OpenVPN server verified by account and password

Source: Internet
Author: User
Tags: freeradius

Environment
Server: CentOS 6.7 32-bit
Client: Windows XP

Server Configuration
# Disable SELinux (permanently in the config file, and immediately for the running system)
sed -i '/^SELINUX\b/s/=.*/=disabled/' /etc/selinux/config
setenforce 0

# Install mysql-server
yum -y install mysql-server

# Start the mysqld service
service mysqld start

# Set the mysql administrator password (redhat is used throughout this guide)
mysqladmin -uroot password redhat

# Create the radius database
mysqladmin -uroot -predhat create radius

# Install freeradius with the mysql backend and the test utilities
yum -y install freeradius-mysql freeradius-utils

# Edit /etc/raddb/radiusd.conf: uncomment line 700 so the sql configuration is included
# (line numbers refer to the stock CentOS 6 freeradius package; check with "sed -n 700p" before running)
sed -i '700s/#//' /etc/raddb/radiusd.conf

# Edit /etc/raddb/sites-enabled/default: enable the sql module where the stock file has it commented out
sed -i '170s/^/#/; 177s/#//; 406s/#//; 454s/#//' /etc/raddb/sites-enabled/default

# Import the schema into the radius database
for file in /etc/raddb/sql/mysql/*.sql; do mysql -uroot -predhat radius < "$file"; done

# Create a RADIUS user whose username and password are both "test"
# (Cleartext-Password with the := operator is the form the radcheck table expects)
mysql -uroot -predhat radius -e "insert into radcheck (username, attribute, op, value) values ('test', 'Cleartext-Password', ':=', 'test')"

# Start the radiusd service and enable it at boot
service radiusd start
chkconfig radiusd on

# Test: radtest <user> <password> <server> <nas-port> <shared-secret>; "Access-Accept" in the reply means the configuration works
# (testing123 is the default shared secret for the localhost client in /etc/raddb/clients.conf)
radtest test test 127.0.0.1 0 testing123

# Install the EPEL repository (the default yum repositories do not carry the openvpn and easy-rsa packages)
rpm -ivh http://mirrors.ustc.edu.cn/fedora/epel/5/i386/epel-release-5-4.noarch.rpm

# Install the openvpn and easy-rsa packages
yum -y install openvpn easy-rsa

# Switch to the /usr/share/easy-rsa/2.0/ directory
cd /usr/share/easy-rsa/2.0/
# Load the environment variables used by the easy-rsa scripts
source vars
# Remove all existing certificate-related files
./clean-all
# Generate the CA key and certificate (press Enter at every prompt)
./build-ca
# Generate the server key and certificate, named "server" (press Enter at every prompt; answer y to both y/n questions)
./build-key-server server
# Generate the dh2048.pem file (this is slow; do not interrupt it)
./build-dh
# Generate the ta.key file (tls-auth HMAC key, anti-DDoS)
openvpn --genkey --secret keys/ta.key
# Create a keys directory under the openvpn configuration directory
mkdir /etc/openvpn/keys
# Copy the files the openvpn server configuration needs into the keys directory just created
cp /usr/share/easy-rsa/2.0/keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key} /etc/openvpn/keys/

# Enable IP forwarding (persistently in sysctl.conf, and immediately)
sed -i '/net.ipv4.ip_forward/s/0/1/' /etc/sysctl.conf
echo 1 > /proc/sys/net/ipv4/ip_forward

# Configure the firewall. Note that this flushes every existing rule and sets all default
# policies to ACCEPT, so only the NAT rule for the VPN subnet remains; tighten it for production use.
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
service iptables save

# Install the build environment required to compile radiusplugin
yum -y install make gcc-c++ libgcrypt libgpg-error libgcrypt-devel wget

# Download the radiusplugin source package
wget -P /tmp http://www.nongnu.org/radiusplugin/radiusplugin_v2.1.tar.gz

# Unpack it
tar xzf /tmp/radiusplugin_v2.1.tar.gz -C /usr/src/

# Switch to the /usr/src/radiusplugin/ directory
cd /usr/src/radiusplugin/

# Compile
make

# Copy radiusplugin.so and radiusplugin.cnf to /etc/openvpn/
cp radiusplugin.{so,cnf} /etc/openvpn/

# Edit /etc/openvpn/radiusplugin.cnf: set the shared secret to the one freeradius expects from this host (testing123)
sed -i '/\bsharedsecret=/s/=.*/=testing123/' /etc/openvpn/radiusplugin.cnf

# Create the /etc/openvpn/server.conf file with the following content:
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key   # This file should be kept secret
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"   # 192.168.1.0/24 is the intranet segment behind my VPN server; change it to match your network
keepalive 10 120
tls-auth keys/ta.key 0   # This file is secret
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
client-cert-not-required   # clients authenticate with a username and password through RADIUS, not with a client certificate

# Start openvpn and enable it at boot
service openvpn start
chkconfig openvpn on

Client Configuration
Create a client file named client.ovpn with the following content (replace the server's public IP address below with your own):

client
dev tun
proto udp
remote <server public IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
auth-user-pass
tls-auth [inline] 1
<ca>
paste the full content of /usr/share/easy-rsa/2.0/keys/ca.crt here
</ca>
<tls-auth>
paste the full content of /usr/share/easy-rsa/2.0/keys/ta.key here
</tls-auth>

Download client.ovpn from the server and copy it into the config directory under the OpenVPN installation directory on the client. Then start the OpenVPN program and connect to the server, using test as both the username and the password. If the client is assigned an IP address and can ping other machines on the intranet, the configuration is successful.
Finally, the text of my own client.ovpn is provided for reference.

client
dev tun
proto udp
remote 192.168.1.88 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
auth-user-pass
tls-auth [inline] 1
<ca>
</ca>
<tls-auth>
</tls-auth>
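
As an added example (not part of the original guide or of radiusplugin), the following Python builds the same RADIUS Access-Request that radtest and radiusplugin send to freeradius, hiding the User-Password the way RFC 2865 PAP prescribes: each 16-byte block is XORed with MD5(shared secret + previous block), seeded with the random Request Authenticator. It uses only the standard library and assumes the guide's credentials (test/test) and shared secret (testing123); no server is contacted.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5   # RFC 2865 attribute types

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with
    # MD5(secret + previous block), seeded with the Request Authenticator
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def pap_decrypt(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Inverse of pap_encrypt: what freeradius does before comparing the result
    # with the Cleartext-Password value stored in radcheck
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(ciphertext[i:i + 16], key))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username: bytes, password: bytes, secret: bytes,
                         identifier: int = 1, authenticator: bytes = b"") -> bytes:
    # Same attributes radtest sends: User-Name, hidden User-Password, NAS-Port 0
    authenticator = authenticator or os.urandom(16)   # fresh random nonce per request
    attrs = bytes([USER_NAME, 2 + len(username)]) + username
    hidden = pap_encrypt(password, secret, authenticator)
    attrs += bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden
    attrs += bytes([NAS_PORT, 6]) + struct.pack(">I", 0)
    header = struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    # Walk the type/length/value list that follows the 20-byte RADIUS header
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):   # malformed: stop, do not loop forever
            break
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs
```

Decoding with any other secret yields garbage, which shows that the secret shared between radiusplugin.cnf and clients.conf is the only thing protecting the VPN password on the wire between openvpn and freeradius; keep the two hosts on a trusted network and replace testing123 with a long random value in production.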
