OpenBSD下建立基于系统用户名验证OpenVPN网络
作者:linyin(linyin.8800.org)
出处为Linyin blog。
实现环境:
# uname -a
OpenBSD linyin.8800.org 4.3 GENERIC.MP#0 i386
# /usr/local/sbin/openvpn --version
OpenVPN 2.0.9 i386-unknown-openbsd4.3 [SSL] [LZO] built on Nov 11 2008
Developed by James Yonan
Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
所需安装软件:
openvpn(pkg_add安装) bash(pkg_add安装) gmake(pkg_add安装) auth-passwd(auth-passwd.sourceforge.net)
配置Openvpn:
建立OpenVPN目录
# mkdir /etc/openvpn
复制OpenVPN提供生成密钥和证书的脚本到/etc/openvpn
# cp –r /usr/local/share/examples/openvpn/easy-rsa /etc/openvpn/
编辑/etc/openvpn/easy-rsa/vars,修改如下:
export KEY_COUNTRY=CN
export KEY_PROVINCE=JS
export KEY_CITY=Soochow
export KEY_ORG="Linyin-Lab"
export KEY_EMAIL="linyin@linyin.org"
切换到bash shell下,建立证书:
# bash
使vars配置生效
bash-3.2# source vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
清除已经存在的密钥和证书
bash-3.2# ./clean-all
建立CA
bash-3.2# ./build-ca
Generating a 1024 bit RSA private key
.++++++
..................................................................++++++
writing new private key to ca.key
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JS]:
Locality Name (eg, city) [Soochow]:
Organization Name (eg, company) [Linyin-Lab]:
Organizational Unit Name (eg, section) []:OpenVPN
Common Name (eg, your name or your servers hostname) []:CA
Email Address [linyin@linyin.org]:
在/etc/openvpn/easy-rsa/keys目录中生成ca.crt和ca.key.生成的密钥都在/etc/openvpn/easy-rsa/keys目录中.
生成用于服务器的密钥
bash-3.2# ./build-key-server server
Generating a 1024 bit RSA private key
.......................++++++
..++++++
writing new private key to server.key
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JS]:
Locality Name (eg, city) [Soochow]:
Organization Name (eg, company) [Linyin-Lab]:
Organizational Unit Name (eg, section) []:OpenVPN
Common Name (eg, your name or your servers hostname) []:server
Email Address [linyin@linyin.org]:
Please enter the following extra attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:CN
stateOrProvinceName :PRINTABLE:JS
localityName :PRINTABLE:Soochow
organizationName :PRINTABLE:Linyin-Lab
organizationalUnitName:PRINTABLE:OpenVPN
commonName :PRINTABLE:server
emailAddress :IA5STRING:linyin@linyin.org
Certificate is to be certified until Dec 3 11:10:26 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n]: y
服务器生成Diffie Hellman parameters,在/etc/openvpn/easy-rsa/keys目录中生成dh1024.pem文件
bash-3.2# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...............................................................................+.............................................................................
.............+.......................+..........................+......................................................................++*++*++*
防止 DoS 攻击 和 UDP 端口 flooding,生成一个"HMAC firewall"
bash-3.2# openvpn --genkey --secret easy-rsa/ta.key
配置OpenVPN基于系统用户名验证插件:
在http://sourceforge.net/projects/auth-passwd下载auth-passwd文件
解压缩至OpenVPN源码文件中plugin目录下.
编辑Makefile文件,将其中USE_SHADOW=1修改成USE_SHADOW=0
在auth-passwd源码目录下使用gmake编译,会生成openvpn-auth-passwd.so这个文件,将其复制到/etc/openvpn目录下
建立openvpn用户组:
bash-3.2# groupadd -ov -g 1000 openvpn
注意这里的1000,如果存在,可改用其他数字
建立OpenVPN服务器端配置文件:
bash-3.2# vi /etc/openvpn/server.conf
port 1194
proto tcp
dev tun0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
plugin /etc/openvpn/openvpn-auth-passwd.so openvpn
client-to-client
client-cert-not-required
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
测试OpenVPN服务器端:
bash-3.2# /usr/local/sbin/openvpn --config /etc/openvpn/server.conf --cd /etc/openvpn &
如出现:Initialization Sequence Completed 表示服务器启动成功.
配置PF:
将#net.inet.ip.forwarding=1中#注释去掉
bash-3.2# vi /etc/sysctl.conf
添加舒服转发
bash-3.2# vi /etc/pf.conf,注意我的网卡是em0,添加:
ext_if="em0"
int_if="tun0"
internal_net="10.8.0.0/24"
nat on $ext_if from 10.8.0.0/24 to any -> $ext_if
pass quick on lo0 all
配置OpenVPN客户端:
将服务器中/etc/openvpn/easy-rsa/keys/ca.crt,/etc/openvpn/easy-rsa/keys/ta.key保存到本地,建立客户端文件linyin.ovpn,内容如下
client
dev tun0
proto tcp
remote linyin.8800.org 1194
resolv-retry infinite
nobind
user nobody
group nobody
auth-user-pass
persist-key
persist-tun
ca ca.crt
tls-auth ta.key 1
comp-lzo
verb 3
使用系统用户登录VPN服务器:
bash-3.2# vi /etc/group
openvpn:*:1000:linyin
这样我可以使用系统中的linyin用户远程登录VPN服务器,不需要证书,只需通过密码验证.
如果不想使用VPN做远程网关,可以注释掉server.conf中的push "redirect-gateway def1".
除此之外,大家还可以尝试其他的验证方法:
openvpn-auth-ldap : http://code.google.com/p/openvpn-auth-ldap/
openvpn_bsdauth : OpenBSD ports里/usr/ports/net/openvpn_bsdauth/
其中openvpn-auth-ldap编译安装前需安装gobjc包.
主要全部步骤设置完毕,现在可以正式启用.文章比较粗燥,不能照顾到全部的重点和细节.有问题的朋友可以和我交流. =)
出处为Linyin blog。
实现环境:
# uname -a
OpenBSD linyin.8800.org 4.3 GENERIC.MP#0 i386
# /usr/local/sbin/openvpn --version
OpenVPN 2.0.9 i386-unknown-openbsd4.3 [SSL] [LZO] built on Nov 11 2008
Developed by James Yonan
Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
所需安装软件:
openvpn(pkg_add安装) bash(pkg_add安装) gmake(pkg_add安装) auth-passwd(auth-passwd.sourceforge.net)
配置Openvpn:
建立OpenVPN目录
# mkdir /etc/openvpn
复制OpenVPN提供生成密钥和证书的脚本到/etc/openvpn
# cp –r /usr/local/share/examples/openvpn/easy-rsa /etc/openvpn/
编辑/etc/openvpn/easy-rsa/vars,修改如下:
export KEY_COUNTRY=CN
export KEY_PROVINCE=JS
export KEY_CITY=Soochow
export KEY_ORG="Linyin-Lab"
export KEY_EMAIL="linyin@linyin.org"
切换到bash shell下,建立证书:
# bash
使vars配置生效
bash-3.2# source vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
清除已经存在的密钥和证书
bash-3.2# ./clean-all
建立CA
bash-3.2# ./build-ca
Generating a 1024 bit RSA private key
.++++++
..................................................................++++++
writing new private key to ca.key
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JS]:
Locality Name (eg, city) [Soochow]:
Organization Name (eg, company) [Linyin-Lab]:
Organizational Unit Name (eg, section) []:OpenVPN
Common Name (eg, your name or your servers hostname) []:CA
Email Address [linyin@linyin.org]:
在/etc/openvpn/easy-rsa/keys目录中生成ca.crt和ca.key.生成的密钥都在/etc/openvpn/easy-rsa/keys目录中.
生成用于服务器的密钥
bash-3.2# ./build-key-server server
Generating a 1024 bit RSA private key
.......................++++++
..++++++
writing new private key to server.key
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JS]:
Locality Name (eg, city) [Soochow]:
Organization Name (eg, company) [Linyin-Lab]:
Organizational Unit Name (eg, section) []:OpenVPN
Common Name (eg, your name or your servers hostname) []:server
Email Address [linyin@linyin.org]:
Please enter the following extra attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:CN
stateOrProvinceName :PRINTABLE:JS
localityName :PRINTABLE:Soochow
organizationName :PRINTABLE:Linyin-Lab
organizationalUnitName:PRINTABLE:OpenVPN
commonName :PRINTABLE:server
emailAddress :IA5STRING:linyin@linyin.org
Certificate is to be certified until Dec 3 11:10:26 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n]: y
服务器生成Diffie Hellman parameters,在/etc/openvpn/easy-rsa/keys目录中生成dh1024.pem文件
bash-3.2# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...............................................................................+.............................................................................
.............+.......................+..........................+......................................................................++*++*++*
防止 DoS 攻击 和 UDP 端口 flooding,生成一个"HMAC firewall"
bash-3.2# openvpn --genkey --secret easy-rsa/ta.key
配置OpenVPN基于系统用户名验证插件:
在http://sourceforge.net/projects/auth-passwd下载auth-passwd文件
解压缩至OpenVPN源码文件中plugin目录下.
编辑Makefile文件,将其中USE_SHADOW=1修改成USE_SHADOW=0
在auth-passwd源码目录下使用gmake编译,会生成openvpn-auth-passwd.so这个文件,将其复制到/etc/openvpn目录下
建立openvpn用户组:
bash-3.2# groupadd -ov -g 1000 openvpn
注意这里的1000,如果存在,可改用其他数字
建立OpenVPN服务器端配置文件:
bash-3.2# vi /etc/openvpn/server.conf
port 1194
proto tcp
dev tun0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
plugin /etc/openvpn/openvpn-auth-passwd.so openvpn
client-to-client
client-cert-not-required
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
测试OpenVPN服务器端:
bash-3.2# /usr/local/sbin/openvpn --config /etc/openvpn/server.conf --cd /etc/openvpn &
如出现:Initialization Sequence Completed 表示服务器启动成功.
配置PF:
将#net.inet.ip.forwarding=1中#注释去掉
bash-3.2# vi /etc/sysctl.conf
添加舒服转发
bash-3.2# vi /etc/pf.conf,注意我的网卡是em0,添加:
ext_if="em0"
int_if="tun0"
internal_net="10.8.0.0/24"
nat on $ext_if from 10.8.0.0/24 to any -> $ext_if
pass quick on lo0 all
配置OpenVPN客户端:
将服务器中/etc/openvpn/easy-rsa/keys/ca.crt,/etc/openvpn/easy-rsa/keys/ta.key保存到本地,建立客户端文件linyin.ovpn,内容如下
client
dev tun0
proto tcp
remote linyin.8800.org 1194
resolv-retry infinite
nobind
user nobody
group nobody
auth-user-pass
persist-key
persist-tun
ca ca.crt
tls-auth ta.key 1
comp-lzo
verb 3
使用系统用户登录VPN服务器:
bash-3.2# vi /etc/group
openvpn:*:1000:linyin
这样我可以使用系统中的linyin用户远程登录VPN服务器,不需要证书,只需通过密码验证.
如果不想使用VPN做远程网关,可以注释掉server.conf中的push "redirect-gateway def1".
除此之外,大家还可以尝试其他的验证方法:
openvpn-auth-ldap : http://code.google.com/p/openvpn-auth-ldap/
openvpn_bsdauth : OpenBSD ports里/usr/ports/net/openvpn_bsdauth/
其中openvpn-auth-ldap编译安装前需安装gobjc包.
主要全部步骤设置完毕,现在可以正式启用.文章比较粗燥,不能照顾到全部的重点和细节.有问题的朋友可以和我交流. =)
- 上一篇:互联网病毒传播和攻击行为的新趋势
- 下一篇:《圈圈大冒险》免费送QQ币及黄钻
相关文章
图文推荐
- 文章
- 推荐
- 热门新闻