Installing OpenVPN on CentOS 7 with a web UI for account management, using password plus certificate authentication
Introduction:
This article builds a VPN service with OpenVPN, uses the pam_sqlite3 PAM module for user authentication, and manages users and connection logs through openvpn_web.
1. Installing the OpenVPN service
Base environment:
Server: CentOS 7.6
Client: Windows 7
Development environment: python3
Database: sqlite3
OpenVPN: openvpn-2.4.7 (https://github.com/OpenVPN/openvpn)
easy-rsa: easy-rsa 3.0.6 (https://github.com/OpenVPN/easy-rsa)
OpenVPN GUI: openvpn gui (https://gitee.com/lang13002/openvpn-portable)
1.1 Install OpenVPN
Install the dependency packages
# yum install lz4-devel lzo-devel pam-devel openssl-devel systemd-devel sqlite-devel
# yum -y install gcc gcc-c++ autoconf automake libtool gettext lzo lzo-devel pam-devel
# yum -y groupinstall "Development Tools"
Download the OpenVPN source package from GitHub and extract it
# wget
# tar -xvf v2.4.7.tar.gz
Build and install OpenVPN
# cd openvpn-2.4.7
# ./configure --prefix=/usr/local/openvpn --enable-lzo --enable-lz4 --enable-crypto --enable-server --enable-plugins --enable-port-share --enable-iproute2 --enable-pf --enable-plugin-auth-pam --enable-pam-dlopen --enable-systemd
# make && make install
Write the configuration file, using sample/sample-config-files/server.conf as a reference
# vim /etc/openvpn/server/server.conf
port 1194
proto tcp-server
;proto udp
dev tun
topology subnet
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
tls-auth /etc/openvpn/server/ta.key 0
user nobody
group nobody
server 10.8.0.0 255.255.255.0
;ifconfig-pool-persist ipp.txt
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 114.114.114.114"
push "route 192.168.133.0 255.255.255.0"
push "route-gateway 10.200.227.114"
;client-to-client
keepalive 10 120
comp-lzo
compress "lz4"
persist-key
persist-tun
cipher AES-256-CBC
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
Two caveats on this file. comp-lzo is the deprecated spelling of compress, so keep at most one of the two lines; better still, drop compression entirely, because compressing VPN traffic exposes it to the VORACLE attack. The tls-auth line refers to /etc/openvpn/server/ta.key, which the certificate steps below do not create; generate it with openvpn's --genkey --secret option and hand the same file to every client, or remove the line.
Configure the systemd service
# cp distro/systemd/openvpn-server@.service /usr/lib/systemd/system/
# systemctl enable openvpn-server@server
The unit file in the source tree is a template that ./configure fills in with the --prefix path of the openvpn binary. Its instance name is the configuration file name under /etc/openvpn/server/, so the unit for server.conf is openvpn-server@server; a plain openvpn unit does not exist after this copy.
1.2 Generate the certificates
Download easy-rsa 3 and extract it
# wget
# tar -xvf v3.0.6.tar.gz
Create the global configuration file vars from easy-rsa-3.0.6/easyrsa3/vars.example
# cd easy-rsa-3.0.6/easyrsa3/
# cp vars.example vars
Edit vars, uncommenting the lines you need and changing their values
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "HUBEI"
set_var EASYRSA_REQ_CITY "WUHAN"
set_var EASYRSA_REQ_ORG "ZJ"
set_var EASYRSA_REQ_EMAIL "zj@test.com"
set_var EASYRSA_REQ_OU "ZJ"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
Generate the server certificate
# ./easyrsa init-pki                         # initialise, creating the pki directory tree
# ./easyrsa build-ca                         # build the root CA; remember the CA passphrase
# ./easyrsa build-server-full server nopass  # server certificate; nopass leaves the key unencrypted
# ./easyrsa gen-dh                           # generate Diffie-Hellman parameters
Generate a client certificate
# ./easyrsa build-client-full client1 nopass
Note: you can generate client1, client2, client3, or certificates named after each user.
Collect the server certificates
# cp pki/ca.crt /etc/openvpn/server/
# cp pki/private/server.key /etc/openvpn/server/
# cp pki/issued/server.crt /etc/openvpn/server/
# cp pki/dh.pem /etc/openvpn/server/
1.3 Enable IP forwarding and configure the firewall
# IP forwarding
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
# enable it immediately without a reboot
# echo 1 > /proc/sys/net/ipv4/ip_forward
# open the port/service on the firewall and enable NAT
# firewall-cmd --zone=public --add-service=openvpn
# firewall-cmd --zone=public --add-masquerade --permanent
Note that firewalld's openvpn service definition only opens 1194/udp, while server.conf above uses proto tcp-server; open 1194/tcp as well. The --add-service call above is also not --permanent, so it is lost on the next firewalld reload.
2. Adding SQLite authentication
Download and install pam_sqlite3
# yum -y install openssl*
# yum install sqlite-devel sqlite
# cd /opt
# git clone https://gitee.com/lang13002/pam_sqlite3.git
# cd pam_sqlite3
# make && make install
Add the PAM service file
# vim /etc/pam.d/openvpn
auth    required pam_sqlite3.so db=/etc/openvpn/openvpn.db table=t_user user=username passwd=password active=1 expire=expire crypt=1
account required pam_sqlite3.so db=/etc/openvpn/openvpn.db table=t_user user=username passwd=password active=1 expire=expire crypt=1
Create the SQLite database file. This table definition conflicts with the one shipped by the web application, so this step can be skipped.
# sqlite3 /etc/openvpn/openvpn.db
sqlite> create table t_user ( username text not null, password text not null, active int, expire text);
sqlite> .quit
Add the authentication plugin to the server configuration
verify-client-cert none
username-as-common-name
plugin /usr/local/openvpn/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
The last argument, openvpn, is the PAM service name and selects /etc/pam.d/openvpn. Be aware that verify-client-cert none makes the client certificate optional: a valid username and password alone is enough to connect. If you want the certificate plus password authentication promised by the title, leave that line out (the default is verify-client-cert require); username-as-common-name still makes the PAM username, rather than the certificate CN, visible to the scripts in section 5.
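The server.conf from section 1.1 together with the three lines just added carries several settings worth catching before the service goes live. The following is an added example, not code from this page or from OpenVPN: a small auditor that parses an OpenVPN server configuration, reports the weak settings discussed above (compression, a CBC cipher, an optional client certificate, a missing tls-auth/tls-crypt key) and produces a hardened copy. The configuration text inside it is a constructed copy of this page's server.conf, and the finding codes are my own names.

```python
import shlex

# Constructed copy of this page's server.conf (sections 1.1 and 2), used as sample input.
SERVER_CONF = """
port 1194
proto tcp-server
;proto udp
dev tun
topology subnet
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
tls-auth /etc/openvpn/server/ta.key 0
user nobody
group nobody
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 114.114.114.114"
push "route 192.168.133.0 255.255.255.0"
keepalive 10 120
comp-lzo
compress "lz4"
persist-key
persist-tun
cipher AES-256-CBC
verb 3
verify-client-cert none
username-as-common-name
plugin /usr/local/openvpn/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
"""


def parse_config(text):
    """Return [(directive, [args]), ...] in file order; ';' and '#' lines are comments."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        parts = shlex.split(line)  # handles quoted arguments such as compress "lz4"
        out.append((parts[0], parts[1:]))
    return out


def audit(directives):
    """Return (code, directive, advice) findings for the weak settings this page uses."""
    names = {d for d, _ in directives}
    findings = []
    compressed = []
    for d, args in directives:
        if d == "comp-lzo" and args[:1] != ["no"]:
            compressed.append(d)
        elif d == "compress" and args and args[0] not in ("stub", "stub-v2"):
            compressed.append(d)
        elif d == "verify-client-cert" and args[:1] in (["none"], ["optional"]):
            findings.append(("client-cert-not-required", d,
                             "a valid username/password alone lets a client in; "
                             "remove the line to restore the default 'require'"))
        elif d == "cipher" and args and args[0].upper().endswith("-CBC"):
            findings.append(("cbc-cipher", d,
                             "prefer an AEAD cipher such as AES-256-GCM (OpenVPN 2.4+)"))
        elif d == "script-security" and args and args[0].isdigit() and int(args[0]) >= 2 \
                and "user" in names:
            findings.append(("scripts-run-unprivileged", d,
                             "client-connect/-disconnect scripts run as the --user account, "
                             "which must be able to write their log database"))
    for d in compressed:
        findings.append(("compression", d,
                         "compressing VPN traffic enables the VORACLE attack; remove compression"))
    if len(set(compressed)) > 1:
        findings.append(("conflicting-compression", "comp-lzo/compress",
                         "comp-lzo is the deprecated spelling of compress; keep at most one"))
    if not names & {"tls-auth", "tls-crypt"}:
        findings.append(("no-tls-auth", "tls-auth",
                         "add tls-auth or tls-crypt so unauthenticated packets are dropped "
                         "before the TLS handshake"))
    return findings


def harden(directives):
    """Copy of the config with compression and the optional client cert removed and a GCM cipher."""
    out = []
    for d, args in directives:
        if d in ("comp-lzo", "compress"):
            continue
        if d == "verify-client-cert" and args[:1] in (["none"], ["optional"]):
            continue
        if d == "cipher" and args and args[0].upper().endswith("-CBC"):
            args = ["AES-256-GCM"]
        out.append((d, args))
    return out


def render(directives):
    """Serialise directives back to server.conf syntax, quoting arguments that need it."""
    return "\n".join(" ".join([d] + [shlex.quote(a) for a in args]) for d, args in directives) + "\n"


if __name__ == "__main__":
    parsed = parse_config(SERVER_CONF)
    for code, directive, advice in audit(parsed):
        print("%-26s %-22s %s" % (code, directive, advice))
    print(render(harden(parsed)))
```

Run it as a script to see the findings for the page's configuration followed by the hardened file; point parse_config at the contents of your own server.conf to audit that instead. The script-security check only fires once the scripts from section 5.4 are added.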
3. Client configuration
3.1 Download the client program:
Download the program from https://gitee.com/lang13002/openvpn-portable/repository/archive/v1.0 and install the network adapter driver;
3.2 Install the driver:
Run openvpn-portable/tap-windows.exe
3.3 Set up the client certificate
Copy the ca.crt, client1.crt and client1.key generated above into openvpn-portable's data/config directory and edit the client configuration
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
auth-user-pass
auth-nocache
Because the server uses tls-auth with key direction 0, the client also needs the shared ta.key with direction 1 (tls-auth ta.key 1); without it the server drops the client's packets before the TLS handshake starts.
Note: with many clients, several files (ca.crt, client1.crt, client1.key, client.ovpn) have to be distributed to each user, which quickly becomes tedious; instead, embed the certificates in the client configuration file:
;ca ca.crt        // comment out this line
;cert client.crt  // comment out this line
;key client.key   // comment out this line
<ca>
-----BEGIN CERTIFICATE-----
MIIDGDCCAgCgAwIBAgIJAI9Ld4PlKEiOMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV
....
OCeTQvQ4WhyIvVgURV3ITcAKYFKUQ1sPbpjuZg==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIDODCCAiCgAwIBAgIRAIZoEQ5PvHDs9xpTLMP3RqMwDQYJKoZIhvcNAQELBQAw
......
nCpzC3l8sVezxk2r
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDw1iq3HBe1otCU
......
ullaNc6mu3N/wTPZoQhDOKAO
-----END PRIVATE KEY-----
</key>
The resulting .ovpn now contains the client's unencrypted private key (it was generated with nopass), so it must be delivered to the user over a confidential channel and treated as a credential.
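Assembling these profiles by hand for every user is error-prone, so here is an added example (not part of this page or of openvpn-portable) that builds one self-contained .ovpn from the separate ca/cert/key files in the way the note describes, and optionally embeds ta.key with key-direction 1 to match the server's tls-auth ta.key 0. The base client configuration and the PEM bodies inside it are constructed placeholders (the remote host vpn.example.com is an assumption); in practice you would read the real files from easy-rsa's pki directory.

```python
import re

# Constructed base client config; the page only shows the certificate-related lines.
BASE_CLIENT_CONF = """client
dev tun
proto tcp-client
remote vpn.example.com 1194
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
auth-user-pass
auth-nocache
"""

# Constructed placeholder PEM material; real files come from easy-rsa and openvpn --genkey.
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIDGDCCAgCgAwIBAgIJ...constructed...\n-----END CERTIFICATE-----\n"
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIDODCCAiCgAwIBAgIR...constructed...\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG...constructed...\n-----END PRIVATE KEY-----\n"
TA_KEY = "-----BEGIN OpenVPN Static key V1-----\n0123456789abcdef...constructed...\n-----END OpenVPN Static key V1-----\n"

# Label that must appear in the BEGIN/END armour of each inline block type.
PEM_LABEL = {"ca": "CERTIFICATE", "cert": "CERTIFICATE",
             "key": "PRIVATE KEY", "tls-auth": "OpenVPN Static key V1"}


def is_embeddable(kind, text):
    """True when text is a PEM block of the type expected for this inline tag.
    'key' accepts PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY and similar headers."""
    lines = text.strip().splitlines()
    if len(lines) < 2:
        return False
    label = PEM_LABEL[kind]
    return (lines[0].startswith("-----BEGIN ") and lines[0].endswith(label + "-----")
            and lines[-1].startswith("-----END ") and lines[-1].endswith(label + "-----"))


def inline_profile(base_conf, ca_pem, cert_pem, key_pem, ta_key=None):
    """Comment out the file references and append <ca>, <cert>, <key> (and <tls-auth>) blocks."""
    lines = []
    for line in base_conf.splitlines():
        directive = line.split(None, 1)[0] if line.strip() else ""
        if directive in ("ca", "cert", "key", "tls-auth"):
            lines.append(";" + line)  # keep the line, commented out, as the note above does
        else:
            lines.append(line)
    blocks = [("ca", ca_pem), ("cert", cert_pem), ("key", key_pem)]
    if ta_key is not None:
        lines.append("key-direction 1")  # client side of the server's "tls-auth ta.key 0"
        blocks.append(("tls-auth", ta_key))
    for kind, pem in blocks:
        if not is_embeddable(kind, pem):
            raise ValueError("%s: expected a %s PEM block" % (kind, PEM_LABEL[kind]))
        lines.append("<%s>\n%s\n</%s>" % (kind, pem.strip(), kind))
    return "\n".join(lines) + "\n"


def inline_blocks(profile):
    """Names of the inline blocks in a profile, in order, for checking the result."""
    return re.findall(r"^<([a-z-]+)>$", profile, re.M)


if __name__ == "__main__":
    print(inline_profile(BASE_CLIENT_CONF, CA_PEM, CERT_PEM, KEY_PEM, TA_KEY))
```

The type check matters because the three files are easy to mix up when generating dozens of profiles: a CA certificate pasted into the key block, or a client certificate pasted into the CA block, produces a profile that fails only at connection time, or worse, trusts the wrong CA.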
4. Connecting to the VPN
Start the OpenVPN service
# systemctl start openvpn-server@server
Start openvpn-portable
5. OpenVPN user management and logging
5.1 Install the dependencies
# yum install python3
# pip3 install peewee tornado
5.2 Download openvpn-web
# cd /opt
# git clone https://gitee.com/lang13002/openvpn_web.git
5.3 Create the database tables
# sqlite3 /etc/openvpn/openvpn.db
sqlite> .read /opt/openvpn_web/model/openvpn.sql
5.4 Writing connection logs from OpenVPN scripts
Add the scripts to the server configuration
script-security 2
client-connect /etc/openvpn/server/connect.py
client-disconnect /etc/openvpn/server/disconnect.py
Both scripts must be executable. Because server.conf drops privileges with user nobody / group nobody, the scripts run as that account, so /etc/openvpn/openvpn.db and the directory containing it (SQLite writes a journal file next to the database) must be writable by it. A client-connect script that exits non-zero causes the client to be rejected.
connect.py
#!/usr/bin/python3
import os
import sqlite3
import time

# Connection details are passed in by OpenVPN as environment variables
username = os.environ['common_name']
trusted_ip = os.environ['trusted_ip']
trusted_port = os.environ['trusted_port']
local = os.environ['ifconfig_local']
remote = os.environ['ifconfig_pool_remote_ip']
timeunix = os.environ['time_unix']
logintime = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())

conn = sqlite3.connect("/etc/openvpn/openvpn.db")
cursor = conn.cursor()
# Bind the values instead of formatting them into the SQL string: with
# username-as-common-name, common_name is the name the client typed, so
# string interpolation would let any account holder inject SQL here.
cursor.execute(
    "insert into t_logs(username, timeunix, trusted_ip, trusted_port, local, remote, logintime) "
    "values(?, ?, ?, ?, ?, ?, ?)",
    (username, timeunix, trusted_ip, trusted_port, local, remote, logintime),
)
conn.commit()
conn.close()
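The page names disconnect.py but does not show it, and the original connect.py built its INSERT with string formatting. The following is an added example, not code from this page or from openvpn_web: one handler script that serves both client-connect and client-disconnect, uses bound parameters throughout, and closes the session row on disconnect with the bytes_received, bytes_sent and time_duration values OpenVPN sets for that script. The t_logs schema is an assumption (openvpn.sql is not shown): it mirrors the columns connect.py writes and adds logouttime, time_duration, bytes_received and bytes_sent. The demo function runs the same code against an in-memory database with a constructed environment whose common_name carries an SQL injection payload, to show that it is stored literally.

```python
#!/usr/bin/python3
import os
import sqlite3
import sys
import time

DB_PATH = "/etc/openvpn/openvpn.db"

# Assumed schema: the columns connect.py uses plus the disconnect-time fields.
SCHEMA = """
create table if not exists t_logs (
    username text, timeunix text, trusted_ip text, trusted_port text,
    local text, remote text, logintime text,
    logouttime text, time_duration integer, bytes_received integer, bytes_sent integer
)
"""


def now_str():
    return time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())


def record_connect(conn, env):
    """Insert a session row; env is OpenVPN's script environment (or a dict like it)."""
    conn.execute(SCHEMA)
    conn.execute(
        "insert into t_logs(username, timeunix, trusted_ip, trusted_port, local, remote, logintime) "
        "values (?, ?, ?, ?, ?, ?, ?)",
        (env["common_name"], env["time_unix"], env["trusted_ip"], env["trusted_port"],
         env["ifconfig_local"], env["ifconfig_pool_remote_ip"], now_str()),
    )
    conn.commit()


def record_disconnect(conn, env):
    """Close the open session row for this client endpoint; returns rows updated (0 or 1)."""
    cur = conn.execute(
        "update t_logs set logouttime = ?, time_duration = ?, bytes_received = ?, bytes_sent = ? "
        "where username = ? and trusted_ip = ? and trusted_port = ? and logouttime is null",
        (now_str(), int(env.get("time_duration", 0)), int(env.get("bytes_received", 0)),
         int(env.get("bytes_sent", 0)), env["common_name"], env["trusted_ip"], env["trusted_port"]),
    )
    conn.commit()
    return cur.rowcount


def demo():
    """Round trip on an in-memory database with a constructed, hostile common_name."""
    conn = sqlite3.connect(":memory:")
    env = {  # constructed sample of the variables OpenVPN exports to the scripts
        "common_name": "client1'); drop table t_logs; --",
        "time_unix": "1560000000",
        "trusted_ip": "203.0.113.7",
        "trusted_port": "51234",
        "ifconfig_local": "10.8.0.1",
        "ifconfig_pool_remote_ip": "10.8.0.2",
    }
    record_connect(conn, env)
    env.update({"time_duration": "60", "bytes_received": "1024", "bytes_sent": "4096"})
    closed = record_disconnect(conn, env)
    row = conn.execute("select username, time_duration, bytes_sent from t_logs").fetchone()
    return closed, row[0], row[1], row[2]


def main():
    # OpenVPN appends its own argument (the temporary client-config file) after ours,
    # so the action we configured is always argv[1].
    action = sys.argv[1] if len(sys.argv) > 1 else ""
    if action not in ("connect", "disconnect"):
        sys.exit(2)
    conn = sqlite3.connect(DB_PATH)
    try:
        if action == "connect":
            record_connect(conn, os.environ)
        else:
            record_disconnect(conn, os.environ)
    finally:
        conn.close()
    sys.exit(0)  # a non-zero exit from client-connect would reject the client


if __name__ == "__main__":
    main()
```

With this script saved as, say, /etc/openvpn/server/ovpn_log.py (an assumed path), the two server.conf lines become client-connect "/etc/openvpn/server/ovpn_log.py connect" and client-disconnect "/etc/openvpn/server/ovpn_log.py disconnect". Matching the disconnect to the open row by username, source address and port rather than by a time value keeps the update correct when the same account connects from two places.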
5.5 Start the service
# python3 myapp.py
5.6 Management interface
http://IP:8000; change the port and the account credentials to suit your environment.
Default login account: admin, password: 123456. Change this password immediately and do not expose port 8000 to the Internet: whoever controls this interface controls the VPN's user database.