1. Overview of encrypted tunnel services

  • How do two sites exchange data as securely as possible?
  • Option 1: leased line (expensive)
  • Option 2: hardware: a layer-3 router or a hardware VPN appliance (VPN = Virtual Private Network), e.g. Sangfor (深信服) VPN
  • Option 3: public cloud products
  • Option 4: commercial products
  • Option 5: open-source software
    • pptp (not recommended): simplest to set up, not very stable, and depends on support from the network equipment.
    • OpenVPN: lets users, ops staff and developers reach the site's internal network.
    • IPsec
    • OpenSwan: used to connect the internal networks of two LANs to each other.

2. Use cases

  • Operations: secure site login through OpenVPN (the back-office admin URL is configured to be reachable only through the VPN).
  • Development: developers and testers connect to the site through OpenVPN for development and testing (e.g. when working from home).
  • Ops: all kinds of users (ops staff) connect to the site's internal servers, or to JMS, through OpenVPN.


3. How OpenVPN works


4. OpenVPN server configuration

4.1 Environment

  • m01 10.0.0.61
Environment:
  • m01: OpenVPN server
  • db01: internal server that VPN users connect to (not an OpenVPN client itself)
  • Windows laptop: OpenVPN client

4.2 Certificate preparation workflow

  • Create the CA certificate
  • Server key
  • Client key
  • OpenVPN server configuration file

1) Install the certificate tooling

# 01 install the OpenVPN server
[root@m01 ~]# yum install -y openvpn easy-rsa
# 02 easy-rsa is the tool that creates all the certificates; find it with:
rpm -ql easy-rsa
/usr/share/easy-rsa/3.0.8/easyrsa

2) Create the CA certificate

### 01 act as the certificate authority: edit the vars file
mkdir -p /opt/easy-rsa
cp -a /usr/share/easy-rsa/3.0.8/* /opt/easy-rsa/
cp /usr/share/doc/easy-rsa-3.0.8/vars.example /opt/easy-rsa/vars

cat >/opt/easy-rsa/vars<<'EOF'
if [ -z "$EASYRSA_CALLER" ]; then
  echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
  echo "This is no longer necessary and is disallowed. See the section called" >&2
  echo "'How to use this file' near the top comments for more details." >&2
  return 1
fi

set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY "Beijing"
set_var EASYRSA_REQ_ORG "oldboylinux"
set_var EASYRSA_REQ_EMAIL "oldboy@qq.com"
set_var EASYRSA_NS_SUPPORT "yes"
EOF

# after creating vars, check the CA information
[root@oldboy-vpn-server ~]# cd /opt/easy-rsa/
[root@oldboy-vpn-server easy-rsa]# tree -F
.
├── easyrsa*
├── openssl-easyrsa.cnf
├── vars             #vars: the CA (authority) information
└── x509-types/
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient

1 directory, 11 files

####02 act as the certificate authority: create the CA certificate
######1. initialise: creates a pki directory under the current directory for storing certificates
[root@m01 /opt/easy-rsa]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: /opt/easy-rsa/vars  #the vars file above is in use
init-pki complete; you may now create a CA or requests.      #initialisation done; you can now create the CA certificate
Your newly created PKI dir is: /opt/easy-rsa/pki             #everything goes under pki/

######2. create the root certificate; you are prompted for a passphrase, which the CA uses later when signing the server and client certificates; everything else can stay at the default
## Tip: do set a passphrase
[root@oldboy-vpn-server easy-rsa]# ./easyrsa build-ca

Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Enter New CA Key Passphrase:         #enter a passphrase (4-1023 characters) and keep it safe
Re-Enter New CA Key Passphrase: 
Generating RSA private key, 2048 bit long modulus
................................................+++
.................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:oldboylinux.cn        #a domain name will do

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/opt/easy-rsa/pki/ca.crt


# after this step the CA certificate and private key exist
[root@oldboy-vpn-server easy-rsa]# tree -F
.
├── easyrsa*
├── openssl-easyrsa.cnf
├── pki/
│   ├── ca.crt            #CA certificate
│   ├── certs_by_serial/
│   ├── index.txt
│   ├── index.txt.attr
│   ├── issued/
│   ├── openssl-easyrsa.cnf
│   ├── private/
│   │   └── ca.key          #CA private key
│   ├── renewed/
│   │   ├── certs_by_serial/
│   │   ├── private_by_serial/
│   │   └── reqs_by_serial/
│   ├── reqs/
│   ├── revoked/
│   │   ├── certs_by_serial/
│   │   ├── private_by_serial/
│   │   └── reqs_by_serial/
│   ├── safessl-easyrsa.cnf
│   └── serial
├── vars
└── x509-types/
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient

14 directories, 18 files



3) Create the server certificate

#####3. create the server certificate and private key
##########01 create the certificate request and the server private key; nopass means the private key file is not encrypted; everything else can stay at the default
[root@oldboy-vpn-server easy-rsa]# ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.........................+++
..................+++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-1758.a0Y5Ip/tmp.hi5Mvx'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/server.req             # server.req: the certificate request (the data the certificate is built from)
key: /opt/easy-rsa/pki/private/server.key          # server private key

##########02 sign the server certificate: first confirm the details shown (type yes), then enter the passphrase set when the CA root certificate was created
[root@oldboy-vpn-server easy-rsa]# ./easyrsa sign server server

Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes    # type yes
Using configuration from /opt/easy-rsa/pki/easy-rsa-1786.Ssqla8/tmp.x85QNQ
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:       # enter the CA passphrase set above (1234)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Oct  7 02:28:24 2026 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /opt/easy-rsa/pki/issued/server.crt

[root@oldboy-vpn-server easy-rsa]# tree pki/
pki/
├── ca.crt   #CA certificate
├── certs_by_serial
│   └── C3CE655A9728D31607D8E799C4CBC2A9.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│   └── server.crt        #server certificate
├── openssl-easyrsa.cnf
├── private
│   ├── ca.key
│   └── server.key        #server private key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
│   └── server.req
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old

12 directories, 14 files

4) Create the client certificate

#####4. create the client certificate and private key
##########01. create the client request and private key; nopass means the private key file is not encrypted; everything else can stay at the default
[root@oldboy-vpn-server easy-rsa]# ./easyrsa gen-req client nopass
....
Common Name (eg: your user, host, or server name) [client]:   # just press Enter

Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/client.req
key: /opt/easy-rsa/pki/private/client.key

##########02. sign the client certificate: first confirm the details shown (type yes), then enter the passphrase set when the CA root certificate was created
[root@oldboy-vpn-server easy-rsa]# ./easyrsa sign client client
...
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes   # type yes
Using configuration from /opt/easy-rsa/pki/easy-rsa-1891.3B5Nsg/tmp.WD2SXS
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:        # enter the CA passphrase (1234)
...
Certificate created at: /opt/easy-rsa/pki/issued/client.crt

### client certificate and private key are done
[root@oldboy-vpn-server easy-rsa]# tree pki/
pki/
├── ca.crt
├── certs_by_serial
│   ├── A36F4FA5A9DCBEE03CDA94C635CF7A67.pem
│   └── C3CE655A9728D31607D8E799C4CBC2A9.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│   ├── client.crt
│   └── server.crt
├── openssl-easyrsa.cnf
├── private
│   ├── ca.key
│   ├── client.key
│   └── server.key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
│   ├── client.req
│   └── server.req
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old

12 directories, 18 files

5) Create the DH parameter file, and directory summary

# 5. create the Diffie-Hellman parameter file used for the Diffie-Hellman key exchange
[root@oldboy-vpn-server easy-rsa]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...........................................................................................................................................................................................................................................................................................................+...............................++*++*

DH parameters of size 2048 created at /opt/easy-rsa/pki/dh.pem

#####5. directory summary
[root@oldboy-vpn-server easy-rsa]# tree -F
.
├── easyrsa*
├── openssl-easyrsa.cnf
├── pki/
│   ├── ca.crt        #CA certificate
│   ├── certs_by_serial/
│   │   ├── A36F4FA5A9DCBEE03CDA94C635CF7A67.pem
│   │   └── C3CE655A9728D31607D8E799C4CBC2A9.pem
│   ├── dh.pem        #DH parameter file
│   ├── index.txt
│   ├── index.txt.attr
│   ├── index.txt.attr.old
│   ├── index.txt.old
│   ├── issued/
│   │   ├── client.crt       #client certificate
│   │   └── server.crt       #server certificate
│   ├── openssl-easyrsa.cnf
│   ├── private/
│   │   ├── ca.key
│   │   ├── client.key         #client private key
│   │   └── server.key         #server private key
│   ├── renewed/
│   │   ├── certs_by_serial/
│   │   ├── private_by_serial/
│   │   └── reqs_by_serial/
│   ├── reqs/
│   │   ├── client.req
│   │   └── server.req
│   ├── revoked/
│   │   ├── certs_by_serial/
│   │   ├── private_by_serial/
│   │   └── reqs_by_serial/
│   ├── safessl-easyrsa.cnf
│   ├── serial
│   └── serial.old
├── vars
└── x509-types/
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient

14 directories, 30 files

6) Summary

  • Create the vars file (act as the CA) and create the CA certificate: build-ca

  • Create the server certificate and private key

    • gen-req server nopass
    • sign server server
  • Create the client certificate and private key

    • gen-req client nopass
    • sign client client
  • Generate the dh.pem file: gen-dh
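An added check (mine, not from the notes or from easy-rsa) that is worth running before any file leaves /opt/easy-rsa/pki: it confirms that each issued certificate was signed by ca.crt and that the private key stored next to it really belongs to that certificate. That catches a certificate signed by the wrong CA, or a key copied under the wrong name, before OpenVPN reports a cryptic TLS handshake error. It assumes the openssl command-line tool and the pki/ layout shown above; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes or from easy-rsa.
# Assumes: the openssl CLI, and the easy-rsa pki/ layout (ca.crt, issued/NAME.crt, private/NAME.key).
set -u

# verify_cert_chain CA_CRT CERT: succeeds only if CERT was signed by CA_CRT and is within its validity period.
verify_cert_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert CERT KEY: succeeds if the public key inside CERT is the one derived from KEY.
# Both commands print the SubjectPublicKeyInfo as PEM, so a plain string comparison is enough.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_cn CERT: prints the commonName of CERT.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_pki PKI_DIR NAME: checks issued/NAME.crt against ca.crt and private/NAME.key.
# Prints "ok: NAME (CN=...)" and returns 0 on success; prints the reason to stderr and returns 1 otherwise.
check_pki() {
  local pki="$1" name="$2"
  local ca="$pki/ca.crt" crt="$pki/issued/$name.crt" key="$pki/private/$name.key"
  local f
  for f in "$ca" "$crt" "$key"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done
  verify_cert_chain "$ca" "$crt" || { echo "$crt does not chain to $ca" >&2; return 1; }
  key_matches_cert "$crt" "$key" || { echo "$key does not match $crt" >&2; return 1; }
  echo "ok: $name (CN=$(cert_cn "$crt"))"
}

# Stand-alone usage on the server from the notes (both should print ok):
#   ./check_pki.sh /opt/easy-rsa/pki server
#   ./check_pki.sh /opt/easy-rsa/pki client
if [ $# -ge 2 ]; then check_pki "$1" "$2"; fi
```

Run it once for server and once for client right after step 5; if the key check fails, the private key in pki/private was not the one whose request was signed, and the fix is to regenerate the request rather than to copy the files anyway.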

4.3 Server configuration file

# server configuration file
# paths in the configuration file are relative to /etc/openvpn by default
[root@oldboy-vpn-server ~]# tree -F /etc/openvpn/
/etc/openvpn/
├── client/
└── server/

2 directories, 0 files
[root@oldboy-vpn-server easy-rsa]# vim /etc/openvpn/server/server.conf
port 1194          #port
proto udp          #protocol
dev tun            #routed tunnel mode (tun)
#relative to the /etc/openvpn directory
ca ca.crt          #CA certificate location (/etc/openvpn/ca.crt)
dh dh.pem          #DH parameter file used in the key exchange (/etc/openvpn/dh.pem)
cert server/server.crt          #server certificate (public key) (/etc/openvpn/server/)
key server/server.key           #server private key (/etc/openvpn/server/)
server 10.8.0.0 255.255.255.0   #address pool (IP range) handed out to clients; note: it must not overlap the VPN server's internal network segment
push "route 172.16.1.0 255.255.255.0"     #route pushed to clients after they connect:
                                          #traffic from a client to 172.16.1.0/24 goes through the OpenVPN server
#ifconfig-pool-persist ipp.txt            #address-pool record file; used later to give OpenVPN clients fixed IP addresses
keepalive 10 120                          #keepalive: ping every 10 seconds; treat the peer as down after 120 seconds without a reply
max-clients 100                           #allow at most 100 concurrent clients
status /var/log/openvpn-status.log        #OpenVPN status log location
log /var/log/openvpn.log                  #OpenVPN log location
verb 3                                    #verbosity level; higher is more detailed, up to 11 (debug)
client-to-client                          #allow clients to talk to each other
persist-key                 #after a keepalive timeout restart, do not re-read the keys; keep the ones read the first time (the private key stays cached)
persist-tun                 #after a keepalive timeout restart, keep the tun device up; otherwise it would go down and come up again
duplicate-cn                #allow the same client credentials (certificate and key) to be used by several clients at once

# the same configuration file without the comments:
port 1194
proto udp
dev tun
#/etc/openvpn目录
ca ca.crt
dh dh.pem
cert server/server.crt
key server/server.key
server 10.8.0.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"
#ifconfig-pool-persist ipp.txt
keepalive 10 120
max-clients 100
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
client-to-client
persist-key
persist-tun
duplicate-cn

# copy the certificates and keys into place
[root@oldboy-vpn-server easy-rsa]# cp /opt/easy-rsa/pki/ca.crt  /opt/easy-rsa/pki/dh.pem /etc/openvpn/
[root@oldboy-vpn-server easy-rsa]# cp /opt/easy-rsa/pki/issued/server.crt /opt/easy-rsa/pki/private/server.key /etc/openvpn/server/

#edit the systemd unit
[root@oldboy-vpn-server easy-rsa]# cat /usr/lib/systemd/system/openvpn@.service
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target

[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i/%i.conf      #add %i: this is the only line to change
#%i stands for server or client (the instance name after @)

[Install]
WantedBy=multi-user.target
[root@oldboy-vpn-server easy-rsa]# systemctl daemon-reload

#start
systemctl enable openvpn@server
systemctl start openvpn@server

#check the process and port
[root@oldboy-vpn-server easy-rsa]# systemctl enable --now openvpn@server
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.
[root@oldboy-vpn-server easy-rsa]# ps -ef|grep openvpn
root       2350      1  0 11:12 ?        00:00:00 /usr/sbin/openvpn --cd /etc/openvpn/ --config server/server.conf
root       2362   1558  0 11:12 pts/0    00:00:00 grep --color=auto openvpn
[root@oldboy-vpn-server easy-rsa]# ss -lntup|grep openvpn
udp    UNCONN     0      0         *:1194                  *:*                   users:(("openvpn",pid=2350,fd=5))
[root@oldboy-vpn-server easy-rsa]# ip a s tun0
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::573e:f5ec:4c6d:85e5/64 scope link flags 800 
       valid_lft forever preferred_lft forever
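Added example (not from the notes or from OpenVPN): a pre-flight script for server.conf. It resolves every ca/cert/key/dh path against the --cd directory from the unit file and checks that the file is readable, which catches the "certificate copied to the wrong directory" failure, and then checks that the client address pool in the server line does not overlap any pushed route, which is the "must not overlap the server's internal segment" rule noted in the config above. It assumes the directive layout shown above; the function names are mine.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes or from OpenVPN itself: pre-flight checks for server.conf.
# Assumes the directive layout shown above and that relative paths resolve against the --cd directory
# from the unit file (/etc/openvpn), which is the second argument of check_server_conf.
set -u

# ip_to_int A.B.C.D: prints the address as a 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# subnets_overlap NET1 MASK1 NET2 MASK2: succeeds if the two ranges share at least one address.
# Two ranges overlap exactly when they agree under the less specific of the two masks.
subnets_overlap() {
  local a b m
  a=$(ip_to_int "$1"); b=$(ip_to_int "$3")
  m=$(( $(ip_to_int "$2") & $(ip_to_int "$4") ))
  [ $(( a & m )) -eq $(( b & m )) ]
}

# conf_args CONF DIRECTIVE: prints the arguments of the first matching directive, trailing comment stripped.
conf_args() {
  awk -v k="$2" '$1 == k { sub(/#.*/, ""); sub(/^[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# pushed_routes CONF: prints "NET MASK" for every push "route NET MASK" line.
pushed_routes() {
  sed -n 's/^push[[:space:]]*"route[[:space:]]*\([0-9.]*\)[[:space:]]*\([0-9.]*\)".*/\1 \2/p' "$1"
}

# check_server_conf CONF BASEDIR: returns 0 when every ca/cert/key/dh file is readable and the
# client address pool does not overlap any pushed route (the LAN behind the server).
check_server_conf() {
  local conf="$1" base="$2" rc=0 d f path net mask rnet rmask
  for d in ca cert key dh; do
    f=$(conf_args "$conf" "$d")
    if [ -z "$f" ]; then echo "missing directive: $d" >&2; rc=1; continue; fi
    case "$f" in /*) path="$f" ;; *) path="$base/$f" ;; esac   # relative paths resolve against --cd
    [ -r "$path" ] || { echo "$d: $path is missing or unreadable" >&2; rc=1; }
  done
  set -- $(conf_args "$conf" server)
  net="${1:-}"; mask="${2:-}"
  if [ -z "$net" ] || [ -z "$mask" ]; then echo "missing directive: server NET MASK" >&2; return 1; fi
  while read -r rnet rmask; do
    [ -n "$rnet" ] || continue
    if subnets_overlap "$net" "$mask" "$rnet" "$rmask"; then
      echo "address pool $net/$mask overlaps pushed route $rnet/$rmask" >&2; rc=1
    fi
  done <<EOF
$(pushed_routes "$conf")
EOF
  return "$rc"
}

# Stand-alone usage on the server from the notes:
#   ./check_server_conf.sh /etc/openvpn/server/server.conf /etc/openvpn
if [ $# -ge 1 ]; then check_server_conf "$1" "${2:-/etc/openvpn}"; fi
```

Run it after the cp commands above and before systemctl start; a non-zero exit with a message on stderr means OpenVPN would either fail to start or hand clients addresses that collide with the LAN they are supposed to reach.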

4.4 Client configuration file

1) Windows

#Windows
C:\Program Files\OpenVPN\config
oldboylinux.cn      #directory, one per VPN server
   ca.crt           #CA certificate
   client.crt       #client certificate
   client.key       #client private key
   client.ovpn      #client configuration file, the equivalent of client.conf (.ovpn = OpenVPN profile)
   
lidaoav.com         #directory  
   ca.crt   
   client.crt 
   client.key   
   client.ovpn      #client.conf
   
#client.ovpn  
[root@openvpn-client ~]# cat /etc/openvpn/client.ovpn
client                  #this instance is a client
dev tun                 #use a tun (routed) tunnel
proto udp               #carry the tunnel over UDP
remote 10.0.0.61 1194   #OpenVPN server IP address and port
resolv-retry infinite   #keep retrying after a disconnect; very useful on unstable networks
nobind                  #do not bind to a fixed local port
ca ca.crt               #path to the CA certificate
cert client.crt         #path to this client's certificate
key client.key          #path to this client's private key
verb 3                  #log verbosity, 0-9; higher is more detailed
persist-key             #after a keepalive timeout restart, keep the keys read the first time instead of re-reading them

#client log
MANAGEMENT:>STATE:1622455496,ASSIGN_IP,,10.8.0.6,,,,  #IP address assigned to the client

C:\WINDOWS\system32\route.exe ADD 172.16.1.0 MASK 255.255.255.0 10.8.0.5  #the pushed route: to reach 172.16.1.0/24 the client sends traffic via 10.8.0.5
Route addition via service succeeded
C:\WINDOWS\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.5

#give the client access to the site's internal network: return route on the internal server
route add -net 10.8.0.0/24 gw 172.16.1.61

tcpdump -i eth1   -nn   icmp   #capture on the internal interface
IP 10.8.0.6 > 172.16.1.51: ICMP echo request, id 1,seq 1094, length 40 # request
IP 172.16.1.51 > 10.8.0.6: ICMP echo reply, id 1,seq 1094, length 40   # reply

After-class exercise: capture an HTTP request with tcpdump.


#capture and show on the command line
tcpdump -nnn -vvv -i eth0 -i eth1 -i tun0 icmp
#capture and save to a file
tcpdump -nnn -vvv -i eth0 -i eth1 -i tun0 icmp -w lidao.pcap
  • request goes out and the reply comes back

  • request goes out but no reply comes back (how to fix this?)


2) Linux

#client.conf

[root@openvpn-client ~]# cat /etc/openvpn/client/client.conf
client                  #this instance is a client
dev tun                 #use a tun (routed) tunnel
proto udp               #carry the tunnel over UDP
remote 10.0.0.61 1194   #OpenVPN server IP address and port
resolv-retry infinite   #keep retrying after a disconnect; very useful on unstable networks
nobind                  #do not bind to a fixed local port
ca ca.crt               #path to the CA certificate (relative to /etc/openvpn)
cert client/client.crt         #path to this client's certificate
key client/client.key          #path to this client's private key
verb 3                  #log verbosity, 0-9; higher is more detailed

#edit the systemd unit
[root@m01 ~]# cat /usr/lib/systemd/system/openvpn@.service
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target

[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i/%i.conf  #add %i: this is the only line to change
#%i stands for server or client (the instance name after @)

[Install]
WantedBy=multi-user.target
[root@m01 ~]# systemctl daemon-reload

#start
systemctl enable openvpn@client
systemctl start openvpn@client

[root@web01 /etc/openvpn/client]# vim client.conf
[root@web01 /etc/openvpn/client]# systemctl enable openvpn@client
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@client.service to /usr/lib/systemd/system/openvpn@.service.
[root@web01 /etc/openvpn/client]# systemctl start openvpn@client

[root@web01 /etc/openvpn/client]# ss -lntup |grep openvpn
udp   UNCONN     0      0         *:53641        *:*         users:(("openvpn",pid=12573,fd=3))
[root@web01 /etc/openvpn/client]# ps -ef |grep open
root      12573      1  0 15:09 ?        00:00:00        /usr/sbin/openvpn --cd /etc/openvpn/ --config client/client.conf
root      12618  12387  0 15:10 pts/0    00:00:00        grep --color=auto open
[root@web01 /etc/openvpn/client]# ip a s tun0
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP>mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
   link/none
   inet 10.8.0.10 peer 10.8.0.9/32 scope global tun0
       valid_lft forever preferred_lft forever
   inet6 fe80::bc30:98ac:b3af:68/64 scope link flags 800
       valid_lft forever preferred_lft forever

5. Reaching the server's internal network through OpenVPN

5.1 Configuration

  • request goes out but no reply comes back (how to fix this?)

  • check with a packet capture on db01
#m01: enable kernel IP forwarding
echo 'net.ipv4.ip_forward = 1' >>/etc/sysctl.conf
[root@m01 ~]# sysctl -p
net.ipv4.ip_forward = 1


  • add the route
#db01: add the return route to the VPN address pool via m01
route add -net 10.8.0.0/24 gw 172.16.1.61


  • verify
ssh root@172.16.1.51


5.2 Summary

  • OpenVPN access to the server LAN:

    • enable kernel IP forwarding on the OpenVPN server
    • configure the route rule on the internal servers (to make it permanent, write the command into /etc/rc.local)
  • Solution 01: run the route-add command on all internal servers in bulk and make it permanent

  • Solution 02: make the OpenVPN server the LAN's gateway

  • Solution 03: via firewall configuration

6. OpenVPN encryption/authentication

Per-user credentials:
  • Server
    • ca.crt
    • server.key
    • server.crt
  • Client: 张三 (zhangsan)
    • ca.crt
    • zhangsan.key
    • zhangsan.crt
    • zhangsan.ovpn
  • Client: 托马斯-gao (tomcat-gao)
    • ca.crt
    • tomcat-gao.key
    • tomcat-gao.crt
    • tomcat-gao.ovpn
  • Client: xuediankaifa-li
#openvpn server
1. First configure the server to support password authentication:
[root@web01 ~]# vim /etc/openvpn/server.conf       
#add these 3 lines to the server configuration file
script-security 3                                   #allow OpenVPN to run a custom script
auth-user-pass-verify /etc/openvpn/check.sh via-env #the authentication script; via-env hands it the username and password as environment variables
username-as-common-name                             #use the supplied username as the client's common name (username/password login)

2. Write the /etc/openvpn/check.sh script
[root@m01 ~]# cat /etc/openvpn/check.sh
#!/bin/sh
#desc: openvpn user check script
#author: by oldboylinux
###########################################################
PASSFILE="/etc/openvpn/openvpnfile"      #password file: one "username password" pair per line, passwords in clear text
LOG_FILE="/var/log/openvpn-password.log" #login log (note: on failures this script also writes the supplied password into it)
TIME_STAMP=$(date "+%Y-%m-%d %T")
#with "auth-user-pass-verify ... via-env", OpenVPN passes the credentials as $username and $password
if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi

#look up this user's password, skipping comment lines that start with ; or #
#the username is passed to awk with -v so it is matched as data, not parsed as awk code
CORRECT_PASSWORD=$(awk -v u="${username}" '!/^;/ && !/^#/ && $1 == u {print $2; exit}' "${PASSFILE}")

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist:username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
  exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi
echo "${TIME_STAMP}: Incorrect password:username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
exit 1

3. Set permissions
chmod 700 /etc/openvpn/check.sh

4. Create users
cat > /etc/openvpn/openvpnfile<<EOF
oldboy 1
lidao 1
EOF

5. Restart the server
#openvpn client: add this line to the client configuration
auth-user-pass
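The check.sh above keeps the passwords in clear text and writes the password a client sent into the log on every failed attempt, so anyone who can read the password file or the log has every user's VPN credentials. As an added example (my script, not the one from the notes), here is a drop-in replacement for the same auth-user-pass-verify ... via-env hook: the file stores salted SHA-512-crypt hashes produced by openssl passwd -6, the username is matched as data rather than spliced into the awk program, and only the username is logged. It assumes OpenSSL 1.1.1 or newer for openssl passwd -6; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not the check.sh from the notes: same auth-user-pass-verify contract (with "via-env"
# OpenVPN exports $username and $password), but the password file stores salted SHA-512-crypt hashes
# made with "openssl passwd -6" instead of clear-text passwords, and passwords never reach the log.
# Assumes OpenSSL 1.1.1 or newer. File format: "username hash", one per line; lines starting with # or ; are comments.
set -u

PASSFILE="${PASSFILE:-/etc/openvpn/openvpnfile}"
LOG_FILE="${LOG_FILE:-/var/log/openvpn-password.log}"

log() { echo "$(date '+%Y-%m-%d %T'): $*" >> "$LOG_FILE"; }

# hash_password PASSWORD: prints a fresh "$6$salt$hash" string to store in PASSFILE next to the username.
# The password goes in on stdin so it does not show up in the process list.
hash_password() {
  printf '%s\n' "$1" | openssl passwd -6 -stdin
}

# stored_hash FILE USER: prints the stored hash for USER (empty if unknown), skipping comment lines.
# The username is handed to awk with -v, so it is compared as data and never parsed as awk code.
stored_hash() {
  awk -v u="$2" '!/^[;#]/ && $1 == u { print $2; exit }' "$1"
}

# verify_password FILE USER PASSWORD: succeeds only if PASSWORD re-hashes to USER's stored hash.
# Re-hashing with the stored salt (field 3 of $6$salt$hash) reproduces the stored string on a match.
verify_password() {
  local stored salt computed
  stored=$(stored_hash "$1" "$2")
  [ -n "$stored" ] || return 1
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  computed=$(printf '%s\n' "$3" | openssl passwd -6 -salt "$salt" -stdin)
  [ "$computed" = "$stored" ]
}

# Entry point used by OpenVPN: exit 0 accepts the client, anything else rejects it.
main() {
  if [ ! -r "$PASSFILE" ]; then
    log "Could not open password file \"$PASSFILE\" for reading."
    exit 1
  fi
  if verify_password "$PASSFILE" "$username" "$password"; then
    log "Successful authentication: username=\"$username\"."
    exit 0
  fi
  # one message for both "unknown user" and "wrong password", and no password in the log
  log "Authentication failed: username=\"$username\"."
  exit 1
}

# Run the check only when OpenVPN invoked us with credentials; otherwise just define the functions.
if [ -n "${username:-}" ] && [ -n "${password:-}" ]; then main; fi
```

To add a user, append a line such as "oldboy $(hash_password 'the-password')" to /etc/openvpn/openvpnfile (source the script first to get the function), keep that file mode 600 and owned by the user OpenVPN runs the script as, and keep the script-security 3 line from step 1 so that via-env is allowed. A stolen copy of the file now yields only salted hashes, and the log never contains a password typed by mistake into the wrong field.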

7. OpenVPN wrap-up

  • connect to a single machine through OpenVPN and access its web service
  • connect through OpenVPN and access the site's internal network (LAN)