安装OpenVPN并基于MySQL认证

Sakura 发布于 2024-08-23 915 次阅读


AI 摘要

本文介绍了如何安装OpenVPN并基于MySQL进行认证。首先,安装必要的依赖项和Lib,并从源码中编译OpenVPN。接着,通过EasyRSA工具配置证书,包括初始化PKI、创建CA、服务器和客户端证书等。然后,创建OpenVPN服务器的配置文件,设置必要的参数,如IP地址、端口、证书路径等。接下来,配置iptables以允许流量并启用IPv4转发,确保网络正常运作。最后,启动OpenVPN服务并提供客户端配置示例,包括远程服务器信息和CA证书内容。

安装依赖

# Build prerequisites for compiling OpenVPN from source (yum-based CentOS/RHEL 7 host).
# pam-devel is what lets the auth-pam plugin (copied later from src/plugins/auth-pam) get built.
yum -y install gcc lzo-devel pam-devel epel-release

# Development headers for the features OpenVPN's configure probes for (netlink, capabilities, TLS, LZ4).
yum -y install libnl3-devel libcap-ng-devel openssl-devel lz4-devel

基于源码的方式安装

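# Fetch the OpenVPN 2.6.12 source release.
wget https://swupdate.openvpn.org/community/releases/openvpn-2.6.12.tar.gz

# Verify the tarball before building. Take the SHA-256 value (or use the .asc signature) from the
# OpenVPN release page itself, replace the placeholder, and stop here if the check prints FAILED.
echo "<SHA256-FROM-OPENVPN-RELEASE-PAGE>  openvpn-2.6.12.tar.gz" | sha256sum -c -

tar xf openvpn-2.6.12.tar.gz

cd openvpn-2.6.12

# Install into a dedicated prefix. --disable-dco leaves out Data Channel Offload (kernel module)
# support, so this is a plain userspace OpenVPN build.
./configure --prefix=/data/software/openvpn --disable-dco

# Parallel build, then install under the prefix above.
make -j"$(nproc)" && make install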

配置证书

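# Fetch EasyRSA 3.2.0 and verify it against the checksum published on its release page
# (replace the placeholder; stop if the check prints FAILED).
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.2.0/EasyRSA-3.2.0.tgz
echo "<SHA256-FROM-EASYRSA-RELEASE-PAGE>  EasyRSA-3.2.0.tgz" | sha256sum -c -

tar xf EasyRSA-3.2.0.tgz

cd EasyRSA-3.2.0

# Fresh PKI directory.
./easyrsa --batch init-pki

# 'nopass' leaves the CA private key unencrypted on disk. Drop it and use a passphrase if the CA
# has to live on the VPN host itself.
./easyrsa --batch build-ca nopass

# Server and client certificates with the 10-year validity used in the original setup.
./easyrsa --batch --days=3650 build-server-full server nopass

./easyrsa --batch --days=3650 build-client-full client nopass

# CRL consumed by 'crl-verify' in server.conf. Regenerate it after every revoke and before it
# expires, otherwise the server refuses every client.
./easyrsa --batch --days=3650 gen-crl

./easyrsa gen-dh

# tls-crypt key shared by the server and every client (embedded in client.ovpn).
/data/software/openvpn/sbin/openvpn --genkey secret tc.key

mkdir -p /data/software/openvpn/config

# Copy only what the server and the client profile need. The CA private key (pki/private/ca.key)
# deliberately stays in the EasyRSA pki directory: server.conf never references it, and a
# compromised VPN host must not be able to issue new certificates.
cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/crl.pem tc.key pki/dh.pem pki/issued/client.crt pki/private/client.key /data/software/openvpn/config

# Private keys and the tls-crypt key are secrets; OpenVPN reads them as root before dropping privileges.
chmod 600 /data/software/openvpn/config/server.key /data/software/openvpn/config/client.key /data/software/openvpn/config/tc.key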

创建服务端配置文件

# Create the server configuration; the file contents follow.
vim /data/software/openvpn/config/server.conf
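# Bind only to this address; replace with the server's own LAN IP.
local 192.168.31.132
port 1194
proto tcp
dev tun
ca /data/software/openvpn/config/ca.crt
cert /data/software/openvpn/config/server.crt
key /data/software/openvpn/config/server.key
dh /data/software/openvpn/config/dh.pem
auth SHA512
# Encrypts and authenticates every control-channel packet with the shared tc.key; clients must
# carry the same key in their <tls-crypt> block.
tls-crypt /data/software/openvpn/config/tc.key
# Declared once (the original file repeated this directive further down).
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
# Relative path, resolved against the daemon's working directory and written after the drop to
# 'nobody' -- presumably needs a writable absolute path; verify in server.log.
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.0.0"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 114.114.114.114"
push "block-outside-dns"
keepalive 10 120
# Drop privileges after start-up; persist-key/persist-tun let restarts work without re-reading
# the keys or re-opening the tun device as root.
user nobody
group nobody
persist-key
persist-tun
verb 3
# Revoked client certificates are refused as long as crl.pem is kept current.
crl-verify /data/software/openvpn/config/crl.pem
# Clients can reach each other through the tunnel (LAN-over-VPN between sites).
client-to-client
# 'log' and 'log-append' both named this same file in the original; only the appending form is
# kept. The logs directory must exist before the daemon starts.
log-append /data/software/openvpn/logs/server.log
status /data/software/openvpn/logs/status.log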

配置iptables及ipv4转发

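# Firewall rules. firewalld is stopped first so it does not compete with the raw iptables rules below.
systemctl stop firewalld
systemctl disable firewalld
# NAT the VPN subnet out through the uplink. The subnet must match 'server' in server.conf and
# ens192 must be this host's real outbound interface.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens192 -j MASQUERADE

iptables -L -t nat

# Persist the rules. With firewalld disabled, /etc/sysconfig/iptables is only reloaded at boot by the
# 'iptables' service from iptables-services, so install and enable it or the NAT rule is lost on reboot.
yum -y install iptables-services
iptables-save > /etc/sysconfig/iptables
systemctl enable iptables

# NOTE(review): with firewalld gone and the filter table untouched, every listening service on this
# host is now reachable from the network; add INPUT rules for what should actually be exposed.

# Enable IPv4 forwarding persistently (replace any existing line instead of appending duplicates)
# and apply it immediately -- without 'sysctl -p' it only takes effect after a reboot.
sed -i '/^net\.ipv4\.ip_forward/d' /etc/sysctl.conf
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p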

启动服务端

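# server.conf writes to /data/software/openvpn/logs, which nothing above creates; OpenVPN exits at
# start-up if it cannot open its log file.
mkdir -p /data/software/openvpn/logs

# Start as root (it drops to nobody/nobody per server.conf) and detach into the background.
/data/software/openvpn/sbin/openvpn --daemon --config /data/software/openvpn/config/server.conf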

客户端配置

client.ovpn
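client
dev tun
proto tcp
# Server address and port; must match 'local' and 'port' in server.conf.
remote 192.168.31.132 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a server certificate issued for server use by our CA, so another client
# certificate from the same CA cannot pose as the server.
remote-cert-tls server
auth SHA512
# block-outside-dns is a Windows-only option; this keeps other platforms from rejecting it when pushed.
ignore-unknown-option block-outside-dns
verb 3
# Taken from ca.crt
<ca>
-----BEGIN CERTIFICATE-----
<CONTENTS OF ca.crt>
-----END CERTIFICATE-----
</ca>
# Taken from client.crt
<cert>
-----BEGIN CERTIFICATE-----
<CONTENTS OF client.crt>
-----END CERTIFICATE-----
</cert>
# Taken from client.key (a private key: keep this profile readable only by its owner)
<key>
-----BEGIN PRIVATE KEY-----
<CONTENTS OF client.key>
-----END PRIVATE KEY-----
</key>
# Taken from tc.key. This is a shared secret for the whole VPN: generate your own with
# 'openvpn --genkey secret tc.key'. The key printed in the original post is public and must not be reused.
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
<CONTENTS OF YOUR OWN tc.key>
-----END OpenVPN Static key V1-----
</tls-crypt>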

基于MySQL实现认证

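-- Prepare the database. MySQL's 'utf8' is the 3-byte utf8mb3; use utf8mb4 if user names may
-- contain characters outside the BMP.
CREATE DATABASE IF NOT EXISTS openvpn DEFAULT CHARSET utf8;

-- Dedicated least-privilege account for pam_mysql: it only reads the user table and appends to
-- the login log, so GRANT ALL is not needed (a PAM 'password' stack would additionally need
-- UPDATE on user). The password must be the same one written into /etc/pam.d/openvpn_mysql --
-- change both together. CREATE USER + GRANT also works on MySQL 8, where
-- 'GRANT ... IDENTIFIED BY' was removed.
CREATE USER 'openvpn'@'localhost' IDENTIFIED BY 'openvpn123456';
GRANT SELECT ON openvpn.user TO 'openvpn'@'localhost';
GRANT INSERT ON openvpn.login_log TO 'openvpn'@'localhost';

USE openvpn;

-- VPN accounts. 'active' is what the where= clause in the PAM config filters on (1 = may log in).
CREATE TABLE IF NOT EXISTS user (
    name     CHAR(100) NOT NULL,
    password CHAR(255) DEFAULT NULL,   -- MySQL PASSWORD()-style hash (pam_mysql crypt=2)
    active   INT(10)   NOT NULL DEFAULT 1,
    PRIMARY KEY (name)
);

-- Login log written by pam_mysql (sqllog=true); column names must match the log*column=
-- options in /etc/pam.d/openvpn_mysql. Column types kept as in the original setup.
CREATE TABLE IF NOT EXISTS login_log (
    msg   CHAR(254),
    user  CHAR(100),
    pid   CHAR(100),
    host  CHAR(100),
    rhost CHAR(100),
    time  CHAR(100)
);

-- First account. PASSWORD() produces the hash format crypt=2 expects (removed in MySQL 8,
-- still present in MariaDB). admin/admin is a placeholder to change before exposing the server.
INSERT INTO user (name, password) VALUES ('admin', PASSWORD('admin'));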

# Install the authentication pieces: PAM headers, SASL (saslauthd appears to serve only as a
# command-line test harness for the PAM stack; OpenVPN itself uses the auth-pam plugin) and a toolchain.
# NOTE(review): both RPMs below come from third-party repositories over plain HTTP; rpm only checks
# their signatures if the repository's GPG key has been imported first (rpm -K <file> shows the state).
rpm -Uvh http://www.nosuchhost.net/~cheese/fedora/packages/epel-7/x86_64/cheese-release-7-1.noarch.rpm

# pam_krb5 is not referenced anywhere in this setup -- presumably a leftover; verify before keeping it.
yum -y install pam_krb5 pam pam_devel gcc gcc-c++ cyrus-sasl autoconf

systemctl enable saslauthd

systemctl restart saslauthd

# Check whether pam_mysql is already present before installing it below.
ls /usr/lib64/security/pam_mysql.so

# pam_mysql module that backs /etc/pam.d/openvpn_mysql.
rpm -ivh http://repo.iotti.biz/CentOS/7/x86_64/pam_mysql-0.8.1-0.22.el7.lux.x86_64.rpm

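# PAM stack for service 'openvpn_mysql', used by testsaslauthd below and by the OpenVPN auth-pam
# plugin. Changes from the original:
#  - where= filters on user.active: the table created above is 'user', there is no 'vpnuser'
#  - the conflicting 'sqllog=0 ... sqllog=true' pair is reduced to the intended sqllog=true
#  - quoted heredoc so the shell expands nothing inside the PAM lines
# crypt=2 tells pam_mysql the password column holds MySQL PASSWORD() hashes, matching the INSERT above.
cat > /etc/pam.d/openvpn_mysql << 'EOF'
auth sufficient pam_mysql.so user=openvpn passwd=openvpn123456 host=localhost db=openvpn table=user usercolumn=name passwdcolumn=password [where=user.active=1] crypt=2 sqllog=true logtable=login_log logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=time
account required pam_mysql.so user=openvpn passwd=openvpn123456 host=localhost db=openvpn table=user usercolumn=name passwdcolumn=password [where=user.active=1] crypt=2 sqllog=true logtable=login_log logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=time
EOF
# The file carries the database password in clear text and PAM files are world-readable by default.
# Both readers here -- saslauthd and the auth-pam helper forked before OpenVPN drops to nobody --
# run as root (verify on your host), so root-only is enough.
chmod 600 /etc/pam.d/openvpn_mysql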

# Command-line check of the PAM stack: output '0: OK "Success."' means authentication succeeded.
# The password is passed on the command line (visible in shell history and the process list) --
# acceptable for the throw-away admin/admin test account, not for a real one.
testsaslauthd -u admin -p admin -s openvpn_mysql

server.conf配置中添加
# MySQL-backed username/password check via PAM; comment out if not needed. The trailing
# 'openvpn_mysql' is the PAM service name and must match the file name under /etc/pam.d/.
# Client certificates remain mandatory (server.conf has no verify-client-cert directive),
# so this adds a second factor rather than replacing certificate authentication.
plugin      /data/software/openvpn/config/openvpn-plugin-auth-pam.so openvpn_mysql

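# Add to client.ovpn:
# Legacy data-channel cipher kept for compatibility; a 2.6 client and server should still
# negotiate the server's default AES-GCM data ciphers and use CBC only as a fallback.
cipher AES-256-CBC
# Prompt for the username/password that pam_mysql checks on the server.
auth-user-pass
# Do not keep the credentials in memory across reconnects.
auth-nocache
# Dropped from the original: 'script-security 3' allows passwords to be handed to external
# scripts through the environment and this profile runs no scripts; 'key-direction 1' belongs
# to tls-auth, and this setup uses tls-crypt, which does not use a key direction.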