Building a fully featured OpenVPN PAM MySQL server in 10 steps, V1.1

June 1st, 2010 Posted in VPN | Views: 900

Author: gaojinbo
Time: 2010-6-1

Installing and configuring OpenVPN on Ubuntu with user/password authentication, V1.1: user passwords are verified through pam_mysql (openvpn pam mysql)

1. Environment
ubuntu 9.10    amd64
openvpn 2.1
eth0    192.168.1.195 (this is the OpenVPN server's address; replace it with your own public IP)
VPN network    192.168.10.0/24 (the virtual private subnet clients receive once connected; it must not be the same as the physical subnet)

2. Enable IP forwarding
vi /etc/sysctl.conf

net.ipv4.ip_forward = 1
# apply without rebooting: sysctl -p

3. Firewall setup

# NAT the VPN subnet from step 1 out through the server, and allow traffic in and through the tunnel interface
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -o tun0 -j ACCEPT
# if your INPUT policy is DROP, the OpenVPN port itself (udp 1194, step 8) must also be allowed on eth0

4. Install openvpn and libpam-mysql, and generate the certificates

apt-get install openvpn libpam-mysql

cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn

cd /etc/openvpn/easy-rsa/2.0

source ./vars

./clean-all

./build-ca

./build-key-server server   # answer y when "Sign the certificate?" appears

./build-dh

openvpn --genkey --secret ta.key

cp ta.key keys

# server.conf (step 8) expects the files at these paths
cp keys/ca.crt keys/server.crt keys/server.key keys/dh1024.pem keys/ta.key /etc/openvpn/

All generated files are in the keys directory.

5. Add the PAM file for openvpn

vi /etc/pam.d/openvpn

# where=vpnuser.active=1 restricts the lookup to active accounts; without it pam_mysql compares only name and password
auth sufficient  pam_mysql.so  user=openvpn passwd=openvpn \
host=127.0.0.1 port=3306 db=vpn table=vpnuser usercolumn=name \
passwdcolumn=password where=vpnuser.active=1 sqllog=0 crypt=2

account required pam_mysql.so  user=openvpn passwd=openvpn \
host=127.0.0.1 port=3306 db=vpn table=vpnuser usercolumn=name \
passwdcolumn=password where=vpnuser.active=1 sqllog=0 crypt=2

Note: openvpn-auth-pam authentication only works with host=localhost or host=127.0.0.1. crypt=2 tells pam_mysql to compare against the MySQL PASSWORD() hash stored in step 7. Since this file contains the database password in clear text, keep it readable only by root.

6. Install mysql-proxy

Since MySQL server is not installed on this machine, and openvpn-auth-pam cannot connect to the remote database by IP (see the note in step 5), install mysql-proxy so that a local 127.0.0.1:3306 forwards to the remote database and openvpn-auth-pam authentication works.

apt-get install mysql-proxy

Start it:

# 192.168.1.12 is the remote MySQL server. PAM connects to 127.0.0.1:3306 (step 5), so binding --proxy-address to 127.0.0.1:3306 instead of 0.0.0.0:3306 keeps the proxy off the network
/usr/sbin/mysql-proxy --proxy-address=0.0.0.0:3306 --proxy-backend-addresses=192.168.1.12:3306 --proxy-lua-script=/usr/share/mysql-proxy/rw-splitting.lua >/var/log/mysql-proxy.log &

7. Configure the database

Log in to the database as an administrator:

create database vpn;

-- 'openvpn' is the example password; '%' accepts this account from any host, restricting it to the OpenVPN server's address (192.168.1.195, step 1) is tighter
GRANT ALL ON vpn.* TO 'openvpn'@'%' IDENTIFIED BY 'openvpn';

flush privileges;

use vpn;

CREATE TABLE vpnuser (
  name char(20) NOT NULL,
  password char(128) default NULL,
  active int(10) NOT NULL DEFAULT 1,
  PRIMARY KEY (name)
);

insert into vpnuser (name,password) values('gaojinbo.com',password('gaojinbo.com'));

Note:

Creates the openvpn user with all privileges on the vpn database, password openvpn.

A user whose active column is not 1 is not allowed to use the VPN (pam_mysql only enforces this if its query filters on that column, through its where= option).

Adds a user: username gaojinbo.com, password gaojinbo.com
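To make concrete what pam_mysql does with crypt=2 (step 5) and why the active column from this step only matters if the query filters on it, here is an added Python example; it is not part of the original post nor pam_mysql's own code. It recomputes MySQL's PASSWORD() hash (the 4.1+ format: '*' followed by the uppercase hex of SHA1(SHA1(password))) over a constructed in-memory copy of the vpnuser table; the names VPNUSER, mysql_password and pam_auth are this example's assumptions.

```python
import hashlib
import hmac


def mysql_password(plain: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + uppercase hex of SHA1(SHA1(plain)).

    This is the value stored by step 7's INSERT and recomputed by
    pam_mysql when crypt=2 is set in /etc/pam.d/openvpn."""
    inner = hashlib.sha1(plain.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed stand-in for the vpnuser table (name, password, active).
# The second row is a disabled account, as described in step 7.
VPNUSER = {
    "gaojinbo.com": {"password": mysql_password("gaojinbo.com"), "active": 1},
    "disabled.user": {"password": mysql_password("secret"), "active": 0},
}


def pam_auth(name: str, plain: str, enforce_active: bool) -> bool:
    """Mimic the 'auth' line of /etc/pam.d/openvpn.

    enforce_active=False reproduces a PAM line that names only usercolumn
    and passwdcolumn: the active flag is never consulted, so a disabled
    user with a correct password still gets in.  enforce_active=True models
    the extra condition pam_mysql's where= option appends to its query.
    """
    row = VPNUSER.get(name)
    if row is None:
        return False
    if enforce_active and row["active"] != 1:
        return False
    # Compare the recomputed hash with the stored one in constant time.
    return hmac.compare_digest(mysql_password(plain), row["password"])


if __name__ == "__main__":
    for user, pw in (("gaojinbo.com", "gaojinbo.com"),
                     ("gaojinbo.com", "wrong"),
                     ("disabled.user", "secret")):
        print(user, "without where=:", pam_auth(user, pw, False),
              " with where=:", pam_auth(user, pw, True))
```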


8. Edit the OpenVPN server configuration file

vi /etc/openvpn/server.conf

port 1194
proto udp
dev tun

# generated in step 4 under easy-rsa/2.0/keys; they must be present at these paths
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem

# VPN subnet from step 1; it must match the -s 192.168.10.0/24 in the NAT rule of step 3
server 192.168.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt

;push "redirect-gateway"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.1.9 255.255.255.255 net_gateway"

push "dhcp-option DNS 202.96.128.166"

keepalive 10 120
# HMAC on the control channel; the client uses key direction 1 (step 9)
tls-auth /etc/openvpn/ta.key 0

comp-lzo

user nobody
group nogroup

persist-key
persist-tun

# /var/www is normally a web root, so the status file (connected users and their addresses) may become publicly readable there; /var/log is the safer location
status       /var/www/openvpn-status.log
log-append  /var/log/openvpn.log

# the Ubuntu package installs the plugin here; "openvpn" is the PAM service name from step 5
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn

# clients authenticate with username/password only (no client certificate);
# the username becomes the common name, and duplicate-cn lets one user connect more than once
client-cert-not-required
username-as-common-name
client-to-client
duplicate-cn

auth-nocache
verb 3

That completes the server-side configuration!

9. Install the OpenVPN client

For the Windows OpenVPN client, download it from http://openvpn.se/. After installing, copy the server-generated ca.crt and ta.key into the conf directory under the installation directory, then create a client.ovpn file:

client
dev tun
proto udp

remote 192.168.1.195 1194
resolv-retry infinite

nobind
persist-key
persist-tun

ca ca.crt
auth-user-pass
# require the server certificate to carry nsCertType=server (set by build-key-server in step 4)
ns-cert-type server

tls-auth ta.key 1
comp-lzo

verb 3

10. Test

On Windows, connect to the server through the OpenVPN GUI; when prompted, log in with username and password gaojinbo.com.

Done!
