openvpn+mysql密碼認證
阿新 • • 發佈:2017-10-19
ces file completed iptable 安裝mysql ren upd color column
一、安裝環境
確保有一個正確的系統環境,這個很重要,有時候排錯時,折騰了許久,發現就是這些問題導致的
1、做以下檢查
[root@VPN ~]# cat /etc/redhat-release #系統發行版本 CentOS release 6.5 (Final) [root@VPN ~]# uname -rm #系統架構和內核情況 2.6.32-431.el6.x86_64 x86_64 [root@VPN ~]# getenforce #關閉SELinux Disabled [root@VPN~]# iptables -L -n #防火墻沒有數據 Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@VPN~]# date #時間正確 Wed Oct 18 14:54:28 CST 2017
2、安裝epel源,默認yum倉庫有些軟件包沒有
[root@VPN ~]# yum install epel-release -y
3、修改ip_forword=1
[root@VPN ~]# echo 1 > /proc/sys/net/ipv4/ip_forward #臨時更改 [root@VPN ~]# echo "net.ipv4.ip_forword=1" >>/etc/sysctl.conf #永久更改 [root@VPN~]# cat /proc/sys/net/ipv4/ip_forward 1
二、配置mysql
1、安裝mysql服務
[root@VPN ~]# yum install mysql mysql-server -y [root@VPN ~]# service mysqld start [root@VPN ~]# chkconfig mysqld on
2、為openvpn配置庫和表
[root@VPN ~]# mysql -e "CREATE DATABASE IF NOT EXISTS openvpn DEFAULT CHARSET utf8;" #建庫 [root@VPN ~]# mysql -e "GRANT ALL PRIVILEGES ON openvpn.* TO vpn@‘localhost‘ IDENTIFIED BY ‘vpn123456‘;" #建連接賬號 [root@VPN ~]# mysql openvpn -e "CREATE TABLE IF NOT EXISTS user (username char(32) COLLATE utf8_unicode_ci NOT NULL,password char(128) COLLATE utf8_unicode_ci DEFAULT NULL,active int(10) NOT NULL DEFAULT 1,creation timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,expired_time timestamp NOT NULL DEFAULT ‘0000-00-00 00:00:00‘, PRIMARY KEY (username)) DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;" #建用戶表 [root@VPN ~]# mysql openvpn -e "INSERT INTO user(username, password, expired_time) VALUES(‘test‘, ENCRYPT(‘123456‘), DATE_ADD(CURRENT_TIMESTAMP, INTERVAL 30 DAY));" #插入測試用戶
校驗vpn用戶否能登錄,庫和表是否創建成功。
三、安裝配置pam_mysql
1、安裝相關軟件包
[root@VPN ~]# yum install pam_mysql pam_krb5 pam pam_devel -y
[root@VPN ~]# service saslauthd start
[root@VPN ~]# chkconfig saslauthd on
2、整合mysql和pam
[root@VPN ~]# cat >/etc/pam.d/openvpn <<EOF > auth sufficient /lib64/security/pam_mysql.so user=vpn passwd=vpn123456 host=localhost db=openvpn table=user usercolumn=username passwdcolumn=password where=active=1 sqllog=0 crypt=1 > account required /lib64/security/pam_mysql.so user=vpn passwd=vpn123456 host=localhost db=openvpn table=user usercolumn=username passwdcolumn=password where=active=1 sqllog=0 crypt=1 > #crypt(0) -- Used to decide to use MySQL‘s PASSWORD() function or crypt() > #0 = No encryption. Passwords in database in plaintext. NOT recommended! > #1 = Use crypt > #2 = Use MySQL PASSWORD() function > EOF
3、測試認證
[root@VPN ~]# testsaslauthd -u test -p 123456 -s openvpn 0: OK "Success."
四、安裝配置openvpn
1、安裝openvpn
[root@VPN ~]# yum install openvpn -y [root@VPN ~]# rpm -qa openvpn openvpn-2.4.4-1.el6.x86_64
2、編譯openvpn-auth-pam
openvpn通過pam認證的一個插件,要下載openvpn源碼編譯;
安裝過程中2.4.4版本的openvpn出現了一點問題,這裏使用2.0.9版本
[root@VPN ~]# yum install pam-devel gcc gcc-c++ -y [root@VPN tools]# wget http://swupdate.openvpn.org/community/releases/openvpn-2.0.9.tar.gz [root@VPN tools]# tar xf openvpn-2.0.9.tar.gz [root@VPN tools]# cd openvpn-2.0.9/plugin/auth-pam/ [root@VPN auth-pam]# make [root@VPN auth-pam]# cp openvpn-auth-pam.so /etc/openvpn/
3、生產證書
以前安裝過openvpn2.3,使用的是easy-rsa 2.0,這次發現2.0生成的證書不能使用,改用3.0版本
A、安裝最新版本的easy-rsa
[root@VPN tools]# wget https://github.com/OpenVPN/easy-rsa/archive/master.zip [root@VPN tools]# unzip master.zip [root@VPN tools]# cd easy-rsa-master/easyrsa3/
B、編輯vars文件,修改以下內容
[root@VPN easyrsa3]# cp vars.example vars [root@VPN easyrsa3]# cat vars .................... set_var EASYRSA_REQ_COUNTRY "CN" set_var EASYRSA_REQ_PROVINCE "SH" set_var EASYRSA_REQ_CITY "Shanghai" set_var EASYRSA_REQ_ORG "*******" set_var EASYRSA_REQ_EMAIL "[email protected]" set_var EASYRSA_REQ_OU "Technology department" ....................
C、創建證書
[root@VPN easyrsa3]# ./easyrsa init-pki #初始化存儲目錄 [root@VPN easyrsa3]# ./easyrsa build-ca #創建根證書 Note: using Easy-RSA configuration from: ./vars Generating a 2048 bit RSA private key .................................+++ ........................................................+++ writing new private key to ‘/home/tools/easy-rsa-master/easyrsa3/pki/private/ca.key.U85ncy7Ntq‘ Enter PEM pass phrase: #提示輸入密碼 Verifying - Enter PEM pass phrase: #再次輸入密碼 ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]:vpn CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /home/tools/easy-rsa-master/easyrsa3/pki/ca.crt #ca.crt存儲位置 [root@VPN easyrsa3]# ./easyrsa gen-req server nopass #創建服務端證書 Note: using Easy-RSA configuration from: ./vars Generating a 2048 bit RSA private key ..............+++ .....................+++ writing new private key to ‘/home/tools/easy-rsa-master/easyrsa3/pki/private/server.key.6aqcr3DcFu‘ ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Common Name (eg: your user, host, or server name) [server]: #直接回車 Keypair and certificate request completed. Your files are: req: /home/tools/easy-rsa-master/easyrsa3/pki/reqs/server.req key: /home/tools/easy-rsa-master/easyrsa3/pki/private/server.key #證書存儲位置 [root@VPN easyrsa3]# ./easyrsa sign server server #簽約服務端證書 Note: using Easy-RSA configuration from: ./vars You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 3650 days: subject= commonName = server Type the word ‘yes‘ to continue, or any other input to abort. Confirm request details: yes #輸入yes即可 Using configuration from ./openssl-1.0.cnf Enter pass phrase for /home/tools/easy-rsa-master/easyrsa3/pki/private/ca.key: #上面根證書相同的密碼 Check that the request matches the signature Signature ok The Subject‘s Distinguished Name is as follows commonName :PRINTABLE:‘server‘ Certificate is to be certified until Oct 16 08:38:07 2027 GMT (3650 days) Write out database with 1 new entries Data Base Updated Certificate created at: /home/tools/easy-rsa-master/easyrsa3/pki/issued/server.crt #證書存儲位置 [root@VPN easyrsa3]# ./easyrsa gen-dh #創建Diffie-Hellman Note: using Easy-RSA configuration from: ./vars Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time ...................................+.........................................................................................................................+........................+................................+................+...................................................................+................+....................+........................................+..........................+.......+...........+.........................................+..+............................................................................................................++*++* DH parameters of size 2048 created at /home/tools/easy-rsa-master/easyrsa3/pki/dh.pem #存儲位置
將ca.crt、server.crt、server.key、dh.pem拷貝到/etc/openvpn/keys目錄下
[root@VPN easyrsa3]# cd pki/ [root@VPN pki]# mkdir /etc/openvpn/keys
[root@VPN pki]# cp ca.crt /etc/openvpn/keys/ [root@VPN pki]# cp issued/server.crt /etc/openvpn/keys/ [root@VPN pki]# cp private/server.key /etc/openvpn/keys/ [root@VPN pki]# cp dh.pem /etc/openvpn/keys/
4、配置openvpn
創建服務端配置文件
[root@VPN pki]# mkdir /var/log/openvpn #日誌目錄 [root@VPN openvpn]# cat server.conf local 172.16.8.205 port 1194 proto tcp dev tun ca keys/ca.crt cert keys/server.crt key keys/server.key dh keys/dh.pem server 10.8.0.0 255.255.255.0 push "route 172.16.8.0 255.255.255.0" ifconfig-pool-persist ipp.txt client-to-client keepalive 20 60 cipher AES-128-CBC max-clients 2048 persist-key persist-tun plugin /etc/openvpn/openvpn-auth-pam.so openvpn verify-client-cert none username-as-common-name status openvpn-status.log log /var/log/openvpn/openvpn.log script-security 3 verb 3
啟動oepnvpn服務
[root@VPN keys]# service openvpn restart
Shutting down openvpn: [ OK ]
Starting openvpn: [ OK ]
五、測試openvpn
創建client配置文件
[root@centos6-base openvpn]# cat client.conf client dev tun proto tcp remote 172.16.8.205 1194 resolv-retry infinite nobind persist-key persist-tun ca ca.crt ns-cert-type server ;tls-auth ta.key 1 verb 3 cipher AES-128-CBC auth-user-pass script-security 3
將服務端創建的ca.crt文件拷貝到client.conf同級目錄下;win系統,將client.conf改為client.ovpn
參考:http://blog.csdn.net/shgh_2004/article/details/53170338
http://blog.csdn.net/zhemeban/article/details/69665985
openvpn+mysql密碼認證