修改OpenVpn的主配置文件
添加一下内容:
[root@check1 openvpn]# tail -3 server.conf auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env username-as-common-name script-security 3 #允许用户自定义的脚本在VPN中使用
如果加上client-cert-not-required则代表只使用用户名密码方式验证登录,如果不加,则代表需要证书和用户名密码双重验证登录!
根据上面路径创建文件
创建验证用户登录脚本
需要根据情况修改的是PASSFILE和LOG_FILE两个变量
vim checkpsw.sh
#!/bin/bash
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVpn users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/etc/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
创建用户名和密码存放文件 第一列为用户名 第二列为密码
[root@check1 openvpn]# cat psw-file wang 123123 Andy 123321 [root@check1 openvpn]# chown nobody:nobody psw-file [root@check1 openvpn]# chmod 0444 psw-file
创建日志文件
[root@check1 openvpn]# touch /etc/openvpn/openvpn-password.log [root@check1 openvpn]# chmod 0222 openvpn-password.log
重启server端
[root@check1 openvpn]# /etc/init.d/openvpn restart Shutting down openvpn: [ OK ] Starting openvpn: [ OK ]
客户端配置
客户端精简一下配置文件目录
将.ca、.crt、.key三个文件合并到主配置文件中
将主配置文件中的下面三行删除
ca ca.crt cert wang.crt key wang.key
在配置文件中添加<ca> </ca>,<cert> </cert>,<key> </key>等标签
将.ca里的内容复制到<ca> </ca>中
将.crt、.key都复制到相应的标签中
最后在配置文件中添加
auth-user-pass
启动客户端进行连接
登录成功,查看日志
[root@check1 openvpn]# cat /etc/openvpn/openvpn-password.log 2018-10-16 16:51:32: Successful authentication: username="wang".
解决客户端登录时提示:
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
解决办法在客户端配置文件中添加
auth-nocache