龙空技术网

Configuring username and password authentication for OpenVPN

IT生涯 1673


Installation and deployment:

CentOS 6.5

Software: download from the official site (FQ may be required)

Synchronise the system time

yum install chrony -y
service chronyd start && chronyc sources && chkconfig chronyd on

or

yum install ntpdate -y
crontab -e    # add the line: */1 * * * * /usr/sbin/ntpdate 0.rhel.pool.ntp.org > /dev/null 2>&1
service crond restart

Install the dependencies

yum install epel-release -y && echo "sslverify=false">>/etc/yum.conf
yum install openssl openssl-devel lzo lzo-devel pam pam-devel pam_mysql automake pkgconfig gcc gcc-c++

Install OpenVPN

cd /usr/local/src/
tar -zxvf openvpn-2.4.4.tar.gz
cd openvpn-2.4.4
./configure --prefix=/opt/openvpn
make && make install
cp -a sample/sample-config-files/server.conf /opt/openvpn/    # best kept under /opt/openvpn/
cp -a distro/rpm/openvpn.init.d.rhel /etc/init.d/openvpn      # create the init script
ln -s /opt/openvpn/sbin/openvpn /usr/sbin/openvpn    # used by the init script; can be skipped if you edit the path in the script instead
vi /etc/init.d/openvpn    # at line 85, change to: work=/opt/openvpn
cd /opt/openvpn/ && mv server.conf server.conf.bak
vi server.conf    # edit the configuration file; ';' starts a comment

port 1195                 # use port 1195
proto tcp                 # use TCP transport
dev tun                   # use a tun virtual interface (the other choice is tap)
ca keys/ca.crt            # path to the CA certificate
cert keys/server.crt      # path to the server certificate
key keys/server.key       # This file should be kept secret
dh keys/dh2048.pem
tls-auth keys/ta.key 0
cipher AES-256-CBC
server 10.8.0.0 255.255.255.0       # network used by OpenVPN
push "route 10.8.0.0 255.255.0.0"   # push an OpenVPN route to clients
#push "route 0.0.0.0 0.0.0.0"
ifconfig-pool-persist ipp.txt       # address pool used by connected clients
push "dhcp-option DNS 61.134.1.4"   # DNS used by connected clients
push "dhcp-option DNS 223.5.5.5"
keepalive 10 120          # keep the VPN session alive
comp-lzo                  # enable LZO compression
user nobody
group nobody
auth-user-pass-verify /opt/openvpn/checkpsw.sh via-env
script-security 3
client-cert-not-required  # do not request a client certificate; authenticate with user/password only. Comment this line out to require both a certificate and a password
username-as-common-name
persist-key
persist-tun
verb 3
link-mtu 1500             # set the link MTU
status logs/openvpn-status.log
log logs/openvpn.log
log-append logs/openvpn.log

mkdir logs    # create the log directory
mkdir keys    # create the key directory

The script-security level 3 above is what allows the password to reach the script through the environment:

[root@vpn ~]# openvpn --help | grep -A 5 script-security
--script-security level mode : mode='execve' (default) or 'system', level=
                  0 -- strictly no calling of external programs
                  1 -- (default) only call built-ins such as ifconfig
                  2 -- allow calling of built-ins and scripts
                  3 -- allow password to be passed to scripts via env
--shaper n      : Restrict output to peer to n bytes per second.

Install easy-rsa, which is used to generate the certificates and keys

cd /usr/local/src/
wget <download URL for easy-rsa-2.2.0_master.tar.gz; missing from the page>
tar -zxvf easy-rsa-2.2.0_master.tar.gz
cp -a easy-rsa-2.2.0_master/easy-rsa /opt/openvpn/
cd /opt/openvpn/easy-rsa/2.0/
mv vars vars.bak
vi vars    # edit the configuration file

export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048    # change to 2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"    # adjust the following values to your own situation
export KEY_PROVINCE="ShaanXi"
export KEY_CITY="XA"
export KEY_ORG="yjz"
export KEY_EMAIL="xx@yjz.cn"
export KEY_CN=yjz
export KEY_NAME=yjz
export KEY_OU=yjz

ln -s openssl-1.0.0.cnf openssl.cnf
source vars    # load the global variables
## generate the certificates; press Enter through all prompts of the following commands
./clean-all                  # remove all existing certificates (under the keys directory)
./build-ca                   # generate the server CA certificate
./build-key-server server    # generate the server certificate
./build-dh                   # generate the DH parameters file (dh2048.pem)
openvpn --genkey --secret ta.key    # TLS auth key; reduces the DDoS risk
./build-key client           # generate a client certificate (best named after the user)

Enable access from outside

vim /etc/sysctl.conf    # change net.ipv4.ip_forward = 0 to 1
sysctl -p

Configure the nat table so that the VPN subnet is forwarded into the server's internal network (important):

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE    # the interface (eth0) is the internal interface; leave the other options unchanged
iptables -A INPUT -p TCP --dport 1195 -j ACCEPT    # open port 1195 in the firewall
service iptables save       # the POSTROUTING rule only takes effect after being saved and the service restarted
service iptables restart
chkconfig iptables on

Start the service

# copy the certificates to /opt/openvpn/keys
cd /opt/openvpn/easy-rsa/2.0/keys/
cp -a ca.crt server.crt dh2048.pem server.key /opt/openvpn/keys
cd .. && cp ta.key /opt/openvpn/keys
/etc/init.d/openvpn start
chkconfig openvpn on

Access control with a script plus a password file

Download the script and adjust the highlighted parts (the file paths) to your configuration.

#!/bin/sh
##########################################################
# checkpsw.sh (C) 2004 Mathias Sundman
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# With "auth-user-pass-verify ... via-env", OpenVPN supplies the
# client's credentials in the environment variables $username
# and $password.

PASSFILE="/opt/openvpn/psw-file"
LOG_FILE="/opt/openvpn/logs/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

# first line whose first field is the username, skipping ';' and '#' comment lines
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

touch /opt/openvpn/logs/openvpn-password.log
chown nobody:nobody /opt/openvpn/logs/openvpn-password.log

Passwords are stored in psw-file, one entry per line, in the form "username[space or tab]password":

touch /opt/openvpn/psw-file
chown nobody:nobody /opt/openvpn/psw-file
cat /opt/openvpn/psw-file
test test
ipad ipad
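As an added example (not the page's checkpsw.sh), a drop-in alternative for the same auth-user-pass-verify hook in via-env mode: it keeps the "username[space or tab]secret" layout of psw-file, but the secret column holds a PBKDF2-SHA256 hash produced by hash_password() instead of the clear-text password, and failed attempts are logged without the submitted password. The pbkdf2_sha256$iterations$salt$hash entry format is an assumption of this example.

```python
#!/usr/bin/env python3
# Added example (not the page's checkpsw.sh): hashed-password verifier with the same via-env contract.
import hashlib, hmac, os, secrets, sys

PASSFILE = "/opt/openvpn/psw-file"                   # paths from the page
LOG_FILE = "/opt/openvpn/logs/openvpn-password.log"

def hash_password(password, iterations=200000):
    # Secret field for a new psw-file entry (assumed format): pbkdf2_sha256$iters$salt_hex$hash_hex
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def load_entries(lines):
    # Same file layout as the page: 'username<space/tab>secret'; ';' or '#' lines are comments
    entries = {}
    for line in lines:
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries.setdefault(parts[0], parts[1])   # first match wins, like the awk 'exit'
    return entries

def verify(entries, username, password):
    # True only if the user exists and PBKDF2(password) matches, compared in constant time
    stored = entries.get(username)
    if stored is None:
        return False
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(hash_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    except ValueError:                               # malformed entry counts as a failure
        return False
    return hmac.compare_digest(dk, expected)

def main():
    # via-env: OpenVPN passes the client's credentials in the environment variables below
    user = os.environ.get("username", "")
    with open(PASSFILE) as f:
        ok = verify(load_entries(f), user, os.environ.get("password", ""))
    with open(LOG_FILE, "a") as log:                 # log the outcome and username, never the password
        log.write("%s user=%r\n" % ("OK" if ok else "FAIL", user))
    sys.exit(0 if ok else 1)

if __name__ == "__main__":
    main()
```

Point auth-user-pass-verify at this file instead of checkpsw.sh (keeping script-security 3 and via-env) and write the value returned by hash_password() into the second column of psw-file.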

Windows client configuration

Download openvpn-install-2.4.4-I601.exe, run the installer and click Next through to the end; the default directory is fine. It normally installs to C:/Program Files/OpenVPN/.

Create the client.ovpn file:

client
dev tun
proto tcp-client
remote x.x.x.x 1195    # the VPN server's IP; here the public IP that the router maps to the internal host
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass
auth-nocache
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC    # must match the server
comp-lzo
status openvpn-status.log

Place the client.ovpn file in the C:/Program Files/OpenVPN/config directory.

Download ca.crt and ta.key from the VPN server and place them in the C:/Program Files/OpenVPN/config directory.

Click the OpenVPN icon on the desktop and enter the corresponding username and password.
