OPENVPN基于用户名密码登陆

Read

最近在看openvpn的密码验证,度娘了一些资料,整理如下：

一、基于via-env

服务端配置：

$ grep -vE "^$|;|^#" /etc/openvpn/server.conf 
local 10.4.0.4
port 1194
proto tcp
dev tun
ca /etc/openvpn/key/ca.crt
cert /etc/openvpn/key/server.crt
key /etc/openvpn/key/server.key  # This file should be kept secret
dh /etc/openvpn/key/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /tmp/ipp.txt
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/key/ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
#user passwd login start#
script-security 3
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env     ###指定只用的认证脚本
client-cert-not-required
;username-as-common-name    #加不加均可,不影响实际效果
#user passwd login end#

$ grep -vE "^$|;|^#" /etc/openvpn/server.conf

local 10.4.0.4

port 1194

proto tcp

dev tun

ca /etc/openvpn/key/ca.crt

cert /etc/openvpn/key/server.crt

key /etc/openvpn/key/server.key # This file should be kept secret

dh /etc/openvpn/key/dh.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist /tmp/ipp.txt

client-to-client

duplicate-cn

keepalive 10 120

tls-auth /etc/openvpn/key/ta.key 0 # This file is secret

cipher AES-256-CBC

comp-lzo

persist-key

persist-tun

status openvpn-status.log

verb 3

#user passwd login start#

script-security 3

auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env ###指定只用的认证脚本

client-cert-not-required

;username-as-common-name #加不加均可,不影响实际效果

#user passwd login end#

SourceByrd's Weblog-https://note.t4x.org/service/openvpn-user-and-password-login/

二、基于via-file

1：ovpnauth.sh初始化配置

$ chmod +x ovpnauth.sh $ sh ovpnauth.sh md5 admin a17c44f7fa78230350f97bcd6ab4835a $ sh ovpnauth.sh md5 123456 dd992721bd45eaad8128aac323d06b7a $ echo "byrd=a17c44f7fa78230350f97bcd6ab4835a" >> /etc/openvpn/ovpnauth.conf $ echo "ak47=dd992721bd45eaad8128aac323d06b7a" >> /etc/openvpn/ovpnauth.conf $ cat /etc/openvpn/ovpnauth.conf byrd=a17c44f7fa78230350f97bcd6ab4835a ak47=dd992721bd45eaad8128aac323d06b7a

0
1
2
3
4
5
6
7
8
9

$ chmod +x ovpnauth.sh
$ sh ovpnauth.sh md5 admin
a17c44f7fa78230350f97bcd6ab4835a
$ sh ovpnauth.sh md5 123456
dd992721bd45eaad8128aac323d06b7a
$ echo "byrd=a17c44f7fa78230350f97bcd6ab4835a" >> /etc/openvpn/ovpnauth.conf
$ echo "ak47=dd992721bd45eaad8128aac323d06b7a" >> /etc/openvpn/ovpnauth.conf
$ cat /etc/openvpn/ovpnauth.conf
byrd=a17c44f7fa78230350f97bcd6ab4835a
ak47=dd992721bd45eaad8128aac323d06b7a

2：openvpn服务端配置

$ grep -vE "^$|;|^#" /etc/openvpn/server.conf local 10.4.0.4 port 1194 proto tcp dev tun ca /etc/openvpn/key/ca.crt cert /etc/openvpn/key/server.crt key /etc/openvpn/key/server.key # This file should be kept secret dh /etc/openvpn/key/dh.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist /tmp/ipp.txt client-to-client duplicate-cn keepalive 10 120 tls-auth /etc/openvpn/key/ta.key 0 # This file is secret cipher AES-256-CBC comp-lzo persist-key persist-tun status openvpn-status.log verb 3 # ovpnauth.sh start script-security 3 auth-user-pass-verify /etc/openvpn/ovpnauth.sh via-file username-as-common-name client-cert-not-required # ovpnauth.sh end

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

$ grep -vE "^$|;|^#" /etc/openvpn/server.conf
local 10.4.0.4
port 1194
proto tcp
dev tun
ca /etc/openvpn/key/ca.crt
cert /etc/openvpn/key/server.crt
key /etc/openvpn/key/server.key  # This file should be kept secret
dh /etc/openvpn/key/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /tmp/ipp.txt
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/key/ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
# ovpnauth.sh start
script-security 3
auth-user-pass-verify /etc/openvpn/ovpnauth.sh via-file
username-as-common-name
client-cert-not-required
# ovpnauth.sh end

3：openvpn-auth.sh配置(/etc/openvpn/via-file为用户、密码存放)

$ chmod +x /etc/openvpn/openvpn-auth.sh $ read -p "Login:" Login;read -p "Password:" Password;[ -n "$Login" ] && [ -n "$Password" ] && echo -e "$Login\t$(echo $Password|md5sum|cut -f 1 -d ' ')">>/etc/openvpn/via-file Login:byrd Password:admin $ cat /etc/openvpn/via-file byrd 456b7016a916a4b178dd72b947c152b7 ak47 f447b20a7fcbf53a5d5be013ea0b15af

0
1
2
3
4
5
6

$ chmod +x /etc/openvpn/openvpn-auth.sh
$ read -p "Login:" Login;read -p "Password:" Password;[ -n "$Login" ] && [ -n "$Password" ] && echo -e "$Login\t$(echo $Password|md5sum|cut -f 1 -d ' ')">>/etc/openvpn/via-file
Login:byrd
Password:admin
$ cat /etc/openvpn/via-file
byrd    456b7016a916a4b178dd72b947c152b7
ak47    f447b20a7fcbf53a5d5be013ea0b15af

4：openvpn服务端配置

$ grep -vE "^$|;|^#" /etc/openvpn/server.conf local 10.4.0.4 port 1194 proto tcp dev tun ca /etc/openvpn/key/ca.crt cert /etc/openvpn/key/server.crt key /etc/openvpn/key/server.key # This file should be kept secret dh /etc/openvpn/key/dh.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist /tmp/ipp.txt client-to-client duplicate-cn keepalive 10 120 tls-auth /etc/openvpn/key/ta.key 0 # This file is secret cipher AES-256-CBC comp-lzo persist-key persist-tun status openvpn-status.log verb 3 # openvpn-auth.sh start script-security 3 auth-user-pass-verify /etc/openvpn/openvpn-auth.sh via-file ;auth-user-pass-verify /etc/openvpn/openvpn-auth.sh via-env #也可以 username-as-common-name client-cert-not-required # openvpn-auth.sh end

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

$ grep -vE "^$|;|^#" /etc/openvpn/server.conf
local 10.4.0.4
port 1194
proto tcp
dev tun
ca /etc/openvpn/key/ca.crt
cert /etc/openvpn/key/server.crt
key /etc/openvpn/key/server.key  # This file should be kept secret
dh /etc/openvpn/key/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /tmp/ipp.txt
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/key/ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
# openvpn-auth.sh start
script-security 3
auth-user-pass-verify /etc/openvpn/openvpn-auth.sh via-file
;auth-user-pass-verify /etc/openvpn/openvpn-auth.sh via-env    #也可以
username-as-common-name
client-cert-not-required
# openvpn-auth.sh end

SourceByrd's Weblog-https://note.t4x.org/service/openvpn-user-and-password-login/

三、客户端配置

$ grep -vE "^$|;|#" /etc/openvpn/client.conf 
client
dev tun
proto tcp
remote 10.4.0.4 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/key/ca.crt
#cert /etc/openvpn/key/gd.crt
#key /etc/openvpn/key/gd.key
auth-user-pass    #使用用户密码认证
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3

$ grep -vE "^$|;|#" /etc/openvpn/client.conf

client

dev tun

proto tcp

remote 10.4.0.4 1194

resolv-retry infinite

nobind

persist-key

persist-tun

ca /etc/openvpn/key/ca.crt

#cert /etc/openvpn/key/gd.crt

#key /etc/openvpn/key/gd.key

auth-user-pass #使用用户密码认证

tls-auth ta.key 1

remote-cert-tls server

cipher AES-256-CBC

comp-lzo

verb 3

SourceByrd's Weblog-https://note.t4x.org/service/openvpn-user-and-password-login/

四、服务端脚本

1：via-env

$ cat checkpsw.sh #!/bin/sh ########################################################### # checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se> # # This script will authenticate OpenVPN users against # a plain text file. The passfile should simply contain # one row per user with the username first followed by # one or more space(s) or tab(s) and then the password. PASSFILE="/etc/openvpn/via-file" LOG_FILE="/tmp/openvpn-password.log" TIME_STAMP=`date "+%Y-%m-%d %T"` ########################################################### if [ ! -r "${PASSFILE}" ]; then echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE} exit 1 fi CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}` if [ "${CORRECT_PASSWORD}" = "" ]; then echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE} exit 1 fi if [ "${password}" = "${CORRECT_PASSWORD}" ]; then echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE} exit 0 fi echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE} exit 1

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

$ cat checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
PASSFILE="/etc/openvpn/via-file"
LOG_FILE="/tmp/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

2：via-file

#!/bin/sh # Config parameters conf="/etc/openvpn/ovpnauth.conf" #账号密码配置文件 logfile="/tmp/ovpnauth.log" # End of config parameters if [ "$1" = "" ] || [ "$1" = "help" ] then echo "ovpnauth.sh v0.1 - OpenVPN sh authentication script with simple user db" echo " for use withauth-user-pass-verify via-file option" echo "" echo "help - prints help" echo "md5 password - to compute password md5 checksum" exit 1 fi md5(){ echo "$1.`uname -n`" > /tmp/$$.md5calc sum="`md5sum /tmp/$$.md5calc | awk '{print $1}'`" rm /tmp/$$.md5calc echo "$sum" } if [ "$1" = "md5" ] then echo `md5 $2` exit 1 fi log(){ echo "`date +'%m/%d/%y %H:%M'` - $1" >> $logfile } logenv(){ enviroment="`env | awk '{printf "%s ", $0}'`" echo "`date +'%m/%d/%y %H:%M'` - $enviroment" >> $logfile } envr="`echo `env``" userpass=`cat $1` username=`echo $userpass | awk '{print $1}'` password=`echo $userpass | awk '{print $2}'` # computing password md5 password=`md5 $password` userpass=`cat $conf | grep $username= | awk -F= '{print $2}'` if [ "$password" = "$userpass" ] then log "OpenVPN authentication successfull: $username" logenv exit 0 fi log "OpenVPN authentication failed" log `cat $1` logenv exit 1

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60

#!/bin/sh

# Config parameters

conf="/etc/openvpn/ovpnauth.conf"    #账号密码配置文件
logfile="/tmp/ovpnauth.log"

# End of config parameters

if [ "$1" = "" ] || [ "$1" = "help" ]
then
        echo "ovpnauth.sh v0.1 - OpenVPN sh authentication script with simple user db"
        echo "                   for use withauth-user-pass-verify via-file option"
        echo ""
        echo "help - prints help"
        echo "md5 password - to compute password md5 checksum"
        exit 1
fi

md5(){
        echo "$1.`uname -n`" > /tmp/$$.md5calc
        sum="`md5sum /tmp/$$.md5calc | awk '{print $1}'`"
        rm /tmp/$$.md5calc
        echo "$sum"
}

if [ "$1" = "md5" ]
then
        echo `md5 $2`
        exit 1
fi

log(){
        echo "`date +'%m/%d/%y %H:%M'` - $1" >> $logfile
}

logenv(){
        enviroment="`env | awk '{printf "%s ", $0}'`"
        echo "`date +'%m/%d/%y %H:%M'` - $enviroment" >> $logfile
}

envr="`echo `env``"
userpass=`cat $1`
username=`echo $userpass | awk '{print $1}'`
password=`echo $userpass | awk '{print $2}'`

# computing password md5
password=`md5 $password`
userpass=`cat $conf | grep $username= | awk -F= '{print $2}'`

if [ "$password" = "$userpass" ]
then
        log "OpenVPN authentication successfull: $username"
        logenv
        exit 0
fi

log "OpenVPN authentication failed"
log `cat $1`
logenv
exit 1

SourceByrd's Weblog-https://note.t4x.org/service/openvpn-user-and-password-login/
补充：

$ sh /etc/openvpn/scripts/ovpnauth.sh md5 admin d27e3e5ace39a805e7ff23d9b9574f3a $ sh /etc/openvpn/scripts/ovpnauth.sh md5 123456 b1890ef7e2c0b37a9a9b6a20dbe6589d $ echo "ak47=b1890ef7e2c0b37a9a9b6a20dbe6589d" >> /etc/openvpn/ovpnauth.conf

0
1
2
3
4

$ sh /etc/openvpn/scripts/ovpnauth.sh md5 admin
d27e3e5ace39a805e7ff23d9b9574f3a
$ sh /etc/openvpn/scripts/ovpnauth.sh md5 123456
b1890ef7e2c0b37a9a9b6a20dbe6589d
$ echo "ak47=b1890ef7e2c0b37a9a9b6a20dbe6589d" >> /etc/openvpn/ovpnauth.conf

3：via-file or via-env both

$ cat openvpn-auth.sh #!/bin/bash # Script for OpenVPN user/client authentication process # Script version 1.00 Rafal Drzymala 2013 # # Changelog # 1.00 RD First stable code # # Example usage in UCI version: # server config pass credentials via file (is more secure) # # option 'script_security' '2' # option 'auth_user_pass_verify' '/bin/openvpn-auth.sh via-file' # # or pass credentials via environment variables # # option 'script_security' '3' # option 'auth_user_pass_verify' '/bin/openvpn-auth.sh via-env' # # Remember you have to add 'auth-user-pass' option in client config file. # # Destination /bin/openvpn-auth.sh # if [ "$script_type" == "user-pass-verify" ]; then LARG="" PNAME=$(basename $0) for PARG in $(pgrep -s $PPID -fl) do [ "$LARG" == "--syslog" ] && PNAME=$PARG && break LARG=$PARG done PEER="$common_name $untrusted_ip:$untrusted_port" logger -p user.notice -t $PNAME "$PEER Start authentication" if [ "$1" == "" ]; then logger -p user.notice -t $PNAME "$PEER Authentication using variables" elif [ -e "$1" ]; then logger -p user.notice -t $PNAME "$PEER Authentication using file $1" username=$(awk 'NR==1' $1) password=$(awk 'NR==2' $1) else logger -p user.error -t $PNAME "$PEER Invalid parameters" exit 1 fi if [ "$username" == "" ]; then logger -p user.error -t $PNAME "$PEER User name isn't set" exit 1 fi if [ "$password" == "" ]; then logger -p user.error -t $PNAME "$PEER Password isn't set" exit 1 fi hashinput=$(echo "$password" | md5sum | cut -d " " -f 1) if [ "$hashinput" == "" ]; then logger -p user.error -t $PNAME "$PEER Hash from password isn't set" exit 1 fi hashuser=$(awk -v USER="$username" -F $'\t' '$1==USER {print $2}' /etc/openvpn/via-file) if [ "$hashuser" == "" ]; then logger -p user.notice -t $PNAME "$PEER User '$username' not found" exit 1 fi if [ "$hashuser" == "$hashinput" ]; then logger -p user.notice -t $PNAME "$PEER User $username authenticated" exit 0 else logger -p user.notice -t $PNAME "$PEER Invalid password for user $username" exit 1 fi elif [ "$script_type" != "" ]; then logger -p user.error -t $PNAME "$PEER Invalid script type '$script_type'" exit 1 else exit 1 fi # Done

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74

$ cat openvpn-auth.sh
#!/bin/bash
# Script for OpenVPN user/client authentication process
# Script version 1.00 Rafal Drzymala 2013
#
# Changelog
#   1.00    RD  First stable code
#
# Example usage in UCI version:
# server config pass credentials via file (is more secure)
#
#   option 'script_security' '2'
#   option 'auth_user_pass_verify' '/bin/openvpn-auth.sh via-file'
#
# or pass credentials via environment variables
#
#   option 'script_security' '3'
#   option 'auth_user_pass_verify' '/bin/openvpn-auth.sh via-env'
#
# Remember you have to add 'auth-user-pass' option in client config file.
#
# Destination /bin/openvpn-auth.sh
#
if [ "$script_type" == "user-pass-verify" ]; then
    LARG=""
    PNAME=$(basename $0)
    for PARG in $(pgrep -s $PPID -fl)
    do
        [ "$LARG" == "--syslog" ] && PNAME=$PARG && break
        LARG=$PARG
    done
    PEER="$common_name $untrusted_ip:$untrusted_port"
    logger -p user.notice -t $PNAME "$PEER Start authentication"
    if [ "$1" == "" ]; then
        logger -p user.notice -t $PNAME "$PEER Authentication using variables"
    elif [ -e "$1" ]; then
        logger -p user.notice -t $PNAME "$PEER Authentication using file $1"
        username=$(awk 'NR==1' $1)
        password=$(awk 'NR==2' $1)
    else
        logger -p user.error -t $PNAME "$PEER Invalid parameters"
        exit 1
    fi
    if [ "$username" == "" ]; then
        logger -p user.error -t $PNAME "$PEER User name isn't set"
        exit 1
    fi
    if [ "$password" == "" ]; then
        logger -p user.error -t $PNAME "$PEER Password isn't set"
        exit 1
    fi
    hashinput=$(echo "$password" | md5sum | cut -d " " -f 1)
    if [ "$hashinput" == "" ]; then
        logger -p user.error -t $PNAME "$PEER Hash from password isn't set"
        exit 1
    fi
    hashuser=$(awk -v USER="$username" -F $'\t' '$1==USER {print $2}' /etc/openvpn/via-file)
    if [ "$hashuser" == "" ]; then
        logger -p user.notice -t $PNAME "$PEER User '$username' not found"
        exit 1
    fi
    if [ "$hashuser" == "$hashinput" ]; then
        logger -p user.notice -t $PNAME "$PEER User $username authenticated"
        exit 0
    else
        logger -p user.notice -t $PNAME "$PEER Invalid password for user $username"
        exit 1
    fi
elif [ "$script_type" != "" ]; then
    logger -p user.error -t $PNAME "$PEER Invalid script type '$script_type'"
    exit 1
else
    exit 1
fi
# Done

SourceByrd's Weblog-https://note.t4x.org/service/openvpn-user-and-password-login/

五、常见问题QA

错误：

WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.

0

WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.

解决方法：

script-security 3

0

script-security 3

错误：

OpenSSL: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate

0

OpenSSL: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate

解决方法：

client-cert-not-required #不请求客户的CA证书,使用User/Pass验证,如果同时启用证书和密码认证,注释掉该行,相对双向认证不安全

0

client-cert-not-required #不请求客户的CA证书,使用User/Pass验证,如果同时启用证书和密码认证,注释掉该行,相对双向认证不安全

错误：

WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1

0

WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1

解决方法：

auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env

0

auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env

SourceByrd's Weblog-https://note.t4x.org/service/openvpn-user-and-password-login/

服务端注意事项：(非必须)SourceByrd's Weblog-https://note.t4x.org/service/openvpn-user-and-password-login/

1：开启push "redirect-gateway def1 bypass-dhcp bypass-dns"
2：开启转发功能sysctl -w net.ipv4.ip_forward=1
3：开启NAT映射 SourceByrd's Weblog-https://note.t4x.org/service/openvpn-user-and-password-login/

参考文档：
1：https://github.com/troydm/ovpnauth.sh/blob/master/README
2：https://github.com/Rafciq/openwrt/tree/master/openvpnSourceByrd's Weblog-https://note.t4x.org/service/openvpn-user-and-password-login/ SourceByrd's Weblog-https://note.t4x.org/service/openvpn-user-and-password-login/