Setting up OpenVPN with certificate encryption and username/password two-factor login

NAT traversal is normally something only routers support, but OpenVPN supports it as well: to run OpenVPN behind NAT, a single port mapping on the router is enough. OpenVPN can also use certificates to encrypt the data it carries, which makes it far more secure than PPTP VPN. However, an OpenVPN client can connect to the server with just a double-click, which feels insecure, so OpenVPN can be configured to require both a certificate and a username/password to log in. To revoke a user's account you only need to delete that user's record from the password file; likewise, to add a user you can reuse the same certificate and only need to add a username/password record.

1. Before starting, get the OpenVPN server and client configured:

Environment: CentOS Linux release 7.3.1611 (Core) + OpenVPN 2.4.3 x86_64

# Set up local time synchronisation: remove the other time-server entries
yum install -y ntp
sed -i "s/server 0.centos.pool.ntp.org iburst/server    cn.pool.ntp.org    iburst/" /etc/ntp.conf
sed -i "22,24d" /etc/ntp.conf
systemctl disable chronyd.service
systemctl stop chronyd.service
systemctl enable ntpd.service
systemctl start ntpd.service

ntpdate asia.pool.ntp.org && hwclock -w
#ntpdate time.windows.com && hwclock -w
# Update the time over the network; on success, write the system time to the BIOS clock:
# hwclock -w or hwclock --systohc
# This can be put into crontab

# OpenVPN server installation and deployment
yum install epel-release
yum install openvpn lzo-devel easy-rsa -y
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
cp -R /usr/share/easy-rsa/ /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0/

#egrep -v '^$|^#' vars
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="gd"
export KEY_CITY="sz"
export KEY_ORG="company"
export KEY_EMAIL="[email protected]"
export KEY_OU="company"
export KEY_NAME="server"

source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
./build-key client
# Not in the post as published, but needed: the tls-auth lines in server.conf and client.ovpn
# below expect a ta.key that easy-rsa does not generate, and the server reads its files from /etc/openvpn
openvpn --genkey --secret keys/ta.key
cp keys/ca.crt keys/server.crt keys/server.key keys/dh2048.pem keys/ta.key /etc/openvpn/

#egrep -v '^;|^#|^$' /etc/openvpn/server.conf
local 192.168.1.254
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.10.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.253"
push "dhcp-option DNS 114.114.114.114"
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log         /var/log/openvpn.log
verb 3
mute 20
# Check whether iptables is installed
service iptables status
# Install iptables
yum install -y iptables
# Upgrade iptables (not needed if the latest version is already installed)
yum update iptables
# Install iptables-services
yum install iptables-services
# Disable/stop the built-in firewalld service
systemctl stop firewalld
systemctl mask firewalld

# Configure iptables
iptables -L -n
# Allow everything first, otherwise you may lock yourself out
iptables -P INPUT ACCEPT
iptables -F
iptables -X
iptables -Z
# Not in the post as published, but required: enable IP forwarding, otherwise the
# FORWARD/SNAT rules below carry no VPN client traffic (persist it in /etc/sysctl.conf)
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o ens160 -j SNAT --to 192.168.1.254
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i ens160 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o ens160 -j ACCEPT
iptables -A FORWARD -s 10.10.10.0/24 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
service iptables save
service iptables restart

2. Client configuration:

#client.ovpn
client
dev tun
proto udp
remote 192.168.1.12 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3

Merge the three files (.ca, .crt, .key) into the main config file.
Delete the following three lines from the main config file:
ca ca.crt
cert test1.crt
key test1.key

Add the following to the config file:
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
Copy the contents of the .ca file between <ca> and </ca>.
Copy the .crt and .key files into their corresponding tags.
Finally, add this to the config file:
auth-user-pass
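To avoid doing the edits above by hand, here is an added shell helper (not from the original post) that produces the inline form of client.ovpn; it assumes the file names used on this page (client.ovpn, ca.crt, client.crt, client.key, ta.key) and the client-side tls-auth direction 1 from the config above.

```shell
#!/bin/sh
# Added example, not from the original post: build a single-file client.ovpn with the
# certificate material inlined, automating the hand edits of section 2. File names are
# the ones used on this page (client.ovpn, ca.crt, client.crt, client.key, ta.key);
# any other names are the caller's choice.
# Usage: inline_ovpn client.ovpn ca.crt client.crt client.key ta.key > client-inline.ovpn

inline_ovpn() {
    base="$1"; ca="$2"; cert="$3"; key="$4"; ta="$5"
    for f in "$base" "$ca" "$cert" "$key" "$ta"; do
        [ -r "$f" ] || { echo "inline_ovpn: cannot read $f" >&2; return 1; }
    done
    # Drop only the directives that reference external files; keep everything else verbatim.
    grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$base"
    # With tls-auth inlined, the key direction (1 on the client) is given separately.
    echo 'key-direction 1'
    for pair in "ca:$ca" "cert:$cert" "key:$key" "tls-auth:$ta"; do
        tag=${pair%%:*}; file=${pair#*:}
        printf '<%s>\n' "$tag"
        cat "$file"
        printf '</%s>\n' "$tag"
    done
    # Section 2 ends by adding auth-user-pass so the client prompts for username/password.
    echo 'auth-user-pass'
}

# Run only when called with the five file arguments.
if [ $# -eq 5 ]; then inline_ovpn "$@"; fi
```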


3. Edit the OpenVPN server main config file and add the following, which requires both a certificate and a username/password to log in:

script-security 2 # Allow calling of built-in executables and user-defined scripts
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-file


4. Add the username/password authentication script:

cat /etc/openvpn/checkpsw.sh
#!/bin/sh
###########################################################
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one colon(:) and then the password.
# OpenVPN calls it (auth-user-pass-verify ... via-file) with one
# argument: a temp file holding the username on line 1 and the
# password on line 2.

PASSFILE="/etc/openvpn/pass_file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%F %T"`

###########################################################
username=`head -1 "$1"`
password=`tail -1 "$1"`

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >>${LOG_FILE}
  exit 1
fi

# Pass the username to awk as a variable instead of splicing it into the
# program text, so quotes or awk syntax in a submitted username cannot alter
# the lookup (the spliced form also made awk warn about the \$ escape).
# Lines starting with ; or # are comments.
CORRECT_PASSWORD=`awk -F ":" -v u="${username}" '!/^;/&&!/^#/&&$1==u{print $2;exit}' ${PASSFILE}`

# Submitted passwords are not written to the log file, which is not
# protected the way pass_file is.
if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >>${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> ${LOG_FILE}
exit 1


5. Prepare the username/password file. Each line holds a username and a password separated by a colon (:), and make sure the user OpenVPN runs as can read the file:

# cat pass_file
test1:123456
test2:12345678

# chmod 400 pass_file
# chown nobody.nobody pass_file
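The script in section 4 compares cleartext passwords, so anyone who can read pass_file has every user's credential. As an added example (not from the original post), here is a replacement with the same via-file interface and the same user:secret line format from section 5, except that the secret is a SHA-512-crypt hash produced by `openssl passwd -6`; it assumes OpenSSL 1.1.1 or newer and the pass_file and log paths used above.

```shell
#!/bin/sh
# Added example, not from the original post: a drop-in replacement for checkpsw.sh
# that keeps the same OpenVPN interface (auth-user-pass-verify ... via-file, so $1 is
# a temp file with the username on line 1 and the password on line 2) but stores
# SHA-512-crypt hashes instead of cleartext in pass_file (user:$6$salt$digest per line,
# made with `openssl passwd -6`). Assumes OpenSSL 1.1.1 or newer; PASSFILE/LOG_FILE
# default to the paths used in the post.

PASSFILE="${PASSFILE:-/etc/openvpn/pass_file}"
LOG_FILE="${LOG_FILE:-/var/log/openvpn-password.log}"

log() { printf '%s: %s\n' "$(date '+%F %T')" "$1" >>"$LOG_FILE"; }

# stored_hash PASSFILE USERNAME: print the stored hash, or nothing if the user is absent.
# The username reaches awk through the environment and is compared as a plain string,
# so quotes, backslashes or regex characters in it cannot change the awk program.
stored_hash() {
    AUTH_USER="$2" awk -F ':' '!/^[;#]/ && $1 == ENVIRON["AUTH_USER"] { print $2; exit }' "$1"
}

# check_credentials PASSFILE USERNAME PASSWORD: 0 if the password matches, 1 otherwise.
check_credentials() {
    stored=$(stored_hash "$1" "$2")
    [ -n "$stored" ] || return 1
    # Stored form is $6$<salt>$<digest>; hash the candidate with the same salt and compare.
    salt=$(printf '%s' "$stored" | cut -d '$' -f 3)
    [ -n "$salt" ] || return 1
    candidate=$(printf '%s\n' "$3" | openssl passwd -6 -salt "$salt" -stdin)
    [ "$candidate" = "$stored" ]
}

# Entry point used by OpenVPN. The submitted password is never written to the log.
main() {
    [ -r "$PASSFILE" ] || { log "Could not open password file \"$PASSFILE\""; exit 1; }
    username=$(sed -n '1p' "$1")
    password=$(sed -n '2p' "$1")
    if check_credentials "$PASSFILE" "$username" "$password"; then
        log "Successful authentication: username=\"$username\""
        exit 0
    fi
    log "Authentication failed: username=\"$username\""
    exit 1
}

# Run main only when OpenVPN calls the script with its temp-file argument.
if [ $# -eq 1 ]; then main "$1"; fi
```

Add a user with `printf 'test1:%s\n' "$(openssl passwd -6)" >> /etc/openvpn/pass_file` (it prompts for the password), then apply the same chmod 400 / chown as above.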
