OPENVPN mit User-Authentication: Unterschied zwischen den Versionen
(The page was newly created: „=Normal user management= ==Server== *useradd testuser *passwd testuser *vi /etc/openvpn/server.conf <pre> dev tun mode server tls-server #proto tcp-server…“)
Zeile 50: | Zeile 50: | ||
=mit htpasswd= | =mit htpasswd= | ||
+ | ==Server== | ||
+ | ===basic_ncsa_auth aus Squid-Paket extrahieren=== | ||
+ | *apt-get download squid3 | ||
+ | *ar -x squid_3.5.12-1ubuntu7.5_amd64.deb /root/data | ||
+ | *tar -xJfv data.tar.xz | ||
+ | *cp /usr/lib/squid/basic_ncsa_auth /usr/local/bin | ||
+ | |||
+ | ===Authentication-Script erstellen=== | ||
+ | *vi /usr/local/bin/openvpnpw | ||
+ | <pre> | ||
+ | #!/bin/bash | ||
+ | echo $username $password $1 >> /tmp/openvpnpw | ||
+ | ERG=$(echo $username $password | /usr/local/bin/basic_ncsa_auth $1 | tr -d " ") | ||
+ | if [[ "$ERG" = "OK" ]] | ||
+ | then | ||
+ | exit 0 | ||
+ | else | ||
+ | exit 1 | ||
+ | fi | ||
+ | </pre> | ||
+ | |||
+ | ===htpasswd-Datei erstellen=== | ||
+ | *htpasswd -c /etc/openvpn/passwd testuser (ohne "-c" um einfach einen neuen User hinzu zu fügen) | ||
+ | |||
+ | ===Openvpn konfigurieren=== | ||
+ | *vi /etc/openvpn/server.conf | ||
+ | <pre> | ||
+ | dev tun | ||
+ | mode server | ||
+ | tls-server | ||
+ | #proto tcp-server | ||
+ | port 5000 | ||
+ | topology subnet | ||
+ | server 172.31.2.0 255.255.255.0 | ||
+ | route-gateway 172.31.2.1 | ||
+ | push 'route-gateway 172.31.2.1' | ||
+ | cipher AES-256-CBC | ||
+ | #auth SHA1 | ||
+ | link-mtu 1558 | ||
+ | status /tmp/cool-vpn.status | ||
+ | keepalive 10 30 | ||
+ | client-to-client | ||
+ | max-clients 150 | ||
+ | verb 3 | ||
+ | dh /etc/openvpn/dh1024.pem | ||
+ | ca /etc/openvpn/openvpn-ca.crt | ||
+ | cert /etc/openvpn/openvpn-linux.crt | ||
+ | key /etc/openvpn/openvpn-linux.key | ||
+ | comp-lzo | ||
+ | persist-key | ||
+ | persist-tun | ||
+ | duplicate-cn | ||
+ | script-security 3 | ||
+ | auth-user-pass-verify "/usr/local/bin/openvpnpw /etc/openvpn/passwd" via-env | ||
+ | </pre> | ||
+ | |||
+ | ==Client== | ||
+ | *C:\\Program Files\OpenVpn\config\config.ovpn | ||
+ | port 5000 #udp by default | ||
+ | dev tun0 | ||
+ | remote 192.168.240.42 | ||
+ | tls-client | ||
+ | ca C:\\Program Files\\OpenVpn\\config\\openvpn-ca.crt | ||
+ | cert C:\\Program Files\\OpenVpn\\config\\openvpn-windows.crt | ||
+ | key C:\\Program Files\\OpenVpn\\config\\openvpn-windows.key | ||
+ | #tun-mtu 1500 | ||
+ | #tun-mtu-extra 32 | ||
+ | mssfix 1450 | ||
+ | pull | ||
+ | comp-lzo | ||
+ | verb 3 | ||
+ | auth-user-pass |
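Review bot: the line `echo $username $password $1 >> /tmp/openvpnpw` in the new openvpnpw script appends the plaintext password of every login attempt to a file under /tmp, typically readable by every local user; delete it before deployment or log only `$username` and the result. In the same hunk, `auth-user-pass-verify "/usr/local/bin/openvpnpw /etc/openvpn/passwd" via-env` together with `script-security 3` hands the password to the script through the environment (OpenVPN's own script-security documentation marks this level as potentially unsafe); `via-file` with `script-security 2` keeps it out of the environment. Two command errors in the extraction steps: `ar -x squid_3.5.12-1ubuntu7.5_amd64.deb /root/data` names an archive member that does not exist (the wanted member is `data.tar.xz`), and in `tar -xJfv data.tar.xz` the `f` option consumes `v` as the archive name, so the order should be `tar -xJvf data.tar.xz`.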
Current version as of 14 March 2018, 10:03
Normal user management
Server
- useradd testuser
- passwd testuser
- vi /etc/openvpn/server.conf
<pre>
dev tun
mode server
tls-server
#proto tcp-server
port 5000
topology subnet
server 172.31.2.0 255.255.255.0
route-gateway 172.31.2.1
push 'route-gateway 172.31.2.1'
cipher AES-256-CBC
link-mtu 1558
status /tmp/cool-vpn.status
keepalive 10 30
client-to-client
max-clients 150
verb 3
dh /etc/openvpn/dh1024.pem
ca /etc/openvpn/openvpn-ca.crt
cert /etc/openvpn/openvpn-linux.crt
key /etc/openvpn/openvpn-linux.key
comp-lzo
persist-key
persist-tun
duplicate-cn
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so /etc/pam.d/login    <--- this line enables user authentication
</pre>
Client
- C:\\Program Files\OpenVpn\config\config.ovpn
<pre>
port 5000 #udp by default
dev tun0
remote 192.168.240.42
tls-client
ca C:\\Program Files\\OpenVpn\\config\\openvpn-ca.crt
cert C:\\Program Files\\OpenVpn\\config\\openvpn-windows.crt
key C:\\Program Files\\OpenVpn\\config\\openvpn-windows.key
#tun-mtu 1500
#tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 3
auth-user-pass    <--- this line enables user authentication
</pre>
with htpasswd
Server
Extract basic_ncsa_auth from the Squid package
- apt-get download squid3
- ar -x squid_3.5.12-1ubuntu7.5_amd64.deb data.tar.xz
- tar -xJvf data.tar.xz
- cp ./usr/lib/squid/basic_ncsa_auth /usr/local/bin (path relative to the directory the archive was unpacked in)
Create the authentication script
- vi /usr/local/bin/openvpnpw
<pre>
#!/bin/bash
# OpenVPN (via-env) supplies $username and $password; $1 is the htpasswd file.
# Debug line only: it writes the plaintext password to /tmp. Remove it once the setup works.
printf '%s %s %s\n' "$username" "$password" "$1" >> /tmp/openvpnpw
# basic_ncsa_auth reads "user password" from stdin and answers OK or ERR.
ERG=$(printf '%s %s\n' "$username" "$password" | /usr/local/bin/basic_ncsa_auth "$1" | tr -d " ")
if [[ "$ERG" = "OK" ]]
then
  exit 0
else
  exit 1
fi
</pre>
Create the htpasswd file
- htpasswd -c /etc/openvpn/passwd testuser (omit "-c" to simply add another user to an existing file)
Configure OpenVPN
- vi /etc/openvpn/server.conf
<pre>
dev tun
mode server
tls-server
#proto tcp-server
port 5000
topology subnet
server 172.31.2.0 255.255.255.0
route-gateway 172.31.2.1
push 'route-gateway 172.31.2.1'
cipher AES-256-CBC
#auth SHA1
link-mtu 1558
status /tmp/cool-vpn.status
keepalive 10 30
client-to-client
max-clients 150
verb 3
dh /etc/openvpn/dh1024.pem
ca /etc/openvpn/openvpn-ca.crt
cert /etc/openvpn/openvpn-linux.crt
key /etc/openvpn/openvpn-linux.key
comp-lzo
persist-key
persist-tun
duplicate-cn
script-security 3
auth-user-pass-verify "/usr/local/bin/openvpnpw /etc/openvpn/passwd" via-env
</pre>
Client
- C:\\Program Files\OpenVpn\config\config.ovpn
<pre>
port 5000 #udp by default
dev tun0
remote 192.168.240.42
tls-client
ca C:\\Program Files\\OpenVpn\\config\\openvpn-ca.crt
cert C:\\Program Files\\OpenVpn\\config\\openvpn-windows.crt
key C:\\Program Files\\OpenVpn\\config\\openvpn-windows.key
#tun-mtu 1500
#tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 3
auth-user-pass
</pre>
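A hardened variant of the verify script, as an added example that is not part of the original page: it uses OpenVPN's `via-file` mode (credentials arrive in a temp file instead of the process environment, so `script-security 2` suffices), checks `{SHA}` htpasswd entries (created with `htpasswd -s`) with the Python standard library instead of calling `basic_ncsa_auth`, and logs only the username and the outcome. The script name `openvpnpw.py`, the user `testuser` and the password `password` are constructed assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical auth-user-pass-verify script for OpenVPN's via-file mode.
OpenVPN writes the username on line 1 and the password on line 2 of a temp file and calls
  auth-user-pass-verify "/usr/local/bin/openvpnpw.py /etc/openvpn/passwd" via-file
Exit status 0 accepts the login, anything else rejects it."""
import base64
import hashlib
import hmac
import sys

# Constructed sample htpasswd content; the entry is what `htpasswd -s` produces for "password".
SAMPLE_HTPASSWD = "# constructed sample\ntestuser:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n"

def parse_htpasswd(text: str) -> dict:
    """Map user -> stored hash, skipping blank, comment and malformed lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, digest = line.split(":", 1)
            users[user] = digest
    return users

def sha_entry_matches(stored: str, password: str) -> bool:
    """Check a '{SHA}base64(sha1(password))' entry in constant time; other formats are rejected."""
    if not stored.startswith("{SHA}"):
        return False
    computed = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest())
    return hmac.compare_digest(stored[len("{SHA}"):].encode("utf-8"), computed)

def verify_user(username: str, password: str, htpasswd_text: str) -> bool:
    """True only if the user exists and the password matches its entry."""
    entry = parse_htpasswd(htpasswd_text).get(username)
    return entry is not None and sha_entry_matches(entry, password)

def read_via_file(path: str) -> tuple:
    """via-file layout: first line username, second line password."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines() + ["", ""]
    return lines[0], lines[1]

if __name__ == "__main__":
    import syslog  # Unix only; argv[1] = htpasswd file from the config, argv[2] = temp file from OpenVPN
    user, pw = read_via_file(sys.argv[2])
    with open(sys.argv[1], encoding="utf-8") as fh:
        ok = verify_user(user, pw, fh.read())
    # Log the username and the result only, never the password.
    syslog.syslog(syslog.LOG_AUTH | syslog.LOG_INFO, "openvpn login %s for %r" % ("OK" if ok else "FAILED", user))
    sys.exit(0 if ok else 1)
```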