OPENVPN基于用户名密码登陆

  • A+
所属分类:Service

最近在看openvpn的密码验证,度娘了一些资料,整理如下:

一、基于via-env

服务端配置:

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
$ grep -vE "^$|;|^#" /etc/openvpn/server.conf
local 10.4.0.4
port 1194
proto tcp
dev tun
ca /etc/openvpn/key/ca.crt
cert /etc/openvpn/key/server.crt
key /etc/openvpn/key/server.key  # This file should be kept secret
dh /etc/openvpn/key/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /tmp/ipp.txt
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/key/ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
#user passwd login start#
script-security 3
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env     ###指定只用的认证脚本
client-cert-not-required
;username-as-common-name    #加不加均可,不影响实际效果
#user passwd login end#

二、基于via-file

1:ovpnauth.sh初始化配置

0
1
2
3
4
5
6
7
8
9
$ chmod +x ovpnauth.sh
$ sh ovpnauth.sh md5 admin
a17c44f7fa78230350f97bcd6ab4835a
$ sh ovpnauth.sh md5 123456
dd992721bd45eaad8128aac323d06b7a
$ echo "byrd=a17c44f7fa78230350f97bcd6ab4835a" >> /etc/openvpn/ovpnauth.conf        
$ echo "ak47=dd992721bd45eaad8128aac323d06b7a" >> /etc/openvpn/ovpnauth.conf
$ cat /etc/openvpn/ovpnauth.conf
byrd=a17c44f7fa78230350f97bcd6ab4835a
ak47=dd992721bd45eaad8128aac323d06b7a

2:openvpn服务端配置

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
$ grep -vE "^$|;|^#" /etc/openvpn/server.conf
local 10.4.0.4
port 1194
proto tcp
dev tun
ca /etc/openvpn/key/ca.crt
cert /etc/openvpn/key/server.crt
key /etc/openvpn/key/server.key  # This file should be kept secret
dh /etc/openvpn/key/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /tmp/ipp.txt
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/key/ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
# ovpnauth.sh start
script-security 3
auth-user-pass-verify /etc/openvpn/ovpnauth.sh via-file
username-as-common-name
client-cert-not-required
# ovpnauth.sh end

3:openvpn-auth.sh配置(/etc/openvpn/via-file为用户、密码存放)

0
1
2
3
4
5
6
$ chmod +x /etc/openvpn/openvpn-auth.sh
$ read -p "Login:" Login;read -p "Password:" Password;[ -n "$Login" ] && [ -n "$Password" ] && echo -e "$Login\t$(echo $Password|md5sum|cut -f 1 -d ' ')">>/etc/openvpn/via-file
Login:byrd
Password:admin
$ cat /etc/openvpn/via-file
byrd    456b7016a916a4b178dd72b947c152b7
ak47    f447b20a7fcbf53a5d5be013ea0b15af

4:openvpn服务端配置

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
$ grep -vE "^$|;|^#" /etc/openvpn/server.conf
local 10.4.0.4
port 1194
proto tcp
dev tun
ca /etc/openvpn/key/ca.crt
cert /etc/openvpn/key/server.crt
key /etc/openvpn/key/server.key  # This file should be kept secret
dh /etc/openvpn/key/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /tmp/ipp.txt
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/key/ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
# openvpn-auth.sh start
script-security 3
auth-user-pass-verify /etc/openvpn/openvpn-auth.sh via-file
;auth-user-pass-verify /etc/openvpn/openvpn-auth.sh via-env    #也可以
username-as-common-name
client-cert-not-required
# openvpn-auth.sh end

三、客户端配置

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ grep -vE "^$|;|#" /etc/openvpn/client.conf
client
dev tun
proto tcp
remote 10.4.0.4 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/key/ca.crt
#cert /etc/openvpn/key/gd.crt
#key /etc/openvpn/key/gd.key
auth-user-pass    #使用用户密码认证
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3

四、服务端脚本

1:via-env

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
$ cat checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
PASSFILE="/etc/openvpn/via-file"
LOG_FILE="/tmp/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

2:via-file

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
#!/bin/sh
 
# Config parameters
 
conf="/etc/openvpn/ovpnauth.conf"
logfile="/tmp/ovpnauth.log"
 
# End of config parameters
 
if [ "$1" = "" ] || [ "$1" = "help" ]
then
        echo "ovpnauth.sh v0.1 - OpenVPN sh authentication script with simple user db"
        echo "                   for use withauth-user-pass-verify via-file option"
        echo ""
        echo "help - prints help"
        echo "md5 password - to compute password md5 checksum"
        exit 1
fi
 
md5(){
        echo "$1.`uname -n`" > /tmp/$$.md5calc
        sum="`md5sum /tmp/$$.md5calc | awk '{print $1}'`"
        rm /tmp/$$.md5calc
        echo "$sum"
}
 
if [ "$1" = "md5" ]
then
        echo `md5 $2`
        exit 1
fi
 
log(){
        echo "`date +'%m/%d/%y %H:%M'` - $1" >> $logfile
}
 
logenv(){
        enviroment="`env | awk '{printf "%s ", $0}'`"
        echo "`date +'%m/%d/%y %H:%M'` - $enviroment" >> $logfile
}
 
envr="`echo `env``"
userpass=`cat $1`
username=`echo $userpass | awk '{print $1}'`
password=`echo $userpass | awk '{print $2}'`
 
# computing password md5
password=`md5 $password`
userpass=`cat $conf | grep $username= | awk -F= '{print $2}'`
 
if [ "$password" = "$userpass" ]
then
        log "OpenVPN authentication successfull: $username"
        logenv
        exit 0
fi
 
log "OpenVPN authentication failed"
log `cat $1`
logenv
exit 1

3:via-file or via-env both

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
$ cat openvpn-auth.sh
#!/bin/bash
# Script for OpenVPN user/client authentication process
# Script version 1.00 Rafal Drzymala 2013
#
# Changelog
#   1.00    RD  First stable code
#
# Example usage in UCI version:
# server config pass credentials via file (is more secure)
#
#   option 'script_security' '2'
#   option 'auth_user_pass_verify' '/bin/openvpn-auth.sh via-file'
#
# or pass credentials via environment variables
#
#   option 'script_security' '3'
#   option 'auth_user_pass_verify' '/bin/openvpn-auth.sh via-env'
#
# Remember you have to add 'auth-user-pass' option in client config file.
#
# Destination /bin/openvpn-auth.sh
#
if [ "$script_type" == "user-pass-verify" ]; then
    LARG=""
    PNAME=$(basename $0)
    for PARG in $(pgrep -s $PPID -fl)
    do
        [ "$LARG" == "--syslog" ] && PNAME=$PARG && break
        LARG=$PARG
    done
    PEER="$common_name $untrusted_ip:$untrusted_port"
    logger -p user.notice -t $PNAME "$PEER Start authentication"
    if [ "$1" == "" ]; then
        logger -p user.notice -t $PNAME "$PEER Authentication using variables"
    elif [ -e "$1" ]; then
        logger -p user.notice -t $PNAME "$PEER Authentication using file $1"
        username=$(awk 'NR==1' $1)
        password=$(awk 'NR==2' $1)
    else
        logger -p user.error -t $PNAME "$PEER Invalid parameters"
        exit 1
    fi
    if [ "$username" == "" ]; then
        logger -p user.error -t $PNAME "$PEER User name isn't set"
        exit 1
    fi
    if [ "$password" == "" ]; then
        logger -p user.error -t $PNAME "$PEER Password isn't set"
        exit 1
    fi
    hashinput=$(echo "$password" | md5sum | cut -d " " -f 1)
    if [ "$hashinput" == "" ]; then
        logger -p user.error -t $PNAME "$PEER Hash from password isn't set"
        exit 1
    fi
    hashuser=$(awk -v USER="$username" -F $'\t' '$1==USER {print $2}' /etc/openvpn/via-file)
    if [ "$hashuser" == "" ]; then
        logger -p user.notice -t $PNAME "$PEER User '$username' not found"
        exit 1
    fi
    if [ "$hashuser" == "$hashinput" ]; then
        logger -p user.notice -t $PNAME "$PEER User $username authenticated"
        exit 0
    else
        logger -p user.notice -t $PNAME "$PEER Invalid password for user $username"
        exit 1
    fi
elif [ "$script_type" != "" ]; then
    logger -p user.error -t $PNAME "$PEER Invalid script type '$script_type'"
    exit 1
else
    exit 1
fi
# Done

五、常见问题QA

错误:

0
WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.

解决方法:

0
script-security 3

错误:

0
OpenSSL: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate

解决方法:

0
client-cert-not-required    #不请求客户的CA证书,使用User/Pass验证,如果同时启用证书和密码认证,注释掉该行,相对双向认证不安全

错误:

0
WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1

解决方法:

0
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env

服务端注意事项:(非必须)

1:开启push "redirect-gateway def1 bypass-dhcp bypass-dns"
2:开启转发功能sysctl -w net.ipv4.ip_forward=1
3:开启NAT映射

参考文档:
1:https://github.com/troydm/ovpnauth.sh/blob/master/README
2:https://github.com/Rafciq/openwrt/tree/master/openvpn

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: