Ubuntu OpenVPN installation and configuration, user/password mode, V1.1: verifying user passwords with pam_mysql (openvpn pam mysql)
1. Environment
ubuntu 9.10 amd64
openvpn 2.1
eth0 192.168.1.195 (this is the OpenVPN server's address; replace it with your own public IP)
VPN network 192.168.10.0/24 (this is the virtual private subnet used after the OpenVPN connection is up; it must not be the same as the physical subnet)
2. Enable IP forwarding
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
3. Firewall settings
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -o tun0 -j ACCEPT
4. Install openvpn and libpam-mysql and generate the certificates
apt-get install openvpn libpam-mysql
cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0
source ./vars
./clean-all
./build-ca
./build-key-server server   # when "...Sign the certificate..." appears, press y
./build-dh
openvpn --genkey --secret ta.key
cp ta.key keys
All generated files are in the keys directory.
5. Add the PAM file for openvpn
vi /etc/pam.d/openvpn
auth sufficient pam_mysql.so user=openvpn passwd=openvpn \
    host=127.0.0.1 port=3306 db=vpn table=vpnuser usercolumn=name \
    passwdcolumn=password sqllog=0 crypt=2
account required pam_mysql.so user=openvpn passwd=openvpn \
    host=127.0.0.1 port=3306 db=vpn table=vpnuser usercolumn=name \
    passwdcolumn=password sqllog=0 crypt=2
Note: openvpn-auth-pam authentication can only use host=localhost or host=127.0.0.1.
6. Install mysql-proxy
Since MySQL server is not installed on this machine and pam_mysql cannot connect to the remote database by IP (see the note in step 5), install mysql-proxy to support openvpn-auth-pam authentication.
apt-get install mysql-proxy
Start it:
/usr/sbin/mysql-proxy --proxy-address=0.0.0.0:3306 \
    --proxy-backend-addresses=192.168.1.12:3306 \
    --proxy-lua-script=/usr/share/mysql-proxy/rw-splitting.lua >/var/log/mysql-proxy.log &
7. Configure the database
Log in to the database as an administrator:
create database vpn;
GRANT ALL ON vpn.* TO 'openvpn'@'%' IDENTIFIED BY 'openvpn';
flush privileges;
use vpn;
CREATE TABLE vpnuser (
    name char(20) NOT NULL,
    password char(128) default NULL,
    active int(10) NOT NULL DEFAULT 1,
    PRIMARY KEY (name)
);
insert into vpnuser (name,password) values('gaojinbo.com',password('gaojinbo.com'));
Notes:
Create the openvpn user with all privileges on the vpn database, password openvpn.
If active is not 1, the user is not allowed to use the VPN.
Add a user: username gaojinbo.com, password gaojinbo.com.
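The two pieces above (the pam_mysql lines of step 5 with crypt=2, and the vpnuser table of step 7 filled with password()) fit together because crypt=2 tells pam_mysql to compare against MySQL's PASSWORD() hash. The following Python is an added illustration, not code from the original post: it reproduces that hash, holds a constructed stand-in for the vpnuser table, and makes the same accept/reject decision the auth and account lines do. The names mysql_password, check_login and VPNUSER_ROWS are this example's own. Two caveats a practitioner should note: the pam_mysql lines as shown check only the name and password, so the page's "active must be 1" rule is not actually applied unless a matching where= clause is added to the pam_mysql options; and GRANT ALL to 'openvpn'@'%' is far broader than the SELECT from the proxy host that pam_mysql needs.

```python
import hashlib
import hmac


def mysql_password(plain: str) -> str:
    """Reproduce MySQL's PASSWORD() function (the 4.1+ native scheme), which is
    what pam_mysql compares against when crypt=2 is set: a '*' followed by
    SHA1(SHA1(password)) in upper-case hex."""
    inner = hashlib.sha1(plain.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed sample rows standing in for the vpnuser table of step 7.
# The hashes are computed here with mysql_password(), not copied from anywhere.
VPNUSER_ROWS = [
    {"name": "gaojinbo.com", "password": mysql_password("gaojinbo.com"), "active": 1},
    {"name": "disabled.user", "password": mysql_password("s3cret"), "active": 0},
]


def check_login(rows, name: str, plain: str) -> bool:
    """Emulate the auth + account decision for one login attempt: the user
    must exist, the stored hash must match (compared in constant time), and
    active must be 1. The active test is the rule the page states; the
    pam_mysql lines of step 5 alone do not apply it, so a real deployment
    needs a where= clause in /etc/pam.d/openvpn that selects active=1."""
    candidate = mysql_password(plain)
    for row in rows:
        if row["name"] != name:
            continue
        if not hmac.compare_digest(row["password"], candidate):
            return False
        return row["active"] == 1
    return False


if __name__ == "__main__":
    attempts = [("gaojinbo.com", "gaojinbo.com"),
                ("gaojinbo.com", "wrong"),
                ("disabled.user", "s3cret")]
    for user, pw in attempts:
        verdict = "accept" if check_login(VPNUSER_ROWS, user, pw) else "reject"
        print(f"{user}: {verdict}")
```

Running it accepts gaojinbo.com with the right password and rejects the wrong password and the inactive user; the hash for the literal string "password" comes out as the well-known *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19, which is a quick way to confirm the function matches what SELECT PASSWORD('password') returns on the server.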
8. Edit the OpenVPN server configuration file
vi /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
# note: this subnet must match the VPN network of step 1 and the MASQUERADE rule of step 3
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;push "redirect-gateway"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.1.9 255.255.255.255 net_gateway"
push "dhcp-option DNS 202.96.128.166"
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/www/openvpn-status.log
log-append /var/log/openvpn.log
plugin ./openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
client-to-client
duplicate-cn
auth-nocache
verb 3
The server-side configuration is now complete!
9. Install the OpenVPN client
For the Windows OpenVPN client, download it from http://openvpn.se/. After installing, copy the server-generated ca.crt and ta.key into the conf directory under the installation directory, then create a client.ovpn file:
client
dev tun
proto udp
remote 192.168.1.195 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
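Steps 3, 8 and 9 have to agree with each other: the subnet in the server directive is the one the MASQUERADE rule must match, the tls-auth key directions on server (0) and client (1) must be complementary, and the client must pin the server certificate role. The Python below is an added example, not part of the original post: it parses abridged, constructed copies of the page's server.conf, client.ovpn and NAT rule and reports where they disagree or where a directive deserves a second look. The functions parse_openvpn and check_deployment are this example's own. Run against the page's own values it reports two things worth fixing: the server directive hands out 10.0.0.0/24 while step 1 and the NAT rule use 192.168.10.0/24, and the status log is written under /var/www, where a web server on the same host would expose connected usernames and real addresses.

```python
import ipaddress
import re

# Constructed copies of the page's server.conf, client.ovpn and NAT rule,
# abridged to the directives the checks look at, embedded so this runs offline.
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.0.0.0 255.255.255.0
;push "redirect-gateway"
push "route 192.168.1.0 255.255.255.0"
tls-auth /etc/openvpn/ta.key 0
status /var/www/openvpn-status.log
plugin ./openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
duplicate-cn
"""

CLIENT_OVPN = """\
client
dev tun
proto udp
remote 192.168.1.195 1194
ca ca.crt
auth-user-pass
ns-cert-type server
tls-auth ta.key 1
"""

NAT_RULE = "iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE"


def parse_openvpn(text):
    """Map each directive to the list of argument lists it appears with.
    Lines starting with ';' or '#' are comments, as in OpenVPN itself."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        parts = line.split()
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def check_deployment(server_text, client_text, nat_rule):
    """Return a list of findings; an empty list means the three pieces agree."""
    findings = []
    srv = parse_openvpn(server_text)
    cli = parse_openvpn(client_text)

    # 1. The subnet the 'server' directive hands out must be the one the
    #    MASQUERADE rule matches, or VPN clients get no NAT at all.
    net, mask = srv["server"][0][:2]
    vpn_net = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    m = re.search(r"-s\s+(\S+)", nat_rule)
    nat_net = ipaddress.ip_network(m.group(1), strict=False)
    if vpn_net != nat_net:
        findings.append(f"subnet mismatch: server hands out {vpn_net} "
                        f"but NAT masquerades {nat_net}")

    # 2. tls-auth key directions must be complementary: server 0, client 1.
    s_dir = srv.get("tls-auth", [[]])[0][1:2]
    c_dir = cli.get("tls-auth", [[]])[0][1:2]
    if set(s_dir + c_dir) != {"0", "1"}:
        findings.append(f"tls-auth directions {s_dir + c_dir} are not the "
                        f"complementary pair 0/1")

    # 3. The client should verify the server certificate's role; otherwise any
    #    certificate signed by the same CA could pose as the server.
    if "ns-cert-type" not in cli and "remote-cert-tls" not in cli:
        findings.append("client does not pin the server certificate role")

    # 4. A status log under the web root exposes connected usernames and
    #    real addresses to anyone who can fetch it.
    for args in srv.get("status", []):
        if args and args[0].startswith("/var/www/"):
            findings.append(f"status log {args[0]} lives under the web root")

    # 5. With no client certificate, the MySQL password is the only credential.
    if "client-cert-not-required" in srv:
        findings.append("client-cert-not-required: authentication rests solely "
                        "on the pam_mysql password")

    return findings


if __name__ == "__main__":
    for finding in check_deployment(SERVER_CONF, CLIENT_OVPN, NAT_RULE):
        print("-", finding)
```

Point 5 is informational: password-only login is what this guide sets out to build, so the finding simply records that the database password is the whole credential and that the subnet and status-log findings are the ones to act on.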
10. Test
On Windows, use the OpenVPN GUI to establish a connection to the server; when prompted, enter the username and password gaojinbo.com.
Done!