文件会用到)
9、更改主机名称,不然启动会报错。
#vi /etc/hosts
127.0.0.1 localhost openvpn01 localhost4.localdomain4
10.直接使用证书认证方式
# vi /etc/openvpn/server.conf
port 443
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 210.0.255.250"
push "dhcp-option DNS 218.102.23.228"
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway"
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3
11、启动服务
# mkdir /var/log/openvpn
# service openvpn start
tarting openvpn: /etc/init.d/openvpn: line 162: 328 Segmentation fault
这里可能报错,因为openvpn的启动脚本和发行版稍有差别,如果报错,编辑文件/etc/init.d/openvpn里面注释如下几行:
# Source networking configuration.
#. /etc/sysconfig/network
# Check that networking is up.
#if [ ${NETWORKING} = "no" ]
#then
# echo "Networking isdown"
# exit 0
#fi
客户端配置请参见文章http://www.jb51.cc/article/p-nvottcuw-mt.html
====================================================================================
1、安装并建立数据库
#rpm -qa | grep MysqL
MysqL-5.0.77-4.el5_6.6
mod_auth_MysqL-3.0.0-3.2.el5_3
MysqL-libs-5.1.73-3.el6_5.x86_64
# rpm -e mod_auth_MysqL-3.0.0-3.2.el5_3
# rpm -e MysqL-5.0.77-4.el5_6.6
# yum -y remove MysqL-libs-5.1*
rpm安装MysqL 5.7.4-m14版本,
#rpm -ivhMysqL-server-5.7.4_m14-1.el6.x86_64.rpm
#rpm -ivhMysqL-client-5.7.4_m14-1.el6.x86_64.rpm
#rpm -ivhMysqL-devel-5.7.4_m14-1.el6.x86_64.rpm
#rpm -ivhMysqL-shared-5.7.4_m14-1.el6.x86_64.rpm
#rpm -ivhMysqL-shared-compat-5.7.4_m14-1.el6.x86_64.rpm
#chown -R MysqL:MysqL /var/lib/MysqL
You will find that password in '/root/.MysqL_secret'.
# service MysqL start
#MysqL -uroot -p
登录后,用下面命令设定密码为pk168007
MysqL>set password=password('pk168007');
MysqL>flush privileges;
MysqL>quit
[root@openvpn01 openvpn]# service MysqL restart
[root@openvpn01 openvpn]# chkconfig MysqL on
[root@openvpn01 openvpn]# MysqL -u root -p
运行以下sql命令:
� 创建数据库
MysqL> CREATE DATABASE openvpn;
� 切换数据库
MysqL> USE openvpn;
创建用户,用户名openvpn,密码evanmis(可自行设定)
MysqL>GRANT ALL ON openvpn.* TO 'openvpn'@'localhost' IDENTIFIED BY 'evanmis';
� 创建用户数据表
CREATE TABLE IF NOT EXISTS `user` (
`username` char(32) COLLATE utf8_unicode_ci NOT NULL,
`password` char(128) COLLATE utf8_unicode_ci DEFAULT NULL,198);"> `active` int(10) NOT NULL DEFAULT '1',198);"> `creation` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,198);"> `name` varchar(32) COLLATE utf8_unicode_ci NOT NULL,198);"> `email` char(128) COLLATE utf8_unicode_ci DEFAULT NULL,198);"> `note` text COLLATE utf8_unicode_ci,198);"> `quota_cycle` int(10) NOT NULL DEFAULT '30',198);"> `quota_bytes` bigint(20) NOT NULL DEFAULT '10737418240',198);"> `enabled` int(10) NOT NULL DEFAULT '1',198);"> PRIMARY KEY (`username`),198);"> KEY `idx_active` (`active`),198);"> KEY `idx_enabled` (`enabled`)
) DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
-- 创建日志数据表
CREATE TABLE IF NOT EXISTS `log` (
`username` varchar(32) COLLATE utf8_unicode_ci NOT NULL,198);"> `start_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,198);"> `end_time` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',198);"> `trusted_ip` varchar(64) COLLATE utf8_unicode_ci DEFAULT NULL,198);"> `trusted_port` int(10) DEFAULT NULL,198);"> `protocol` varchar(16) COLLATE utf8_unicode_ci DEFAULT NULL,198);"> `remote_ip` varchar(64) COLLATE utf8_unicode_ci DEFAULT NULL,198);"> `remote_netmask` varchar(64) COLLATE utf8_unicode_ci DEFAULT NULL,198);"> `bytes_received` bigint(20) DEFAULT '0',198);"> `bytes_sent` bigint(20) DEFAULT '0',198);"> `status` int(10) NOT NULL DEFAULT '1',198);"> KEY `idx_username` (`username`),198);"> KEY `idx_start_time` (`start_time`),198);"> KEY `idx_end_time` (`end_time`)
) DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
2、建立客户端的VPN拨入帐号
[root@openvpn01 openvpn]# MysqL -uopenvpn -p
执行以下命令:
MysqL>USE openvpn;
INSERT INTO user(username,password) VALUES('test',ENCRYPT('123456'));
MysqL> select * from user;
+----------+---------------+--------+---------------------+------+-------+------+-------------+-------------+---------+
| username | password | active | creation | name | email | note | quota_cycle | quota_bytes | enabled |
| test | st3rCn.zSAbZU | 1 | 2012-05-08 08:56:24 | | NULL | NULL | 30 | 10737418240 | 1 |
| evan | bT.y7RjLv90mc | 1 | 2012-05-08 14:57:43 | | NULL | NULL | 30 | 10737418240 | 1 |
2 rows in set (0.00 sec)
3、配置OpenVPN的PAM MysqL认证
安装pam_MysqL验证安装包
[root@openvpn01 openvpn]# yum install pam_krb5 pam pam-devel
[root@openvpn01 openvpn]# rpm -ivh pam_MysqL-0.7-0.12.rc1.el6.x86_64.rpm
[root@openvpn01 openvpn]# rpm -qa | grep pam_MysqL
pam_MysqL-0.7-0.12.rc1.el6.x86_64
并确认这个文件已经存在 /lib64/security/pam_MysqL.so
[root@openvpn01 ~]# rpm -qa | grep pam
pam-devel-1.1.1-22.el6.x86_64
pam_MysqL-0.7-0.12.rc1.el6.x86_64
fprintd-pam-0.1-22.git04fd09cfa.el6.x86_64
pam_passwdqc-1.0.5-8.el6.x86_64
pam-1.1.1-22.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
[root@openvpn01 ~]# touch /etc/pam.d/openvpn_MysqL
[root@openvpn01 ~]# vi /etc/pam.d/openvpn_MysqL
auth sufficient pam_MysqL.so \
user=openvpn passwd=evanmis host=localhost db=openvpn \
table=user usercolumn=username passwdcolumn=password \
where=active=1 sqllog=0 crypt=1
account required pam_MysqL.so \
where=active=1 sqllog=0 crypt=1
4、测试pam验证是否成功
[root@openvpn01 openvpn]# /etc/init.d/saslauthd restart
[root@openvpn01 openvpn]# chkconfig saslauthd on
[root@openvpn01 openvpn]# testsaslauthd -u test -p 123456 -s openvpn_MysqL
如果显示
0: OK "Success."
则说明MysqL认证配置成功。否则,请根据/var/log/auth.log日志查找原因。
5、复制OpenVPN PAM认证模块。
注意,2.2.2版本的认证模块文件有问题,会造成帐号密码无法得到认证,所以只能用2.0.9版的生成。
[root@openvpn01 openvpn]# wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
[root@openvpn01 openvpn]# tar zxvf openvpn-2.0.9.tar.gz
[root@openvpn01 openvpn]# cd /openvpn/openvpn-2.0.9/plugin/auth-pam/
[root@openvpn01 auth-pam]# make
[root@mailserver auth-pam]# cp openvpn-auth-pam.so /lib64/security/
[root@openvpn01 openvpn]# vi /etc/openvpn/server.conf
将下面一行启用。注意:MysqL 与Radius两种认证只能启用其中一种,不能2个同时使用.
plugin /lib64/security/openvpn-auth-pam.so openvpn_MysqL
==========================================================================================
二、配置OpenVPN PAM Radius认证模块(认证方法二)
使用Radius认证,必须事先架设一台Radius server. 相关教程,请自行找文章。
[root@openvpn01 openvpn]# mkdir /etc/raddb/
[root@openvpn01 openvpn]#wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.4.0.tar.gz
[root@openvpn01 openvpn]# tar zxvf pam_radius-1.4.0.tar.gz
[root@openvpn01 openvpn]# cd pam_radius-1.4.0
[root@openvpn01 pam_radius-1.4.0]# vi pam_radius_auth.conf
修改部分:
# server[:port] shared_secret timeout (s)
114.112.260.90 pk888 1
#other-server other-secret 3
备注:114.112.260.90是radius服务器,pk888是shred共享密码,只需改一行即可。
[root@openvpn01 pam_radius-1.4.0]# ./configure
[root@openvpn01 pam_radius-1.4.0]# make
[root@openvpn01 pam_radius-1.4.0]# cp pam_radius_auth.so /etc/openvpn
[root@openvpn01 pam_radius-1.4.0]# cp pam_radius_auth.so /lib64/security
[root@openvpn01 pam_radius-1.4.0]# cp pam_radius_auth.conf /etc/raddb/server
配置PAM认证
[root@mailserver pam.d]# vi /etc/pam.d/openvpn_radius
account required /lib64/security/pam_radius_auth.so
auth required /lib64/security/pam_radius_auth.so
[root@mailserver software]# /etc/init.d/saslauthd restart
[root@mailserver software]# testsaslauthd -u bbb -p 456456 -s openvpn_radius
备注:帐号bbb,密码456456是radius服务器114.112.260.90中建立的。
配置OpenVPN服务器的配置文件,注意与以前的MysqL认证相比,只是更改了一行。即下面红色的那一行
vi /etc/server.conf
dev tun
port 443
management 127.0.0.1 7505
sndbuf 409600
rcvbuf 409600
mssfix
cipher BF-CBC
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
#tls -auth /etc/openvpn/easy-rsa/ta.key 0
push "dhcp-option DNS 210.0.255.250"
push "dhcp-option DNS 218.102.23.228"
push "redirect-gateway"
server 10.8.0.0 255.255.255.0
keepalive 10 60
duplicate-cn
log /var/log/openvpn.log
status /var/log/openvpn-status.log
verb 3
#mute 5
# user/pass auth from MysqL
#plugin /lib64/security/openvpn-auth-pam.so openvpn_MysqL
# user/pass auth from Radius
plugin /etc/openvpn/openvpn-auth-pam.so openvpn_radius
client-cert-not-required
username-as-common-name
auth-nocache
备注:push "redirect-gateway" 表示所有用户端流量都走VPN出去。
6) 设置IP包转发:
a) 关闭服务器、防火墙上所有对SSH(22)、openvpn(443)的拦截。
b) [root@openvpn01 openvpn]#vi /etc/sysctl.conf
将 net.ipv4.ip_forward = 1 值改为1.
[root@openvpn01 openvpn]# sysctl -p
7) 导入防火墙配置文件iptables(附件中),再重起服务。
[root@openvpn01 openvpn]# service iptables restart
[root@openvpn01 openvpn]# chkconfig saslauthd on
==========================================================
交流QQ:1564778559