
OpenVPN + MySQL password authentication


I. Installation environment

Make sure the system environment is correct first. This matters: more than once, after a long troubleshooting session, the root cause turned out to be one of the items below.

1. Run the following checks

[root@VPN ~]# cat /etc/redhat-release         # distribution release
CentOS release 6.5 (Final)
[root@VPN ~]# uname -rm                       # architecture and kernel
2.6.32-431.el6.x86_64 x86_64
[root@VPN ~]# getenforce                      # SELinux is off
Disabled
[root@VPN ~]# iptables -L -n                  # firewall has no rules
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@VPN ~]# date                            # clock is correct
Wed Oct 18 14:54:28 CST 2017

2. Install the EPEL repository; some of the packages used below are not in the default yum repositories

[root@VPN ~]# yum install epel-release -y

3. Set ip_forward=1

[root@VPN ~]# echo 1 > /proc/sys/net/ipv4/ip_forward              # takes effect immediately, lost on reboot
[root@VPN ~]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf    # persistent across reboots
[root@VPN ~]# cat /proc/sys/net/ipv4/ip_forward
1

II. Configure MySQL

1. Install the MySQL service

[root@VPN ~]# yum install mysql mysql-server -y
[root@VPN ~]# service mysqld start
[root@VPN ~]# chkconfig mysqld on

2. Create the database and table for OpenVPN

[root@VPN ~]# mysql -e "CREATE DATABASE IF NOT EXISTS openvpn DEFAULT CHARSET utf8;"       # create the database
[root@VPN ~]# mysql -e "GRANT ALL PRIVILEGES ON openvpn.* TO vpn@'localhost' IDENTIFIED BY 'vpn123456';"     # create the account pam_mysql will connect with
[root@VPN ~]# mysql openvpn -e "CREATE TABLE IF NOT EXISTS user (username char(32) COLLATE utf8_unicode_ci NOT NULL,password char(128) COLLATE utf8_unicode_ci DEFAULT NULL,active int(10) NOT NULL DEFAULT 1,creation timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,expired_time timestamp NOT NULL DEFAULT '0000-00-00 00:00:00', PRIMARY KEY (username)) DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;"  # create the user table
[root@VPN ~]# mysql openvpn -e "INSERT INTO user(username, password, expired_time) VALUES('test', ENCRYPT('123456'), DATE_ADD(CURRENT_TIMESTAMP, INTERVAL 30 DAY));"   # insert a test user

Verify that the vpn account can log in and that the database and table were created successfully.

III. Install and configure pam_mysql

1. Install the required packages

[root@VPN ~]# yum install pam_mysql pam_krb5 pam pam_devel -y
[root@VPN ~]# service saslauthd start
[root@VPN ~]# chkconfig saslauthd on

2. Integrate MySQL with PAM

[root@VPN ~]# cat >/etc/pam.d/openvpn <<EOF
> auth sufficient /lib64/security/pam_mysql.so user=vpn passwd=vpn123456 host=localhost db=openvpn table=user usercolumn=username passwdcolumn=password where=active=1 sqllog=0 crypt=1
> account required /lib64/security/pam_mysql.so user=vpn passwd=vpn123456 host=localhost db=openvpn table=user usercolumn=username passwdcolumn=password where=active=1 sqllog=0 crypt=1 
> #crypt(0) -- Used to decide to use MySQLs PASSWORD() function or crypt()  
> #0 = No encryption. Passwords in database in plaintext. NOT recommended!  
> #1 = Use crypt  
> #2 = Use MySQL PASSWORD() function
> EOF
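The accept/reject decision that the user table from section II and the pam_mysql stanza above produce together, as an added example (my own Python, not code from the post or from pam_mysql). It implements the two hashed formats the option comments describe: crypt=1 is verified through the system crypt(3), which Python exposes as the crypt module (removed in Python 3.13, so it is optional here), and crypt=2, MySQL's PASSWORD(), is '*' followed by SHA1(SHA1(pw)) in upper-case hex, implemented with hashlib. The sample rows are constructed and use the crypt=2 format so the check runs without a crypt binding. The function also makes one caveat visible: the where=active=1 clause never looks at expired_time, so the 30-day expiry inserted in section II is not enforced by this configuration; the enforce_expiry flag shows what adding that condition would change.

```python
"""Model of the decision pam_mysql makes with the stanza above.

Added example, not part of the original post or of pam_mysql. Rows are
constructed; they mirror the columns of the page's `user` table.
"""
import hashlib
from datetime import datetime, timedelta

try:
    import crypt  # stdlib wrapper for crypt(3); absent from Python 3.13 onwards
except ImportError:
    crypt = None


def mysql_password(plaintext):
    """MySQL 4.1+ PASSWORD(): '*' + SHA1(SHA1(pw)) as upper-case hex (crypt=2)."""
    inner = hashlib.sha1(plaintext.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def password_matches(stored, candidate, crypt_mode):
    """Compare candidate with the stored column the way crypt=<mode> selects."""
    if crypt_mode == 0:          # plaintext column; the option comment says not recommended
        return stored == candidate
    if crypt_mode == 1:          # crypt(3): re-hash using the stored value as the salt
        if crypt is None:
            raise RuntimeError("crypt(3) is unavailable in this Python build")
        return crypt.crypt(candidate, stored) == stored
    if crypt_mode == 2:          # MySQL PASSWORD()
        return stored == mysql_password(candidate)
    raise ValueError("unknown crypt mode %r" % (crypt_mode,))


def pam_mysql_decision(row, candidate, crypt_mode, enforce_expiry=False, now=None):
    """Return (accepted, reason).

    enforce_expiry=False mirrors the page's where=active=1: only `active`
    gates the row and expired_time is ignored. enforce_expiry=True adds the
    expiry condition the page's clause lacks.
    """
    now = now or datetime.now()
    if row["active"] != 1:
        return False, "inactive"          # filtered out by the where clause
    if enforce_expiry and row["expired_time"] <= now:
        return False, "expired"
    if not password_matches(row["password"], candidate, crypt_mode):
        return False, "bad password"
    return True, "ok"


# Constructed sample rows (not real credentials), stored in crypt=2 format.
NOW = datetime(2017, 10, 18, 14, 54, 28)
SAMPLE_ROWS = {
    "test":     {"active": 1, "password": mysql_password("123456"),
                 "expired_time": NOW + timedelta(days=30)},
    "expired":  {"active": 1, "password": mysql_password("123456"),
                 "expired_time": NOW - timedelta(days=1)},
    "disabled": {"active": 0, "password": mysql_password("123456"),
                 "expired_time": NOW + timedelta(days=30)},
}

if __name__ == "__main__":
    for name, row in SAMPLE_ROWS.items():
        print(name,
              pam_mysql_decision(row, "123456", 2, now=NOW),
              pam_mysql_decision(row, "123456", 2, enforce_expiry=True, now=NOW))
```

Running it shows the "expired" row accepted under the page's clause and rejected only with enforce_expiry. To enforce expiry in the real stanza the where= option has to carry the extra condition; because the value contains spaces, Linux-PAM's bracket quoting ([where=active=1 AND expired_time>NOW()]) keeps it one argument. Note also that MySQL's ENCRYPT(), used for the test user in section II, hands the password to the system crypt() with a two-character salt, which on glibc is traditional DES crypt and uses only the first eight characters of the password.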

3. Test authentication

[root@VPN ~]# testsaslauthd -u test -p 123456 -s openvpn
0: OK "Success."

IV. Install and configure OpenVPN

1. Install OpenVPN

[root@VPN ~]# yum install openvpn -y
[root@VPN ~]# rpm -qa openvpn
openvpn-2.4.4-1.el6.x86_64

2. Build openvpn-auth-pam

openvpn-auth-pam is the plugin through which OpenVPN authenticates against PAM; it has to be built from the OpenVPN source tree.

Building it from the 2.4.4 source ran into some problems, so the 2.0.9 source is used here.

[root@VPN ~]# yum install pam-devel gcc gcc-c++ -y
[root@VPN tools]# wget http://swupdate.openvpn.org/community/releases/openvpn-2.0.9.tar.gz
[root@VPN tools]# tar xf openvpn-2.0.9.tar.gz     
[root@VPN tools]# cd openvpn-2.0.9/plugin/auth-pam/
[root@VPN auth-pam]# make
[root@VPN auth-pam]# cp openvpn-auth-pam.so /etc/openvpn/

3. Generate certificates

An earlier OpenVPN 2.3 installation used easy-rsa 2.0; this time the certificates generated by 2.0 could not be used, so version 3.0 is used instead.

A. Install the latest easy-rsa

[root@VPN tools]# wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
[root@VPN tools]# unzip master.zip 
[root@VPN tools]# cd easy-rsa-master/easyrsa3/

B. Edit the vars file and change the following

[root@VPN easyrsa3]# cp vars.example vars
[root@VPN easyrsa3]# cat vars
....................
set_var EASYRSA_REQ_COUNTRY     "CN"
set_var EASYRSA_REQ_PROVINCE    "SH"
set_var EASYRSA_REQ_CITY        "Shanghai"
set_var EASYRSA_REQ_ORG         "*******"
set_var EASYRSA_REQ_EMAIL       "[email protected]"
set_var EASYRSA_REQ_OU          "Technology department"
....................

C. Create the certificates

[root@VPN easyrsa3]# ./easyrsa init-pki                                                                       # initialise the PKI directory

[root@VPN easyrsa3]# ./easyrsa build-ca                                                                       # create the CA (root) certificate

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.................................+++
........................................................+++
writing new private key to /home/tools/easy-rsa-master/easyrsa3/pki/private/ca.key.U85ncy7Ntq
Enter PEM pass phrase:                                                                                      # choose a passphrase
Verifying - Enter PEM pass phrase:                                                                          # enter it again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:vpn

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/home/tools/easy-rsa-master/easyrsa3/pki/ca.crt                                                             # where ca.crt is stored

[root@VPN easyrsa3]# ./easyrsa gen-req server nopass                                                        # create the server key and certificate request

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..............+++
.....................+++
writing new private key to /home/tools/easy-rsa-master/easyrsa3/pki/private/server.key.6aqcr3DcFu
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:                                                 # just press Enter
Keypair and certificate request completed. Your files are:
req: /home/tools/easy-rsa-master/easyrsa3/pki/reqs/server.req
key: /home/tools/easy-rsa-master/easyrsa3/pki/private/server.key                                            # where the key is stored

[root@VPN easyrsa3]# ./easyrsa sign server server                                                           # sign the server certificate

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server


Type the word yes to continue, or any other input to abort.
  Confirm request details: yes                                                                              # type yes
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /home/tools/easy-rsa-master/easyrsa3/pki/private/ca.key:                              # the same passphrase chosen for the CA above
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
commonName            :PRINTABLE:server
Certificate is to be certified until Oct 16 08:38:07 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /home/tools/easy-rsa-master/easyrsa3/pki/issued/server.crt                           # where the certificate is stored

[root@VPN easyrsa3]# ./easyrsa gen-dh     # generate Diffie-Hellman parameters

Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...................................+.........................................................................................................................+........................+................................+................+...................................................................+................+....................+........................................+..........................+.......+...........+.........................................+..+............................................................................................................++*++*

DH parameters of size 2048 created at /home/tools/easy-rsa-master/easyrsa3/pki/dh.pem                         # where dh.pem is stored

Copy ca.crt, server.crt, server.key and dh.pem into /etc/openvpn/keys

[root@VPN easyrsa3]# cd pki/
[root@VPN pki]# mkdir /etc/openvpn/keys
[root@VPN pki]# cp ca.crt /etc/openvpn/keys/
[root@VPN pki]# cp issued/server.crt /etc/openvpn/keys/
[root@VPN pki]# cp private/server.key /etc/openvpn/keys/
[root@VPN pki]# cp dh.pem /etc/openvpn/keys/

4. Configure OpenVPN

Create the server configuration file

[root@VPN pki]# mkdir /var/log/openvpn       # log directory
[root@VPN openvpn]# cat server.conf 
local 172.16.8.205
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key 
dh keys/dh.pem
server 10.8.0.0 255.255.255.0
push "route 172.16.8.0 255.255.255.0"  
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 20 60
cipher AES-128-CBC
max-clients 2048
persist-key
persist-tun
plugin /etc/openvpn/openvpn-auth-pam.so openvpn
verify-client-cert none
username-as-common-name
status openvpn-status.log
log         /var/log/openvpn/openvpn.log
script-security 3 
verb 3

Start the OpenVPN service

[root@VPN keys]# service openvpn restart
Shutting down openvpn:                                     [  OK  ]
Starting openvpn:                                          [  OK  ]

V. Test OpenVPN

Create the client configuration file

[root@centos6-base openvpn]# cat client.conf 
client
dev tun
proto tcp
remote 172.16.8.205 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
ns-cert-type server
;tls-auth ta.key 1
verb 3
cipher AES-128-CBC
auth-user-pass
script-security 3

Copy the ca.crt generated on the server into the same directory as client.conf; on Windows, rename client.conf to client.ovpn.

References: http://blog.csdn.net/shgh_2004/article/details/53170338

http://blog.csdn.net/zhemeban/article/details/69665985
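A small audit of the server.conf from section IV and the client.conf above, as an added example (my own Python, not code from the post or from OpenVPN). The two configuration texts are copied from the page; the findings restate OpenVPN's own documented guidance for 2.4: tls-auth or tls-crypt adds an HMAC to control-channel packets, script-security 3 is described by the manual as potentially unsafe because it passes passwords to scripts through the environment, ns-cert-type is deprecated in favour of remote-cert-tls, and user/group make the daemon drop root after startup. With verify-client-cert none the password checked by pam_mysql is the only credential a client presents, which is the trade-off this setup makes deliberately; the audit just makes it explicit.

```python
# Audit of the page's server.conf and client.conf. Added example, not part of
# the original post or of OpenVPN. Findings restate the 2.4 manual's guidance.

SERVER_CONF = """\
local 172.16.8.205
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh.pem
server 10.8.0.0 255.255.255.0
push "route 172.16.8.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 20 60
cipher AES-128-CBC
max-clients 2048
persist-key
persist-tun
plugin /etc/openvpn/openvpn-auth-pam.so openvpn
verify-client-cert none
username-as-common-name
status openvpn-status.log
log /var/log/openvpn/openvpn.log
script-security 3
verb 3
"""

CLIENT_CONF = """\
client
dev tun
proto tcp
remote 172.16.8.205 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
ns-cert-type server
;tls-auth ta.key 1
verb 3
cipher AES-128-CBC
auth-user-pass
script-security 3
"""


def parse_conf(text):
    """Map each active directive to its arguments; ';' and '#' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts


def audit(text, role):
    """Return [(directive, finding), ...] for role 'server' or 'client'."""
    opts = parse_conf(text)
    findings = []
    if "tls-auth" not in opts and "tls-crypt" not in opts:
        findings.append(("tls-auth", "no tls-auth/tls-crypt: control-channel packets carry no HMAC"))
    level = opts.get("script-security", ["1"])[0]
    if level.isdigit() and int(level) >= 3:
        findings.append(("script-security", "level 3 passes passwords to scripts via the environment (manual: potentially unsafe); lower it unless a script needs it"))
    if role == "server":
        if opts.get("verify-client-cert", ["require"])[0] == "none":
            findings.append(("verify-client-cert", "clients present no certificate; the password is the only client credential"))
        if "user" not in opts or "group" not in opts:
            findings.append(("user", "no user/group: the daemon keeps root after startup; add 'user nobody' and 'group nobody'"))
        if "client-to-client" in opts:
            findings.append(("client-to-client", "clients can reach each other through the tunnel; remove if users should be isolated"))
    else:
        if "ns-cert-type" in opts:
            findings.append(("ns-cert-type", "deprecated in 2.4 and removed in 2.5; use 'remote-cert-tls server'"))
        if not any(k in opts for k in ("ns-cert-type", "remote-cert-tls", "verify-x509-name")):
            findings.append(("remote-cert-tls", "server certificate role is not checked; add 'remote-cert-tls server'"))
    return findings


def audit_page_configs():
    """Audit both configs from the page; return {role: [flagged directives]}."""
    return {role: [d for d, _ in audit(text, role)]
            for role, text in (("server", SERVER_CONF), ("client", CLIENT_CONF))}


if __name__ == "__main__":
    for role, text in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        for directive, finding in audit(text, role):
            print("%-6s %-18s %s" % (role, directive, finding))
```

The parser treats ';' and '#' lines as comments, so the commented-out `;tls-auth ta.key 1` in client.conf is correctly reported as absent; enabling tls-auth requires a matching `tls-auth ta.key 0` and the shared ta.key on the server side as well.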
