Centos6.4 quickly build an openvpn server based on user name and password authentication

Centos6.4 quickly build an openvpn server based on user name and password authentication

Today, VPN applications are widely used. I have previously written a blog on PPTPD. The link is http://cyr5425blog.51cto.com/714067/4101788.

The home has recently changed a new broadband. You cannot use the company's PptpdVPN. the dialing status remains at the step of verifying the user name and password. Baidu and Google did not solve this problem. This seems to be the reason why broadband carriers have blocked the GRE protocol. As O & M personnel, it is unpleasant to connect to the company's internal network in a timely manner.

Let's try another OpenVPN. It is said that OpenVPN is very powerful and can adapt to complicated network environments, and its configuration is flexible.

Server System Environment:

1. Centos6.4 x86_64

2. Single Nic

Network Architecture:

Environment Description: OpenVPN is deployed on a single Nic server in the company's intranet. The port is mapped to the Internet through the router. When the client connects to the VPN Server, it must be connected to other servers in the company.

There are two installation methods: Compile and install and use YUM for installation. Because this article describes how to quickly build, YUM is used for installation.

Server operation steps:

Add an EPEL Repository:

Yum install http://mirrors.zju.edu.cn/epel/6/i386/epel-release-6-8.noarch.rpm

Install OpenVPN:

Yum install openvpn-y

Download the key preparation tool easy_rsa 2:

Wget https://github.com/OpenVPN/easy-rsa/archive/release/2.x.zip

Decompress easy_rsa and copy it to/etc/openvpn:

Unzip 2.x.zip

Music easy-rsa-release-2.x // etc/openvpn/

Edit the vars file of easy-rsa and SET related variable information:

Cd/etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0

Vim vars

Export KEY_COUNTRY = "CN"

Export KEY_PROVINCE = "BEIJING"

Export KEY_CITY = "BEIJING"

Export KEY_ORG = "XIAOCUI"

Export KEY_EMAIL = "ADMIN@XIAOCUI.COM"

Export KEY_OU = "MyOpenVPN"

After editing, save and exit.

Run the following command to edit the vars file:

Source vars

./Clean-all

./Build-ca

Create the server certificate and key:

./Build-key-server OpenVPN_Server

[Root @ cloud 2.0] #./build-key-server OpenVPN_Server

Generating a 2048 bit RSA private key

................................ ++

... + +

Writing new private key to 'openvpn _ Server. key'

-----

You are about to be asked to enter information that will be ininitialized

Into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BEIJING]:

Locality Name (eg, city) [BEIJING]:

Organization Name (eg, company) [XIAOCUI]:

Organizational Unit Name (eg, section) [MyOpenVPN]:

Common Name (eg, your name or your server's hostname) [OpenVPN_Server]:

Name [EasyRSA]:

Email Address [ADMIN @ XIAOCUI. COM]:

Please enter the following 'extra 'attributes

To be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from/etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/openssl-1.0.0.cnf

Check that the request matches the signature

Signature OK

The Subject's Distinguished Name is as follows

CountryName: PRINTABLE: 'cn'

StateOrProvinceName: PRINTABLE: 'beijing'

LocalityName: PRINTABLE: 'beijing'

OrganizationName: PRINTABLE: 'xiaocui'

OrganizationalUnitName: PRINTABLE: 'myopenvps'

CommonName: T61STRING: 'openvpn _ Server'

Name: PRINTABLE: 'easyrsa'

EmailAddress: IA5STRING: 'admin @ XIAOCUI. COM'

Certificate is to be certified until May 2 07:49:13 2025 GMT (3650 days)

Sign the certificate? [Y/n]: y

1 out of 1 certificate requests certified, commit? [Y/n] y

Write out database with 1 new entries

Data Base Updated

Create the client certificate and key:

./Build-key client-user-test1

[Root @ cloud 2.0] #./build-key client-user-test1

Generating a 2048 bit RSA private key

... + +

........................................ ....................................... ++

Writing new private key to 'client-user-cuiyuanrong.key'

-----

You are about to be asked to enter information that will be ininitialized

Into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BEIJING]:

Locality Name (eg, city) [BEIJING]:

Organization Name (eg, company) [XIAOCUI]:

Organizational Unit Name (eg, section) [MyOpenVPN]:

Common Name (eg, your name or your server's hostname) [client-user-test1]:

Name [EasyRSA]:

Email Address [ADMIN@XIAOCUI.COM]:

Please enter the following 'extra 'attributes

To be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from/etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/openssl-1.0.0.cnf

Check that the request matches the signature

Signature OK

The Subject's Distinguished Name is as follows

CountryName: PRINTABLE: 'cn'

StateOrProvinceName: PRINTABLE: 'beijing'

LocalityName: PRINTABLE: 'beijing'

OrganizationName: PRINTABLE: 'xiaocui'

OrganizationalUnitName: PRINTABLE: 'myopenvps'

CommonName: PRINTABLE: 'client-user-test1'

Name: PRINTABLE: 'easyrsa'

EmailAddress: IA5STRING: 'admin @ XIAOCUI. COM'

Certificate is to be certified until May 2 07:53:17 2025 GMT (3650 days)

Sign the certificate? [Y/n]: y

1 out of 1 certificate requests certified, commit? [Y/n] y

Write out database with 1 new entries

Data Base Updated

Create the Diffie Hellman parameter:

./Build-dh

Create an OpenVPN server configuration file:

Cd/etc/openvpn/

Vim server. conf

Local 0.0.0.0

Port 1194

Proto tcp

Dev tun

Ca/etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/keys/ca. crt

Cert/etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/keys/OpenVPN_Server.crt

Key/etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/keys/OpenVPN_Server.key

Dh/etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/keys/dh2048.pem

Server 10.8.0.0 255.255.255.0

Ifconfig-pool-persist/var/log/openvpn/ipp.txt

Push "route 10.0.0.0 255.255.255.0"

Client-to-client

Keepalive 10 120

Comp-lzo

Persist-key

Persist-tun

Status openvpn-status.log

Log/var/log/openvpn. log

Log-append/var/log/openvpn. log

Verb 3

Script-security 3 system

Auth-user-pass-verify/etc/openvpn/checkpsw. sh via-env

Client-cert-not-required

Username-as-common-name

Create the checkpsw. sh script:

Cd/etc/openvpn

Vim checkpsw. sh

#! /Bin/sh

######################################## ###################

# Checkpsw. sh (C) 2004 Mathias Sundman <mathias@openvpn.se>

#

# This script will authenticate OpenVPN users against

# A plain text file. The passfile shoshould simply contain

# One row per user with the username first followed

# One or more space (s) or tab (s) and then the password.

PASSFILE = "/etc/openvpn/psw-file"

LOG_FILE = "/var/log/openvpn/openvpn-password.log"

TIME_STAMP = 'date "+ % Y-% m-% d % T "'

######################################## ###################

If [! -R "$ {PASSFILE}"]; then

Echo "$ {TIME_STAMP}: cocould not open password file \" $ {PASSFILE} \ "for reading." >$ {LOG_FILE}

Exit 1

Fi

CORRECT_PASSWORD = 'awk '! /^ ;/&&! /^ #/& $1 = "'$ {username}'" {print $2; exit} '$ {PASSFILE }'

If ["$ {CORRECT_PASSWORD}" = ""]; then

Echo "$ {TIME_STAMP}: User does not exist: username = \" $ {username} \ ", password = \" $ {password }\". ">>$ {LOG_FILE}

Exit 1

Fi

If ["$ {password}" = "$ {CORRECT_PASSWORD}"]; then

Echo "$ {TIME_STAMP}: Successful authentication: username = \" $ {username} \ "." >>$ {LOG_FILE}

Exit 0

Fi

Echo "$ {TIME_STAMP}: Incorrect password: username = \" $ {username} \ ", password = \" $ {password} \ "." >$ {LOG_FILE}

Exit 1

Chmod + x checkpsw. sh

Create a psw-file:

Cd/etc/openvpn

Echo "test1 test1"> psw-file

Chmod 400 psw-file

Add the boot item:

Chkconfig openvpn on

Start openvpn Server:

/Etc/init. d/openvpn start

Package the certificates and keys required by the client:

Cd/etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/keys/

Tar zcvf ca. crt client-user-test1 .*

Firewall Policy

Cat/etc/sysconfig/iptables

# Generated by iptables-save v1.4.7 on Tue May 5 11:25:43 2015

* Nat

: Prerouting accept [74: 10890]

: Postrouting accept [:156]

: Output accept [:156]

-A postrouting-s 10.8.0.0/24-o eth0-j MASQUERADE

COMMIT

# Completed on Tue May 5 11:25:43 2015

# Generated by iptables-save v1.4.7 on Tue May 5 11:25:43 2015

* Filter

: Input accept [0: 0]

: Forward accept [0: 0]

: Output accept [24: 3392]

-A input-I lo-j ACCEPT

-A input-p icmp-m icmp -- icmp-type any-j ACCEPT

-A input-m state -- state RELATED, ESTABLISHED-j ACCEPT

-A input-s 10.8.0.0/24-j ACCEPT

-A input-p tcp-m state -- state NEW-m tcp -- dport 22-j ACCEPT

-A input-p tcp-m state -- state NEW-m tcp -- dport 1194-j ACCEPT

-A input-p udp-m state -- state NEW-m udp -- dport 1194-j ACCEPT

-A input-I tun +-j ACCEPT

-A forward-d 10.8.0.0/24-j ACCEPT

-A forward-I tun +-j ACCEPT

-A input-j DROP

COMMIT

# Completed on Tue May 5 11:25:43 2015

Taking windows as an example:

Client operation steps:

Download windows client:

Http://openvpn.ustc.edu.cn/openvpn-install-2.3.6-I603-x86_64.exe

After the client software is installed, extract the certificate required by the client packaged from the server to the config directory under the Client installation directory.

Create a client configuration file:

Client. ovpn

Client

Dev tun

Proto tcp

Remote 115.183.9.106 1194

Nobind

User nobody

Group nobody

Persist-key

Persist-tun

Ca. crt

; Cert client-user-test1.crt

Key client-user-test1.key

Comp-lzo

Verb 3

Auth-user-pass

Reneg-sec 360000

Test connection:

The user name and password-based authentication method has been deployed. If you need separate certificate verification or a combination of certificates and passwords for verification, please refer to other online tutorials, in fact, you only need to slightly adjust the two configuration files on the client and server.