Introduction: the previous two articles set up the OpenVPN service and explained how to add new users and revoke existing ones. Managing certificates per client does not scale well, so username/password login can be used instead: adding or revoking a user is then done directly in a configuration file, and only the key verification is still required. The concrete configuration follows.
1. Server-side configuration
1.1 Edit the server.conf configuration file
[root@loaclhost ~]# vim /etc/openvpn/server.conf
Add the following lines, pointing auth-user-pass-verify at the location of checkpsw.sh (via-env hands the credentials to the script as environment variables, which is why script-security 3 is required):
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
client-cert-not-required
username-as-common-name
script-security 3
1.2 Create the checkpsw.sh file
[root@loaclhost ~]# vim /etc/openvpn/checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN runs it through "auth-user-pass-verify ... via-env",
# so the submitted credentials arrive in the environment
# variables $username and $password.
PASSFILE="/etc/openvpn/psw-file" # file holding the usernames and passwords
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
    echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
    exit 1
fi
# Hand the username to awk with -v instead of splicing it into the
# program text, so a crafted username cannot change the awk code.
CORRECT_PASSWORD=`awk -v u="${username}" '!/^;/ && !/^#/ && $1==u {print $2; exit}' "${PASSFILE}"`
if [ "${CORRECT_PASSWORD}" = "" ]; then
    echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
    exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
    exit 0
fi
# Record the failure, but never write the submitted password to the log.
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1
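The same via-env check, written as an added example for this page (not Mathias Sundman's script and not something shipped with OpenVPN), with the second column of psw-file holding a PBKDF2 hash instead of the plaintext password: it reads $username/$password from the environment, keeps the same file grammar (username, whitespace, credential; ';' and '#' comment lines), compares in constant time, and logs only the outcome. The PASSFILE/LOG_FILE paths mirror the page and the pbkdf2_sha256$iters$salt$hash record layout is this example's own convention.

```python
import base64
import hashlib
import hmac
import os
import sys

PASSFILE = "/etc/openvpn/psw-file"           # hypothetical, mirrors the page
LOG_FILE = "/var/log/openvpn-password.log"   # hypothetical, mirrors the page
ITERATIONS = 100_000

def hash_password(password, salt=None, iterations=ITERATIONS):
    # Produce the psw-file record: pbkdf2_sha256$<iters>$<salt_b64>$<hash_b64>
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())

def verify_password(password, stored):
    # Re-derive the hash and compare in constant time; malformed records fail closed.
    try:
        algo, iters, salt_b64, hash_b64 = stored.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
        iterations = int(iters)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return algo == "pbkdf2_sha256" and hmac.compare_digest(actual, expected)

def authenticate(lines, username, password):
    # Same file grammar as checkpsw.sh: skip ';'/'#' lines, match the first column.
    for line in lines:
        fields = line.split()
        if not fields or fields[0][0] in ";#":
            continue
        if fields[0] == username and len(fields) >= 2:
            return verify_password(password, fields[1])
    return False

def main():
    # With "via-env" OpenVPN hands the credentials over as environment variables.
    username, password = os.environ.get("username", ""), os.environ.get("password", "")
    with open(PASSFILE) as f:
        ok = authenticate(f, username, password)
    with open(LOG_FILE, "a") as log:  # record the outcome, never the password
        log.write("%s: username=%r\n" % ("OK" if ok else "FAIL", username))
    sys.exit(0 if ok else 1)

if __name__ == "__main__":
    main()
```

Generate a record with hash_password() and paste it as the second column of the user's line in psw-file; a plaintext second column is rejected rather than accepted.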
1.3 Configure usernames and passwords (one user per line: username, whitespace, password)
[root@loaclhost ~]# vim /etc/openvpn/psw-file
client password
1.4 Set permissions on psw-file (the OpenVPN process, and therefore the script, runs as nobody and must be the only user able to read it)
[root@loaclhost ~]# chmod 400 /etc/openvpn/psw-file
[root@loaclhost ~]# chown nobody:nobody /etc/openvpn/psw-file
1.5 Restart the service
[root@loaclhost ~]# service openvpn restart
Shutting down openvpn: [ OK ]
Starting openvpn: [ OK ]
2. Client-side configuration
2.1 Configure the open.ovpn file
Comment out the client certificate and key lines, keep the CA certificate, and add the line auth-user-pass:
client
dev tun
proto tcp
remote *.*.*.* 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass
#cert client.crt
#key client.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
comp-lzo
2.2 Client test
Place the two files shown below into the config folder and connect to test.
The client starts and connects normally, as shown in the figure below.
2.3 Installing the OpenVPN client on Red Hat
Configure the yum repository:
[root@localhost ~]# rpm -ivh http://mirrors.sohu.com/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm
[root@localhost ~]# sed -i 's/^mirrorlist=https/mirrorlist=http/' /etc/yum.repos.d/epel.repo
Install openvpn with yum:
[root@localhost ~]# yum -y install openvpn
Upload the configuration files (auth-user-pass login.conf reads the username from the first line of login.conf and the password from the second):
[root@localhost ~]# cd /etc/openvpn/
[root@localhost openvpn]# ll
-rw-r--r--. 1 root root 1818 Mar 15 00:56 ca.crt
-rw-r--r--. 1 root root 19 Mar 15 01:01 login.conf
-rw-r--r--. 1 root root 677 Mar 15 01:02 open.ovpn
-rw-r--r--. 1 root root 636 Mar 15 00:56 ta.key
[root@localhost openvpn]# vi open.ovpn
client
dev tun
proto tcp
remote *.*.*.* 1194
auth-user-pass login.conf
resolv-retry infinite
remote-cert-tls server
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca ca.crt
[root@localhost openvpn]# vi login.conf
user
password
Connect:
[root@localhost openvpn]# openvpn --daemon --cd /etc/openvpn/ --config open.ovpn
[root@localhost openvpn]# ps aux |grep openvpn
root 20449 0.0 0.1 49780 3084 ? Ss 01:02 0:00 openvpn --daemon --cd /etc/openvpn/ --config open.ovpn
[root@localhost openvpn]# ip addr
tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 10.8.0.249 peer 10.8.0.254/32 scope global tun0
valid_lft forever preferred_lft forever
Create an alias:
[root@localhost openvpn]# vi /root/.bashrc
alias openvpn='openvpn --daemon --cd /etc/openvpn/ --config open.ovpn'
[root@localhost openvpn]# source /root/.bashrc
Success!!!
Source: oschina
Link: https://my.oschina.net/u/4312735/blog/3615628