Installing OpenVPN
For the OpenVPN Server installation, follow the steps in 《OpenVPN Server搭建及使用LDAP做登录认证》 (OpenVPN Server setup with LDAP login authentication).
Installing MySQL
Installation
yum install mariadb-server
systemctl enable mariadb
systemctl start mariadb
mysql_secure_installation
MariaDB [openvpn]> select version();
+----------------+
| version()      |
+----------------+
| 5.5.68-MariaDB |
+----------------+
1 row in set (0.00 sec)
Create the database
CREATE DATABASE IF NOT EXISTS openvpn DEFAULT CHARSET utf8;
Create the table
create table vpnuser (
    username   varchar(16) not null,
    password   char(41)    not null,
    email      varchar(50) null,
    active     tinyint     not null default 1,
    created_at timestamp   null,
    updated_at timestamp   null on update current_timestamp,
    remark     text,
    primary key (username)
);
+------------+-------------+------+-----+---------+-----------------------------+
| Field      | Type        | Null | Key | Default | Extra                       |
+------------+-------------+------+-----+---------+-----------------------------+
| username   | varchar(16) | NO   | PRI | NULL    |                             |
| password   | char(41)    | NO   |     | NULL    |                             |
| email      | varchar(50) | YES  |     | NULL    |                             |
| active     | tinyint(4)  | NO   |     | 1       |                             |
| created_at | timestamp   | YES  |     | NULL    |                             |
| updated_at | timestamp   | YES  |     | NULL    | on update CURRENT_TIMESTAMP |
| remark     | text        | YES  |     | NULL    |                             |
+------------+-------------+------+-----+---------+-----------------------------+
Grant a database account
grant all on openvpn.* to openvpn@'localhost' identified by 'password';
Insert a test VPN account
insert into vpnuser (username,password,created_at) values ('xnile',password('123456'),CURRENT_TIMESTAMP);
Configure OpenVPN to authenticate against MySQL
Install the pam_mysql package
rpm -ivh http://repo.iotti.biz/CentOS/7/x86_64/pam_mysql-0.8.1-0.22.el7.lux.x86_64.rpm
Note the following:
pam_mysql must not be installed with a plain `yum install pam_mysql`. The version shipped with the system is 0.7, and with that version OpenVPN authentication fails later on: /var/log/secure keeps logging the error below.
openvpn: PAM unable to dlopen(/usr/lib64/security/pam_mysql.so): /usr/lib64/security/pam_mysql.so: undefined symbol: pam_set_data
openvpn: PAM adding faulty module: /usr/lib64/security/pam_mysql.so
openvpn: PAM unable to dlopen(/usr/lib64/security/pam_mysql.so): /usr/lib64/security/pam_mysql.so: undefined symbol: pam_set_data
openvpn: PAM adding faulty module: /usr/lib64/security/pam_mysql.so
openvpn: PAM unable to dlopen(/usr/lib64/security/pam_mysql.so): /usr/lib64/security/pam_mysql.so: undefined symbol: pam_set_data
Prepare the PAM authentication file
cat > /etc/pam.d/openvpn_mysql << EOF
auth sufficient pam_mysql.so user=openvpn passwd=密码 host=localhost db=openvpn table=vpnuser usercolumn=username passwdcolumn=password [where=vpnuser.active=1] sqllog=0 crypt=2
account required pam_mysql.so user=openvpn passwd=密码 host=localhost db=openvpn table=vpnuser usercolumn=username passwdcolumn=password [where=vpnuser.active=1] sqllog=0 crypt=2
EOF
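As an added illustration (not code from the original post), the Python below reproduces what `crypt=2` makes pam_mysql do: the stored value is the MySQL `PASSWORD()` hash, that is `*` followed by the uppercase hex of SHA1(SHA1(plaintext)), and the `[where=vpnuser.active=1]` clause means a row with `active=0` never authenticates even with the right password. The `VPNUSER` dictionary stands in for the `vpnuser` table with constructed rows, and `pam_mysql_auth` is a hypothetical name, not part of pam_mysql.

```python
import hashlib
import hmac


def mysql_password(plaintext: str) -> str:
    """Reproduce MySQL/MariaDB PASSWORD() (4.1+ format).

    Result is 41 characters: '*' + uppercase hex of SHA1(SHA1(plaintext)),
    which is exactly what vpnuser.password char(41) stores and what
    pam_mysql compares against when crypt=2 is set.
    """
    inner = hashlib.sha1(plaintext.encode("utf-8")).digest()   # raw 20 bytes
    outer = hashlib.sha1(inner).hexdigest().upper()
    return "*" + outer


# Constructed rows standing in for the vpnuser table (hypothetical data):
# 'xnile' mirrors the test account inserted in the post, 'olduser' is a
# disabled account with the same password.
VPNUSER = {
    "xnile":   {"password": mysql_password("123456"), "active": 1},
    "olduser": {"password": mysql_password("123456"), "active": 0},
}


def pam_mysql_auth(table: dict, username: str, plaintext: str) -> bool:
    """Emulate the pam_mysql lookup configured in /etc/pam.d/openvpn_mysql.

    usercolumn=username selects the row, [where=vpnuser.active=1] filters
    out disabled accounts, and crypt=2 means the candidate password is run
    through PASSWORD() and compared with passwdcolumn=password.
    """
    row = table.get(username)
    if row is None or row["active"] != 1:
        # Unknown user or filtered out by the WHERE clause: no row, no login.
        return False
    candidate = mysql_password(plaintext)
    # Constant-time comparison so a wrong hash does not leak by timing.
    return hmac.compare_digest(row["password"], candidate)


if __name__ == "__main__":
    print(mysql_password("123456"))
    print(pam_mysql_auth(VPNUSER, "xnile", "123456"))     # True
    print(pam_mysql_auth(VPNUSER, "olduser", "123456"))   # False: active=0
```

Note that `PASSWORD()` is an unsalted double SHA1, so the `vpnuser` table should be protected as carefully as any credential store.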
Install the cyrus-sasl tools to verify the PAM authentication
yum install cyrus-sasl
systemctl start saslauthd
testsaslauthd -u xnile -p 123456 -s openvpn_mysql
If this returns `0: OK "Success."`, authentication is working.
Prepare the OpenVPN configuration file to use MySQL authentication
local 0.0.0.0
port 1194
proto udp
dev tun
user openvpn
group openvpn
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# client address pool
server 10.255.255.0 255.255.255.0
# route pushed to clients for the internal 192.168.1.0/24 network
push "route 192.168.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt 1
# keepalive: ping every 10 seconds, treat the peer as down after 120 seconds without a reply
keepalive 10 120
# tls-auth key direction: 0 on the server, 1 on clients
tls-auth ta.key 0
cipher AES-256-CBC
# compress transmitted data
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
verify-client-cert none
log "openvpn.log"
# authenticate via MySQL through the PAM service defined in /etc/pam.d/openvpn_mysql
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn_mysql"
References
https://github.com/NigelCunningham/pam-MySQL/issues/27
https://wiki.eryajf.net/pages/3809.html