安装可查看的openvpn

[复制链接]
ming 发表于 2022-6-9 21:08:42 | 显示全部楼层 |阅读模式
安装可查看的openvpn



引言:
本文利用OpenVPN搭建VPN服务,并利用pam_sqlite3插件实现用户认证;通过openvpn_web进行用户管理与日志系统。


一、安装OpenVPN服务
基础环境:
服务端: CentOS 7.6
客户端:Windows 7
开发环境: python3
数据库: sqlite3


OpenVPN: openvpn-2.4.7 (https://github.com/OpenVPN/openvpn)
easy-rsa:easy-rsa 3.0.6 (https://github.com/OpenVPN/easy-rsa)
OpenVPN GUI: openvpn gui (https://gitee.com/lang13002/openvpn-portable)


1.1 安装openvpn
安装依赖包
  1. yum install lz4-devel lzo-devel pam-devel openssl-devel systemd-devel sqlite-devel

  2. yum -y install gcc gcc-c++ autoconf automake libtool gettext lzo lzo-devel pam-devel

  3. yum -y groupinstall "Development Tools"
复制代码

从github上下载openvpn源代码包并解压
wget
tar -xvf v2.4.7.tar.gz
编译openvpn并安装
cd openvpn-2.4.7
./configure --prefix=/usr/local/openvpn --enable-lzo --enable-lz4 --enable-crypto --enable-server --enable-plugins --enable-port-share --enable-iproute2 --enable-pf --enable-plugin-auth-pam --enable-pam-dlopen --enable-systemd
make && make install
参照sample/sample-config-files/server.conf文件生成配置文件
vim /etc/openvpn/server/server.conf
  1. port 1194

  2. proto tcp-server

  3. ;proto udp

  4. dev tun

  5. topology subnet

复制代码

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
tls-auth /etc/openvpn/server/ta.key 0


user nobody
group nobody


server 10.8.0.0 255.255.255.0
;ifconfig-pool-persist ipp.txt
;push "redirect-gateway def1 bypass-dhcp"push "dhcp-option DNS 114.114.114.114"push "route 192.168.133.0 255.255.255.0"push "route-gateway 10.200.227.114";client-to-client


keepalive 10 120
comp-lzo
compress "lz4"persist-key
persist-tun
cipher AES-256-CBC
status /var/log/openvpn-status.loglog /var/log/openvpn.log
verb 3
配置系统服务


cp distro/systemd/openvpn-server@.service /usr/lib/systemd/system/
systemctl enable openvpn
1.2 生成证书


下载easy-rsa3并解压
wget
tar -xvf v3.0.6.tar.gz
根据easy-rsa-3.0.6/easyrsa3/vars.example文件生成全局配置文件vars
cd easy-rsa-3.0.6/easyrsa3/
cp vars.samples vars
修改vars文件,根据需要去掉注释,并修改对应值
  1. set_var EASYRSA_REQ_COUNTRY "CN"

  2. set_var EASYRSA_REQ_PROVINCE "HUBEI"

  3. set_var EASYRSA_REQ_CITY "WUHAN"

  4. set_var EASYRSA_REQ_ORG "ZJ"

  5. set_var EASYRSA_REQ_EMAIL "zj@test.com"

  6. set_var EASYRSA_REQ_OU "ZJ"

  7. set_var EASYRSA_KEY_SIZE 2048
复制代码



set_var EASYRSA_ALGO rsa


生成服务端证书
./easyrsa init-pki # 初始化,生成一系列文件与目录
./easyrsa build-ca # 生成根证书,记住ca密码
./easyrsa build-server-full server nopass
生成服务端证书,nopass参数生成一个无密码的证书
./easyrsa gen-dh
生成Diffie-Hellman
生成客户端证书
./easy-rsa build-client-full client1 nopass
注:可生成client1, client2, client3或对应姓名的客户端证书
整理服务端证书
  1. cp pki/ca.crt /etc/openvpn/server/

  2. cp pki/private/server.key /etc/openvpn/server/

  3. cp pki/issued/server.crt /etc/openvpn/server/

  4. cp pki/dh.pem /etc/openvpn/server/
复制代码


1.3 开启路由转发功能与防火墙


路由转发
vim /etc/sysctl.confnet.ipv4.ip_forward = 1
临时启用
echo 1 > /proc/sys/net/ipv4/ip_forward
防火墙增加通行端口与服务,并作NAT。
firewall-cmd --zone=public --add-service=openvpn
firewall-cmd --zone=public --add-masquerade --permanent
二、添加SQLite认证
下载pam_sqlite3并安装


yum -y install openssl*
yum install sqlite-devel sqlite
cd /opt
git clone https://gitee.com/lang13002/pam_sqlite3.git
cd pam_sqlite3
make && make install
添加pam认证文件
vim /etc/pam.d/openvpn
auth required pam_sqlite3.so db=/etc/openvpn/openvpn.db table=t_user user=username passwd=password active=1 expire=expire crypt=1
account required pam_sqlite3.so db=/etc/openvpn/openvpn.db table=t_user user=username passwd=password active=1 expire=expire crypt=1
创建sqlite3数据库文件,这个与web程序中的有冲突,可以不作。


  1. sqlite3 /etc/openvpn/openvpn.db

  2. sqlite> create table t_user (

  3. username text not null,

  4. password text not null,

  5. active int,

  6. expire text);

  7. sqlite> .quit
复制代码

在服务端配置添加认证插件
  1. verify-client-cert none

  2. username-as-common-name

  3. plugin /usr/local/openvpn/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
复制代码




三、客户端配置
3.1 下载客户端程序:
https://gitee.com/lang13002/open ... sitory/archive/v1.0下载程序,并安装网卡驱动;


3.2 安装驱动:
运行openvpn-portable/tap-windows.exe


3.3 设置客户端证书
将上面生成的ca.crt, client1.crt, client1.key放到openvpn-portable的data/config下,并修改客户端配置
ca ca.crt
cert client1.crt
key client1.key


remote-cert-tls server
auth-user-pass
auth-nocache
注:当有多个客户端时,有多个文件(ca.crt, client1.crt, client1.key, client.ovpn)需要分发给客户,势必会很麻烦;可以将证书嵌入到客户端配置文件中;
;ca ca.crt
// 将这行注释掉;cert client.crt
// 将这行注释掉;key client.key
// 将这行注释掉 <ca>-----BEGIN CERTIFICATE-----
MIIDGDCCAgCgAwIBAgIJAI9Ld4PlKEiOMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV
....
OCeTQvQ4WhyIvVgURV3ITcAKYFKUQ1sPbpjuZg==
-----END CERTIFICATE---
</ca> <cert>-----BEGIN CERTIFICATE-----
MIIDODCCAiCgAwIBAgIRAIZoEQ5PvHDs9xpTLMP3RqMwDQYJKoZIhvcNAQELBQAw
......
nCpzC3l8sVezxk2r
-----END CERTIFICATE-----
</cert> <key>-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDw1iq3HBe1otCU
......
ullaNc6mu3N/wTPZoQhDOKAO
-----END PRIVATE KEY-----</key>


四. 连接VPN
启动openvpn服务
  1. systemctl start openvpn
复制代码



启动openvpn-porable
五、OpenVPN用户管理与日志
5.1 安装依赖
  1. yum install python3

  2. pip3 install peewee tornado
复制代码



5.2 下载openvpn-web


cd /opt
git clone https://gitee.com/lang13002/openvpn_web.git
5.3 创建相应的数据库表


sqlite3 /etc/openvpn/openvpn.dbsqlite> .read /opt/openvpn_web/model/openvpn.sql
5.4 OpenVPN运行脚本写日志


服务端配置添加运行脚本
script-security 2
client-connect /etc/openvpn/server/connect.py
client-disconnect /etc/openvpn/server/disconnect.py
connect.py


#!/usr/bin/pythonimport osimport timeimport sqlite3


username = os.environ['common_name']
trusted_ip = os.environ['trusted_ip']
trusted_port = os.environ['trusted_port']
local = os.environ['ifconfig_local']
remote = os.environ['ifconfig_pool_remote_ip']
timeunix= os.environ['time_unix']


logintime = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(time.time()))


conn = sqlite3.connect("/etc/openvpn/openvpn.db")
cursor = conn.cursor()
query = "insert into t_logs(username, timeunix, trusted_ip, trusted_port, local, remote, logintime) values('%s','%s', '%s', '%s', '%s', '%s', '%s')" % (username, timeunix, trusted_ip, trusted_port, local, remote, logintime)
cursor.execute(query)
conn.commit()
conn.close()


5.5 启动服务
python3 myapp.py


5.6 管理界面
http://IP:8000 端口,自己可以根据情况修改端口与账号密码。
默认登陆账号: admin 密码 : 123456

回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

QQ|手机版|小黑屋|RuZhuo ( 鄂ICP备16015978号-8 )

GMT+8, 2024-11-21 18:36 , Processed in 0.025833 second(s), 28 queries .

Powered by RuZhuo

快速回复 返回顶部 返回列表