Reference sites:
CentOS7 搭建OpenVPN (Setting up OpenVPN on CentOS 7) | HuaChao's Blog
The earlier setup is described in 頭城國小資訊組 | 試用 Banana Pi R1 – Ubuntu minimal 16.04 上安裝 OpenVPN (installing OpenVPN on a Banana Pi R1 running Ubuntu minimal 16.04); only the remaining parts are changed here.
1. Edit the /etc/openvpn/server.conf configuration file
auth-user-pass-verify specifies the script that performs the authentication and how the credentials are handed to it (via-env, used below, passes them in the username and password environment variables).
client-cert-not-required
username-as-common-name
# echo -e "\n# Authenticate with username and password\nscript-security 3 system\nauth-user-pass-verify /etc/openvpn/checkpsw.sh via-env\n;client-cert-not-required\nusername-as-common-name" >> /etc/openvpn/server.conf
2. Create the password-check script
# vim /etc/openvpn/checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN runs it with "via-env", so the submitted credentials
# arrive in the environment variables $username and $password.
PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/etc/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi
# Hand the username to awk as a variable (-v) instead of splicing it into the
# program text, so a username containing quotes cannot change the lookup.
# Comment lines (starting with ; or #) are skipped; the first match wins.
CORRECT_PASSWORD=`awk -v u="${username}" '!/^;/ && !/^#/ && $1==u {print $2; exit}' "${PASSFILE}"`
if [ "${CORRECT_PASSWORD}" = "" ]; then
  # Note: the submitted password is written to the log in clear text here.
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
  exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi
# Note: the rejected password is written to the log in clear text here.
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
exit 1
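As an added example (not the post's checkpsw.sh and not OpenVPN's own code), the same auth-user-pass-verify contract in POSIX sh: it reads the same psw-file format, accepts both via-env and via-file, validates the username before the lookup, and keeps submitted passwords out of the log. PASSFILE and LOG_FILE default to the paths used above; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not the post's checkpsw.sh): auth-user-pass-verify handler for the
# same "user password" psw-file format. It accepts via-env ($username/$password)
# and via-file (credentials file path in $1), rejects usernames with characters
# outside [A-Za-z0-9._@-] so a crafted name cannot alter the lookup, and never
# writes a submitted password to the log.
PASSFILE="${PASSFILE:-/etc/openvpn/psw-file}"
LOG_FILE="${LOG_FILE:-/etc/openvpn/openvpn-password.log}"
valid_username() {   # non-empty and only the characters listed above
    case "$1" in '') return 1 ;; *[!A-Za-z0-9._@-]*) return 1 ;; esac
}
# Print the stored password for user $1 from file $2; return 1 if absent.
# Lines starting with # or ; are comments; fields are split on spaces/tabs.
lookup_password() {
    while read -r name secret _rest; do
        case "$name" in ''|'#'*|';'*) continue ;; esac
        if [ "$name" = "$1" ]; then printf '%s\n' "$secret"; return 0; fi
    done < "$2"
    return 1
}

# check_credentials USER PASS PASSFILE LOGFILE: 0 on success, 1 otherwise.
check_credentials() {
    stamp=$(date "+%Y-%m-%d %T")
    if ! valid_username "$1"; then
        echo "$stamp: Rejected malformed username" >> "$4"; return 1
    fi
    if ! stored=$(lookup_password "$1" "$3"); then
        echo "$stamp: User does not exist: username=\"$1\"" >> "$4"; return 1
    fi
    # -n stops an entry with an empty password field from matching "".
    if [ -n "$stored" ] && [ "$2" = "$stored" ]; then
        echo "$stamp: Successful authentication: username=\"$1\"" >> "$4"; return 0
    fi
    echo "$stamp: Incorrect password: username=\"$1\"" >> "$4"; return 1
}

# Entry point. via-file: $1 is a temp file, line 1 = username, line 2 = password.
# via-env: OpenVPN exports $username and $password instead.
openvpn_verify() {
    if [ -n "${1:-}" ] && [ -r "$1" ]; then
        u=$(sed -n '1p' "$1"); p=$(sed -n '2p' "$1")
    else
        u=${username:-}; p=${password:-}
    fi
    check_credentials "$u" "$p" "$PASSFILE" "$LOG_FILE"
}
# OpenVPN sets $script_type before running any hook; act only when called by it.
if [ "${script_type:-}" = "user-pass-verify" ]; then openvpn_verify "$@"; exit $?; fi
```

To use it with via-file instead of via-env, change the server.conf line to "auth-user-pass-verify /path/to/script via-file"; the log then records only usernames and outcomes.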
3. Make the script executable
# chmod +x /etc/openvpn/checkpsw.sh
4. Create the password file /etc/openvpn/psw-file
Format: username password (one user per line, separated by spaces or tabs)
# cat /etc/openvpn/psw-file
test 123123
5. Check that the /etc/openvpn/server.conf configuration is correct
# openvpn --config /etc/openvpn/server.conf
6. Restart the OpenVPN server
# systemctl restart openvpn@server.service
7. Edit the client file xxx.ovpn and add the following lines
resolv-retry infinite
nobind
auth-user-pass
auth-nocache
mute-replay-warnings
ns-cert-type server
reneg-sec 0
From testing, it seems that username/password authentication cannot coexist with certificate authentication!?