LinuxSir.cn,穿越时空的Linuxsir!

 找回密码
 注册
搜索
热搜: shell linux mysql
查看: 2213|回复: 0

OpenBSD下建立基于系统用户名验证OpenVPN网络

[复制链接]
发表于 2008-11-13 15:54:13 | 显示全部楼层 |阅读模式
原本地址:http://blog.chinaunix.net/u/525/showart_1412255.html
linyin的个人主页:http://linyin.8800.org

实现环境:
# uname -a
OpenBSD linyin.8800.org 4.3 GENERIC.MP#0 i386

# /usr/local/sbin/openvpn --version
OpenVPN 2.0.9 i386-unknown-openbsd4.3 [SSL] [LZO] built on Nov 11 2008
Developed by James Yonan
Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>

所需安装软件:
openvpn(pkg_add安装) bash(pkg_add安装) gmake(pkg_add安装) auth-passwd(auth-passwd.sourceforge.net)

配置Openvpn:
建立OpenVPN目录
# mkdir /etc/openvpn
复制OpenVPN提供生成密钥和证书的脚本到/etc/openvpn
# cp –r /usr/local/share/examples/openvpn/easy-rsa /etc/openvpn/
编辑/etc/openvpn/easy-rsa/vars,修改如下:
export KEY_COUNTRY=CN
export KEY_PROVINCE=JS
export KEY_CITY=Soochow
export KEY_ORG="Linyin-Lab"
export KEY_EMAIL="linyin@linyin.org"

切换到bash shell下,建立证书:
# bash

使vars配置生效
bash-3.2# source vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

清除已经存在的密钥和证书
bash-3.2# ./clean-all

建立CA
bash-3.2# ./build-ca
Generating a 1024 bit RSA private key
.++++++
..................................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JS]:
Locality Name (eg, city) [Soochow]:
Organization Name (eg, company) [Linyin-Lab]:
Organizational Unit Name (eg, section) []:OpenVPN
Common Name (eg, your name or your server's hostname) []:CA
Email Address [linyin@linyin.org]:
在/etc/openvpn/easy-rsa/keys目录中生成ca.crt和ca.key.生成的密钥都在/etc/openvpn/easy-rsa/keys目录中.

生成用于服务器的密钥
bash-3.2# ./build-key-server server
Generating a 1024 bit RSA private key
.......................++++++
..++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JS]:
Locality Name (eg, city) [Soochow]:
Organization Name (eg, company) [Linyin-Lab]:
Organizational Unit Name (eg, section) []:OpenVPN
Common Name (eg, your name or your server's hostname) []:server
Email Address [linyin@linyin.org]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName RINTABLE:'CN'
stateOrProvinceName RINTABLE:'JS'
localityName RINTABLE:'Soochow'
organizationName RINTABLE:'Linyin-Lab'
organizationalUnitNameRINTABLE:'OpenVPN'
commonName RINTABLE:'server'
emailAddress :IA5STRING:'linyin@linyin.org'
Certificate is to be certified until Dec 3 11:10:26 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n]: y

服务器生成Diffie Hellman parameters,在/etc/openvpn/easy-rsa/keys目录中生成dh1024.pem文件
bash-3.2# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...............................................................................+.............................................................................
.............+.......................+..........................+......................................................................++*++*++*

防止 DoS 攻击 和 UDP 端口 flooding,生成一个"HMAC firewall"
bash-3.2# openvpn --genkey --secret easy-rsa/ta.key

配置OpenVPN基于系统用户名验证插件:
http://sourceforge.net/projects/ ... auth-passwd文件
解压缩至OpenVPN源码文件中plugin目录下.
编辑Makefile文件,将其中USE_SHADOW=1修改成USE_SHADOW=0
在auth-passwd源码目录下使用gmake编译,会生成openvpn-auth-passwd.so这个文件,将其复制到/etc/openvpn目录下

建立openvpn用户组:
bash-3.2# groupadd -ov -g 1000 openvpn
注意这里的1000,如果存在,可改用其他数字

建立OpenVPN服务器端配置文件:
bash-3.2# vi /etc/openvpn/server.conf
port 1194
proto tcp
dev tun0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
plugin /etc/openvpn/openvpn-auth-passwd.so openvpn
client-to-client
client-cert-not-required
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

测试OpenVPN服务器端:
bash-3.2# /usr/local/sbin/openvpn --config /etc/openvpn/server.conf --cd /etc/openvpn &
如出现:Initialization Sequence Completed 表示服务器启动成功.

配置PF:
将#net.inet.ip.forwarding=1中#注释去掉
bash-3.2# vi /etc/sysctl.conf
添加舒服转发
bash-3.2# vi /etc/pf.conf,注意我的网卡是em0,添加:
ext_if="em0"
int_if="tun0"
internal_net="10.8.0.0/24"
nat on $ext_if from 10.8.0.0/24 to any -> $ext_if
pass quick on lo0 all

配置OpenVPN客户端:
将服务器中/etc/openvpn/easy-rsa/keys/ca.crt,/etc/openvpn/easy-rsa/keys/ta.key保存到本地,建立客户端文件linyin.ovpn,内容如下
client
dev tun0
proto tcp
remote linyin.8800.org 1194
resolv-retry infinite
nobind
user nobody
group nobody
auth-user-pass
persist-key
persist-tun
ca ca.crt
tls-auth ta.key 1
comp-lzo
verb 3

使用系统用户登录VPN服务器:
bash-3.2# vi /etc/group
openvpn:*:1000:linyin
这样我可以使用系统中的linyin用户远程登录VPN服务器,不需要证书,只需通过密码验证.

如果不想使用VPN做远程网关,可以注释掉server.conf中的push "redirect-gateway def1".
除此之外,大家还可以尝试其他的验证方法:
openvpn-auth-ldap : http://code.google.com/p/openvpn-auth-ldap/
openvpn_bsdauth : OpenBSD ports里/usr/ports/net/openvpn_bsdauth/
其中openvpn-auth-ldap编译安装前需安装gobjc包.


主要全部步骤设置完毕,现在可以正式启用.文章比较粗燥,不能照顾到全部的重点和细节.有问题的朋友可以和我交流. =)
您需要登录后才可以回帖 登录 | 注册

本版积分规则

快速回复 返回顶部 返回列表