Work required a VPN so I could reach the internal network remotely for development and maintain internal devices more easily. The openvpn rpm package that ships with CentOS 6 is sufficient.
# yum install openvpn
# cd /etc/openvpn
# cp /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf ./
# mkdir -p easy-rsa/keys
# cd easy-rsa/
# cp /usr/share/openvpn/easy-rsa/2.0/* ./
# source ./vars
# ./clean-all
Create the CA certificate
# ./build-ca
Create the server certificate and private key
# ./build-key-server dev05
# ./build-dh
If clients will log in with certificates (rather than username/password), create a client certificate
# ./build-key wp-client
Edit the OpenVPN server configuration file
# vim /etc/openvpn/server.conf
Port OpenVPN listens on
port 1989
Use TCP or UDP; the former is more stable
proto tcp
Device type to use
dev tap
Certificates and keys created by the steps above
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/dev05.crt
key /etc/openvpn/easy-rsa/keys/dev05.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
Allow execution of external scripts (OpenVPN 2.1 and later disables external scripts by default; this matters a lot and had me stuck for a long time, because the username/password verification script needs it)
script-security 3
Whether one user may have several sessions logged in at the same time
duplicate-cn
Authentication method (verify the username and password with an external shell script)
auth-user-pass-verify /etc/openvpn/checkpw.sh via-env
client-cert-not-required
username-as-common-name
This is the username/password verification script
[root@dev05 openvpn]# more checkpw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# In via-env mode OpenVPN hands the credentials to this
# script in the environment variables $username and $password.
PASSFILE="/etc/openvpn/pass"
LOG_FILE="/etc/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
    echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
    exit 1
fi
# Pass the username to awk with -v so it is compared as data instead of
# being spliced into the awk program text; lines starting with ; or # are comments.
CORRECT_PASSWORD=`awk -v u="${username}" '!/^;/&&!/^#/&&$1==u{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
    echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
    exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
    exit 0
fi
# Note: the failure entries above and below record the submitted password in clear text in the log.
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
Finally, add a NAT rule with iptables
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j SNAT --to-source 172.16.0.5
—————————————————————————————-
[root@dev05 openvpn]# more pass
wp1998 xxxxxxx
Note: the separator between the two fields is a tab
—————————————————————————————-
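The checkpw.sh script above keeps every password in clear text in /etc/openvpn/pass and writes the submitted password into its log on every failed attempt. The following is an added example, not the post's script and not part of OpenVPN, showing the same auth-user-pass-verify hook written with salted SHA-256 hashes instead of plaintext, the username passed to awk as data, and no password ever logged. The file name checkpw-hashed.sh, the passfile /etc/openvpn/pass.hashed, its username:salt:hash layout, and the switch from via-env to via-file (OpenVPN then passes a temporary file with the username on line 1 and the password on line 2) are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): an auth-user-pass-verify
# script that checks the submitted password against salted SHA-256 hashes
# instead of a plaintext file, hands the username to awk as data rather
# than program text, and never writes the submitted password to the log.
#
# Assumed hashed passfile format, one user per line:
#   username:salt:hex_sha256(salt||password)
# Assumed server.conf directive (via-file instead of via-env):
#   auth-user-pass-verify /etc/openvpn/checkpw-hashed.sh via-file
# Assumed location of the hashed file (override with $PASSFILE):
PASSFILE="${PASSFILE:-/etc/openvpn/pass.hashed}"

# hash_pw SALT PASSWORD -> prints the hex SHA-256 of SALT followed by PASSWORD
hash_pw() {
    printf '%s%s' "$1" "$2" | sha256sum | awk '{print $1}'
}

# add_user USER PASSWORD FILE -> appends an entry with a fresh 8-byte random salt
add_user() {
    salt=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s:%s:%s\n' "$1" "$salt" "$(hash_pw "$salt" "$2")" >> "$3"
}

# verify_user USER PASSWORD FILE -> exit status 0 if the pair is valid, 1 otherwise
verify_user() {
    user=$1; pw=$2; file=$3
    [ -r "$file" ] || return 1
    # Accept only plain usernames: no ':' (field separator), whitespace or metacharacters
    case "$user" in ""|*[!A-Za-z0-9._-]*) return 1 ;; esac
    # -v makes the username an awk variable, so it cannot change the program
    entry=$(awk -F: -v u="$user" '!/^[;#]/ && $1 == u { print $2 ":" $3; exit }' "$file")
    [ -n "$entry" ] || return 1
    salt=${entry%%:*}
    stored=${entry#*:}
    [ "$(hash_pw "$salt" "$pw")" = "$stored" ]
}

# Entry point when OpenVPN runs the script in via-file mode: $1 is a temporary
# file whose first line is the username and second line the password.
# Nothing below runs when the script is executed without arguments.
if [ -n "$1" ] && [ -f "$1" ]; then
    u=$(sed -n '1p' "$1")
    p=$(sed -n '2p' "$1")
    if verify_user "$u" "$p" "$PASSFILE"; then
        echo "$(date '+%Y-%m-%d %T'): auth ok user=\"$u\"" >> /etc/openvpn/openvpn-password.log
        exit 0
    fi
    # Log only the username; the submitted password is deliberately not recorded
    echo "$(date '+%Y-%m-%d %T'): auth FAILED user=\"$u\"" >> /etc/openvpn/openvpn-password.log
    exit 1
fi
```

To enrol a user from the shell, source the script and call `add_user wp1998 'the-password' /etc/openvpn/pass.hashed`; the hashed file should be owned by root and unreadable by the user OpenVPN drops to, exactly like the plaintext one. The username whitelist in verify_user is what keeps the lookup safe even if a client sends a username containing quotes or colons, and a constant-time comparison is not needed here because only a hash, never a secret, is compared.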
Client configuration: wp-client.ovpn
dev tap
proto tcp
ca ca.crt
If logging in with a certificate, enable the two lines below (using the files generated on the server, which you must copy to the client)
# cert wp-client.crt
# key wp-client.key
Required for username/password login; not needed for certificate login
auth-user-pass