Installing OpenVPN on CentOS 6.8 with three authentication methods
Installing OpenVPN on CentOS x64 6.8, with three authentication methods: certificate only, MySQL via PAM, and RADIUS via PAM.

Environment:
Host name: openvpn01
Installed version: openvpn-2.3.11-1.el6.x86_64
Related downloads:
Link: http://pan.baidu.com/s/1c2zDX5Y  password: mooz
Link: http://pan.baidu.com/s/1bAXh6m  password: vgq8
Link: http://pan.baidu.com/s/1qYkwty8  password: 1n32

Prerequisite: the article turns SELinux off.
# vi /etc/selinux/config
Change SELINUX=enforcing to SELINUX=disabled, save, and reboot (setenforce 0 switches to permissive immediately, until the next reboot). Disabling SELinux is the easy way out, not a requirement: if you keep it enforcing, expect to label the out-of-tree PAM plugin built below and to allow the PAM module's MySQL connection; /var/log/audit/audit.log shows what is being denied.

1. Install the RPMforge and EPEL repositories (the original heading says only "EPEL", but both are added)
# rpm -ivh rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
# wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -Uvh epel-release-6-8.noarch.rpm

2. Install OpenVPN
# yum install lzo lzo-devel
# rpm -qa | grep lzo
lzo-devel-2.03-3.1.el6_5.1.x86_64
lzo-minilzo-2.03-3.1.el6_5.1.x86_64
lzo-2.03-3.1.el6_5.1.x86_64
# yum -y install openssl openssl-devel
# rpm -qa | grep openssl
openssl-devel-1.0.1e-48.el6_8.1.x86_64
openssl-1.0.1e-48.el6_8.1.x86_64
openssl098e-0.9.8e-20.el6.centos.1.x86_64
# yum install openvpn easy-rsa
# rpm -qa | grep openvpn
openvpn-2.3.11-1.el6.x86_64
Alternatively, fetch the package directly: wget http://dl.fedoraproject.org/pub/epel/6/x86_64/openvpn-2.3.11-1.el6.x86_64.rpm

3. Set up easy-rsa
# mkdir -p /etc/openvpn/easy-rsa/keys
# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

4. Create the CA certificate and key
# vi /etc/openvpn/easy-rsa/vars
# PKCS11 fixes
# export PKCS11_MODULE_PATH="dummy"
# export PKCS11_PIN="dummy"
export KEY_COUNTRY="CN"
export KEY_PROVINCE="CA"
export KEY_CITY="Dongguan"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@33jack.com"
export KEY_OU="33jack"
Change the country, province, city, e-mail and so on to your own values. Two more settings in vars deserve a look before you continue. First, EASY_RSA (KEY_DIR is derived from it as $EASY_RSA/keys): the NOTE printed below shows that it resolved to /usr/share/easy-rsa/2.0/keys, while server.conf later reads from /etc/openvpn/easy-rsa/keys, so set EASY_RSA to /etc/openvpn/easy-rsa (or adjust the paths in server.conf) and confirm with ls /etc/openvpn/easy-rsa/keys after ./build-ca. Second, KEY_SIZE must be 2048, because ./build-dh names its output dh${KEY_SIZE}.pem and server.conf references dh2048.pem.
# cd /etc/openvpn/easy-rsa
# cp openssl-1.0.0.cnf openssl.cnf
# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/easy-rsa/2.0/keys
# ./clean-all
Create the CA certificate and key:
# ./build-ca

5. Create the server certificate and key
# ./build-key-server server

6. Create the client certificate and key
# ./build-key client

7. Create the Diffie-Hellman key exchange parameters
This step takes a while; expect around ten minutes.
# ./build-dh

8. Generate the ta.key file (the tls-auth HMAC key)
# openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
Files the client needs: ca.crt, client.crt, client.key and ta.key (the client configuration references them). client.key and ta.key are secrets: copy them over a secure channel and keep them mode 600 on both ends.

9. Fix the host name mapping, otherwise startup reports an error
# vi /etc/hosts
127.0.0.1 localhost openvpn01 localhost4.localdomain4

10. Certificate-only authentication
# vi /etc/openvpn/server.conf
port 443
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 210.0.255.250"
push "dhcp-option DNS 218.102.23.228"
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway"
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3
Notes on this configuration. duplicate-cn lets several clients connect with the same certificate, which is why the single "client" certificate from step 6 is enough here; the price is that a shared key cannot be revoked for one user, so per-user certificates (./build-key once per user) with a CRL (crl-verify) are the better arrangement. push "redirect-gateway" sends all client traffic through the tunnel; the usual form is push "redirect-gateway def1", which overrides the default route without deleting it so the client recovers cleanly when the tunnel drops, and it only works if the server forwards and NATs the client subnet (step 6 at the end of this article). tls-auth with ta.key makes the server drop packets that do not carry a valid HMAC before the TLS handshake; keep it on. comp-lzo enables compression, which later OpenVPN releases deprecate; leave it out unless you need it. status openvpn-status.log is a relative path, resolved against the daemon's working directory; the absolute /var/log/openvpn-status.log used in the RADIUS configuration below is clearer.

11. Start the service
# mkdir /var/log/openvpn
# service openvpn start
Starting openvpn: /etc/init.d/openvpn: line 162: 328 Segmentation fault
This may fail because the init script differs slightly between distributions. If it does, edit /etc/init.d/openvpn and comment out the following lines:
# Source networking configuration.
#. /etc/sysconfig/network
# Check that networking is up.
#if [ ${NETWORKING} = "no" ]
#then
# echo "Networking is down"
# exit 0
#fi
For the client configuration see http://www.jb51.cc/article/p-nvottcuw-mt.html

====================================================================================
I. MySQL database authentication via PAM (authentication method one)

1. Install MySQL and create the database
Remove the previously installed MySQL packages first, in this order:
# rpm -qa | grep mysql
mysql-5.0.77-4.el5_6.6
mod_auth_mysql-3.0.0-3.2.el5_3
mysql-libs-5.1.73-3.el6_5.x86_64
# rpm -e mod_auth_mysql-3.0.0-3.2.el5_3
# rpm -e mysql-5.0.77-4.el5_6.6
# yum -y remove mysql-libs-5.1*
Watch what yum removes along with mysql-libs: other packages (postfix, for instance) depend on it, and -y takes them out without asking.
Install MySQL 5.7.4-m14 from the RPMs (this is a development milestone build; a GA 5.7 release is preferable on a production server):
# rpm -ivh MySQL-server-5.7.4_m14-1.el6.x86_64.rpm
# rpm -ivh MySQL-client-5.7.4_m14-1.el6.x86_64.rpm
# rpm -ivh MySQL-devel-5.7.4_m14-1.el6.x86_64.rpm
# rpm -ivh MySQL-shared-5.7.4_m14-1.el6.x86_64.rpm
# rpm -ivh MySQL-shared-compat-5.7.4_m14-1.el6.x86_64.rpm
# chown -R mysql:mysql /var/lib/mysql
Note: the generated root password is in the file named by the installer:
You will find that password in '/root/.mysql_secret'.
# service mysql start
# mysql -uroot -p
After logging in, set the root password (pk168007 is the article's example; choose your own):
mysql> set password=password('pk168007');
mysql> flush privileges;
mysql> quit
# service mysql restart
# chkconfig mysql on
# mysql -u root -p
Run the following SQL:
Create the database
mysql> CREATE DATABASE openvpn;
Switch to it
mysql> USE openvpn;
Create the user openvpn with password evanmis (change it)
mysql> GRANT ALL ON openvpn.* TO 'openvpn'@'localhost' IDENTIFIED BY 'evanmis';
ALL is more than the PAM module needs: with sqllog=0 (configured below) pam_mysql only reads the user table, so SELECT on openvpn.user is enough; grant more only if you actually write to the log table or enable sqllog.
Create the user table
CREATE TABLE IF NOT EXISTS `user` (
  `username` char(32) COLLATE utf8_unicode_ci NOT NULL,
  `password` char(128) COLLATE utf8_unicode_ci DEFAULT NULL,
  `active` int(10) NOT NULL DEFAULT '1',
  `creation` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
  `name` varchar(32) COLLATE utf8_unicode_ci NOT NULL,
  `email` char(128) COLLATE utf8_unicode_ci DEFAULT NULL,
  `note` text COLLATE utf8_unicode_ci,
  `quota_cycle` int(10) NOT NULL DEFAULT '30',
  `quota_bytes` bigint(20) NOT NULL DEFAULT '10737418240',
  `enabled` int(10) NOT NULL DEFAULT '1',
  PRIMARY KEY (`username`),
  KEY `idx_active` (`active`),
  KEY `idx_enabled` (`enabled`)
) DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
-- Create the log table
CREATE TABLE IF NOT EXISTS `log` (
  `username` varchar(32) COLLATE utf8_unicode_ci NOT NULL,
  `start_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
  `end_time` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
  `trusted_ip` varchar(64) COLLATE utf8_unicode_ci DEFAULT NULL,
  `trusted_port` int(10) DEFAULT NULL,
  `protocol` varchar(16) COLLATE utf8_unicode_ci DEFAULT NULL,
  `remote_ip` varchar(64) COLLATE utf8_unicode_ci DEFAULT NULL,
  `remote_netmask` varchar(64) COLLATE utf8_unicode_ci DEFAULT NULL,
  `bytes_received` bigint(20) DEFAULT '0',
  `bytes_sent` bigint(20) DEFAULT '0',
  `status` int(10) NOT NULL DEFAULT '1',
  KEY `idx_username` (`username`),
  KEY `idx_start_time` (`start_time`),
  KEY `idx_end_time` (`end_time`)
) DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
Two of these definitions depend on MySQL running without strict SQL mode, as the author's server evidently did: the zero-date default for end_time is rejected when NO_ZERO_DATE is in effect (newer MySQL defaults), where a NULL default is the fix, and the NOT NULL `name` column without a default makes an INSERT that omits it fail under STRICT_TRANS_TABLES, so supply name or give the column a default.

2. Create VPN dial-in accounts for clients
Log in to MySQL:
# mysql -uopenvpn -p
and run:
mysql> USE openvpn;
INSERT INTO user(username,password) VALUES('test',ENCRYPT('123456'));
This creates the account test with password 123456. ENCRYPT() without a salt argument produces a traditional DES crypt(3) hash (13 characters, as in the listing below): only the first 8 characters of the password count and it is cheap to brute-force. pam_mysql with crypt=1 simply hands the stored string to the system crypt(3), so any scheme glibc's crypt supports works; on Linux, ENCRYPT() accepts a salt argument of the $6$...$ form and then yields salted SHA-512 instead.
Check the accounts now in the table:
mysql> select * from user;
+----------+---------------+--------+---------------------+------+-------+------+-------------+-------------+---------+
| username | password      | active | creation            | name | email | note | quota_cycle | quota_bytes | enabled |
+----------+---------------+--------+---------------------+------+-------+------+-------------+-------------+---------+
| test     | st3rCn.zSAbZU |      1 | 2012-05-08 08:56:24 |      | NULL  | NULL |          30 | 10737418240 |       1 |
| evan     | bT.y7RjLv90mc |      1 | 2012-05-08 14:57:43 |      | NULL  | NULL |          30 | 10737418240 |       1 |
+----------+---------------+--------+---------------------+------+-------+------+-------------+-------------+---------+
2 rows in set (0.00 sec)
(evan is a second account created the same way.)

3. Configure OpenVPN's PAM MySQL authentication
Install the pam_mysql module:
# yum install pam_krb5 pam pam-devel
# rpm -ivh pam_mysql-0.7-0.12.rc1.el6.x86_64.rpm
# rpm -qa | grep pam_mysql
pam_mysql-0.7-0.12.rc1.el6.x86_64
Confirm that the module file /lib64/security/pam_mysql.so exists.
# rpm -qa | grep pam
pam-devel-1.1.1-22.el6.x86_64
pam_mysql-0.7-0.12.rc1.el6.x86_64
fprintd-pam-0.1-22.git04fd09cfa.el6.x86_64
pam_passwdqc-1.0.5-8.el6.x86_64
pam-1.1.1-22.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
# touch /etc/pam.d/openvpn_mysql
# vi /etc/pam.d/openvpn_mysql
auth sufficient pam_mysql.so user=openvpn passwd=evanmis host=localhost db=openvpn table=user usercolumn=username passwdcolumn=password where=active=1 sqllog=0 crypt=1
account required pam_mysql.so where=active=1 sqllog=0 crypt=1
Two things to watch here. The database password sits in clear text in this file, so make it readable by root only (chmod 600); OpenVPN runs as root in this setup (there is no user/group directive), as does saslauthd, so nothing else needs to read it. And PAM passes each line's arguments to the module separately, so the account line as written has no connection parameters of its own; repeating the user, passwd, host, db and table options on it is the safer choice.

4. Test that PAM authentication works
# /etc/init.d/saslauthd restart
# chkconfig saslauthd on
# testsaslauthd -u test -p 123456 -s openvpn_mysql
saslauthd authenticates through PAM by default (MECH=pam in /etc/sysconfig/saslauthd), so this exercises exactly the /etc/pam.d/openvpn_mysql stack. If it prints
0: OK "Success."
the MySQL authentication is working. Otherwise look for the cause in /var/log/secure (the original points at /var/log/auth.log, which is the Debian location; CentOS logs PAM messages to /var/log/secure).

5. Build and copy the OpenVPN PAM authentication plugin
The article reports that the plugin from the 2.2.2 source tree did not authenticate correctly, so it builds the one from 2.0.9. Before compiling anything, check whether the openvpn package you installed already ships a PAM plugin (rpm -ql openvpn | grep -i pam; EPEL builds of 2.3 install it under /usr/lib64/openvpn/plugins/); if it does, point the plugin line at that file instead.
# wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
# tar zxvf openvpn-2.0.9.tar.gz
# cd openvpn-2.0.9/plugin/auth-pam/
# make
This produces the plugin file openvpn-auth-pam.so.
# cp openvpn-auth-pam.so /lib64/security/
# vi /etc/openvpn/server.conf
Enable the following line. Note: only one of the MySQL and RADIUS methods can be active at a time, not both.
plugin /lib64/security/openvpn-auth-pam.so openvpn_mysql
With only this line added to the step 10 configuration, clients must present a valid certificate and a username and password; the client-cert-not-required / username-as-common-name pair used in the RADIUS configuration below is what switches to password-only authentication.

==========================================================================================
II. OpenVPN PAM RADIUS authentication (authentication method two)
RADIUS authentication requires a RADIUS server to be set up in advance.
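Provisioning accounts for the MySQL method (the user table created in part I above) without the 8-character, unsalted DES hash that ENCRYPT() produces by default. This is an added example, not part of the original article: it generates the INSERT statement with a salted crypt(3) hash, which pam_mysql (crypt=1) verifies through the same crypt(3) call, and shows how that verification works. It assumes the column names from the CREATE TABLE above, fills the NOT NULL `name` column with the username so the statement also works in strict SQL mode, and needs an openssl binary: the $6$ SHA-512 form requires openssl passwd -6 (OpenSSL 1.1.1 or later); older builds such as CentOS 6's 1.0.1e fall back to $1$ MD5-crypt, which is weaker but still salted and not truncated.

```sh
#!/bin/sh
# Added example (not from the original article): provision accounts for the
# `user` table with salted crypt(3) hashes that pam_mysql (crypt=1) accepts.

# crypt_hash PASSWORD SALT
# SHA-512 crypt ($6$) when this openssl supports "passwd -6", else MD5 crypt ($1$).
# Both are handled by glibc's crypt(3), which is what pam_mysql crypt=1 calls.
crypt_hash() {
  if openssl passwd -6 -salt "$2" x >/dev/null 2>&1; then
    printf '%s\n' "$1" | openssl passwd -6 -salt "$2" -stdin
  else
    printf '%s\n' "$1" | openssl passwd -1 -salt "$2" -stdin
  fi
}

# gen_user_sql USERNAME PASSWORD [SALT]
# Emits the INSERT for the user table. Single quotes in the username are
# doubled so the generated statement cannot be broken out of. The salt is
# 8 random hex characters unless one is supplied (supplying one is only
# useful for reproducible tests).
gen_user_sql() {
  salt=${3:-$(openssl rand -hex 4)}
  hash=$(crypt_hash "$2" "$salt")
  esc=$(printf '%s' "$1" | sed "s/'/''/g")
  printf "INSERT INTO user(username,password,name) VALUES('%s','%s','%s');\n" \
    "$esc" "$hash" "$esc"
}

# verify_hash STORED_HASH PASSWORD
# What crypt=1 does at login: rehash the candidate with the salt embedded in
# the stored value ($6$<salt>$... or $1$<salt>$...) and compare. 0 on match.
verify_hash() {
  salt=$(printf '%s' "$1" | cut -d'$' -f3)
  [ "$(crypt_hash "$2" "$salt")" = "$1" ]
}

# Usage: gen_user_sql test 123456 | mysql -uopenvpn -p openvpn
```

Because the hash carries its own salt, the same crypt(3) routine serves for storing and for checking, which is why nothing in /etc/pam.d/openvpn_mysql changes when you move from DES to $6$.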
Setting one up is not covered here; look for a separate tutorial.
# mkdir /etc/raddb/
# wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.4.0.tar.gz
# tar zxvf pam_radius-1.4.0.tar.gz
# cd pam_radius-1.4.0
# vi pam_radius_auth.conf
Change this part:
# server[:port] shared_secret timeout (s)
114.112.260.90 pk888 1
#other-server other-secret 3
Note: 114.112.260.90 stands for the RADIUS server (it is a placeholder, 260 is not a valid octet, so substitute your server's address) and pk888 is the shared secret; only this one line needs to change. The shared secret is all that protects the RADIUS exchange, so use a long random value.
# ./configure
# make
# cp pam_radius_auth.so /etc/openvpn
# cp pam_radius_auth.so /lib64/security
# cp pam_radius_auth.conf /etc/raddb/server
(/etc/raddb/server is where pam_radius_auth looks by default; it contains the shared secret, so make it root-only as well.)
Configure the PAM service:
# vi /etc/pam.d/openvpn_radius
account required /lib64/security/pam_radius_auth.so
auth required /lib64/security/pam_radius_auth.so
# /etc/init.d/saslauthd restart
# testsaslauthd -u bbb -p 456456 -s openvpn_radius
Note: the account bbb with password 456456 was created on the RADIUS server 114.112.260.90.
Now the OpenVPN server configuration. Compared with the MySQL configuration only one line changes, the plugin line (shown in red in the original). The listing below omits the ca, cert, key and proto lines; the server still needs them (the CA, server certificate and key are used even when clients present no certificate), so keep them from the configuration in step 10.
# vi /etc/openvpn/server.conf
dev tun
port 443
management 127.0.0.1 7505
sndbuf 409600
rcvbuf 409600
mssfix
cipher BF-CBC
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
#tls-auth /etc/openvpn/easy-rsa/ta.key 0
push "dhcp-option DNS 210.0.255.250"
push "dhcp-option DNS 218.102.23.228"
push "redirect-gateway"
server 10.8.0.0 255.255.255.0
keepalive 10 60
duplicate-cn
log /var/log/openvpn.log
status /var/log/openvpn-status.log
verb 3
#mute 5
# user/pass auth from Mysql
#plugin /lib64/security/openvpn-auth-pam.so openvpn_mysql
# user/pass auth from Radius
plugin /lib64/security/openvpn-auth-pam.so openvpn_radius
client-cert-not-required
username-as-common-name
auth-nocache
Notes: push "redirect-gateway" routes all client traffic through the VPN (see the note under step 10). The original wrote the file as /etc/server.conf and the plugin path as /etc/openvpn/openvpn-auth-pam.so; the file is the same /etc/openvpn/server.conf as before, and the plugin was copied to /lib64/security in part I, so the path above matches that. cipher BF-CBC is Blowfish, OpenVPN 2.3's default, a 64-bit block cipher; use cipher AES-256-CBC (the same line must then be set on the clients). tls-auth is commented out here, which removes the HMAC check that discards unauthenticated packets before the handshake; re-enable it, and note that the path must point to where ta.key was generated, /etc/openvpn/easy-rsa/keys/ta.key. With client-cert-not-required and username-as-common-name, the RADIUS password is the whole of client authentication. The management interface on 127.0.0.1:7505 has no password of its own; that is acceptable only because it is bound to localhost.

6) Enable IP forwarding:
a) Open SSH (22) and OpenVPN (443/udp) on the server's own firewall and on any firewall in front of it.
b) # vi /etc/sysctl.conf
Change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1
# sysctl -p
7) Load the iptables rules (the original's attachment, which is not reproduced here) and restart the service. With push "redirect-gateway" the rules must also NAT the 10.8.0.0/24 subnet out of the external interface, or client traffic will not come back.
# service iptables restart
# chkconfig saslauthd on
Enable OpenVPN at boot as well: chkconfig openvpn on.
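A pre-flight check for the layout used throughout this article, to run before service openvpn start and before pushing redirect-gateway to clients: it verifies that server.crt chains to ca.crt, that server.key is the key for server.crt, that the private files are not group/world readable, that forwarding is on, and it prints the NAT and FORWARD rules that replace the original's missing iptables attachment. This is an added example, not part of the original article. It assumes the easy-rsa key directory /etc/openvpn/easy-rsa/keys (override with KEYS=...), the 10.8.0.0/24 subnet from server.conf (SUBNET=...), and that eth0 is the external interface (IFACE=...); nat_rules only prints the commands so they can be reviewed before being piped into sh as root.

```sh
#!/bin/sh
# Added example, not part of the original article: pre-flight checks for the
# key layout and routing setup described above. Run as: sh preflight.sh check

# check_pki DIR: server.crt chains to ca.crt, server.key matches server.crt,
# and server.key/ta.key are not readable by group or others.
# Returns 0 when everything is consistent, otherwise a non-zero code and a reason.
check_pki() {
  d=$1
  openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null 2>&1 \
    || { echo "server.crt does not verify against ca.crt"; return 1; }
  # compare a digest of the RSA modulus of the certificate and of the key
  cm=$(openssl x509 -noout -modulus -in "$d/server.crt" 2>/dev/null | openssl sha256)
  km=$(openssl rsa -noout -modulus -in "$d/server.key" 2>/dev/null | openssl sha256)
  [ "$cm" = "$km" ] || { echo "server.key does not belong to server.crt"; return 2; }
  for f in "$d/server.key" "$d/ta.key"; do
    [ -f "$f" ] || { echo "missing $f"; return 3; }
    # columns 5-10 of ls -l are the group and other permission bits
    [ "$(ls -l "$f" | cut -c5-10)" = "------" ] \
      || { echo "$f is readable by group/other; chmod 600 it"; return 4; }
  done
  echo "PKI in $d looks consistent"
}

# forwarding_enabled: push "redirect-gateway" is useless without ip_forward=1
forwarding_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# nat_rules SUBNET IFACE: the iptables rules that let redirect-gateway clients
# on the tun0 subnet reach the outside through IFACE (printed, not applied).
nat_rules() {
  printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
  printf 'iptables -A FORWARD -i tun0 -o %s -s %s -j ACCEPT\n' "$2" "$1"
  printf 'iptables -A FORWARD -i %s -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$2"
}

if [ "${1:-}" = "check" ]; then
  check_pki "${KEYS:-/etc/openvpn/easy-rsa/keys}" || exit 1
  forwarding_enabled \
    || echo "net.ipv4.ip_forward is 0: set it to 1 in /etc/sysctl.conf and run sysctl -p"
  echo "NAT rules to apply (review, then pipe into sh):"
  nat_rules "${SUBNET:-10.8.0.0/24}" "${IFACE:-eth0}"
fi
```

The modulus comparison catches the common mistake of pointing server.conf at a key that belongs to a different certificate (the daemon would fail at startup with a less obvious error), and the permission check matters because ta.key is the shared HMAC secret that tls-auth depends on.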