CentOS 6.4: quickly build an OpenVPN server with username and password authentication
VPN applications are widely used today. I have previously written a blog post on PPTPD; the link is http://cyr5425blog.51cto.com/714067/4101788.
I recently switched to a new broadband connection at home and can no longer use the company's PPTPD VPN: the dial-up status stays at the "verifying user name and password" step. Baidu and Google did not solve this problem; it seems the broadband carrier has blocked the GRE protocol. For O&M personnel, not being able to connect to the company's internal network promptly is unpleasant.
Let's try another option, OpenVPN. It is said that OpenVPN is very powerful, adapts to complicated network environments, and is flexible to configure.
Server system environment:
1. CentOS 6.4 x86_64
2. Single NIC
Network architecture:
Environment description: OpenVPN is deployed on a single-NIC server on the company intranet. Its port is mapped to the Internet through the router. Once a client connects to the VPN server, it must be able to reach the other servers in the company.
There are two installation methods: compiling from source and installing with YUM. Because this article is about building quickly, YUM is used.
Server operation steps:
Add the EPEL repository:
yum install http://mirrors.zju.edu.cn/epel/6/i386/epel-release-6-8.noarch.rpm
Install OpenVPN:
yum install openvpn -y
Download the key-generation tool easy-rsa 2:
wget https://github.com/OpenVPN/easy-rsa/archive/release/2.x.zip
Unpack easy-rsa and move it to /etc/openvpn:
unzip 2.x.zip
mv easy-rsa-release-2.x /etc/openvpn/
Edit the vars file of easy-rsa and set the related variables:
cd /etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0
vim vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BEIJING"
export KEY_CITY="BEIJING"
export KEY_ORG="XIAOCUI"
export KEY_EMAIL="ADMIN@XIAOCUI.COM"
export KEY_OU="MyOpenVPN"
After editing, save and exit.
Load the vars file, initialize the keys directory and build the CA (clean-all empties the keys directory, so run it only on first setup):
source vars
./clean-all
./build-ca
Create the server certificate and key:
./build-key-server OpenVPN_Server
[root@cloud 2.0]# ./build-key-server OpenVPN_Server
Generating a 2048 bit RSA private key
................................+++
...+++
writing new private key to 'OpenVPN_Server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [XIAOCUI]:
Organizational Unit Name (eg, section) [MyOpenVPN]:
Common Name (eg, your name or your server's hostname) [OpenVPN_Server]:
Name [EasyRSA]:
Email Address [ADMIN@XIAOCUI.COM]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BEIJING'
localityName          :PRINTABLE:'BEIJING'
organizationName      :PRINTABLE:'XIAOCUI'
organizationalUnitName:PRINTABLE:'MyOpenVPN'
commonName            :T61STRING:'OpenVPN_Server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'ADMIN@XIAOCUI.COM'
Certificate is to be certified until May  2 07:49:13 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Create the client certificate and key:
./build-key client-user-test1
[root@cloud 2.0]# ./build-key client-user-test1
Generating a 2048 bit RSA private key
...+++
...............................................................................+++
writing new private key to 'client-user-cuiyuanrong.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [XIAOCUI]:
Organizational Unit Name (eg, section) [MyOpenVPN]:
Common Name (eg, your name or your server's hostname) [client-user-test1]:
Name [EasyRSA]:
Email Address [ADMIN@XIAOCUI.COM]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BEIJING'
localityName          :PRINTABLE:'BEIJING'
organizationName      :PRINTABLE:'XIAOCUI'
organizationalUnitName:PRINTABLE:'MyOpenVPN'
commonName            :PRINTABLE:'client-user-test1'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'ADMIN@XIAOCUI.COM'
Certificate is to be certified until May  2 07:53:17 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Create the Diffie-Hellman parameters:
./build-dh
Create the OpenVPN server configuration file:
cd /etc/openvpn/
vim server.conf
local 0.0.0.0
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/keys/OpenVPN_Server.crt
key /etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/keys/OpenVPN_Server.key
dh /etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 10.0.0.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
script-security 3 system
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
client-cert-not-required
username-as-common-name
Create the checkpsw.sh script (with via-env, OpenVPN hands the submitted credentials to the script in the environment variables username and password; exit status 0 accepts the login, anything else rejects it):
cd /etc/openvpn
vim checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed
# by one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

# The password file must be readable by the user OpenVPN runs the script as.
if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

# Look up the password for ${username}: skip comment lines (';' or '#'),
# match the first column exactly and print the second column.
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  # Note: the original script writes the submitted password into the log.
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
chmod +x checkpsw.sh
Create the psw-file (one "username password" pair per line):
cd /etc/openvpn
echo "test1 test1" > psw-file
chmod 400 psw-file
Add the service to the boot sequence:
chkconfig openvpn on
Start the OpenVPN server:
/etc/init.d/openvpn start
Package the certificates and keys required by the client into an archive (named client-user-test1.tar.gz here; the original command line omitted the archive name):
cd /etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/keys/
tar zcvf client-user-test1.tar.gz ca.crt client-user-test1.*
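The checkpsw.sh script above keeps passwords in clear text and writes the submitted password into its log on every failed attempt, so anyone who can read /var/log/openvpn/openvpn-password.log or /etc/openvpn/psw-file learns the credentials. The following drop-in replacement is an added example (not the page's script and not part of OpenVPN or easy-rsa): it is invoked the same way (auth-user-pass-verify /etc/openvpn/checkpsw.py via-env, so username and password arrive in the environment), stores only a per-user salt and a PBKDF2-HMAC-SHA256 digest, compares in constant time, and logs the outcome without the password. It assumes Python 3 (CentOS 6 ships Python 2.6, so a separate Python 3 install is assumed), the same file paths as the page, and that /var/log/openvpn exists (the page's ipp.txt and password log are written there too, so create it with mkdir -p /var/log/openvpn).

```python
#!/usr/bin/env python3
"""Hardened replacement for checkpsw.sh (added example, not the page's script).

Invoked by OpenVPN as:  auth-user-pass-verify /etc/openvpn/checkpsw.py via-env
With "via-env" OpenVPN passes the credentials in the environment variables
"username" and "password"; exit status 0 accepts the login, 1 rejects it.

Password file format (one user per line; this layout is an assumption of this example):
    username:iterations:salt_hex:pbkdf2_sha256_hex
Lines starting with '#' or ';' are comments, as in the original script.
Usernames must not contain ':'.
"""
import hashlib
import hmac
import os
import sys
import time

PASSFILE = "/etc/openvpn/psw-file"                   # same path as the page's psw-file
LOG_FILE = "/var/log/openvpn/openvpn-password.log"   # same log as the page's script
DEFAULT_ITERATIONS = 100000


def hash_password(password, salt, iterations):
    """PBKDF2-HMAC-SHA256 of the password; returns lowercase hex."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def make_entry(username, password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Build one psw-file line. A fresh random 16-byte salt is used unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    return "%s:%d:%s:%s" % (username, iterations, salt.hex(),
                            hash_password(password, salt, iterations))


def parse_passfile(text):
    """Parse psw-file text into {username: (iterations, salt_bytes, digest_hex)}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(":")
        if len(parts) != 4:
            continue                     # malformed line: ignore rather than trust it
        user, iters, salt_hex, digest = parts
        entries[user] = (int(iters), bytes.fromhex(salt_hex), digest)
    return entries


def verify(username, password, entries):
    """True only if the user exists and PBKDF2(password) matches, compared in constant time."""
    record = entries.get(username)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        hash_password(password, b"\x00" * 16, DEFAULT_ITERATIONS)
        return False
    iterations, salt, expected = record
    return hmac.compare_digest(hash_password(password, salt, iterations), expected)


def log(message):
    """Append a timestamped line to the password log; the password itself is never logged."""
    with open(LOG_FILE, "a") as fh:
        fh.write("%s: %s\n" % (time.strftime("%Y-%m-%d %H:%M:%S"), message))


def main():
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    try:
        with open(PASSFILE) as fh:
            entries = parse_passfile(fh.read())
    except IOError:
        log("could not open password file %r for reading" % PASSFILE)
        return 1
    if verify(username, password, entries):
        log("successful authentication: username=%r" % username)
        return 0
    log("authentication failed: username=%r" % username)
    return 1


if __name__ == "__main__":
    # Generate a psw-file line:  checkpsw.py --add test1 test1   (writes to stdout)
    if len(sys.argv) == 4 and sys.argv[1] == "--add":
        print(make_entry(sys.argv[2], sys.argv[3]))
        sys.exit(0)
    sys.exit(main())
```

To migrate the page's test1 user, run checkpsw.py --add test1 test1 and append the printed line to /etc/openvpn/psw-file; the plain-text "test1 test1" line is then no longer needed. Keep the file at mode 400 as the page does, since the salted digests still deserve protection from offline guessing.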
Firewall policy:
cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue May  5 11:25:43 2015
*nat
:PREROUTING ACCEPT [74:10890]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue May  5 11:25:43 2015
# Generated by iptables-save v1.4.7 on Tue May  5 11:25:43 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24:3392]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.8.0.0/24 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -d 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Tue May  5 11:25:43 2015
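Two things are worth verifying about this ruleset before trusting it. First, the MASQUERADE rule only rewrites packets the kernel is already forwarding; clients will not reach the intranet unless net.ipv4.ip_forward is 1 (the page does not mention setting it, so check /proc/sys/net/ipv4/ip_forward). Second, the ruleset opens both tcp/1194 and udp/1194 although server.conf uses proto tcp only, so the UDP rule is surplus exposure. The following checker is an added example (not from the page or from OpenVPN); it parses an iptables-save dump, here the page's own ruleset reproduced inline, and reports the VPN-relevant rules, the surplus listener, and whether INPUT ends in a default DROP.

```python
"""Check an iptables-save dump for the rules an OpenVPN server needs.
Added example; SAMPLE_RULES is the page's ruleset reproduced inline (counters zeroed)."""

SAMPLE_RULES = """\
# Generated by iptables-save v1.4.7 on Tue May  5 11:25:43 2015
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.8.0.0/24 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -d 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A INPUT -j DROP
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: [rule, ...]}; each rule is the text after '-A ', so it starts with the chain."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith(":"):
            continue                       # comments and chain/policy declarations
        if line.startswith("*"):
            current = line[1:]
            tables[current] = []
        elif line == "COMMIT":
            current = None
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line[3:])
    return tables


def _has(rules, *needles):
    """True if some rule contains every needle substring."""
    return any(all(n in rule for n in needles) for rule in rules)


def check_openvpn_rules(text, vpn_net="10.8.0.0/24", port=1194, proto="tcp"):
    """Report which VPN-related rules are present and whether the other transport is open too."""
    tables = parse_iptables_save(text)
    nat, flt = tables.get("nat", []), tables.get("filter", [])
    inputs = [r for r in flt if r.startswith("INPUT ")]
    dport = "--dport %d" % port
    other = "udp" if proto == "tcp" else "tcp"
    return {
        "masquerade": _has(nat, "POSTROUTING", "-s " + vpn_net, "-j MASQUERADE"),
        "listener_open": _has(inputs, "-p " + proto, dport, "-j ACCEPT"),
        "surplus_listener": _has(inputs, "-p " + other, dport, "-j ACCEPT"),
        "tun_forward": _has(flt, "FORWARD", "-i tun+", "-j ACCEPT"),
        "input_default_drop": bool(inputs) and inputs[-1] == "INPUT -j DROP",
    }


def ip_forward_enabled(path="/proc/sys/net/ipv4/ip_forward"):
    """True if the kernel forwards IPv4 (required for the MASQUERADE rule to matter);
    None if the file cannot be read (e.g. not on Linux)."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except IOError:
        return None


if __name__ == "__main__":
    for name, ok in sorted(check_openvpn_rules(SAMPLE_RULES).items()):
        print("%-20s %s" % (name, ok))
    print("%-20s %s" % ("ip_forward", ip_forward_enabled()))
```

On the page's ruleset the report shows surplus_listener True; dropping the udp/1194 rule (or switching server.conf to proto udp and dropping the tcp rule) removes the unused listener. To run it against the live box, feed it the output of iptables-save instead of SAMPLE_RULES.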
Taking Windows as an example:
Client operation steps:
Download the Windows client:
http://openvpn.ustc.edu.cn/openvpn-install-2.3.6-I603-x86_64.exe
After the client software is installed, extract the certificate archive packaged on the server into the config directory under the client installation directory.
Create the client configuration file client.ovpn:
client
dev tun
proto tcp
remote 115.183.9.106 1194
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
;cert client-user-test1.crt
;key client-user-test1.key
comp-lzo
verb 3
auth-user-pass
reneg-sec 360000
Because the server is configured with client-cert-not-required, the client needs neither cert nor key, so both stay commented out; OpenVPN refuses a client configuration that sets only one of the two ("If you use one of --cert or --key, you must use them both"). The user and group lines have no effect on Windows.
Test the connection:
The username-and-password authentication method is now deployed. If you need certificate-only verification, or certificates combined with passwords, refer to other online tutorials; in practice only small adjustments to the two configuration files on the client and server are needed.
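The last paragraph says that switching between the authentication modes is a matter of adjusting the two configuration files in step. The following cross-checker is an added example (not from the page or from OpenVPN): it parses a server.conf and a client .ovpn, reduced here to the page's relevant directives and embedded inline as constructed input, and reports the mismatches that typically break a password-only setup: transport parameters that differ, a client remote port that does not match the server port, a server that verifies passwords while the client never sends them, a client that sets only one of cert/key (the page's configuration as originally posted, which OpenVPN rejects), and a server that demands a client certificate the client does not carry.

```python
"""Cross-check an OpenVPN server.conf against a client .ovpn (added example, not from the page).
The two configs below are the page's, trimmed to the directives the check looks at."""

SERVER_CONF = """\
port 1194
proto tcp
dev tun
comp-lzo
script-security 3 system
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
client-cert-not-required
username-as-common-name
"""

# The client config as originally posted: key is active but cert is commented out.
CLIENT_OVPN_AS_POSTED = """\
client
dev tun
proto tcp
remote 115.183.9.106 1194
ca ca.crt
;cert client-user-test1.crt
key client-user-test1.key
comp-lzo
auth-user-pass
"""


def parse_conf(text):
    """Return {directive: [args, ...]} for active lines; lines starting with '#' or ';' are comments."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        options[parts[0]] = parts[1:]
    return options


def check_pair(server_text, client_text):
    """Return a list of problem descriptions; an empty list means the pair is consistent."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []

    # Transport parameters must agree exactly, including presence/absence of comp-lzo.
    for key in ("proto", "dev", "comp-lzo"):
        if (key in s) != (key in c) or s.get(key) != c.get(key):
            problems.append("%s differs between server and client" % key)

    # A client "remote host [port]" without a port defaults to 1194, as does the server.
    server_port = s.get("port", ["1194"])[0]
    remote = c.get("remote", [])
    client_port = remote[1] if len(remote) > 1 else "1194"
    if client_port != server_port:
        problems.append("client remote port %s does not match server port %s" % (client_port, server_port))

    # Authentication mode must line up on both sides.
    if "auth-user-pass-verify" in s and "auth-user-pass" not in c:
        problems.append("server verifies username/password but client has no auth-user-pass")
    if ("cert" in c) != ("key" in c):
        problems.append("client sets only one of cert/key; OpenVPN requires both or neither")
    if "client-cert-not-required" not in s and "cert" not in c:
        problems.append("server requires a client certificate but client has none")
    return problems


if __name__ == "__main__":
    for problem in check_pair(SERVER_CONF, CLIENT_OVPN_AS_POSTED) or ["no problems found"]:
        print(problem)
```

Commenting out the key line (so that cert and key are both absent) makes the posted pair pass; to move to certificate-plus-password mode you would uncomment both client lines and remove client-cert-not-required on the server, and the checker stays silent as long as the two sides are changed together.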