服务器环境说明
1、系统版本
CentOS release 5.10 (Final) 64bits
2、软件版本
openvpn-2.3.6-1.el5 lzo-2.02-2.el5.1 lzo-devel-2.02-2.el5.1 easy-rsa-2.2.2-1.el5 pam-0.99.6.2-12.el5 pam-devel-0.99.6.2-12.el5
配置服务器安装前环境
1、打开ip转发功能
echo "net.ipv4.ip_forward = 1">> /etc/sysctl.conf sysctl -p
2、安装依赖及所需软件包
yum install -y openvpn easy-rsa cyrus-saslcyrus-sasl-plain cyrus-sasl-devel cyrus-sasl-lib cyrus-sasl-gssapi pampam-devel /etc/init.d/saslauthd restart
3、修改变量及生成证书
cd /usr/share/easy-rsa/2.0
vi vars #编辑vars文件,生成环境变量, vars里的参数根据自己需要改变
export KEY_COUNTRY="CN" #定义你所在的国家,2个字符
export KEY_PROVINCE="ShangHai" #你所在的省份
export KEY_CITY="ShangHai" #你所在的城市
export KEY_ORG="xxx" #你所在的组织
export KEY_EMAIL="xxx@qq.com" #你的邮件地址,可以修改
source ./vars
./clean-all
./build-ca
./build-dh
./build-key-server server
./build-key client
#tar -zcvf client.tar.gz keys/{ca.crt,client.crt,client.key} #windows客户端使用需下载到本地
mkdir /etc/openvpn/{keys,logs,plugin/auth-pam} -p
cp /usr/share/easy-rsa/2.0/keys/{ca.crt,server.crt,server.key,dh2048.pem} /etc/openvpn/keys/
cat > /etc/openvpn/server.conf << EOF
port 443
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
server 10.100.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#添加主机路由
push "route 10.200.0.0 255.255.0.0"
push "route 10.220.0.0 255.255.0.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status logs/openvpn-status.log
log logs/openvpn.log
log-append logs/openvpn.log
verb 3
plugin /etc/openvpn/plugin/openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
EOF
4、使用低版本的认证插件
wget http://pkgs.fedoraproject.org/repo/pkgs/openvpn/openvpn-2.0.7.tar.gz/93528233f1f6d02fc18e2c00f82e0aca/openvpn-2.0.7.tar.gz tar xf openvpn-2.0.7.tar.gz cd openvpn-2.0.7/plugin/auth-pam make cp openvpn-auth-pam.so /etc/openvpn/plugin/ #(这一步可能无法成功,假如无法成功可从其他机器拷贝一份过去,我在附件中放了该文件) wget http://nchc.dl.sourceforge.net/project/pam-mysql/pam-mysql/0.7RC1/pam_mysql-0.7RC1.tar.gz tar xf pam_mysql-0.7RC1.tar.gz && cd pam_mysql-0.7RC1 ./configure make makeinstall ln -s /lib/security/pam_mysql.so /lib64/security/ #如果编译中报错需要MySQL的库文件: yum install -y pam-devel mysql mysql-devel cat > /etc/pam.d/openvpn << EOF auth sufficient /lib/security/pam_mysql.so user=xxx passwd=xxxxx host=xxxxxx db=vpn table=openvpnuser usercolumn=name passwdcolumn=password crypt=2 account required /lib/security/pam_mysql.so user=xxx passwd=xxxxx host=xxxxxx db=vpn table=openvpnuser usercolumn=name passwdcolumn=password crypt=2 EOF
5、MySQL配置
mysql -hjconnhrdmgt82.mysql.rds.aliyuncs.com -uzabbix_1 -p -D operations
create database vpn;
#grant all on vpn.* to xxx@'%' identified by 'xxxxxx';
create table openvpnuser ( name char(20) NOT NULL, password char(128)default NULL, active int(10) NOT NULL DEFAULT 1, primary key (name) );
insert into openvpnuser (name,password)values('vpnuser',password('vpnpassword'));
#flush privileges;
6、启动openvpn
/etc/init.d/openvpn restart
服务端测试
testsaslauthd -u vpnuser -p vpnpassword -s openvpn 0:OK "Success."
windows客户端配置
1、客户端配置文件
cat > someone.ovpn << EOF client dev tun proto tcp remote 公网IP 443 resolv-retry infinite nobind persist-key persist-tun ca ca.crt #cert client.crt #key client.key #上面两个是配置客户端使用秘钥登录的证书 remote-cert-tls server comp-lzo verb 3 auth-user-pass #此参数后可接文件名,例如:auth.txt,文件中记录账号和密码需换行 EOF
2、下载服务端证书
下载ca.crt和someone.ovpn文件到本地
Iptables配置
*nat :PREROUTING ACCEPT [222:10664] :POSTROUTING ACCEPT [37944:2486906] :OUTPUT ACCEPT [37944:2486906] -A POSTROUTING -s 10.100.0.0/255.255.255.0 -o eth0 -j MASQUERADE COMMIT #以上是iptables的配置文件中需要加入的一条配置,可以配置下面的命令然后保存iptables信息到配置文件中 #iptables -t nat -A POSTROUTING -s10.100.0.0/255.255.255.0 -o eth0 -j MASQUERADE #iptables-save >/etc/sysconfig/iptables 将openvpn添加到开机启动项中 chkconfig --add openvpn chkconfig openvpn on
TIPS
Mar 10 17:05:15 jstwpz76bqary8 openvpn[27972]: PAM unableto dlopen(/lib/security/pam_mysql.so) Mar 10 17:05:15 jstwpz76bqary8 openvpn[27972]: PAM [error:/lib/security/pam_mysql.so: undefined symbol: pam_set_data]
/var/log/secure中若出现如上错误,请尝试使用低版本的openvpn编译出来的openvpn-auth-pam.so动态链接库文件
原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/98799.html