|
安装可查看的openvpn
引言:
本文利用OpenVPN搭建VPN服务,并利用pam_sqlite3插件实现用户认证;通过openvpn_web进行用户管理与日志系统。
一、安装OpenVPN服务
基础环境:
服务端: CentOS 7.6
客户端:Windows 7
开发环境: python3
数据库: sqlite3
OpenVPN: openvpn-2.4.7 (https://github.com/OpenVPN/openvpn)
easy-rsa:easy-rsa 3.0.6 (https://github.com/OpenVPN/easy-rsa)
OpenVPN GUI: openvpn gui (https://gitee.com/lang13002/openvpn-portable)
1.1 安装openvpn
安装依赖包
- yum install lz4-devel lzo-devel pam-devel openssl-devel systemd-devel sqlite-devel
- yum -y install gcc gcc-c++ autoconf automake libtool gettext lzo lzo-devel pam-devel
- yum -y groupinstall "Development Tools"
从github上下载openvpn源代码包并解压
wget
tar -xvf v2.4.7.tar.gz
编译openvpn并安装
cd openvpn-2.4.7
./configure --prefix=/usr/local/openvpn --enable-lzo --enable-lz4 --enable-crypto --enable-server --enable-plugins --enable-port-share --enable-iproute2 --enable-pf --enable-plugin-auth-pam --enable-pam-dlopen --enable-systemd
make && make install
参照sample/sample-config-files/server.conf文件生成配置文件
vim /etc/openvpn/server/server.conf
- port 1194
- proto tcp-server
- ;proto udp
- dev tun
- topology subnet
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
tls-auth /etc/openvpn/server/ta.key 0
user nobody
group nobody
server 10.8.0.0 255.255.255.0
;ifconfig-pool-persist ipp.txt
;push "redirect-gateway def1 bypass-dhcp"push "dhcp-option DNS 114.114.114.114"push "route 192.168.133.0 255.255.255.0"push "route-gateway 10.200.227.114";client-to-client
keepalive 10 120
comp-lzo
compress "lz4"persist-key
persist-tun
cipher AES-256-CBC
status /var/log/openvpn-status.loglog /var/log/openvpn.log
verb 3
配置系统服务
cp distro/systemd/openvpn-server@.service /usr/lib/systemd/system/
systemctl enable openvpn
1.2 生成证书
下载easy-rsa3并解压
wget
tar -xvf v3.0.6.tar.gz
根据easy-rsa-3.0.6/easyrsa3/vars.example文件生成全局配置文件vars
cd easy-rsa-3.0.6/easyrsa3/
cp vars.samples vars
修改vars文件,根据需要去掉注释,并修改对应值
- set_var EASYRSA_REQ_COUNTRY "CN"
- set_var EASYRSA_REQ_PROVINCE "HUBEI"
- set_var EASYRSA_REQ_CITY "WUHAN"
- set_var EASYRSA_REQ_ORG "ZJ"
- set_var EASYRSA_REQ_EMAIL "zj@test.com"
- set_var EASYRSA_REQ_OU "ZJ"
- set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
生成服务端证书
./easyrsa init-pki # 初始化,生成一系列文件与目录
./easyrsa build-ca # 生成根证书,记住ca密码
./easyrsa build-server-full server nopass
生成服务端证书,nopass参数生成一个无密码的证书
./easyrsa gen-dh
生成Diffie-Hellman
生成客户端证书
./easy-rsa build-client-full client1 nopass
注:可生成client1, client2, client3或对应姓名的客户端证书
整理服务端证书
- cp pki/ca.crt /etc/openvpn/server/
- cp pki/private/server.key /etc/openvpn/server/
- cp pki/issued/server.crt /etc/openvpn/server/
- cp pki/dh.pem /etc/openvpn/server/
1.3 开启路由转发功能与防火墙
路由转发
vim /etc/sysctl.confnet.ipv4.ip_forward = 1
临时启用
echo 1 > /proc/sys/net/ipv4/ip_forward
防火墙增加通行端口与服务,并作NAT。
firewall-cmd --zone=public --add-service=openvpn
firewall-cmd --zone=public --add-masquerade --permanent
二、添加SQLite认证
下载pam_sqlite3并安装
yum -y install openssl*
yum install sqlite-devel sqlite
cd /opt
git clone https://gitee.com/lang13002/pam_sqlite3.git
cd pam_sqlite3
make && make install
添加pam认证文件
vim /etc/pam.d/openvpn
auth required pam_sqlite3.so db=/etc/openvpn/openvpn.db table=t_user user=username passwd=password active=1 expire=expire crypt=1
account required pam_sqlite3.so db=/etc/openvpn/openvpn.db table=t_user user=username passwd=password active=1 expire=expire crypt=1
创建sqlite3数据库文件,这个与web程序中的有冲突,可以不作。
- sqlite3 /etc/openvpn/openvpn.db
- sqlite> create table t_user (
- username text not null,
- password text not null,
- active int,
- expire text);
- sqlite> .quit
在服务端配置添加认证插件
- verify-client-cert none
- username-as-common-name
- plugin /usr/local/openvpn/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
三、客户端配置
3.1 下载客户端程序:
从https://gitee.com/lang13002/open ... sitory/archive/v1.0下载程序,并安装网卡驱动;
3.2 安装驱动:
运行openvpn-portable/tap-windows.exe
3.3 设置客户端证书
将上面生成的ca.crt, client1.crt, client1.key放到openvpn-portable的data/config下,并修改客户端配置
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
auth-user-pass
auth-nocache
注:当有多个客户端时,有多个文件(ca.crt, client1.crt, client1.key, client.ovpn)需要分发给客户,势必会很麻烦;可以将证书嵌入到客户端配置文件中;
;ca ca.crt
// 将这行注释掉;cert client.crt
// 将这行注释掉;key client.key
// 将这行注释掉 <ca>-----BEGIN CERTIFICATE-----
MIIDGDCCAgCgAwIBAgIJAI9Ld4PlKEiOMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV
....
OCeTQvQ4WhyIvVgURV3ITcAKYFKUQ1sPbpjuZg==
-----END CERTIFICATE---
</ca> <cert>-----BEGIN CERTIFICATE-----
MIIDODCCAiCgAwIBAgIRAIZoEQ5PvHDs9xpTLMP3RqMwDQYJKoZIhvcNAQELBQAw
......
nCpzC3l8sVezxk2r
-----END CERTIFICATE-----
</cert> <key>-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDw1iq3HBe1otCU
......
ullaNc6mu3N/wTPZoQhDOKAO
-----END PRIVATE KEY-----</key>
四. 连接VPN
启动openvpn服务
启动openvpn-porable
五、OpenVPN用户管理与日志
5.1 安装依赖
- yum install python3
- pip3 install peewee tornado
5.2 下载openvpn-web
cd /opt
git clone https://gitee.com/lang13002/openvpn_web.git
5.3 创建相应的数据库表
sqlite3 /etc/openvpn/openvpn.dbsqlite> .read /opt/openvpn_web/model/openvpn.sql
5.4 OpenVPN运行脚本写日志
服务端配置添加运行脚本
script-security 2
client-connect /etc/openvpn/server/connect.py
client-disconnect /etc/openvpn/server/disconnect.py
connect.py
#!/usr/bin/pythonimport osimport timeimport sqlite3
username = os.environ['common_name']
trusted_ip = os.environ['trusted_ip']
trusted_port = os.environ['trusted_port']
local = os.environ['ifconfig_local']
remote = os.environ['ifconfig_pool_remote_ip']
timeunix= os.environ['time_unix']
logintime = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(time.time()))
conn = sqlite3.connect("/etc/openvpn/openvpn.db")
cursor = conn.cursor()
query = "insert into t_logs(username, timeunix, trusted_ip, trusted_port, local, remote, logintime) values('%s','%s', '%s', '%s', '%s', '%s', '%s')" % (username, timeunix, trusted_ip, trusted_port, local, remote, logintime)
cursor.execute(query)
conn.commit()
conn.close()
5.5 启动服务
python3 myapp.py
5.6 管理界面
http://IP:8000 端口,自己可以根据情况修改端口与账号密码。
默认登陆账号: admin 密码 : 123456
|
|手机版|小黑屋|RuZhuo
( 鄂ICP备16015978号-8 )
