默认openvpn是不提供账户密码的验证方式的,为了提高vpn的安全性,一般都会同时验证证书和账户名密码。
用账户名密码验证的原理:
1.使用密码文件做验证:在server端 生成保存用户密码的文件,然后用户拨vpn的时候,server端调用检查用户名密码的脚本,这个脚本通过openvpn拿到用户名和密码之后,在密码文件中查找用户名,并比较密码,如果密码匹配,则通过验证。此方法配置比较简单,缺点是密码是明文的,可以随意添加更改
配置方法:
1.使用密码文件验证:
1)生成密码文件,并设置权限,确保openvpn的运行用户可以读取该文件
echo "fuzj fuzj123" >>psw-file
chmod 400
psw-file
chown nobody.nobody
psw-file
2) 下载验证使用的脚本,并设置执行权限
wget
http://openvpn.se/files/other/checkpsw.sh
chmod a+x
checkpsw.sh
3)修改server.conf,添加验证参数
script-security 3 #
加入脚本处理
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env #
指定使用的认证脚本
username-as-common-name #
使用客户提供的UserName作为Common Name
client-cert-not-required #####不请求客户的CA证书,使用User/Pass验证,如果同时启用证书和密码认证,注释掉该行
4)重启openvpn服务
/etc/init.d/openvpn restart
5)客户端添加使用用户名密码验证的参数
auth-user-pass
附:
checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <[email protected]>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn/password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
同样原理。也可以直接把用户名密码放库里面进行查询
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <[email protected]>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
LOG_FILE="/var/log/openvpn/password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
CORRECT_PASSWORD=`mysql -u guest -pguest -h 192.168.254.5 -P 3306 -e "select Password from sadb.user where Name='${username}';" | sed '/Password/d'`
if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi
echo "$CORRECT_PASSWORD ${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1