CentOS6内网连接: 服务端,客户端

角色 服务器说明 虚拟网段
服务端 server: centos6, 192.168.56.160 10.8.0.1
客户端 client: centos6, 192.168.100.160 10.8.0.6

1, 配置服务端

a, 生成密钥和证书:服务端,ca,客户端

[root@server easy-rsa]# wget  https://mirrors.aliyun.com/repo/epel-6.repo  -O /etc/yum.repos.d/epel.repo
[root@server easy-rsa]# yum install easy-rsa openssh-server lzo openssl openssl-devel openv NetworkManager-openv openv-auth-ldap -y

#第一步:使用easy-rsa生成密钥和证书
[root@server easy-rsa]# cp -ra /usr/share/easy-rsa/ /etc/openv/
[root@server easy-rsa]# ls /etc/openv/easy-rsa/
3  3.0  3.0.7
[root@server easy-rsa]# cp /usr/share/doc/easy-rsa-3.0.7/vars.example /etc/openv/easy-rsa/
[root@server ~]# cat /etc/openv/easy-rsa/3/vars
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "BJ"
set_var EASYRSA_REQ_CITY "BJ"
set_var EASYRSA_REQ_ORG "my.com"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "admin"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "admin"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST "sha256"

[root@server ~]# cd /etc/openv/easy-rsa/3.0
[root@server 3.0]# ls
easyrsa  openssl-easyrsa.cnf  vars  vars.example  x509-types
[root@server 3.0]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openv/easy-rsa/3.0.7/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openv/easy-rsa/3.0/pki
[root@server 3.0]# tree pki/
pki/
├── private
├── reqs
└── safessl-easyrsa.cnf
2 directories, 1 file

[root@server 3.0]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: /etc/openv/easy-rsa/3.0.7/vars
Using SSL: openssl OpenSSL 1.0.1e-fips 11 Feb 2013
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus
............+++
.....................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:admin
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openv/easy-rsa/3.0/pki/ca.crt
[root@server 3.0]# tree pki/
pki/
├── ca.crt
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── private
│   └── ca.key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial
12 directories, 6 files

[root@server 3.0]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: /etc/openv/easy-rsa/3.0.7/vars
Using SSL: openssl OpenSSL 1.0.1e-fips 11 Feb 2013
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.................+....................
DH parameters of size 2048 created at /etc/openv/easy-rsa/3.0/pki/dh.pem

[root@server 3.0]# ./easyrsa gen-req server 
Note: using Easy-RSA configuration from: /etc/openv/easy-rsa/3.0.7/vars
Using SSL: openssl OpenSSL 1.0.1e-fips 11 Feb 2013
Generating a 2048 bit RSA private key
...................+++
..............+++
writing new private key to '/etc/openv/easy-rsa/3.0/pki/easy-rsa-2265.OVhdjU/tmp.A55Lvw'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:admin
Keypair and certificate request completed. Your files are:
req: /etc/openv/easy-rsa/3.0/pki/reqs/server.req
key: /etc/openv/easy-rsa/3.0/pki/private/server.key

[root@server 3.0]# ./easyrsa sign-req server server
Note: using Easy-RSA configuration from: /etc/openv/easy-rsa/3.0.7/vars
Using SSL: openssl OpenSSL 1.0.1e-fips 11 Feb 2013
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
    commonName                = admin
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openv/easy-rsa/3.0/pki/easy-rsa-2297.B7w1Kq/tmp.56mi68
Enter pass phrase for /etc/openv/easy-rsa/3.0/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'admin'
Certificate is to be certified until Aug 17 02:40:26 2030 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openv/easy-rsa/3.0/pki/issued/server.crt


[root@server 3.0]# ./easyrsa build-client-full client
Note: using Easy-RSA configuration from: /etc/openv/easy-rsa/3.0.7/vars
Using SSL: openssl OpenSSL 1.0.1e-fips 11 Feb 2013
Generating a 2048 bit RSA private key
..........................................................+++
.+++
writing new private key to '/etc/openv/easy-rsa/3.0/pki/easy-rsa-2370.ltz6M9/tmp.QuYFoL'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/openv/easy-rsa/3.0/pki/easy-rsa-2370.ltz6M9/tmp.RJGjcs
Enter pass phrase for /etc/openv/easy-rsa/3.0/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'client'
Certificate is to be certified until Aug 17 02:42:15 2030 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated

[root@server 3.0]# tree pki/
pki/
├── ca.crt
├── certs_by_serial
│   ├── 5A7C5B8253E8B6CED2389A7809D59084.pem
│   └── 8DCD7B371E16FD1C1B2ECA6401032982.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│   ├── client.crt
│   └── server.crt
├── private
│   ├── ca.key
│   ├── client.key
│   └── server.key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
│   ├── client.req
│   └── server.req
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old

b, 配置server.conf

#第二步:配置server.conf, 启动openv服务端
[root@server 3.0]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@server 3.0]# sysctl -p
[root@server ~]# cat /etc/openv/server.conf |grep -Ev '^#|^;|^$'
port 1194
proto udp
dev tun
ca /etc/openv/easy-rsa/3.0/pki/ca.crt
cert /etc/openv/easy-rsa/3.0/pki/issued/server.crt
key /etc/openv/easy-rsa/3.0/pki/private/server.key
dh /etc/openv/easy-rsa/3.0/pki/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
comp-lzo
max-clients 100
user openv
group openv
persist-key
persist-tun
status openv-status.log
log-append openv.log
verb 6
mute 20
[root@server ~]# /etc/init.d/openv start
[root@server ~]# tailf openv.log
Wed Aug 19 03:04:39 2020 us=293169   remote_port = '1194'
Wed Aug 19 03:04:39 2020 us=293173   remote_float = DISABLED
Wed Aug 19 03:04:39 2020 us=293176   bind_defined = DISABLED
Wed Aug 19 03:04:39 2020 us=293180 NOTE: --mute triggered...
Wed Aug 19 03:04:39 2020 us=293187 271 variation(s) on previous 20 message(s) suppressed by --mute
Wed Aug 19 03:04:39 2020 us=293192 openv 2.4.9 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020
Wed Aug 19 03:04:39 2020 us=293198 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Wed Aug 19 03:04:39 2020 us=297296 Diffie-Hellman initialized with 2048 bit key
Wed Aug 19 03:04:39 2020 us=297495 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'.  If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Wed Aug 19 03:04:39 2020 us=297503 Exiting due to fatal error

#-----修改启动参数
[root@server ~]# grep askpass /etc/init.d/openv
            $openv --daemon --askpass /etc/openv/pass.txt --writepid $piddir/$bn.pid --cd $work --config $c $script_security
[root@server ~]# cat /etc/openv/pass.txt
123456

#=======正常启动
[root@server ~]# ip a
...
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/[65534]
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0

[root@server ~]# ss -nltup |grep vpm
udp    UNCONN     0      0                      *:1194                  *:*      users:(("openv",2782,6))

c, 收集客户端:密钥文件,并发送到客户端

##### 汇总客户端需要的密钥文件
[root@server ~]# ls -F  /etc/openv/easy-rsa/3.0/
easyrsa*  openssl-1.0.cnf  openssl-easyrsa.cnf  pki/  ta.key  vars  vars.example  x509-types/

[root@server ~]#  ls -F  /etc/openv/easy-rsa/3.0/pki/
ca.crt            dh.pem     index.txt.attr      index.txt.old  private/  reqs/     safessl-easyrsa.cnf  serial.old
certs_by_serial/  index.txt  index.txt.attr.old  issued/        renewed/  revoked/  serial

[root@server 3.0]# ls  /etc/openv/easy-rsa/3.0/pki/private/
ca.key  client.key  server.key

[root@server ~]# ls /etc/openv/easy-rsa/3.0/pki/issued/
client.crt  server.crt

## 把这些密钥文件,分发给客户端
[root@server 3.0]# mkdir -p /etc/openv/client
[root@server 3.0]# ls /etc/openv/client/
ca.crt  client.crt  client.key  ta.key
[root@server 3.0]# scp -r  client/  client:/etc/openv/
ca.crt                100% 1147     1.1KB/s   00:00
client.crt            100% 4404     4.3KB/s   00:00
client.key            100% 1834     1.8KB/s   00:00
ta.key                100%  636     0.6KB/s   00:00

2, 配置客户端

[root@client ~]# wget  https://mirrors.aliyun.com/repo/epel-6.repo  -O /etc/yum.repos.d/epel.repo
[root@client ~]# yum install easy-rsa openssh-server lzo openssl openssl-devel openv NetworkManager-openv openv-auth-ldap -y

#=====客户端vpm配置
[root@vpm2 ~]# grep -Ev '^;|^$|^#' /etc/openv/client.conf
client
dev tun
proto udp
remote 192.168.56.160 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openv/client/ca.crt
cert /etc/openv/client/client.crt
key /etc/openv/client/client.key
tls-auth /etc/openv/client/ta.key 1
cipher AES-256-CBC
comp-lzo
verb 6
mute 20

[root@client ~]# ip a
...
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/[65534]
    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0

客户端连接报错:TLS Error: TLS handshake failed

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

[root@client ~]# openv --config client.conf
Wed Aug 19 03:43:32 2020 us=69615 Current Parameter Settings:
Wed Aug 19 03:43:32 2020 us=69653   config = 'client.conf'
Wed Aug 19 03:43:32 2020 us=69659   mode = 0
Wed Aug 19 03:43:32 2020 us=69663   persist_config = DISABLED
Wed Aug 19 03:43:32 2020 us=69666   persist_mode = 1
Wed Aug 19 03:43:32 2020 us=69670   show_ciphers = DISABLED
Wed Aug 19 03:43:32 2020 us=69674   show_digests = DISABLED
Wed Aug 19 03:43:32 2020 us=69678   show_engines = DISABLED
Wed Aug 19 03:43:32 2020 us=69681   genkey = DISABLED
Wed Aug 19 03:43:32 2020 us=69685   key_pass_file = '[UNDEF]'
Wed Aug 19 03:43:32 2020 us=69688   show_tls_ciphers = DISABLED
Wed Aug 19 03:43:32 2020 us=69692   connect_retry_max = 0
Wed Aug 19 03:43:32 2020 us=69696 Connection profiles [0]:
Wed Aug 19 03:43:32 2020 us=69701   proto = udp
Wed Aug 19 03:43:32 2020 us=69704   local = '[UNDEF]'
Wed Aug 19 03:43:32 2020 us=69708   local_port = '1194'
Wed Aug 19 03:43:32 2020 us=69712   remote = '192.168.56.160'
Wed Aug 19 03:43:32 2020 us=69716   remote_port = '1194'
Wed Aug 19 03:43:32 2020 us=69719   remote_float = DISABLED
Wed Aug 19 03:43:32 2020 us=69723   bind_defined = DISABLED
Wed Aug 19 03:43:32 2020 us=69726 NOTE: --mute triggered...
Wed Aug 19 03:43:32 2020 us=69733 263 variation(s) on previous 20 message(s) suppressed by --mute
Wed Aug 19 03:43:32 2020 us=69738 openv 2.4.9 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020
Wed Aug 19 03:43:32 2020 us=69744 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Wed Aug 19 03:43:32 2020 us=69787 WARNING: No server certificate verification method has been enabled.  See http://openv.net/howto.html#mitm for more info.
Enter Private Key Password:
Wed Aug 19 03:43:35 2020 us=211595 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Aug 19 03:43:35 2020 us=215409 LZO compression initializing
Wed Aug 19 03:43:35 2020 us=215449 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Wed Aug 19 03:43:35 2020 us=219397 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Wed Aug 19 03:43:35 2020 us=219419 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Wed Aug 19 03:43:35 2020 us=219424 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Wed Aug 19 03:43:35 2020 us=219436 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.56.160:1194
Wed Aug 19 03:43:35 2020 us=219448 Socket Buffers: R=[124928->124928] S=[124928->124928]
Wed Aug 19 03:43:35 2020 us=219890 UDP link local (bound): [AF_INET][undef]:1194
Wed Aug 19 03:43:35 2020 us=219897 UDP link remote: [AF_INET]192.168.56.160:1194
Wed Aug 19 03:43:35 2020 us=219926 UDP WRITE [14] to [AF_INET]192.168.56.160:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Wed Aug 19 03:43:37 2020 us=531493 UDP WRITE [14] to [AF_INET]192.168.56.160:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Wed Aug 19 03:43:41 2020 us=4603 UDP WRITE [14] to [AF_INET]192.168.56.160:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Wed Aug 19 03:43:49 2020 us=377169 UDP WRITE [14] to [AF_INET]192.168.56.160:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Wed Aug 19 03:44:05 2020 us=389862 UDP WRITE [14] to [AF_INET]192.168.56.160:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Wed Aug 19 03:44:35 2020 us=924059 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Aug 19 03:44:35 2020 us=924080 TLS Error: TLS handshake failed
Wed Aug 19 03:44:35 2020 us=924124 TCP/UDP: Closing socket
Wed Aug 19 03:44:35 2020 us=924141 SIGUSR1[soft,tls-error] received, process restarting

##查看服务端日志: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.168.56.1:51950, 
#----解决: client.conf(添加tls-auth ta.key 1) 和server.conf (tls-auth ta.key 0) 验证配置要保持一致。另外, 客户端日志里的 "WARNING: No server certificate verification method has been enabled" 说明 client.conf 没有校验对端证书的用途, 可在 client.conf 中加上 remote-cert-tls server, 只接受签发为服务端类型的证书。
[root@server ~]# tailf openv.log
Wed Aug 19 11:54:32 2020 us=422138 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Aug 19 11:54:32 2020 us=422154 Socket Buffers: R=[124928->124928] S=[124928->124928]
Wed Aug 19 11:54:32 2020 us=422167 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Aug 19 11:54:32 2020 us=422172 UDPv4 link remote: [AF_UNSPEC]
Wed Aug 19 11:54:32 2020 us=422181 GID set to openv
Wed Aug 19 11:54:32 2020 us=422189 UID set to openv
Wed Aug 19 11:54:32 2020 us=422197 MULTI: multi_init called, r=256 v=256
Wed Aug 19 11:54:32 2020 us=422215 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Wed Aug 19 11:54:32 2020 us=422224 IFCONFIG POOL LIST
Wed Aug 19 11:54:32 2020 us=422240 Initialization Sequence Completed
Wed Aug 19 11:54:40 2020 us=108337 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.168.56.1:51950
Wed Aug 19 11:54:49 2020 us=234841 MULTI: multi_create_instance called
Wed Aug 19 11:54:49 2020 us=234896 192.168.56.1:51950 Re-using SSL/TLS context
Wed Aug 19 11:54:49 2020 us=234907 192.168.56.1:51950 LZO compression initializing
Wed Aug 19 11:54:49 2020 us=234996 192.168.56.1:51950 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Wed Aug 19 11:54:49 2020 us=235005 192.168.56.1:51950 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Wed Aug 19 11:54:49 2020 us=235025 192.168.56.1:51950 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Wed Aug 19 11:54:49 2020 us=235031 192.168.56.1:51950 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Wed Aug 19 11:54:49 2020 us=235053 192.168.56.1:51950 UDPv4 READ [42] from [AF_INET]192.168.56.1:51950: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Wed Aug 19 11:54:49 2020 us=235064 192.168.56.1:51950 TLS: Initial packet from [AF_INET]192.168.56.1:51950, sid=a3132b04 10c82e8b
Wed Aug 19 11:54:49 2020 us=235086 192.168.56.1:51950 UDPv4 WRITE [54] to [AF_INET]192.168.56.1:51950: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0

3, 设置用户名,密码

#======================用户名/密码
#============ server端:
[root@v1 easy-rsa]# tail -5 /etc/openv/server.conf
# use username and password login:用户名密码登录
script-security 3
auth-user-pass-verify /etc/openv/checkpsw.sh via-env
#client-cert-not-required
username-as-common-name

[root@v1 easy-rsa]# ll /etc/openv/checkpsw.sh
-rwxr-xr-x. 1 root root 885 Aug 20 00:13 /etc/openv/checkpsw.sh
[root@v1 easy-rsa]# cat /etc/openv/checkpsw.sh
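#!/bin/bash
# OpenVPN auth-user-pass-verify helper, "via-env" mode: the daemon passes the
# client's credentials in the environment variables $username and $password.
# Exit status 0 accepts the login, anything else rejects it.
#
# Usage (server.conf):
#   script-security 3
#   auth-user-pass-verify /etc/openv/checkpsw.sh via-env
#
# PASSFILE holds one "username password" pair per line; lines starting with
# ';' or '#' are comments.  It stores passwords in clear text, so keep it
# readable only by the account that runs this script.
PASSFILE="/etc/openv/user-pwd.txt"
# Audit log.  Only usernames and outcomes are written here, never passwords
# (the client-supplied password is a secret and must not end up in a log).
LOG_FILE="/tmp/v-user-pwd.log"

set -u

#######################################
# Append one timestamped line to LOG_FILE.
# Arguments: $* - message text
#######################################
log_msg() {
  printf '%s: %s\n' "$(date '+%Y-%m-%d %T')" "$*" >> "${LOG_FILE}"
}

#######################################
# Look up the stored password for a user.
# Arguments: $1 - username, $2 - password file
# Outputs:   the password on stdout, or nothing when the user is absent
#######################################
lookup_password() {
  local user=$1
  local file=$2
  # The username is client-supplied, so it is handed to awk through -v instead
  # of being spliced into the program text, where a quote or brace in the
  # value would change the pattern itself.  The (u "") forces a string
  # comparison, so that e.g. "0123" and "123" are not treated as equal numbers.
  # NOTE: awk -v interprets backslash escapes, so a username containing a
  # backslash will simply fail to match.
  awk -v u="${user}" \
    '!/^;/ && !/^#/ && $1 == (u "") { print $2; exit }' "${file}"
}

#######################################
# Validate $username/$password against PASSFILE and log the outcome.
# Globals:   PASSFILE, LOG_FILE (read); username, password (read, from env)
# Returns:   0 when the credentials match, 1 otherwise
#######################################
check_credentials() {
  local user=${username:-}
  local pass=${password:-}
  local expected

  if [[ ! -r "${PASSFILE}" ]]; then
    log_msg "Could not open password file \"${PASSFILE}\" for reading."
    return 1
  fi

  expected=$(lookup_password "${user}" "${PASSFILE}")
  if [[ -z "${expected}" ]]; then
    log_msg "User does not exist: username=\"${user}\"."
    return 1
  fi

  if [[ "${pass}" == "${expected}" ]]; then
    log_msg "Successful authentication: username=\"${user}\"."
    return 0
  fi

  log_msg "Incorrect password: username=\"${user}\"."
  return 1
}

# The script's exit status is check_credentials' return value, which is what
# OpenVPN reads to accept or reject the client.
check_credentials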

[root@v1 easy-rsa]# cat /etc/openv/user-pwd.txt
test 123456
wang wang



#============ client端:
[root@v2 ~]# tail /etc/openv/client.conf
auth-user-pass

[root@v2 ~]# service openv restart
Shutting down openv:                                     [  OK  ]
Starting openv: Enter Auth Username:wang
Enter Auth Password:
                                                           [  OK  ]
[root@v2 ~]# ip a
... 
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/[65534]
    inet 10.8.0.10 peer 10.8.0.9/32 scope global tun0


转载自blog.csdn.net/eyeofeagle/article/details/108097972