Setting up OpenVPN with username/password authentication on CentOS 6.6 x64

Source: Internet   Filed under: ajax form data submission   Editor: 程序博客网   Time: 2024/06/08 16:47

I. Deployment

For the deployment itself see my previous article; this post only makes a few small changes to that setup:

http://www.centoscn.com/image-text/config/2015/0717/5874.html

II. Modifications

# vim /etc/openvpn/server.conf

Append the following lines to the end of the configuration file:

script-security 3 system
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
client-cert-not-required
username-as-common-name

Note that client-cert-not-required stops the server from demanding a client certificate, so the username and password checked by checkpsw.sh become the only thing standing between a client and the tunnel.

Create the checkpsw.sh script:

# cd /etc/openvpn
# vim checkpsw.sh

#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN runs it through auth-user-pass-verify ... via-env, so the
# client's credentials arrive in the environment variables $username
# and $password; exit status 0 grants access, anything else denies it.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn/openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi

# Look up the first non-comment row whose first field is the username.
# The username is handed to awk with -v instead of being spliced into
# the awk program text, so a username containing quotes cannot alter it.
CORRECT_PASSWORD=$(awk -v u="${username}" '!/^;/&&!/^#/&&$1==u{print $2;exit}' "${PASSFILE}")

if [ "${CORRECT_PASSWORD}" = "" ]; then
  # Only the username is logged. The original script also wrote the
  # submitted password into the log file, which leaks secrets to
  # anyone who can read the log.
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1

# chmod +x checkpsw.sh

Create the psw-file (one row per user: username, whitespace, password):

# cd /etc/openvpn
# echo "test1 test1" > psw-file
# chmod 400 psw-file
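As an added example (not the post's script and not part of OpenVPN), the same auth-user-pass-verify via-env contract implemented in Python with a passfile that stores salted PBKDF2-SHA256 hashes instead of cleartext passwords: OpenVPN hands the client's username and password to the script as environment variables, and exit status 0 grants access. The username:salt:iterations:hash line format and the path /etc/openvpn/checkpsw.py are assumptions.

```python
#!/usr/bin/env python3
# OpenVPN auth-user-pass-verify script (via-env) with a hashed passfile.
# Added example, not the original post's script. Assumed line format:
#   username:salt_hex:iterations:pbkdf2_sha256_hex      (# or ; comments)
import hashlib
import hmac
import os
import sys

PASSFILE = "/etc/openvpn/psw-file"  # same path the post uses, hashed contents
ITERATIONS = 200_000

def make_entry(username, password, salt=None, iterations=ITERATIONS):
    """Build one passfile line; salt is random unless supplied (for tests)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{username}:{salt.hex()}:{iterations}:{digest.hex()}"

def verify(username, password, lines):
    """True only if an entry for username exists and PBKDF2(password) matches."""
    for line in lines:
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(":")
        if len(parts) != 4 or parts[0] != username:
            continue
        _, salt_hex, iters, stored = parts
        try:
            digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                         bytes.fromhex(salt_hex), int(iters))
        except ValueError:
            return False  # malformed entry: fail closed
        # constant-time compare so the stored hash is not leaked via timing
        return hmac.compare_digest(digest.hex(), stored)
    return False  # unknown user: fail closed, do not say which check failed

def main():
    # OpenVPN exports the client's credentials as these two env variables
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    try:
        with open(PASSFILE) as fh:
            ok = verify(username, password, fh)
    except OSError:
        ok = False  # unreadable passfile: deny everyone rather than allow
    sys.exit(0 if ok else 1)

if __name__ == "__main__":
    main()
```

Point auth-user-pass-verify at this file instead of checkpsw.sh and generate each psw-file line with make_entry().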

 

Enable the service at boot:

# chkconfig openvpn on

Restart the OpenVPN server:

# service openvpn start

Client side, using Windows as the example.

Client steps:

Download the Windows client:

         http://openvpn.ustc.edu.cn/openvpn-install-2.3.6-I603-x86_64.exe

After installing the client software, extract the client certificates that were packaged on the server earlier into the config directory under the client's installation directory,

and create the client configuration file:

         client.ovpn

client
dev tun
proto tcp
remote 211.152.x.x 1194
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
;cert client-user-test1.crt
;key client-user-test1.key
comp-lzo
verb 3
auth-user-pass
reneg-sec 360000

Then simply log in with the account test1 and the password test1.
