Setting up OpenVPN with certificate encryption and username/password two-factor login
NAT traversal is usually something only routers support, but OpenVPN supports it as well: to run OpenVPN behind NAT you only need a single port mapping on the router. OpenVPN also encrypts the data channel with certificates, which puts it far ahead of PPTP VPN in security. However, an OpenVPN client connects to the server with nothing more than a double-click, which feels insecure, so OpenVPN can be configured to require both a certificate and a username/password to log in. To disable a user's account, simply delete their record from the password file; likewise, to add a user, the same client certificate can be reused and only a username/password record has to be added.
1. Before you begin, set up the OpenVPN server and client:
Environment: CentOS Linux release 7.3.1611 (Core) + OpenVPN 2.4.3 x86_64
# Local time sync: point ntpd at one server and delete the other time server entries
yum install -y ntp
sed -i "s/server 0.centos.pool.ntp.org iburst/server cn.pool.ntp.org iburst/" /etc/ntp.conf
sed -i "22,24d" /etc/ntp.conf
systemctl disable chronyd.service
systemctl stop chronyd.service
systemctl enable ntpd.service
systemctl start ntpd.service
ntpdate asia.pool.ntp.org && hwclock -w
#ntpdate time.windows.com && hwclock -w
# Update the time over the network; on success write the system time to the BIOS
# with hwclock -w (or hwclock --systohc). This can also go in crontab.

# OpenVPN server deployment
yum install epel-release
yum install openvpn lzo-devel easy-rsa -y
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
cp -R /usr/share/easy-rsa/ /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0/

# egrep -v '^$|^#' vars
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="gd"
export KEY_CITY="sz"
export KEY_ORG="company"
export KEY_EMAIL="email@company.com"
export KEY_OU="company"
export KEY_NAME="server"

source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
./build-key client
# The generated ca.crt, server.crt, server.key and dh2048.pem land in $KEY_DIR and must be
# copied to /etc/openvpn, where server.conf below expects them. The ta.key referenced by
# tls-auth is created with: openvpn --genkey --secret /etc/openvpn/ta.key

# egrep -v '^;|^#|^$' /etc/openvpn/server.conf
local 192.168.1.254
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.10.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.253"
push "dhcp-option DNS 114.114.114.114"
client-to-client
keepalive 10 120
tls-auth ta.key 0  # This file is secret
cipher AES-256-CBC
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
mute 20
# Check whether iptables is installed
service iptables status
# Install iptables
yum install -y iptables
# Upgrade iptables (not needed if the latest version was just installed)
yum update iptables
# Install iptables-services
yum install iptables-services
# Disable/stop the default firewalld service
systemctl stop firewalld
systemctl mask firewalld
# Configure iptables
iptables -L -n
# Accept everything first, otherwise you may lock yourself out
iptables -P INPUT ACCEPT
iptables -F
iptables -X
iptables -Z
# Forwarding between tun0 and ens160 also requires net.ipv4.ip_forward = 1 (sysctl)
iptables -t nat -A POSTROUTING -o ens160 -j SNAT --to 192.168.1.254
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i ens160 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o ens160 -j ACCEPT
iptables -A FORWARD -s 10.10.10.0/24 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
service iptables save
service iptables restart
2. Client configuration:
# client.ovpn
client
dev tun
proto udp
remote 192.168.1.12 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
Merge the three files (.ca, .crt and .key) into the main configuration file:
Delete the following three lines from the main configuration file
ca ca.crt
cert test1.crt
key test1.key
Add the following to the configuration file
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
Copy the contents of the .ca file between <ca> </ca>
Copy the .crt and .key contents into their corresponding tags
Finally, add the following to the configuration file:
auth-user-pass
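The merge described in the steps above, automated as an added example (not code from the original post): it removes the file-based directives, inlines the PEM material and appends auth-user-pass. It goes one step beyond the post by also inlining ta.key, which in inline form needs "key-direction 1" instead of the trailing "1" of "tls-auth ta.key 1"; the demo inputs are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: build a single-file client profile from client.ovpn plus
# ca.crt/client.crt/client.key/ta.key (step 2 above). Not from the original post.

# emit_block <tag> <file>: wrap the file in <tag>...</tag>, keeping the closing
# tag on its own line even when the file has no final newline.
emit_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    [ -z "$(tail -c1 "$2")" ] || echo
    printf '</%s>\n' "$1"
}

# build_inline_ovpn <client.ovpn> <ca.crt> <client.crt> <client.key> <ta.key>
# Writes the unified profile to stdout; returns 1 if any input is unreadable.
build_inline_ovpn() {
    for f in "$@"; do
        [ -r "$f" ] || { echo "unreadable input: $f" >&2; return 1; }
    done
    # Keep every directive except the four that point at external files.
    grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$1"
    emit_block ca "$2"
    emit_block cert "$3"
    emit_block key "$4"
    emit_block tls-auth "$5"
    echo "key-direction 1"
    echo "auth-user-pass"
}

# demo: constructed inputs (placeholder PEM bodies, not real keys) in a temp
# dir; prints the path of the generated profile. Run: . ./build.sh && demo
demo() {
    d=$(mktemp -d)
    cat >"$d/client.ovpn" <<'EOF'
client
remote 192.168.1.12 1194
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
EOF
    for f in ca.crt client.crt client.key ta.key; do
        printf -- '-----BEGIN PLACEHOLDER-----\nCONSTRUCTED\n-----END PLACEHOLDER-----' >"$d/$f"
    done
    (cd "$d" && build_inline_ovpn client.ovpn ca.crt client.crt client.key ta.key) >"$d/client-inline.ovpn"
    echo "$d/client-inline.ovpn"
}
```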
3. Edit the OpenVPN server's main configuration file and add the following lines, which make login require both a certificate and a username/password:
script-security 2 # Allow calling of built-in executables and user-defined scripts
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-file
4. Add the account/password authentication script:
cat /etc/openvpn/checkpsw.sh
#!/bin/sh
###########################################################
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one colon(:) and then the password.
# With "auth-user-pass-verify ... via-file", OpenVPN passes the path of a
# temporary file as $1: line 1 is the username, line 2 the password.
# LOG_FILE must be writable by the user OpenVPN drops to (user nobody above).
PASSFILE="/etc/openvpn/pass_file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%F %T"`
###########################################################
username=`head -1 "$1"`
password=`tail -1 "$1"`

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >>${LOG_FILE}
  exit 1
fi

# Hand the username to awk with -v instead of splicing it into the program text,
# so quotes or other metacharacters in a submitted username cannot alter the program.
CORRECT_PASSWORD=`awk -F ":" -v u="${username}" '!/^;/ && !/^#/ && $1==u {print $2; exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  # Log the username only; the submitted password is never written to the log.
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >>${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> ${LOG_FILE}
exit 1
5. Prepare the username/password file: one record per line, username and password separated by a colon (the delimiter the script above splits on), and make sure the user OpenVPN runs as can read the file:
# cat pass_file
test1:123456
test2:12345678
# chmod 400 pass_file
# chown nobody.nobody pass_file
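Adding and removing users by editing pass_file, as the introduction describes, is easy to get subtly wrong; this added example (not from the original post) does it with validation and an atomic replace. The function names and the 32-character username limit are this example's own choices.

```shell
#!/bin/sh
# Added example: maintain the colon-separated pass_file from step 5 without
# hand-editing it. Usernames are limited to [A-Za-z0-9._-]; passwords may not
# contain ":" (the script's -F ":" split would truncate them) or a newline;
# duplicates are refused; the file is swapped in atomically with mode 400.
# Re-apply the chown from step 5 if you run this as a different user.

valid_username() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]{1,32}$'; }

# passfile_has_user <pass_file> <user>: 0 if an uncommented record exists
passfile_has_user() {
    awk -F: -v u="$2" '!/^[;#]/ && $1==u {found=1; exit} END {exit !found}' "$1"
}

# replace_passfile <pass_file> <tmpfile>: atomic swap, keeping mode 400
replace_passfile() { chmod 400 "$2" && mv -f "$2" "$1"; }

# passfile_add <pass_file> <user> <password>: 2 on bad input, 1 if user exists
passfile_add() {
    f="$1"; u="$2"; p="$3"
    nl=$(printf '\nx'); nl=${nl%x}
    valid_username "$u" || { echo "invalid username: $u" >&2; return 2; }
    case "$p" in
        "") echo "empty password refused" >&2; return 2 ;;
        *:*|*"$nl"*) echo "password may not contain ':' or newline" >&2; return 2 ;;
    esac
    passfile_has_user "$f" "$u" && { echo "user exists: $u" >&2; return 1; }
    tmp=$(mktemp "$f.XXXXXX")
    # Append the record, first adding a newline if the file lacks a final one
    { cat "$f"; [ -z "$(tail -c1 "$f")" ] || echo; printf '%s:%s\n' "$u" "$p"; } >"$tmp"
    replace_passfile "$f" "$tmp"
}

# passfile_del <pass_file> <user>: drop the record; 1 if it was not present
passfile_del() {
    f="$1"; u="$2"
    passfile_has_user "$f" "$u" || return 1
    tmp=$(mktemp "$f.XXXXXX")
    awk -F: -v u="$u" '!(!/^[;#]/ && $1==u)' "$f" >"$tmp"
    replace_passfile "$f" "$tmp"
}
```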
