Introduction: this article sets up a VPN service with OpenVPN, uses the pam_sqlite3 plugin for user authentication, and uses openvpn_web for user management and logging.

1. Installing the OpenVPN server base environment

Server: CentOS 7.6
Client: Windows 7
OpenVPN: openvpn-2.4.7 (https://github.com/OpenVPN/openvpn)
easy-rsa: easy-rsa 3.0.6 (https://github.com/OpenVPN/easy-rsa)
OpenVPN GUI: openvpn gui (https:///lang13002/openvpn-portable)

1.1 Installing OpenVPN

Install the build dependencies:

```shell
# yum install lz4-devel lzo-devel pam-devel openssl-devel systemd-devel sqlite-devel
```

Download the openvpn source package from GitHub and extract it, then compile and install openvpn:

```shell
# cd openvpn-2.4.7
# ./configure --prefix=/usr/local/openvpn --enable-lzo --enable-lz4 --enable-crypto --enable-server --enable-plugins --enable-port-share --enable-iproute2 --enable-pf --enable-plugin-auth-pam --enable-pam-dlopen --enable-systemd
# make && make install
```

Create the server configuration file, using sample/sample-config-files/server.conf as a reference (lines beginning with ";" are commented out):

```
port 1194
proto tcp-server
;proto udp
dev tun
topology subnet
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
tls-auth /etc/openvpn/server/ta.key 0
user nobody
group nobody
server 10.8.0.0 255.255.255.0
;ifconfig-pool-persist ipp.txt
;push 'redirect-gateway def1 bypass-dhcp'
push 'dhcp-option DNS 114.114.114.114'
push 'route 192.168.133.0 255.255.255.0'
push 'route-gateway 10.200.227.114'
;client-to-client
keepalive 10 120
comp-lzo
compress 'lz4'
persist-key
persist-tun
cipher AES-256-CBC
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
```

Note that `user nobody` / `group nobody` together with `persist-key` / `persist-tun` let the daemon drop root after start-up while still being able to restart tunnels; `tls-auth ... 0` requires every client to present the matching static key (direction 1) before a TLS handshake is even attempted.

Configure the system service.

1.2 Generating certificates

Download easy-rsa 3 and extract it:

```shell
# wget https://github.com/OpenVPN/easy-rsa/archive/v3.0.6.tar.gz
# tar -xvf v3.0.6.tar.gz
```

Create the global configuration file vars from easy-rsa-3.0.6/easyrsa3/vars.example. Edit the vars file, uncommenting the lines you need and adjusting the values:

```
set_var EASYRSA_REQ_COUNTRY 'CN'
set_var EASYRSA_REQ_PROVINCE 'HUBEI'
set_var EASYRSA_REQ_CITY 'WUHAN'
set_var EASYRSA_REQ_ORG 'ZJ'
set_var EASYRSA_REQ_EMAIL 'zj@test.com'
set_var EASYRSA_REQ_OU 'ZJ'
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
```

Generate the server certificate.

Generate the client certificates (the easy-rsa 3 script is named `easyrsa`):

```shell
# ./easyrsa build-client-full client1 nopass
```

Note: you can generate client1, client2, client3, or client certificates named after the individual users. `nopass` writes the client's private key unencrypted, so the generated files must be handled and distributed accordingly.

Collect the server certificates:

```shell
# cp pki/ca.crt /etc/openvpn/server/
# cp pki/private/server.key /etc/openvpn/server/
# cp pki/issued/server.crt /etc/openvpn/server/
# cp pki/dh.pem /etc/openvpn/server/
```

1.3 Enabling IP forwarding and the firewall

2. Adding SQLite authentication

Download and install pam_sqlite3:

```shell
# git clone https:///lang13002/pam_sqlite3.git
# cd pam_sqlite3
# make && make install
```

Add the PAM authentication file.

Create the sqlite3 database file:

```
# sqlite3 /etc/openvpn/openvpn.db
sqlite> create table t_user ( username text not null, password text not null, active int, expire text);
sqlite> .quit
```

Add the authentication plugin to the server configuration.

3. Client configuration

3.1 Downloading the client program: download the program from https:///lang13002/openvpn-portable/repository/archive/v1.0 and install the network adapter driver.

3.2 Installing the driver: run openvpn-portable/tap-windows.exe.

3.3 Setting up the client certificates: place the ca.crt, client1.crt and client1.key generated above under openvpn-portable's data/config directory and edit the client configuration:

```
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
auth-user-pass
auth-nocache
```

`remote-cert-tls server` makes the client verify that the server certificate carries the server key usage, which stops one client certificate from impersonating the server; `auth-nocache` keeps the username/password out of the client's memory after the handshake.

Note: with many clients, several files (ca.crt, client1.crt, client1.key, client.ovpn) have to be distributed to each user, which is cumbersome; the certificates can instead be embedded in the client configuration file.

4. Connecting to the VPN

Start the openvpn service:

```shell
# systemctl start openvpn
```

Start openvpn-portable.

5. OpenVPN user management and logging

5.1 Installing dependencies

5.2 Downloading openvpn_web

```shell
# git clone https:///lang13002/openvpn_web.git
```

5.3 Creating the corresponding database tables

5.4 Writing logs from OpenVPN hook scripts

Add the hook scripts to the server configuration:

```
script-security 2
client-connect /etc/openvpn/server/connect.py
client-disconnect /etc/openvpn/server/disconnect.py
```

`script-security 2` is the level that permits OpenVPN to run external scripts; the client-connect script runs with the session details in its environment, and a non-zero exit status from it rejects the client.

connect.py

5.5 Starting the service

```shell
# python myapp.py
```

5.6 Management interface
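The t_user table created in section 2 carries an `active` flag and an `expire` column besides the password, so an authenticator has three things to check, not one. The following is an added example (Python 3, not code from the original post or from pam_sqlite3) that manages that table and applies all three checks. The password-hash format is an assumption: the page does not show which format the pam_sqlite3 build expects, so PBKDF2-SHA256 is used as a stand-in, and `expire` is assumed to hold ISO dates (YYYY-MM-DD).

```python
# Added example: maintain the t_user table from section 2 and verify a login
# the way the PAM module must (password + active flag + expiry date).
# Assumption: PBKDF2-SHA256 stands in for whatever hash format pam_sqlite3 expects.
import hashlib
import hmac
import os
import sqlite3
from datetime import date

# Same schema as the sqlite3 session on the page, with "if not exists" added.
SCHEMA = ("create table if not exists t_user ("
          " username text not null, password text not null, active int, expire text)")


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def hash_password(password, salt=None, rounds=100000):
    """Salted PBKDF2-SHA256, stored as algo$rounds$salt$hash (assumed format)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (rounds, salt.hex(), dk.hex())


def verify_password(password, stored):
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare


def add_user(conn, username, password, expire, active=1):
    conn.execute("insert into t_user (username, password, active, expire)"
                 " values (?, ?, ?, ?)",
                 (username, hash_password(password), active, expire))
    conn.commit()


def disable_user(conn, username):
    """Lock an account without deleting it (keeps its history in the logs)."""
    conn.execute("update t_user set active = 0 where username = ?", (username,))
    conn.commit()


def authenticate(conn, username, password, today=None):
    """True only if the user exists, the password verifies, active == 1 and
    the expiry date has not passed. The reason for failure is deliberately
    not reported, as a PAM module would only return PAM_AUTH_ERR."""
    today = today or date.today().isoformat()
    row = conn.execute("select password, active, expire from t_user"
                       " where username = ?", (username,)).fetchone()
    if row is None:
        hash_password(password)  # spend the same time for unknown users
        return False
    stored, active, expire = row
    return verify_password(password, stored) and active == 1 and expire >= today


if __name__ == "__main__":
    db = open_db()  # constructed in-memory data; use /etc/openvpn/openvpn.db in practice
    add_user(db, "client1", "s3cret", "2030-12-31")
    add_user(db, "client2", "old-pass", "2019-01-01")
    print(authenticate(db, "client1", "s3cret", today="2025-06-01"))    # True
    print(authenticate(db, "client2", "old-pass", today="2025-06-01"))  # False: expired
```

Parameterised queries are used throughout so that a username typed into the VPN login prompt can never alter the SQL; the lookup also burns a hash computation for unknown usernames so that timing does not reveal which accounts exist.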
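Section 3.3 notes that the certificates can be embedded in the client configuration so that only one file has to be handed to each user. OpenVPN's inline syntax wraps each PEM file in `<ca>`, `<cert>`, `<key>` and `<tls-auth>` tags, with `key-direction 1` replacing the second argument of `tls-auth` on the client side (the server uses direction 0 on this page). The following added example (Python 3, not part of the original post or of openvpn-portable) assembles such a profile from the files easy-rsa produced and can parse a profile back to check what it contains. The server name `vpn.example.com`, the non-certificate client options and the PEM contents in the block are constructed placeholders, chosen to match the server configuration in section 1.1 (`proto tcp-server`, `cipher AES-256-CBC`, lz4 compression).

```python
# Added example: build one self-contained client .ovpn with inline certificates.
# Assumptions: the remote host, the client options other than the ones shown on the
# page, and the PEM placeholders below are constructed for this example.
import os
import re
import sys

CLIENT_TEMPLATE = """client
dev tun
proto tcp-client
remote {remote} 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
compress lz4
auth-user-pass
auth-nocache
key-direction 1
verb 3
"""

# Constructed placeholders standing in for the real files produced by easy-rsa.
FAKE_CA = "-----BEGIN CERTIFICATE-----\nQ0EgcGxhY2Vob2xkZXI=\n-----END CERTIFICATE-----"
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nY2xpZW50MSBwbGFjZWhvbGRlcg==\n-----END CERTIFICATE-----"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nY2xpZW50MSBrZXkgcGxhY2Vob2xkZXI=\n-----END PRIVATE KEY-----"
FAKE_TA = "-----BEGIN OpenVPN Static key V1-----\n0123456789abcdef\n-----END OpenVPN Static key V1-----"


def inline_block(tag, pem):
    """Wrap a PEM body in OpenVPN's <tag>...</tag> inline syntax."""
    return "<%s>\n%s\n</%s>\n" % (tag, pem.strip(), tag)


def build_ovpn(remote, ca_pem, cert_pem, key_pem, ta_pem):
    cfg = CLIENT_TEMPLATE.format(remote=remote)
    cfg += inline_block("ca", ca_pem)
    cfg += inline_block("cert", cert_pem)
    cfg += inline_block("key", key_pem)
    cfg += inline_block("tls-auth", ta_pem)  # direction comes from key-direction 1
    return cfg


def parse_inline(cfg):
    """Return {tag: body} for every inline block; handy for checking that a
    profile about to be distributed contains exactly the expected material."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"<([a-z-]+)>\n(.*?)\n</\1>", cfg, re.S)}


def write_profile(path, cfg):
    """Write the profile with owner-only permissions: it contains a private key."""
    with open(path, "w") as f:
        f.write(cfg)
    os.chmod(path, 0o600)


if __name__ == "__main__":
    # usage: python build_ovpn.py <dir with ca.crt client1.crt client1.key ta.key> <remote> <out.ovpn>
    src, remote, out = sys.argv[1], sys.argv[2], sys.argv[3]
    read = lambda name: open(os.path.join(src, name)).read()
    profile = build_ovpn(remote, read("ca.crt"), read("client1.crt"),
                         read("client1.key"), read("ta.key"))
    write_profile(out, profile)
    print("wrote %s with inline blocks: %s" % (out, sorted(parse_inline(profile))))
```

Because the resulting .ovpn carries the user's private key and the shared tls-auth key, it deserves the same handling as client1.key itself: one profile per user, written with restrictive permissions, and revoked on the CA when that user leaves rather than reused.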
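Section 5.4 registers connect.py and disconnect.py as hook scripts but the page does not show their contents. The following added example (Python 3, not the post's own connect.py or disconnect.py and not openvpn_web's code) is one script that can be installed under both names: OpenVPN sets `script_type` to `client-connect` or `client-disconnect` and passes the session facts as environment variables (`common_name`, `trusted_ip`, `ifconfig_pool_remote_ip`, `time_unix`, and on disconnect `time_duration`, `bytes_received`, `bytes_sent`), which the script records in SQLite. The `t_session` table is constructed for this example; the page does not show openvpn_web's own log schema, so the script is assumed to write into the same openvpn.db file as section 2.

```python
#!/usr/bin/env python3
# Added example: a client-connect / client-disconnect hook that logs VPN sessions
# to SQLite. Assumptions: the t_session table is constructed for this example and the
# database path matches the file created in section 2 of the page.
import os
import sqlite3
import sys

DB_PATH = "/etc/openvpn/openvpn.db"

SCHEMA = """create table if not exists t_session (
    id integer primary key,
    common_name text not null,
    trusted_ip text,
    vpn_ip text,
    connect_time integer,
    disconnect_time integer,
    bytes_received integer,
    bytes_sent integer)"""


def open_db(path):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def record_connect(conn, env):
    """Open a session row from the variables OpenVPN exports before client-connect."""
    conn.execute("insert into t_session (common_name, trusted_ip, vpn_ip, connect_time)"
                 " values (?, ?, ?, ?)",
                 (env["common_name"], env.get("trusted_ip"),
                  env.get("ifconfig_pool_remote_ip"), int(env.get("time_unix", 0))))
    conn.commit()


def record_disconnect(conn, env):
    """Close the newest open row for this common name. time_unix is the connection
    timestamp and time_duration the session length, so their sum is the end time.
    With duplicate-cn several rows can be open at once; only the newest is closed."""
    end = int(env.get("time_unix", 0)) + int(env.get("time_duration", 0))
    cur = conn.execute(
        "update t_session set disconnect_time = ?, bytes_received = ?, bytes_sent = ?"
        " where id = (select id from t_session where common_name = ?"
        " and disconnect_time is null order by id desc limit 1)",
        (end, int(env.get("bytes_received", 0)), int(env.get("bytes_sent", 0)),
         env["common_name"]))
    conn.commit()
    return cur.rowcount  # 0 means a disconnect arrived without a matching connect


def open_sessions(conn):
    """Common names that currently have a session without a disconnect record."""
    return [r[0] for r in conn.execute(
        "select common_name from t_session where disconnect_time is null")]


def handle(env, conn):
    """Dispatch on script_type; returns the process exit status."""
    script_type = env.get("script_type")
    if script_type == "client-connect":
        record_connect(conn, env)
    elif script_type == "client-disconnect":
        record_disconnect(conn, env)
    else:
        return 1
    return 0


if __name__ == "__main__":
    # A non-zero exit status from a client-connect script rejects the client, so a
    # logging failure is reported on stderr but does not itself refuse the connection.
    try:
        status = handle(os.environ, open_db(DB_PATH))
    except Exception as exc:  # e.g. database locked or unwritable
        sys.stderr.write("session logging failed: %s\n" % exc)
        status = 0
    sys.exit(status)
```

Install the same file as both /etc/openvpn/server/connect.py and /etc/openvpn/server/disconnect.py (or symlink one to the other), mark it executable, and make sure the database is writable by the `nobody` account the server drops to, since hooks run with the daemon's privileges after `user nobody` takes effect.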
From: 难得糊涂lwkc31 > 《智慧水务》