阿里云centos上搭建openvpn
使用证书加密码登录vpn需要以下步骤。
服务端配置:
第一步:
修改server.conf,添加如下代码:
script-security 3 auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env #client-cert-not-required username-as-common-name
注:如果加上client-cert-not-required则代表只使用用户名密码方式验证登录,如果将其去掉或注释掉,则代表需要证书和用户名密码双重验证登录!
第二步:
checkpsw.sh下载地址:http://openvpn.se/files/other/checkpsw.sh
如果下载不了就自己手动添加checkpsw.sh文件,内容如下:
#!/bin/sh ########################################################### # checkpsw.sh (C) 2004 Mathias Sundman <[email protected]> # # This script will authenticate OpenVPN users against # a plain text file. The passfile should simply contain # one row per user with the username first followed by # one or more space(s) or tab(s) and then the password. PASSFILE="/etc/openvpn/psw-file" LOG_FILE="/etc/openvpn/openvpn-password.log" TIME_STAMP=`date "+%Y-%m-%d %T"` ########################################################### if [ ! -r "${PASSFILE}" ]; then echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE} exit 1 fi CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}` if [ "${CORRECT_PASSWORD}" = "" ]; then echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE} exit 1 fi if [ "${password}" = "${CORRECT_PASSWORD}" ]; then echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE} exit 0 fi echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE} exit 1
第三步:
第三步:新建用户和密码认证文件,psw-file(这里的文件就是server.conf那个文件,注意存放时,路径和配置文件时的一致)
vim psw-file
test 123456 (前面是用户 后面是密码,以空格分开)
添加权限
chmod 777 psw-file
chown nobody.nobody psw-file
重启服务,/ect/init.d/openvpn restart。
客户端配置:
在client.ovpn里添加:
auth-user-pass
script-security 3
以管理员身份启动客户端,重新连接vpn。、
