OpenVPN Unified Authentication Solutions

Author: print("") Category: linux Published: 2017-05-17 13:33


  • Local file authentication
  • Database authentication

Method 1: reuse the script approach from the local file authentication above, but have the script read the credentials from the database instead
Method 2: use pam_mysql

  • LDAP authentication

Method 1: openvpn-auth-ldap
Method 2: follow the idea of the local file authentication and query LDAP instead; the result can also be compared against the local file (python ldap)

  • RADIUS authentication
  • Authentication against Microsoft Active Directory
  • Authentication combined with devices such as USB keys (U盾)

 
 
OpenVPN local file authentication
Add the following four lines to server.conf (they are the last four lines of the configuration shown below):
local 192.168.236.147
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
cert /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
key /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
dh /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 202.101.224.68"
keepalive 10 120
comp-lzo
max-clients 10
persist-key
persist-tun
status openvpn-status.log
log         /usr/local/openvpn/log/openvpn.log
log-append  /usr/local/openvpn/log/openvpn-status.log
verb 3
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
client-cert-not-required
username-as-common-name
script-security 3
 
 
 
Add the checkpsw.sh file:
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN runs it through "auth-user-pass-verify ... via-env", so the
# client's credentials arrive in the environment variables $username
# and $password; exit status 0 accepts the login, non-zero rejects it.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

# Take the first non-comment line (lines starting with ';' or '#' are skipped)
# whose first field is the username. The username is handed to awk with -v
# rather than spliced into the program text, so quote characters in a
# submitted username cannot alter the awk program.
CORRECT_PASSWORD=`awk -v u="${username}" '!/^;/&&!/^#/&&$1==u{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

# Note: failed attempts write the submitted password to the log file in clear text.
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
Add the password file:
[root@mysql1 openvpn]# cat psw-file
liang   123456
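As an added example (not from the original post and not OpenVPN's own code), here is a Python replacement for checkpsw.sh for the same auth-user-pass-verify via-env hook: it keeps salted PBKDF2 hashes in the passfile instead of clear-text passwords, skips ';' and '#' comment lines like the awk filter, and never writes the submitted password to the log. The three-column file format, the salt and the sample entry are my own constructions; the same check_credentials lookup can be pointed at a database or LDAP for the other approaches in the outline.

```python
#!/usr/bin/env python3
# Hashed-password replacement for checkpsw.sh, wired in with
#   auth-user-pass-verify /etc/openvpn/checkpsw.py via-env
# via-env: OpenVPN exports the client's credentials as environment variables
# "username" and "password"; exit status 0 accepts the login, 1 rejects it.
import hashlib
import hmac
import os
import sys

ITERATIONS = 100_000
PASSFILE = "/etc/openvpn/psw-file"
LOG_FILE = "/var/log/openvpn-password.log"

def make_entry(username, password, salt):
    """Build one passfile line, 'user salt pbkdf2-sha256-hex' (assumed format)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    return f"{username} {salt} {digest.hex()}"

def check_credentials(username, password, lines):
    """True only if username is listed and password matches its stored hash.
    Lines starting with ';' or '#' are comments, as in the awk filter of
    checkpsw.sh; an unknown user and a wrong password are both just rejected."""
    for line in lines:
        fields = line.split()
        if not fields or fields[0][0] in ";#" or len(fields) != 3:
            continue
        user, salt, stored = fields
        if user == username:
            digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
            return hmac.compare_digest(digest.hex(), stored)
    return False

# Constructed sample passfile: the post's user "liang" with password 123456.
SAMPLE_LINES = ["# username salt pbkdf2_sha256_hex", make_entry("liang", "123456", "s4lt-liang")]

def main():
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    with open(PASSFILE) as f:
        ok = check_credentials(username, password, f.read().splitlines())
    with open(LOG_FILE, "a") as log:  # record outcome and user, never the password
        log.write(f"{'OK' if ok else 'FAIL'} username={username!r}\n")
    sys.exit(0 if ok else 1)

if __name__ == "__main__":
    main()
```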
 
 
 
Restart the openvpn service:
[root@mysql1 openvpn]# /usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf &
[1] 43728
[root@mysql1 openvpn]# Thu May  4 05:40:14 2017 Warning: Error redirecting stdout/stderr to --log file: /usr/local/openvpn/log/openvpn.log: No such file or directory (errno=2)
Thu May  4 05:40:14 2017 Warning: Error redirecting stdout/stderr to --log file: /usr/local/openvpn/log/openvpn-status.log: No such file or directory (errno=2)
Thu May  4 05:40:14 2017 OpenVPN 2.3.0 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on May  4 2017
Thu May  4 05:40:14 2017 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu May  4 05:40:14 2017 Diffie-Hellman initialized with 2048 bit key
Thu May  4 05:40:14 2017 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Thu May  4 05:40:14 2017 Socket Buffers: R=[124928->131072] S=[124928->131072]
Thu May  4 05:40:14 2017 ROUTE_GATEWAY 192.168.236.1/255.255.255.0 IFACE=eth0 HWADDR=00:0c:29:2b:ab:9c
Thu May  4 05:40:14 2017 TUN/TAP device tun0 opened
Thu May  4 05:40:14 2017 TUN/TAP TX queue length set to 100
Thu May  4 05:40:14 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu May  4 05:40:14 2017 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Thu May  4 05:40:14 2017 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Thu May  4 05:40:14 2017 UDPv4 link local (bound): [AF_INET]192.168.236.147:1194
Thu May  4 05:40:14 2017 UDPv4 link remote: [undef]
Thu May  4 05:40:14 2017 MULTI: multi_init called, r=256 v=256
Thu May  4 05:40:14 2017 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Thu May  4 05:40:14 2017 ifconfig_pool_read(), in='qingbo,10.8.0.4', TODO: IPv6
Thu May  4 05:40:14 2017 succeeded -> ifconfig_pool_set()
Thu May  4 05:40:14 2017 ifconfig_pool_read(), in='liang,10.8.0.8', TODO: IPv6
Thu May  4 05:40:14 2017 succeeded -> ifconfig_pool_set()
Thu May  4 05:40:14 2017 IFCONFIG POOL LIST
Thu May  4 05:40:14 2017 qingbo,10.8.0.4
Thu May  4 05:40:14 2017 liang,10.8.0.8
Thu May  4 05:40:14 2017 Initialization Sequence Completed
 
Modify the config file on the client:
client
dev tun
proto udp
remote 192.168.236.173 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
comp-lzo
verb 3
auth-user-pass    ####### add this line, and remove the client's cert and key lines
Test from the client.

