Install and configure OpenVPN in CentOS and log on with the certificate or account password.

Source: Internet
Author: User
Tags: auth chmod openssl vars centos vps iptables

OpenVPN is a VPN package distinct from PPTP and L2TP: it is an SSL/TLS-based VPN, and using it requires a client program. The system used here is CentOS 6.4.
I. Check the environment required by OpenVPN
OpenVPN needs a TUN device and the nat module of iptables.
1. Check the TUN module:

modinfo tun

The module information is shown as follows (the output is not reproduced on this page):

If an error is reported instead, the TUN device is not supported.
2. On an OpenVZ VPS, the administrator must enable the TUN/TAP device on the host node. Check it with:

cat /dev/net/tun

If the output is:

cat: /dev/net/tun: File descriptor in bad state

then TUN/TAP is available on the VPS.
If the output is:

cat: /dev/net/tun: No such device

then the TUN/TAP device is not correctly configured and you need to contact customer service to activate TUN/TAP.
3. Check whether iptables NAT is supported on the OpenVZ VPS:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE

If the output is:

iptables: Unknown error 4294967295

it indicates that NAT is supported.
II. Compile and install OpenVPN
1. Install the dependencies

yum install -y openssl-devel lzo-devel pam-devel automake pkgconfig

2. Install OpenVPN

wget -c http://swupdate.openvpn.org/community/releases/openvpn-2.3.0.tar.gz
tar zxvf openvpn-2.3.0.tar.gz
cd openvpn-2.3.0
./configure
make install
mkdir -p /etc/openvpn
cp -Rf sample /etc/openvpn/
cd ..

Download easy-rsa separately to create the CA certificate, the server certificate, and the client certificates.

# After unpacking openvpn-2.3.0.tar.gz you will find that the source tree does not contain easy-rsa, so download and install easy-rsa separately
wget -c https://github.com/OpenVPN/easy-rsa/archive/master.zip
unzip master
mv easy-rsa-master easy-rsa
cp -Rf easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa/easy-rsa/2.0

3. Generate keys and certificates

vim vars
# near the end of the file, find and edit these lines
export KEY_COUNTRY="CN"
export KEY_PROVINCE="JN"
export KEY_CITY="DZ"
export KEY_ORG="lvtao"
export KEY_EMAIL="admin@lvtao.net"
export KEY_OU="lvtao"
# :x saves and exits
ln -s openssl-1.0.0.cnf openssl.cnf
chmod +x vars
source ./vars
./clean-all
# Create the CA certificate
./build-ca
# Create the server certificate (build-key-server needs the certificate name; "server" matches the server.crt/server.key copied later)
./build-key-server server
# Create the client certificate
./build-key client1
./build-dh
# package the keys
tar zcvf keys.tar.gz keys/
# send the archive to the client terminal for backup
sz keys.tar.gz

# File description in keys

Filename      Needed                      Purpose                     Secret
ca.crt        server + all clients        Root CA certificate         NO
ca.key        key signing machine only    Root CA key                 YES
dh{n}.pem     server only                 Diffie-Hellman parameters   NO
server.crt    server only                 Server certificate          NO
server.key    server only                 Server key                  YES
client1.crt   client1 only                Client1 certificate         NO
client1.key   client1 only                Client1 key                 YES

cd /etc/openvpn/sample-config-files/
cp server.conf ../../
# configure server.conf; the individual parameters are not described here
vi ../../server.conf
# copy the keys
cd /etc/openvpn/easy-rsa/2.0/keys
cp -Rf ca.crt server.crt server.key dh2048.pem /etc/openvpn/
# Edit /etc/sysctl.conf: find net.ipv4.ip_forward = 0, change it to net.ipv4.ip_forward = 1, save, then apply it
sysctl -p
# set up NAT forwarding. Note: replace 192.168.122.180 with your server's own IP address
iptables -t nat -A POSTROUTING -s 10.8.8.0/24 -j SNAT --to-source 192.168.122.180
/etc/init.d/iptables save
/etc/init.d/iptables restart

PS: If iptables save reports the error

iptables: Saving firewall rules to /etc/sysconfig/iptables: /etc/init.d/iptables: line 268: restorecon: command not found

install the package that provides restorecon:

yum install policycoreutils

Start OpenVPN at boot by appending the command to rc.local (use ">>"; a single ">" would overwrite the file):

echo "/usr/local/sbin/openvpn --config /etc/openvpn/easy-rsa/2.0/conf/server.conf &" >> /etc/rc.local

Start OpenVPN

/usr/local/sbin/openvpn --config /etc/openvpn/easy-rsa/2.0/conf/server.conf > /dev/null 2>&1 &



Login configuration with password
Modify the main configuration file of the openvpn service and add the following lines. With client-cert-not-required present, logon is verified by user name and password only; without it, a client must present both its certificate and a user name and password!

tail -3 /etc/openvpn/server.conf
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
client-cert-not-required
username-as-common-name

The script that verifies the user's logon is shown below; modify it to suit your setup by changing the PASSFILE and LOG_FILE variables.

#!/bin/sh
##########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

# Lines starting with ';' or '#' are comments; print the password of the first row whose first field is the user name
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  # Note: as written, the script records the submitted password in the log on failure
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

Prepare the user name and password authentication file. Separate the user name and password with a space and make sure the user that OpenVPN runs as can read the file.

vi psw-file
lvtao 954270

Configure permissions

chmod 400 psw-file
chown nobody.nobody psw-file
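The checkpsw.sh script above keeps every password in plaintext and writes the submitted password to its log when a logon fails. The following is an added example, not code from the original page or from the checkpsw.sh author, showing a hardened replacement that works the same way from OpenVPN's point of view: it is invoked with auth-user-pass-verify and via-env, reads username and password from the environment, and exits 0 or 1. It assumes a psw-file row format of "username pbkdf2_sha256$iterations$salt_hex$hash_hex" (an assumption of this example), the script name checkpsw.py, and optional PASSFILE and LOG_FILE environment overrides. One caveat that applies to the page's script as well: OpenVPN only passes the password through the environment in via-env mode when script-security 3 is set in server.conf.

```python
#!/usr/bin/env python3
# Added example, not from the original page: a hardened drop-in for checkpsw.sh.
# OpenVPN calls it as "auth-user-pass-verify /etc/openvpn/checkpsw.py via-env"
# (script-security 3 is required for via-env). Differences from checkpsw.sh:
#   - the psw-file holds salted PBKDF2-HMAC-SHA256 hashes, not plaintext;
#   - the submitted password is never written to the log;
#   - comparison is constant-time and the KDF runs even for unknown users.
# Assumed row format (one row per user; ';' or '#' lines are comments):
#   username pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>
import hashlib
import hmac
import os
import secrets
import sys
import tempfile
import time
from typing import Optional

ITERATIONS = 100_000
DUMMY_SALT = b"\x00" * 16  # used to burn comparable time when the user is unknown


def _kdf(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_entry(username: str, password: str, salt: Optional[bytes] = None) -> str:
    """Build one psw-file row for the user (run once when adding an account)."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = _kdf(password, salt, ITERATIONS)
    return f"{username} pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def lookup(passfile: str, username: str) -> Optional[str]:
    """Return the stored hash string for username, or None if absent or unreadable."""
    try:
        with open(passfile, encoding="utf-8") as fh:
            for line in fh:
                if not line.strip() or line.startswith((";", "#")):
                    continue  # same comment convention as checkpsw.sh
                parts = line.split()
                if len(parts) == 2 and parts[0] == username:
                    return parts[1]
    except OSError:
        return None
    return None


def verify(passfile: str, username: str, password: str) -> bool:
    """True only if username exists and password matches its stored hash."""
    stored = lookup(passfile, username)
    if stored is None:
        _kdf(password, DUMMY_SALT, ITERATIONS)  # keep timing similar, then fail
        return False
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = _kdf(password, bytes.fromhex(salt_hex), int(iters))
        expected = bytes.fromhex(hash_hex)
    except ValueError:  # malformed row
        return False
    return hmac.compare_digest(digest, expected)


def write_demo_passfile() -> str:
    """Write a constructed psw-file (sample data only) and return its path."""
    rows = [
        "# constructed sample psw-file for the example",
        make_entry("lvtao", "954270"),
        "; disabled pbkdf2_sha256$1$00$00",
    ]
    fd, path = tempfile.mkstemp(prefix="psw-file-")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(rows) + "\n")
    os.chmod(path, 0o400)  # same permission the page sets with chmod 400
    return path


def main() -> int:
    """Entry point used by OpenVPN: credentials arrive in the environment."""
    passfile = os.environ.get("PASSFILE", "/etc/openvpn/psw-file")
    log_file = os.environ.get("LOG_FILE", "/var/log/openvpn-password.log")
    username = os.environ.get("username", "")
    ok = verify(passfile, username, os.environ.get("password", ""))
    stamp = time.strftime("%Y-%m-%d %H:%M:%S")
    with open(log_file, "a", encoding="utf-8") as log:  # the password is never logged
        log.write(f"{stamp}: {'Successful' if ok else 'Failed'} authentication: username={username!r}\n")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

To add an account, run make_entry("lvtao", "954270") once and append the returned row to the psw-file; the 400 permission and nobody ownership from the page still apply, since the hash file should be readable only by the user OpenVPN runs as.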

Modify the client configuration file
Comment out the certificate and key lines:

;cert lvtao.crt
;key lvtao.key

Add the directive that makes the client prompt for a user name and password:

auth-user-pass