OpenVPN with user authentication

From xinux.net

Regular user management (system accounts via PAM)

Server

  • useradd testuser
  • passwd testuser
  • vi /etc/openvpn/server.conf
dev tun
mode server
tls-server
#proto tcp-server
port 5000
topology subnet
server 172.31.2.0 255.255.255.0
route-gateway 172.31.2.1
push 'route-gateway 172.31.2.1'
cipher AES-256-CBC
link-mtu 1558
status /tmp/cool-vpn.status
keepalive 10 30
client-to-client
max-clients 150
verb 3
dh /etc/openvpn/dh1024.pem
ca /etc/openvpn/openvpn-ca.crt
cert /etc/openvpn/openvpn-linux.crt
key /etc/openvpn/openvpn-linux.key
comp-lzo
persist-key
persist-tun
duplicate-cn
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so /etc/pam.d/login <--- this line enables user authentication (credentials are checked against the system accounts through the "login" PAM service)

Client

  • C:\Program Files\OpenVpn\config\config.ovpn
port 5000 #udp by default
dev tun0
remote 192.168.240.42
tls-client
ca C:\\Program Files\\OpenVpn\\config\\openvpn-ca.crt
cert C:\\Program Files\\OpenVpn\\config\\openvpn-windows.crt
key C:\\Program Files\\OpenVpn\\config\\openvpn-windows.key
#tun-mtu 1500
#tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 3
auth-user-pass <--- this line enables user authentication (the client prompts for username and password)

with htpasswd

Server

Extract basic_ncsa_auth from the Squid package

  • apt-get download squid3
  • ar -x squid_3.5.12-1ubuntu7.5_amd64.deb data.tar.xz (extracts only the data member of the .deb into the current directory)
  • tar -xJvf data.tar.xz
  • cp ./usr/lib/squid/basic_ncsa_auth /usr/local/bin

Create the authentication script

  • vi /usr/local/bin/openvpnpw
#!/bin/bash
# Called by OpenVPN through auth-user-pass-verify (method via-env) with the htpasswd file as $1.
# OpenVPN hands the credentials over in the environment variables $username and $password.
# Debug line: appends the plaintext credentials to a world-readable file in /tmp.
# Keep it commented out except while troubleshooting, and delete the file afterwards.
#printf '%s %s %s\n' "$username" "$password" "$1" >> /tmp/openvpnpw
# basic_ncsa_auth reads "username password" from stdin and prints OK or ERR.
ERG=$(printf '%s %s\n' "$username" "$password" | /usr/local/bin/basic_ncsa_auth "$1" | tr -d " ")
if [[ "$ERG" = "OK" ]]
then
   exit 0   # exit status 0 tells OpenVPN to accept the login
else
   exit 1   # any other status rejects it
fi

Create the htpasswd file

  • htpasswd -c /etc/openvpn/passwd testuser (omit "-c" to simply add another user to the existing file; "-c" creates the file and overwrites any existing one)

Configure OpenVPN

  • vi /etc/openvpn/server.conf
dev tun
mode server
tls-server
#proto tcp-server
port 5000
topology subnet
server 172.31.2.0 255.255.255.0
route-gateway 172.31.2.1
push 'route-gateway 172.31.2.1'
cipher AES-256-CBC
#auth SHA1
link-mtu 1558
status /tmp/cool-vpn.status
keepalive 10 30
client-to-client
max-clients 150
verb 3
dh /etc/openvpn/dh1024.pem
ca /etc/openvpn/openvpn-ca.crt
cert /etc/openvpn/openvpn-linux.crt
key /etc/openvpn/openvpn-linux.key
comp-lzo
persist-key
persist-tun
duplicate-cn
script-security 3
auth-user-pass-verify "/usr/local/bin/openvpnpw /etc/openvpn/passwd" via-env
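The wrapper script above delegates the actual check to basic_ncsa_auth. As an added example (not code from xinux.net or from the OpenVPN or Squid projects), the following Python handler does the same job end to end, so you can see exactly what OpenVPN passes to an auth-user-pass-verify script and what the htpasswd lookup involves. It accepts the credentials either through the environment (via-env, as configured above, which requires script-security 3) or through the temporary file OpenVPN appends as the last argument (via-file, which needs only script-security 2 and keeps the password out of the environment). It verifies the two htpasswd formats it implements itself, Apache's $apr1$ iterated MD5 (the htpasswd default) and {SHA}; bcrypt or crypt(3) entries are rejected as unsupported. The sample entries are the documented example values from the Apache httpd password-format documentation (both for the password myPassword); the path /etc/openvpn/passwd and the handler name are the page's, everything else here is assumed.

```python
#!/usr/bin/env python3
"""Stand-alone auth-user-pass-verify handler (added example, not the page's script).

Usage from server.conf, with the htpasswd file as first argument:
  auth-user-pass-verify "/usr/local/bin/openvpnpw.py /etc/openvpn/passwd" via-file
OpenVPN appends the temp-file path for via-file; for via-env it sets $username/$password.
Exit status 0 accepts the login, anything else rejects it.
"""
import base64
import hashlib
import hmac
import os
import sys

# Constructed sample htpasswd contents; values are the documented Apache examples for "myPassword".
SAMPLE_HTPASSWD = [
    "myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/",
    "shaUser:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=",
]

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Apache's custom base64: emit `count` chars, least significant 6 bits first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_crypt(password, salt):
    """Apache's $apr1$ md5-crypt variant; returns the full '$apr1$salt$hash' string."""
    pw, sl, magic = password.encode(), salt[:8].encode(), b"$apr1$"
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    remaining = len(pw)
    while remaining > 0:                      # mix in the alternate digest, password-length bytes
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:                                  # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                     # the deliberately slow iteration
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    enc += _to64(final[11], 2)
    return "$apr1$" + salt[:8] + "$" + enc


def check_entry(stored, password):
    """Compare a password against one stored htpasswd hash (constant-time compare)."""
    if stored.startswith("$apr1$"):
        parts = stored.split("$")
        if len(parts) != 4:
            return False
        return hmac.compare_digest(apr1_crypt(password, parts[2]), stored)
    if stored.startswith("{SHA}"):
        digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
        return hmac.compare_digest("{SHA}" + digest, stored)
    return False  # bcrypt ($2y$) and crypt(3) entries are not handled by this example


def verify(username, password, htpasswd_lines):
    """Return True if `username` exists in the htpasswd lines and `password` matches."""
    for line in htpasswd_lines:
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        if user == username:
            return check_entry(stored, password)
    return False


def main():
    htpasswd_path = sys.argv[1]
    if "username" in os.environ and "password" in os.environ:      # via-env
        user, pw = os.environ["username"], os.environ["password"]
    elif len(sys.argv) > 2:                                        # via-file: temp file appended
        with open(sys.argv[2]) as f:
            user, pw = f.readline().rstrip("\n"), f.readline().rstrip("\n")
    else:
        sys.exit(1)
    with open(htpasswd_path) as f:
        ok = verify(user, pw, f)
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

With via-file the server line becomes auth-user-pass-verify "/usr/local/bin/openvpnpw.py /etc/openvpn/passwd" via-file and script-security can stay at 2; keep the htpasswd file readable only by the user OpenVPN runs as, since anyone who can read it can mount an offline guessing attack against the hashes.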

Client

  • C:\Program Files\OpenVpn\config\config.ovpn
port 5000 #udp by default
dev tun0
remote 192.168.240.42
tls-client
ca C:\\Program Files\\OpenVpn\\config\\openvpn-ca.crt
cert C:\\Program Files\\OpenVpn\\config\\openvpn-windows.crt
key C:\\Program Files\\OpenVpn\\config\\openvpn-windows.key
#tun-mtu 1500
#tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 3
auth-user-pass