server.conf 配置文件
# OpenVPN server configuration as listed on the page (directives unchanged,
# review comments added).
# NOTE(review): no "key" directive appears in this listing. OpenVPN refuses
# to start without the server's private key, so it was presumably left out
# when the page was written — confirm it is present and that the key file is
# readable by root only (mode 0600).
local 192.168.80.253
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Pushing the VPN subnet itself is most likely redundant: "server" with
# "topology subnet" already gives clients an interface in 10.8.0.0/24.
push "route 10.8.0.0 255.255.255.0"
keepalive 10 120
# Compression of traffic that mixes attacker-controlled and secret data
# enables VORACLE-style plaintext recovery; OpenVPN deprecates comp-lzo.
# It must be removed on both peers at once (the client config on this page
# also sets comp-lzo), otherwise the tunnel fails to decode packets.
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
# Not needed for a single /24; deprecated in 2.4 and, as far as I recall,
# removed in 2.5 — remove it before upgrading.
max-routes 1000000
# "via-env" hands the clear-text username AND password to the helper through
# its process environment. That is why "script-security 3" is required below,
# and it means anything able to read the helper's environment (e.g. other
# local users on platforms that expose process environments) can read the
# password. "via-file" is the safer method if the helper is adapted to it.
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
script-security 3
# Client certificates are not checked at all: anyone who obtains ca.crt plus a
# valid username/password can connect. This spelling is deprecated; 2.4 uses
# "verify-client-cert none" and 2.5 dropped "client-cert-not-required".
client-cert-not-required
# NOTE(review): things this server.conf does not do — it keeps the daemon as
# root (no user/group; the checkpsw.sh helper and the 0400 psw-file depend on
# that), it adds no tls-auth/tls-crypt HMAC on the control channel, and it
# sets no cipher/data-ciphers, so the data-channel cipher is whatever the
# client's "cipher" line (BF-CBC in the client config below) negotiates.
用户验证脚本checkpsw.sh
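#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# OpenVPN --auth-user-pass-verify helper (method "via-env").
# Authenticates a user against a plain-text password file:
# one row per user, the username first, then one or more
# spaces or tabs, then the password. Rows beginning with ';'
# or '#' are comments. Only the first matching row counts.
#
# Inputs:  environment variables "username" and "password",
#          set by OpenVPN (requires "script-security 3").
# Exit:    0 = accept the login, 1 = reject (or file unreadable).
#
# Changes versus the original helper:
#  * the username is no longer spliced into the awk program text;
#    a client-chosen name could inject awk code (awk has system()),
#    and this script runs with OpenVPN's privileges (root in the
#    accompanying server.conf).
#  * passwords are never written to the log file.
#  * all expansions are quoted.
#
# NOTE(review): the store is still clear text and the password
# still transits the process environment; for anything beyond a
# lab, switch to "via-file" and a hashed credential store.
###########################################################
PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn/openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")

# Append one timestamped line to the auth log.
# Never pass a password here: the log is not a credential store.
auth_log() {
    printf '%s: %s\n' "${TIME_STAMP}" "$1" >> "${LOG_FILE}"
}

if [ ! -r "${PASSFILE}" ]; then
    auth_log "Could not open password file \"${PASSFILE}\" for reading."
    exit 1
fi

# An empty username would compare equal to $1 of blank lines; reject it early.
if [ -z "${username}" ]; then
    auth_log "Empty username rejected."
    exit 1
fi

# Look the user up. The username is read by awk from ENVIRON (it is already
# in the environment) and compared as a string, so no client-supplied
# characters ever become part of the awk program. Comment rows are skipped.
CORRECT_PASSWORD=$(awk '!/^;/ && !/^#/ && $1 == ENVIRON["username"] { print $2; exit }' "${PASSFILE}")

if [ -z "${CORRECT_PASSWORD}" ]; then
    auth_log "User does not exist: username=\"${username}\"."
    exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    auth_log "Successful authentication: username=\"${username}\"."
    exit 0
fi

auth_log "Incorrect password: username=\"${username}\"."
exit 1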
创建用户名密码文件
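# Install the auth helper at the path server.conf's auth-user-pass-verify
# line points to (/etc/openvpn/checkpsw.sh) and make it executable.
cp /root/checkpsw.sh /etc/openvpn/
chmod +x /etc/openvpn/checkpsw.sh
# Directory and file for the helper's auth log. Restrict the log to root:
# it records every login attempt by username (and, with the original
# checkpsw.sh, the clear-text password on failures), so it must not be
# world-readable, which a plain "touch" under the default umask would allow.
mkdir -p /var/log/openvpn
touch /var/log/openvpn/openvpn-password.log
chmod 600 /var/log/openvpn/openvpn-password.log
# Credential store: one "username password" pair per line, clear text.
# Mode 0400 leaves it readable only by its owner (root). That works here
# because this server.conf runs OpenVPN as root; if user/group are later
# added to drop privileges, the helper and this file must become readable
# by that account. "123456" is a demo value only — use a strong password.
echo "test 123456" >>/etc/openvpn/psw-file
chmod 400 /etc/openvpn/psw-file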
[root@openvpn ~]# ll /etc/openvpn/psw-file
-r-------- 1 root root 12 Sep 21 02:35 /etc/openvpn/psw-file
[root@openvpn ~]# cat /etc/openvpn/psw-file
test 123456
客户端配置文件
# OpenVPN client configuration as listed on the page (directives unchanged,
# review comments added).
client
dev tun
proto tcp
# NOTE(review): "22.118" is not a complete host or IPv4 address as printed —
# presumably redacted or truncated on the page; put the server's real
# address here.
remote 22.118 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# BF-CBC is Blowfish with a 64-bit block: vulnerable to SWEET32 on long-lived
# tunnels and no longer accepted by default in OpenVPN 2.5+. Move to an AEAD
# cipher (AES-256-GCM, "data-ciphers" on 2.5+) on server and client together;
# the server config on this page sets no cipher at all, so this line decides.
cipher BF-CBC
# NOTE(review): the embedded CA certificate looks garbled in this listing
# (base64 lines of uneven length in the middle of the block); copy ca.crt
# from the easy-rsa output instead of this text.
<ca>
-----BEGIN CERTIFICATE-----
MIIDNTCCAh2gAwIBAgIJAPS/9Ra9NSXxMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
BAMMC0Vhc3ktUlNBIENBMB4XDTI0MDQwNzAzMTUwOVoXDTM0MDQwNTAzMTUwOVow
FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDBO9AObFz3FRDqq34Ha5KJuhWbc4/0B3lCytWbguwaRJbGnnkg2W2n
hf7y8PnUWym2OCXihmqgOdjUaAFtpjGRYcjs2WYUmy99H7zIRrXk6BdTww2tOmog
MSPPOkKw52xhIeak4on74zEg8FplIsz86uLyZyRNp/+p1ce0uGlOxNS8TxXzIm74
k4py/aiDfzQy+P0Zca6xmNcLtyk9TvhgMkL0zV1LbYUs9S6JQL2srWLNrkruDl00
o6OKMD2AFGrI7QjndihzX+9Brfiygmpx
DUfToRqkGNhHwuaQmfIkc/oO6eLIbVXm0g0h4HkemMhSCD
CpHyUxw6tWk5qIPCOrPktpo2LLjO6E7TVYdjHk865fRo+C4Ja9F/pdmiwUC55lcY
CMewLtSk6qwNQdOzmHxH23u1Gm9A105sY1rOeGjf+ggl8jKrMsffSv0o8OOMpSo4
PcWgIFCBK3Gj+JEQQaXJ4HtHlsbJEla36h5K8IvhqOLIl6Y1TOHPAoBqsh+ct0cR
UmNptjVdOkLKtXbCG/UVDQJPwz5jufe6ywrScq0omZGUTe6EfJj99pc0BoT7Z1hp
usu3N/htTi2h
-----END CERTIFICATE-----
</ca>
# ns-cert-type checks the legacy Netscape cert-type extension; it is
# deprecated (2.4) and gone in 2.5. "remote-cert-tls server" is the
# replacement and needs server certificates issued with the easy-rsa server
# profile (extended key usage). Keeping some server check is important here
# because the server does not verify client certificates at all.
ns-cert-type server
verb 3
# Prompts for username/password at connect time; the server validates them
# with /etc/openvpn/checkpsw.sh against a clear-text file.
auth-user-pass
status openvpn-status.log
log-append openvpn.log
# Compression is deprecated (VORACLE); remove on both peers at the same
# time as the matching comp-lzo line in server.conf.
comp-lzo