OpenVPN服务搭建与管理

撸了今年阿里、头条和美团的面试，我有一个重要发现.......>>>

引言：

       本文利用OpenVPN搭建VPN服务，并利用pam_sqlite3插件实现用户认证；通过openvpn_web进行用户管理与日志系统。

一、安装OpenVPN服务

基础环境：

服务端： CentOS 7.6

客户端：Windows 7

OpenVPN: openvpn-2.4.7 (https://github.com/OpenVPN/openvpn)

easy-rsa：easy-rsa 3.0.6 (https://github.com/OpenVPN/easy-rsa)

OpenVPN GUI: openvpn gui (https:///lang13002/openvpn-portable)

1.1 安装openvpn

    安装依赖包

# yum install lz4-devel lzo-devel pam-devel openssl-devel systemd-devel sqlite-devel

    从github上下载openvpn源代码包并解压

# wget https://github.com/OpenVPN/openvpn/archive/v2.4.7.tar.gz# tar -xvf v2.4.7.tar.gz

    编译openvpn并安装

# cd openvpn-2.4.7# ./configure --prefix=/usr/local/openvpn --enable-lzo --enable-lz4 --enable-crypto --enable-server --enable-plugins --enable-port-share --enable-iproute2 --enable-pf --enable-plugin-auth-pam --enable-pam-dlopen --enable-systemd# make && make install

    参照sample/sample-config-files/server.conf文件生成配置文件

# vim /etc/openvpn/server/server.conf

port 1194proto tcp-server;proto udpdev tuntopology subnetca /etc/openvpn/server/ca.crtcert /etc/openvpn/server/server.crtkey /etc/openvpn/server/server.keydh /etc/openvpn/server/dh.pemtls-auth /etc/openvpn/server/ta.key 0user nobodygroup nobodyserver 10.8.0.0 255.255.255.0;ifconfig-pool-persist ipp.txt;push 'redirect-gateway def1 bypass-dhcp'push 'dhcp-option DNS 114.114.114.114'push 'route 192.168.133.0 255.255.255.0'push 'route-gateway 10.200.227.114';client-to-clientkeepalive 10 120comp-lzocompress 'lz4'persist-keypersist-tuncipher AES-256-CBCstatus /var/log/openvpn-status.loglog /var/log/openvpn.logverb 3

    配置系统服务

# cp distro/systemd/openvpn-server@.service /usr/lib/systemd/system/# systemctl enable openvpn

1.2 生成证书

    下载easy-rsa3并解压

# wget https://github.com/OpenVPN/easy-rsa/archive/v3.0.6.tar.gz# tar -xvf v3.0.6.tar.gz

    根据easy-rsa-3.0.6/easyrsa3/vars.example文件生成全局配置文件vars

# cd easy-rsa-3.0.6/easyrsa3/# cp vars.samples vars

     修改vars文件，根据需要去掉注释，并修改对应值

set_var EASYRSA_REQ_COUNTRY 'CN'set_var EASYRSA_REQ_PROVINCE 'HUBEI'set_var EASYRSA_REQ_CITY 'WUHAN'set_var EASYRSA_REQ_ORG 'ZJ'set_var EASYRSA_REQ_EMAIL 'zj@test.com'set_var EASYRSA_REQ_OU 'ZJ'set_var EASYRSA_KEY_SIZE 2048set_var EASYRSA_ALGO rsa

     生成服务端证书

# ./easyrsa init-pki    # 初始化，生成一系列文件与目录# ./easyrsa build-ca    # 生成根证书，记住ca密码# ./easyrsa build-server-full server nopass # 生成服务端证书，nopass参数生成一个无密码的证书# ./easyrsa gen-dh      # 生成Diffie-Hellman

    生成客户端证书

# ./easy-rsa build-client-full client1 nopass

注：可生成client1, client2, client3或对应姓名的客户端证书

     整理服务端证书

# cp pki/ca.crt /etc/openvpn/server/# cp pki/private/server.key /etc/openvpn/server/# cp pki/issued/server.crt /etc/openvpn/server/# cp pki/dh.pem /etc/openvpn/server/

1.3 开启路由转发功能与防火墙

# 路由转发# vim /etc/sysctl.confnet.ipv4.ip_forward = 1# 临时启用# echo 1 > /proc/sys/net/ipv4/ip_forward# 防火墙# firewall-cmd --zone=public --add-service=openvpn

二、添加SQLite认证

    下载pam_sqlite3并安装

# git clone https:///lang13002/pam_sqlite3.git# cd pam_sqlite3# make && make install

    添加pam认证文件

# vim /etc/pam.d/openvpnauth        required    pam_sqlite3.so db=/etc/openvpn/openvpn.db table=t_user user=username passwd=password active=1 expire=expire crypt=1account     required    pam_sqlite3.so db=/etc/openvpn/openvpn.db table=t_user user=username passwd=password active=1 expire=expire crypt=1

    创建sqlite3数据库文件

# sqlite3 /etc/openvpn/openvpn.dbsqlite> create table t_user ( username text not null, password text not null, active int, expire text);sqlite> .quit

    在服务端配置添加认证插件

verify-client-cert noneusername-as-common-nameplugin /usr/local/openvpn/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

三、客户端配置

3.1 下载客户端程序：

     从https:///lang13002/openvpn-portable/repository/archive/v1.0下载程序，并安装网卡驱动；

3.2 安装驱动： 

     运行openvpn-portable/tap-windows.exe

3.3 设置客户端证书

     将上面生成的ca.crt, client1.crt, client1.key放到openvpn-portable的data/config下，并修改客户端配置

ca ca.crtcert client1.crtkey client1.keyremote-cert-tls serverauth-user-passauth-nocache

注：当有多个客户端时，有多个文件(ca.crt, client1.crt, client1.key, client.ovpn)需要分发给客户，势必会很麻烦；可以将证书嵌入到客户端配置文件中； ;ca ca.crt         // 将这行注释掉;cert client.crt   // 将这行注释掉;key client.key    // 将这行注释掉 <ca>-----BEGIN CERTIFICATE-----MIIDGDCCAgCgAwIBAgIJAI9Ld4PlKEiOMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV....OCeTQvQ4WhyIvVgURV3ITcAKYFKUQ1sPbpjuZg==-----END CERTIFICATE---</ca><cert>-----BEGIN CERTIFICATE-----MIIDODCCAiCgAwIBAgIRAIZoEQ5PvHDs9xpTLMP3RqMwDQYJKoZIhvcNAQELBQAw......nCpzC3l8sVezxk2r-----END CERTIFICATE-----</cert> <key>-----BEGIN PRIVATE KEY-----MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDw1iq3HBe1otCU......ullaNc6mu3N/wTPZoQhDOKAO-----END PRIVATE KEY-----</key>

四. 连接VPN

    启动openvpn服务

# systemctl start openvpn

    启动openvpn-porable

五、OpenVPN用户管理与日志

5.1 安装依赖

# pip2 install peewee tornado

5.2 下载openvpn-web

# git clone https:///lang13002/openvpn_web.git

5.3 创建相应的数据库表

# sqlite3 /etc/openvpn/openvpn.dbsqlite> .import openvpn_web/model/openvpn.sql

5.4 OpenVPN运行脚本写日志

     服务端配置添加运行脚本   

script-security 2client-connect /etc/openvpn/server/connect.pyclient-disconnect /etc/openvpn/server/disconnect.py

    connect.py

#!/usr/bin/pythonimport osimport timeimport sqlite3username = os.environ['common_name']trusted_ip = os.environ['trusted_ip']trusted_port = os.environ['trusted_port']local = os.environ['ifconfig_local']remote = os.environ['ifconfig_pool_remote_ip']timeunix= os.environ['time_unix']logintime = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(time.time()))conn = sqlite3.connect('/etc/openvpn/openvpn.db')cursor = conn.cursor()query = 'insert into t_logs(username, timeunix, trusted_ip, trusted_port, local, remote, logintime) values('%s','%s', '%s', '%s', '%s', '%s', '%s')' %  (username, timeunix, trusted_ip, trusted_port, local, remote, logintime)cursor.execute(query)conn.commit()conn.close()

5.5 启动服务

# python myapp.py

5.6 管理界面