OPENVPN with User Authentication: Difference between revisions
(Page created: „=Normale Benutzerverwaltung= ==Server== *useradd testuser *passwd testuser *vi /etc/openvpn/server.conf <pre> dev tun mode server tls-server #proto tcp-server…“) |
|||
| Line 50: | Line 50: | ||
=mit htpasswd= | =mit htpasswd= | ||
| + | ==Server== | ||
| + | ===basic_ncsa_auth aus Squid-Paket extrahieren=== | ||
| + | *apt-get download squid3 | ||
| + | *ar -x squid_3.5.12-1ubuntu7.5_amd64.deb /root/data | ||
| + | *tar -xJfv data.tar.xz | ||
| + | *cp /usr/lib/squid/basic_ncsa_auth /usr/local/bin | ||
| + | |||
| + | ===Authentication-Script erstellen=== | ||
| + | *vi /usr/local/bin/openvpnpw | ||
| + | <pre> | ||
| + | #!/bin/bash | ||
| + | echo $username $password $1 >> /tmp/openvpnpw | ||
| + | ERG=$(echo $username $password | /usr/local/bin/basic_ncsa_auth $1 | tr -d " ") | ||
| + | if [[ "$ERG" = "OK" ]] | ||
| + | then | ||
| + | exit 0 | ||
| + | else | ||
| + | exit 1 | ||
| + | fi | ||
| + | </pre> | ||
| + | |||
| + | ===htpasswd-Datei erstellen=== | ||
| + | *htpasswd -c /etc/openvpn/passwd testuser (ohne "-c" um einfach einen neuen User hinzu zu fügen) | ||
| + | |||
| + | ===Openvpn konfigurieren=== | ||
| + | *vi /etc/openvpn/server.conf | ||
| + | <pre> | ||
| + | dev tun | ||
| + | mode server | ||
| + | tls-server | ||
| + | #proto tcp-server | ||
| + | port 5000 | ||
| + | topology subnet | ||
| + | server 172.31.2.0 255.255.255.0 | ||
| + | route-gateway 172.31.2.1 | ||
| + | push 'route-gateway 172.31.2.1' | ||
| + | cipher AES-256-CBC | ||
| + | #auth SHA1 | ||
| + | link-mtu 1558 | ||
| + | status /tmp/cool-vpn.status | ||
| + | keepalive 10 30 | ||
| + | client-to-client | ||
| + | max-clients 150 | ||
| + | verb 3 | ||
| + | dh /etc/openvpn/dh1024.pem | ||
| + | ca /etc/openvpn/openvpn-ca.crt | ||
| + | cert /etc/openvpn/openvpn-linux.crt | ||
| + | key /etc/openvpn/openvpn-linux.key | ||
| + | comp-lzo | ||
| + | persist-key | ||
| + | persist-tun | ||
| + | duplicate-cn | ||
| + | script-security 3 | ||
| + | auth-user-pass-verify "/usr/local/bin/openvpnpw /etc/openvpn/passwd" via-env | ||
| + | </pre> | ||
| + | |||
| + | ==Client== | ||
| + | *C:\\Program Files\OpenVpn\config\config.ovpn | ||
| + | port 5000 #udp by default | ||
| + | dev tun0 | ||
| + | remote 192.168.240.42 | ||
| + | tls-client | ||
| + | ca C:\\Program Files\\OpenVpn\\config\\openvpn-ca.crt | ||
| + | cert C:\\Program Files\\OpenVpn\\config\\openvpn-windows.crt | ||
| + | key C:\\Program Files\\OpenVpn\\config\\openvpn-windows.key | ||
| + | #tun-mtu 1500 | ||
| + | #tun-mtu-extra 32 | ||
| + | mssfix 1450 | ||
| + | pull | ||
| + | comp-lzo | ||
| + | verb 3 | ||
| + | auth-user-pass | ||
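Review bot: the debug line "echo $username $password $1 >> /tmp/openvpnpw" in the new authentication script appends every submitted username and cleartext password to a world-readable file under /tmp; remove it, or reduce it to the username and write to a file only root can read, before the script is used beyond a quick test. The unquoted expansions on that line and on "ERG=$(echo $username $password | ...)" also let the shell glob-expand and whitespace-split the credentials; printf '%s %s\n' "$username" "$password" avoids that. The "via-env" mode selected in the auth-user-pass-verify line is the reason "script-security 3" is required, since it places the password in the script's environment; "via-file" hands it over in a temporary file and works with "script-security 2". In the extraction steps, "ar -x squid_3.5.12-1ubuntu7.5_amd64.deb /root/data" names a member that does not exist in the package (the member is data.tar.xz), and in "tar -xJfv data.tar.xz" the f option takes "v" as the archive name; "ar -x squid_3.5.12-1ubuntu7.5_amd64.deb data.tar.xz" and "tar -xJvf data.tar.xz" are meant.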
Current revision as of 14 March 2018, 10:03
Normal user management
Server
- useradd testuser
- passwd testuser
- vi /etc/openvpn/server.conf
    dev tun
    mode server
    tls-server
    #proto tcp-server
    port 5000
    topology subnet
    server 172.31.2.0 255.255.255.0
    route-gateway 172.31.2.1
    push 'route-gateway 172.31.2.1'
    cipher AES-256-CBC
    link-mtu 1558
    status /tmp/cool-vpn.status
    keepalive 10 30
    client-to-client
    max-clients 150
    verb 3
    dh /etc/openvpn/dh1024.pem
    ca /etc/openvpn/openvpn-ca.crt
    cert /etc/openvpn/openvpn-linux.crt
    key /etc/openvpn/openvpn-linux.key
    comp-lzo
    persist-key
    persist-tun
    duplicate-cn
    plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so /etc/pam.d/login   <--- This line enables user authentication
Client
- C:\\Program Files\OpenVpn\config\config.ovpn
    port 5000 #udp by default
    dev tun0
    remote 192.168.240.42
    tls-client
    ca C:\\Program Files\\OpenVpn\\config\\openvpn-ca.crt
    cert C:\\Program Files\\OpenVpn\\config\\openvpn-windows.crt
    key C:\\Program Files\\OpenVpn\\config\\openvpn-windows.key
    #tun-mtu 1500
    #tun-mtu-extra 32
    mssfix 1450
    pull
    comp-lzo
    verb 3
    auth-user-pass   <--- This line enables user authentication
with htpasswd
Server
Extract basic_ncsa_auth from the Squid package
- apt-get download squid3
- ar -x squid_3.5.12-1ubuntu7.5_amd64.deb data.tar.xz
- tar -xJvf data.tar.xz
- cp usr/lib/squid/basic_ncsa_auth /usr/local/bin (path relative to the directory data.tar.xz was unpacked into)
Create the authentication script
- vi /usr/local/bin/openvpnpw
    #!/bin/bash
    # Called by OpenVPN through "auth-user-pass-verify ... via-env": the client's
    # credentials arrive in the environment variables $username and $password,
    # the htpasswd file is passed as $1. basic_ncsa_auth reads "user password"
    # on stdin and answers OK or ERR.
    # Debug output: kept disabled, because it would record credentials in a
    # world-readable file; never write $password to a log.
    #echo "$username $1" >> /tmp/openvpnpw
    ERG=$(printf '%s %s\n' "$username" "$password" | /usr/local/bin/basic_ncsa_auth "$1" | tr -d " ")
    # Exit status 0 tells OpenVPN to accept the client; anything else rejects it.
    if [[ "$ERG" = "OK" ]]
    then
        exit 0
    else
        exit 1
    fi
Create the htpasswd file
- htpasswd -c /etc/openvpn/passwd testuser (use "-c" only the first time, since it creates the file; omit it to simply add another user)
Configure OpenVPN
- vi /etc/openvpn/server.conf
    dev tun
    mode server
    tls-server
    #proto tcp-server
    port 5000
    topology subnet
    server 172.31.2.0 255.255.255.0
    route-gateway 172.31.2.1
    push 'route-gateway 172.31.2.1'
    cipher AES-256-CBC
    #auth SHA1
    link-mtu 1558
    status /tmp/cool-vpn.status
    keepalive 10 30
    client-to-client
    max-clients 150
    verb 3
    dh /etc/openvpn/dh1024.pem
    ca /etc/openvpn/openvpn-ca.crt
    cert /etc/openvpn/openvpn-linux.crt
    key /etc/openvpn/openvpn-linux.key
    comp-lzo
    persist-key
    persist-tun
    duplicate-cn
    script-security 3
    auth-user-pass-verify "/usr/local/bin/openvpnpw /etc/openvpn/passwd" via-env
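The script above runs in via-env mode, which is why the server configuration needs script-security 3: OpenVPN exports the client's password into the script's environment. What follows is an added example, not code from the wiki page, of the same check written for via-file mode, where OpenVPN instead writes the username and the password as two lines into a temporary file and appends that file's path as the last argument (script-security 2 is enough). It keeps the basic_ncsa_auth stdin protocol used on the page ("user password" in, OK or ERR out); the script name openvpnpw-file, the AUTH_HELPER override variable and the username character rules are assumptions made for this example.

```bash
#!/bin/bash
# Added example (not from the wiki page): via-file counterpart of /usr/local/bin/openvpnpw.
# Assumed server.conf lines:
#   script-security 2
#   auth-user-pass-verify "/usr/local/bin/openvpnpw-file /etc/openvpn/passwd" via-file
# OpenVPN then runs:  openvpnpw-file /etc/openvpn/passwd <tmpfile>
# where <tmpfile> holds the username on line 1 and the password on line 2.
# Exit status 0 accepts the client, anything else rejects it.

# Path of the Squid helper copied in the steps above. Overridable so that the
# functions can be exercised with a stand-in (assumption made for this example).
AUTH_HELPER="${AUTH_HELPER:-/usr/local/bin/basic_ncsa_auth}"

# valid_username NAME
# basic_ncsa_auth reads "user password" as one whitespace-separated line, so an
# empty username or one containing whitespace would corrupt the request.
# A conservative character set also keeps the log lines below clean.
valid_username() {
    local u="$1"
    [ -n "$u" ] && [ "${#u}" -le 64 ] && printf '%s' "$u" | grep -Eq '^[A-Za-z0-9._@-]+$'
}

# check_credentials HTPASSWD_FILE CRED_FILE
# Returns 0 only when the helper answers OK. The password never reaches a log:
# only the username and the verdict go to stderr, which OpenVPN forwards to
# its own log.
check_credentials() {
    local htpasswd="$1" credfile="$2" username password verdict
    [ -r "$htpasswd" ] || { echo "openvpnpw: cannot read $htpasswd" >&2; return 1; }
    [ -r "$credfile" ] || { echo "openvpnpw: cannot read credential file" >&2; return 1; }
    # IFS= and -r keep leading whitespace and backslashes exactly as sent;
    # a file with fewer than two lines is rejected.
    { IFS= read -r username && IFS= read -r password; } < "$credfile" || return 1
    valid_username "$username" || { echo "openvpnpw: rejected malformed username" >&2; return 1; }
    [ -n "$password" ] || { echo "openvpnpw: rejected $username (empty password)" >&2; return 1; }
    # The helper protocol is whitespace-delimited: refuse rather than silently truncate.
    case "$password" in
        *[[:space:]]*) echo "openvpnpw: rejected $username (unsupported characters)" >&2; return 1 ;;
    esac
    verdict=$(printf '%s %s\n' "$username" "$password" | "$AUTH_HELPER" "$htpasswd" 2>/dev/null)
    case "$verdict" in
        OK|"OK "*) echo "openvpnpw: accepted $username" >&2; return 0 ;;
        *)         echo "openvpnpw: rejected $username" >&2; return 1 ;;
    esac
}

# Entry point when OpenVPN runs the script (it always passes at least the
# credential file path). Without arguments only the functions are defined,
# which is what sourcing the file for a test wants.
if [ "$#" -gt 0 ]; then
    check_credentials "$1" "$2"
    exit $?
fi
```

Install it as /usr/local/bin/openvpnpw-file, make it executable, and replace the last two lines of server.conf with script-security 2 and auth-user-pass-verify "/usr/local/bin/openvpnpw-file /etc/openvpn/passwd" via-file. Accepted and rejected attempts show up in the OpenVPN log with the username only.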
Client
- C:\\Program Files\OpenVpn\config\config.ovpn
    port 5000 #udp by default
    dev tun0
    remote 192.168.240.42
    tls-client
    ca C:\\Program Files\\OpenVpn\\config\\openvpn-ca.crt
    cert C:\\Program Files\\OpenVpn\\config\\openvpn-windows.crt
    key C:\\Program Files\\OpenVpn\\config\\openvpn-windows.key
    #tun-mtu 1500
    #tun-mtu-extra 32
    mssfix 1450
    pull
    comp-lzo
    verb 3
    auth-user-pass