2015年11月4日 星期三

[Openvpn] Authentication method by using script and password file

Posted by   on   in ,   / No comments 
1. Build up openvpn server (ubuntu) & client (windows)

2. Client configuration file settings
Client Part:
client
dev tun
proto udp
remote 111.2.1.50 1194
float
comp-lzo adaptive
keepalive 15 60
# Must use this option to authenticate user name and password
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
XXX
-----END PRIVATE KEY-----
</key>
resolv-retry infinite
nobind

3. Two method to set server configuration file

Method 1 :
Server Part:
# Automatically generated configuration
daemon
server 10.8.0.0 255.255.255.0
proto udp
port 1194
dev tun21
comp-lzo adaptive
keepalive 15 60
verb 3
push "route 192.168.1.0 255.255.255.0"
duplicate-cn
# plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca    /home/gogo/test/ca.crt
dh    /home/gogo/test/dh.pem
cert  /home/gogo/test/server.crt
key   /home/gogo/test/server.key
status-version 2
status status

;script-security 3 system
# via-env very important
auth-user-pass-verify /home/gogo/test/checkpassword.sh via-env

# Custom Configuration

Start up server by command 
/usr/sbin/openvpn --daemon ovpn-server --cd /home/gogo/test --config config.ovpn --script-security 3

Method 2 :
Server Part:
# Automatically generated configuration
daemon
server 10.8.0.0 255.255.255.0
proto udp
port 1194
dev tun21
comp-lzo adaptive
keepalive 15 60
verb 3
push "route 192.168.1.0 255.255.255.0"
duplicate-cn
# plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca    /home/gogo/test/ca.crt
dh    /home/gogo/test/dh.pem
cert  /home/gogo/test/server.crt
key   /home/gogo/test/server.key
status-version 2
status status

script-security 3 system
auth-user-pass-verify /home/gogo/test/checkpassword.sh via-env

# Custom Configuration

Start up server by command 
/usr/sbin/openvpn --daemon ovpn-server --cd /home/gogo/test --config config.ovpn

Reference:
vim checkpassword.sh 
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/home/gogo/test/password-file"
LOG_FILE="/var/log/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
chmod +x checkpassword.sh





Create password file
# echo "test1 test1" > password-file
# chmod 400 password-file

0 意見:

張貼留言

訂閱: 張貼留言 (Atom)