
OpenVPN login with username/password authentication

Following on from the previous post, where an OpenVPN server was set up on CentOS 7 with certificate authentication: letting many people share one certificate to save effort does not feel very secure, and issuing a separate certificate for every user is inconvenient, so this post switches to username/password authentication. There are two common ways to do that: one goes through PAM with pam_mysql.so, the other uses the checkpsw script approach. This post uses the second, which is simpler. The setup is otherwise the same as before; only the server certificate has to be created, no client certificates. Keep in mind what that means: once the client certificate is gone, the password file and the script are the whole of client authentication, so the file must be protected, the passwords must not be guessable, and the checkpsw script as distributed keeps them in plain text.

Modify the server configuration file

Edit the server configuration file: vim /etc/openvpn/server.conf

local 192.168.6.23
port 11094
proto tcp
dev tun

ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
# Relative path, resolved from the directory OpenVPN is started in; an absolute
# path (/etc/openvpn/ta.key) avoids depending on that. 0 = server side of the key.
tls-auth ta.key 0
cipher AES-256-GCM

ifconfig-pool-persist /etc/openvpn/ipp.txt
# The following four lines are the ones added compared with the certificate-only config
# Script that accepts (exit 0) or rejects (non-zero) a login; with via-env the
# username and password arrive in the script's environment
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
# Do not require a client certificate (OpenVPN 2.4 name for client-cert-not-required)
verify-client-cert none
# Use the login name as the session's common name (status log, ccd lookups)
username-as-common-name
# Level 3 is required for via-env because the password is exposed to the script
# through the environment; via-file would only need level 2
script-security 3

server 10.66.66.0 255.255.255.0
push "route 192.168.6.0 255.255.255.0"
push "route 192.168.10.0 255.255.255.0"
#push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
topology subnet
client-to-client

keepalive 20 120
# Compression over the tunnel is deprecated (VORACLE-style attacks); remove it on
# both sides unless you need it. Must match the client config.
comp-lzo
# Allow several simultaneous sessions with the same username
duplicate-cn
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20
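The four added lines only work as a set: via-env needs script-security 3 while via-file gets by with 2; verify-client-cert none is only sane together with username-as-common-name and an auth-user-pass-verify line; and comp-lzo and duplicate-cn deserve a second look. The shell below, added for this post and not part of the original setup, encodes those rules as an audit that runs over a constructed copy of the relevant lines of the config above. The option names are real OpenVPN options; the temp file path and the finding texts are this example's own.

```shell
#!/bin/sh
# Constructed for this post: the auth-related lines of the server.conf above,
# written to a temp file so the audit runs offline (not a real deployment).
WORK=$(mktemp -d)
cat > "$WORK/server.conf" <<'EOF'
port 11094
proto tcp
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
verify-client-cert none
username-as-common-name
script-security 3
comp-lzo
duplicate-cn
EOF

# True if option $1 is set in config $2 (first word of a non-comment line).
has_opt() {
    awk -v o="$1" '!/^[[:space:]]*[#;]/ && $1 == o { f = 1 } END { exit !f }' "$2"
}

# Field $2 of option $1 in config $3, empty if the option is unset.
opt_field() {
    awk -v o="$1" -v n="$2" '!/^[[:space:]]*[#;]/ && $1 == o { print $n; exit }' "$3"
}

# Prints one line per finding about the username/password setup; always returns 0.
audit_server_conf() {
    f=$1
    mode=$(opt_field auth-user-pass-verify 3 "$f")
    sec=$(opt_field script-security 2 "$f")
    case "$mode" in
        via-env)  need=3 ;;   # password is handed over in the environment
        via-file) need=2 ;;   # password is written to a temp file; level 2 suffices
        *)        need=0; echo "auth-user-pass-verify missing: no password check at all" ;;
    esac
    if [ "$need" -gt 0 ] && [ "${sec:-0}" -lt "$need" ]; then
        echo "script-security ${sec:-unset} too low for $mode (needs $need): OpenVPN will not run the script"
    fi
    if [ "$(opt_field verify-client-cert 2 "$f")" = none ] || has_opt client-cert-not-required "$f"; then
        has_opt username-as-common-name "$f" ||
            echo "no client certs and no username-as-common-name: every session gets the same empty common name"
        [ "$need" -gt 0 ] ||
            echo "no client certs and no auth-user-pass-verify: anyone holding ca.crt and ta.key can connect"
    fi
    has_opt comp-lzo "$f" &&
        echo "comp-lzo: tunnel compression is deprecated (VORACLE-style attacks); drop it on server and clients"
    has_opt duplicate-cn "$f" &&
        echo "duplicate-cn: one username may be logged in from many places at once, so a leaked password goes unnoticed"
    return 0
}

# Number of findings, for scripting
count_findings() { audit_server_conf "$1" | wc -l | tr -d ' '; }

audit_server_conf "$WORK/server.conf"
```

For the config in this post the audit reports only comp-lzo and duplicate-cn; change script-security to 2 and it also reports that OpenVPN would refuse to run the script, which is exactly the kind of mismatch that otherwise only shows up as a failed login in openvpn.log.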

Generate a key

tls-auth adds an HMAC signature to every SSL/TLS handshake packet, computed with a pre-shared key (ta.key) that both sides hold. The server silently drops any packet without a valid HMAC, so port scanners, handshake floods and attacks on the TLS stack never reach the TLS code. Generate the key on the server and distribute it to every client together with ca.crt.

openvpn --genkey --secret /etc/openvpn/ta.key

Create the shell script /etc/openvpn/checkpsw.sh

#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN runs it with the "username" and "password"
# environment variables set (auth-user-pass-verify ... via-env,
# which needs script-security 3). Exit 0 accepts the login,
# any other exit status rejects it.
# Modified here: username no longer spliced into the awk
# program, and passwords are never written to the log.
PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/etc/openvpn/openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")
###########################################################
if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi
# Read the username from the environment inside awk instead of pasting it
# into the program text, so quotes or awk syntax in a username cannot change
# the lookup. Lines starting with ';' or '#' are comments.
CORRECT_PASSWORD=$(awk '!/^;/ && !/^#/ && $1 == ENVIRON["username"] { print $2; exit }' "${PASSFILE}")
if [ -z "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
  exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi
# Do not log the submitted password: failed attempts are usually typos of
# the real one, and the log is read by more people than the password file.
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1

Make the script executable
chmod 755 /etc/openvpn/checkpsw.sh

Create the username/password file psw-file (one user per line; the 123456 passwords below are placeholders, use long, unique ones in practice)

#username  password
ths1 123456
ths2 123456
ths3 123456

The script runs as the openvpn user once the daemon has dropped privileges (user/group openvpn in server.conf), so both files must be owned by that user. psw-file holds plaintext passwords and the log records every login attempt, so neither should be readable by other users (644 on the log is too open).

chmod 600 /etc/openvpn/psw-file
chown openvpn:openvpn /etc/openvpn/psw-file
touch /etc/openvpn/openvpn-password.log
chown openvpn:openvpn /etc/openvpn/openvpn-password.log
chmod 600 /etc/openvpn/openvpn-password.log
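Two properties of the script and password file above are worth checking with real input: the stock checkpsw.sh splices ${username} into the awk program text, so a username containing awk syntax can rewrite the lookup, and psw-file stores passwords in plain text. The shell below is an added example for this post, not the script shipped with OpenVPN: it reproduces the original awk lookup beside a version that reads the username from the environment inside awk, and replaces the plaintext column with sha512-crypt hashes (via openssl passwd -6, assumed available) so a leaked psw-file no longer yields passwords. The sample entries and the injected username are constructed; whether such a username ever reaches the script depends on what OpenVPN lets through, and the script should not have to rely on that.

```shell
#!/bin/sh
# Constructed sample data for this example (not the files from the post).
WORK=$(mktemp -d)
PLAIN="$WORK/psw-file"
printf '#username  password\nths1 123456\nths2 123456\n' > "$PLAIN"

# 1. The lookup as the stock checkpsw.sh writes it: the username is pasted
#    into the awk program text, so awk syntax in the username rewrites the program.
lookup_unsafe() {   # $1 = username, $2 = passfile -> prints the stored password
    username=$1
    awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' "$2"
}

# 2. Same lookup with the username read from the environment inside awk
#    (no -v, so no escape processing either): data stays data.
lookup_safe() {
    username="$1" awk '!/^;/ && !/^#/ && $1 == ENVIRON["username"] { print $2; exit }' "$2"
}

# 3. Store sha512-crypt hashes ($6$salt$hash, the /etc/shadow format) instead of
#    plaintext. The salt is part of the stored string, so no separate salt file.
make_hash() {       # $1 = password, $2 = salt (up to 16 chars of [A-Za-z0-9./])
    printf '%s\n' "$1" | openssl passwd -6 -salt "$2" -stdin
}

verify_hashed() {   # $1 = username, $2 = password, $3 = hashed passfile; 0 = accept
    stored=$(lookup_safe "$1" "$3")
    [ -n "$stored" ] || return 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)   # field 3 of $6$salt$hash
    [ -n "$salt" ] || return 1
    [ "$(make_hash "$2" "$salt")" = "$stored" ]
}

HASHED="$WORK/psw-file.hashed"
{
    echo '#username  sha512-crypt hash'
    echo "ths1 $(make_hash 123456 s4ltS4lt)"
} > "$HASHED"

# Demo: a "username" that turns the original awk program into one that prints
# an attacker-chosen string for the first line and comments out the remainder,
# so the attacker logs in with password "pwned" without knowing any real one.
EVIL='"||1{print"pwned";exit}#'
echo "unsafe lookup for injected username -> $(lookup_unsafe "$EVIL" "$PLAIN")"
echo "safe   lookup for injected username -> [$(lookup_safe "$EVIL" "$PLAIN")]"
verify_hashed ths1 123456 "$HASHED" && echo "ths1/123456 accepted against the hashed file"
verify_hashed ths1 wrong "$HASHED" || echo "ths1/wrong rejected"
```

To adopt the hashed format, generate each entry with printf '%s\n' "$pw" | openssl passwd -6 -salt "$(openssl rand -base64 12 | tr -dc 'A-Za-z0-9./' | cut -c1-16)" -stdin and swap the plain string comparison in checkpsw.sh for verify_hashed; the shell string compare is not constant-time, which is acceptable here because the hash, not the password, is being compared.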

Restart the service (and enable it at boot)

systemctl restart openvpn@server
systemctl enable openvpn@server

Client test

On the Windows client, edit C:\Program Files\OpenVPN\config\sx3.ovpn

client
proto tcp
dev tun
remote 192.168.6.23 11094
# Prompt for username/password instead of presenting a client certificate; this is the key line
auth-user-pass
# Added: only accept a peer whose certificate is marked as a server certificate
# (easy-rsa issues server certs that way), so no other certificate signed by
# the CA can ever pose as the VPN server
remote-cert-tls server
cipher AES-256-GCM
resolv-retry infinite
nobind
mute-replay-warnings
keepalive 20 120
# Must match the server; deprecated, drop it on both sides unless needed
comp-lzo
#user openvpn
#group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20
route-method exe
route-delay 2
# Ignore pushed routes for 192.168.
#pull-filter ignore "route 192.168."
# Accept pushed routes for 172.
#pull-filter accept "route 172."
# ca.crt and ta.key are embedded below, so no "ca" / "tls-auth" file lines are
# needed; the direction of the inline key is given by key-direction (server uses 0)
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
……ABCDEFG……
-----END CERTIFICATE-----
</ca>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
……ABCDEFG……
-----END OpenVPN Static key V1-----
</tls-auth>
