openvpn安装使用(使用证书和密码认证配置)

Centos6.5安装openvpncreatebyymc0232014-11-101.安装yum-priorities插件,保证优先级yuminstallyum-priorities2.安装rpmforge://apt.sw.be/redhat/el6/en/x86_64/rpmforge/RPMS/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm选择性安装,64位用64位,32位用686rpm-ivh或rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm3.安装epel://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpmrpm-ivh或设置/etc/yum.repos.d/rpmforge.repo，添加顺序指令priority=N（N从1至99，1优先级最高），对[base]、[updates]、[addons]、[extras]设置priority=1，示例：以上安装完成rpmforge后,可以从rpmforge中获得openvpn的安装文件yuminstallopenvpn4.把cp-R/usr/share/doc/openvpn-*/easy-rsa/etc/openvpncd/etc/openvpn/easy-rsa/2.0/chmod+x*注:上述复制路径不同版本的具体路径不一样,请自行更改5.然后使用easy-rsa的脚本产生证书,其方法如下:ln-sopenssl-1.0.0.cnfopenssl.cnf.vars./clean-all./build-caserver./build-key-serverserver./build-keyclient./build-dh6.配置server.conf,首先要创建一个配置文件cp-arp/usr/share/doc/openvpn/openvpn-2.3.2/sample/sample-config-files/server.conf/etc/openvpn/或,因具体路径不一样cp-arp/usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf/etc/openvpnport1194protoudpdevtunca/etc/openvpn/easy-rsa/2.0/keys/ca.crtcert/etc/openvpn/easy-rsa/2.0/keys/server.crtkey/etc/openvpn/easy-rsa/2.0/keys/server.keydh/etc/openvpn/easy-rsa/2.0/keys/dh1024.pemserver10.1.1.0255.255.255.0pushredirect-gatewaydef1bypass-dhcppushdhcp-optionDNS8.8.8.8log/var/log/openvpn.logkeepalive10120verb3client-to-clientcomp-lzopersist-keypersist-tun以下配置需在服务端开启nat功能,让vpn用户以本机IP的身份转发数据出去客户端拨入OpenVPN后，默认网关会指向OpenVPN服务器，为了能使客户端可以上网，需要在服务端开启nat功能首先，打开ipforward功能sed-i'/net.ipv4.ip_forward/s/0/1/g'/etc/sysctl.confsysctl-wnet.ipv4.ip_forward=1然后，配置iptablessnatiptables-tnat-APOSTROUTING-s10.1.1.0/255.255.255.0-jSNAT--to-sourceSERVER_IPiptables-tnat-nL注:将SERVER_IP替换为服务器的出口ipOpenVPN客户端配置[编辑]好了服务端准备就绪，接下来开始客户端配置对于Windows客户端到下载gui版的OpenVPN，按照提示安装完成后，将Linux服务端使用easy-rsa产生的客户端证书、私钥和ca证书下载到本地config中。/etc/openvpn/easy-rsa/2.0/keys/ca.crt#ca证书/etc/openvpn/easy-rsa/2.0/keys/client.crt#客户端证书/etc/openvpn/easy-rsa/2.0/keys/client.key#客户端私钥将这些文件下载到D:\ProgramFiles\OpenVPN\config下。编辑客户端OpenVPN配置文件client.ovpn，内容如下：clientdevtunprotoudpremoteSERVER_IP1194resolv-retryinfinitenobindpersist-keypersist-tuncaca.crtcertclient.crtkeyclient.keycomp-lzoverb3redirect-gatewaydef1route-methodexeroute-delay2将SERVER_IP写成OpenVPN服务器的ip，然后打开OpenVPN的GUI，点击连接，完成OpenVPN拨入扩展配置[编辑]不使用证书,使用密码认证Server端server.conf添加4行配置:script-security3auth-user-pass-verify/etc/openvpn/checkpsw.shvia-env#使用checksw.sh验证本地明文密码client-cert-not-required#客户端不要求证书认证,如果同时使用证书与账号,请注销上面的配置username-ascommon-name#用客户端的username作为校验注:请在服务端touch密码文件psw-filetouchpsw-filechomod400psw-filechownnobody.nobodypsw-file格式如下:catpsw-filenamepasswdAa123456Cc445dfa客户端Client.ovpn配置文件添加如下代码clientauth-user-passscript-security3因openvpn.se无法打开,现提供checkpsw.sh代码如下:chmode+xcheckpsw.sh#!/bin/sh#ThisscriptwillauthenticateOpenVPNusersagainstaplaintextfile.Thepassfileshouldsimplycontain.onerowperuserwiththeusernamefirstfollowedby.oneormorespace(s)ortab(s)andthenthepassword.PASSFILE=/etc/openvpn/psw-fileLOG_FILE=/var/log/openvpn-password.logTIME_STAMP=`date+%Y-%m-%d%T`if[!-r${PASSFILE}];thenecho${TIME_STAMP}:Couldnotopenpasswordfile\${PASSFILE}\forreading.${LOG_FILE}exit1fiCORRECT_PASSWORD=`awk'!/^;/&&!/^#/&&$1=='${username}'{print$2;exit}'${PASSFILE}`if[${CORRECT_PASSWORD}=];thenecho${TIME_STAMP}:Userdoesnotexist:username=\${username}\,password=\${password}\.${LOG_FILE}exit1fiif[${password}=${CORRECT_PASSWORD}];thenecho${TIME_STAMP}:Successfulauthentication:username=\${username}\.${LOG_FILE}exit0elseecho${TIME_STAMP}:Incorrectpassword:username=\${username}\,password=\${password}\.${LOG_FILE}exit1fi