Last updated: 2016-06-14
Contents
- Server Setting
- Client Setting
Server Setting
server.conf
This instructs the auth-pam module (authentication plugin) to look for the pam responses 'login' and 'password'
The authentication plugin can control whether or not the OpenVPN server allows the client to connect by returning a failure (1) or success (0) value.
Centos 6 (32bit)
...
client-cert-not-required
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
...
/etc/pam.d/openvpn
auth    required   pam_userdb.so db=/etc/openvpn/users debug
account sufficient pam_userdb.so db=/etc/openvpn/users debug
options
- debug Print debug information.
- dump Dump all the entries in the database to the log. Don't do this by default!
Log output with 'verb 5'
... x.x.x.x:1030 PLUGIN_CALL: POST /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
...5 x.x.x.x:1030 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so
status=0 <== success
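As an added example (not part of the original page), a small Python parser for the PLUGIN_CALL lines that 'verb 5' produces: it extracts the peer address and the status value of each PLUGIN_AUTH_USER_PASS_VERIFY call and counts failures per source address, which is the first thing to look at when a password-only VPN is being guessed at. The log lines, addresses and the failure threshold are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the 'verb 5' output quoted above
# (timestamps, addresses and status values are made up for the example).
SAMPLE_LOG = """\
Tue Jun 14 10:00:01 2016 203.0.113.10:1030 PLUGIN_CALL: POST /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Jun 14 10:00:01 2016 203.0.113.10:1030 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so
Tue Jun 14 10:00:05 2016 203.0.113.10:1031 PLUGIN_CALL: POST /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Jun 14 10:00:09 2016 203.0.113.10:1032 PLUGIN_CALL: POST /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Jun 14 10:00:20 2016 198.51.100.7:4410 PLUGIN_CALL: POST /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
"""

# One regex for the "POST" result line: peer address and port, plugin hook, status value.
PLUGIN_CALL_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) PLUGIN_CALL: POST "
    r"\S+/(?P<hook>PLUGIN_[A-Z_]+) status=(?P<status>\d+)"
)

def parse_plugin_calls(text):
    """Return one dict per PLUGIN_CALL POST line; every other line is skipped."""
    events = []
    for line in text.splitlines():
        m = PLUGIN_CALL_RE.search(line)
        if m:
            events.append({
                "ip": m.group("ip"),
                "port": int(m.group("port")),
                "hook": m.group("hook"),
                "ok": m.group("status") == "0",  # status=0 is success, anything else failed
            })
    return events

def failed_auth_by_ip(events, hook="PLUGIN_AUTH_USER_PASS_VERIFY"):
    """Count failed calls of the given hook per source IP."""
    return Counter(e["ip"] for e in events if e["hook"] == hook and not e["ok"])

def suspicious_ips(events, threshold=3):
    """Source IPs with at least `threshold` failed password checks (threshold is a constructed value)."""
    return sorted(ip for ip, n in failed_auth_by_ip(events).items() if n >= threshold)

if __name__ == "__main__":
    ev = parse_plugin_calls(SAMPLE_LOG)
    print(failed_auth_by_ip(ev))
    print(suspicious_ips(ev))
```

The second line of the sample (the "failed with status 1" message) is deliberately not matched: OpenVPN logs it right after the POST line for the same attempt, so counting both would double every failure.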
Other authentication methods
plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth
auth-user-pass-verify /etc/openvpn/vpncheckCN-user.sh via-env
tls-verify "/etc/openvpn/vpncheckCN-cert.sh /etc/openvpn/userlist.txt"
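The vpncheckCN-user.sh script referenced above is not shown on the page. Added here as an example of what an auth-user-pass-verify script has to do (this is not the page's script and not part of OpenVPN): read the credentials OpenVPN hands over (via-env: the username and password environment variables; via-file: a two-line temporary file whose path is argv[1]), check them against a file of salted PBKDF2 hashes, and exit 0 to accept or 1 to reject, the same contract the plugin follows. The users.txt path, the hash line format and the iteration count are assumptions of this example; OpenVPN also needs script-security 2 to run an external script.

```python
#!/usr/bin/env python3
"""Hypothetical auth-user-pass-verify script (example only, not the page's vpncheckCN-user.sh).

Assumed server.conf lines:
    script-security 2
    auth-user-pass-verify /etc/openvpn/verify-user.py via-env

Exit status 0 = accept the client, 1 = reject (same as the plugin return values).
"""
import hashlib
import hmac
import os
import sys

ITERATIONS = 200_000  # constructed choice; raise it as far as your server can afford

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt_hex$dk_hex' for storage in the user file."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Constant-time comparison of a password against a stored hash string."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    except ValueError:  # malformed line: wrong field count, bad hex or bad iteration count
        return False

def load_users(text):
    """Parse 'username:hash' lines; '#' comments and blank lines are ignored."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, stored = line.partition(":")
        users[name] = stored
    return users

def check_login(users, username, password):
    """True only if the user exists and the password matches its stored hash."""
    stored = users.get(username)
    if stored is None:
        # Spend the same PBKDF2 cost for unknown users so response time does not reveal
        # which usernames exist.
        verify_password(password, hash_password("dummy"))
        return False
    return verify_password(password, stored)

def credentials_from_openvpn(argv, environ):
    """via-file: two-line file named in argv[1]; via-env: $username and $password."""
    if len(argv) > 1:
        with open(argv[1]) as f:
            lines = f.read().splitlines()
        return (lines[0], lines[1]) if len(lines) >= 2 else ("", "")
    return environ.get("username", ""), environ.get("password", "")

if __name__ == "__main__":
    USER_FILE = "/etc/openvpn/users.txt"  # assumed path, readable only by the openvpn user
    with open(USER_FILE) as f:
        users = load_users(f.read())
    user, pw = credentials_from_openvpn(sys.argv, os.environ)
    sys.exit(0 if check_login(users, user, pw) else 1)
```

Lines for users.txt are produced with hash_password(), so the file never holds a plaintext password (unlike the two-line auth.txt on the client side, which has to). Because auth-user-pass-verify is in use, the dual-authentication rule described in the next section applies unless the certificate check is switched off on the server.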
dual authentication
By default, using auth-user-pass-verify or a username/password-checking plugin on the server will enable dual authentication, requiring that both client-certificate and username/password authentication succeed in order for the client to be authenticated.
Client Setting
client.ovpn
# "auth-user-pass" requires "pull" / "client"
client
remote x.x.x.x
ca ca.txt
auth-user-pass auth.txt
pull
...
* When using auth-user-pass, pull is required (the client directive implies pull)
auth.txt
username
password
* This file does not support "#" comments
* A relative path is resolved against the directory that holds the *.ovpn file
Troubleshooting
[1]
log
openvpn[68598]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]x.x.x.x:y
If a tls-auth key is used on the server then every client must also have the key.
tls-auth ta.key 1
[2]
log
openvpn[2411]: x.x.x.x:y Authenticate/Decrypt packet error: cipher final failed
The server is configured with a stronger cipher, so the client must set the same one:
cipher AES-128-CBC
Summary
# server.conf
# OpenVPN 2.4.8 (openvpn --version)
mode server
proto tcp-server
port 1194
dev tap
# Certificates.
ca ca.crt
cert server.crt
# chmod 400 server.key
key server.key
# openssl dhparam -out dh1024.pem 1024
# (1024-bit DH is weak by today's standards; 2048 bits or more is the usual minimum)
dh dh1024.pem
#keepalive 10 120
#comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
verify-client-cert none
# Username and Password authentication via PAM.
# Doc: /usr/share/doc/openvpn-2.4.8/README.auth-pam
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
# mkdir /var/log/openvpn && chown openvpn. /var/log/openvpn
log /var/log/openvpn/server.log
status /var/log/openvpn/status
verb 7
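Added example, not from the page: a Python audit of an OpenVPN server config that works out how clients end up being authenticated, following the dual-authentication rule stated earlier. It flags the dangerous combination (certificate check disabled and no username/password check at all), reports whether dual authentication is in effect, and notes a missing script-security or tls-auth/tls-crypt line. The two configs inside the block are constructed; the hardened one keeps the PAM plugin line from the summary but leaves client certificates required.

```python
import shlex

# Two constructed server.conf fragments (not the page's own config): the first has
# no working client authentication, the second keeps the PAM plugin from the
# Summary section and still requires client certificates (dual authentication).
WEAK_CONF = """\
mode server
proto tcp-server
port 1194
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
verify-client-cert none
# no plugin and no auth-user-pass-verify: anyone reaching the port is let in
"""

HARDENED_CONF = """\
mode server
proto tcp-server
port 1194
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login  # PAM password check
"""

def parse_openvpn_config(text):
    """Return (directive, [args]) per line; '#'/';' comments and blank lines are dropped."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)  # keeps quoted args together, drops trailing '#'
        if parts:
            directives.append((parts[0], parts[1:]))
    return directives

def has_directive(directives, name):
    return any(d == name for d, _ in directives)

def audit_auth(text):
    """List findings about how clients are authenticated by this config."""
    d = parse_openvpn_config(text)
    findings = []
    cert_off = has_directive(d, "client-cert-not-required") or any(
        name == "verify-client-cert" and args[:1] == ["none"] for name, args in d)
    pw_check = has_directive(d, "auth-user-pass-verify") or any(
        name == "plugin" and "auth-pam" in " ".join(args) for name, args in d)
    if cert_off and not pw_check:
        findings.append("no client authentication: certificate check disabled and no username/password check")
    elif cert_off:
        findings.append("username/password only: client certificates are not required (dual authentication off)")
    elif pw_check:
        findings.append("dual authentication: certificate and username/password both required")
    else:
        findings.append("certificate only: no username/password check configured")
    if has_directive(d, "auth-user-pass-verify") and not has_directive(d, "script-security"):
        findings.append("auth-user-pass-verify needs 'script-security 2' or higher to run the script")
    if not has_directive(d, "tls-auth") and not has_directive(d, "tls-crypt"):
        findings.append("no tls-auth/tls-crypt: TLS handshake is reachable without the shared key")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_auth(conf))
```

Run against the summary config above, the audit reports "username/password only" (verify-client-cert none plus the PAM plugin) and the missing tls-auth, which is exactly the setup the page describes; whether that is acceptable depends on who can reach port 1194.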
Start & Test
openvpn --config server.conf
openvpn-plugin-auth-pam.so
This module uses a split privilege execution model
(will function even if you drop openvpn daemon privileges)
USAGE
plugin openvpn-auth-pam.so service-type
service-type => ls /etc/pam.d/service-type
e.g.
plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD"
# answer a "login" query with the username given by the OpenVPN client, and
# answer a "password" query with the password given by the OpenVPN client.
Remark
Run OpenVPN with --verb 7 or higher to get debugging output from this plugin
# client.ovpn
client
remote server.domain.name
port 5555
proto tcp-client
resolv-retry infinite
nobind
dev tap
persist-tun
persist-key
verb 3
status-version 2
status status 10
# auth-user-pass [file] <- when no file is given, OpenVPN prompts for the login interactively
# With auth-user-pass, <cert/> and <key/> can be omitted
# auth-user-pass must be used together with pull / client
auth-user-pass login.txt
# ca is still needed to verify the server; cert/key are not when the server does not require a client certificate
ca ca.crt
# cert client.crt
# key client.key
login.txt
USER
PASS
References
pam_userdb
http://datahunter.org/pam_userdb