OpenVPN supports two authentication methods, certificate-based and password-based. This post describes how to configure password authentication.
一:修改openVPN服务端配置,在文件末尾添加如下配置:
# vim /opt/apps/openvpn/etc/server.conf auth-user-pass-verify /opt/apps/openvpn/etc/checkpsw.sh via-env client-cert-not-required username-as-common-name
Step 2: Download the checkpsw.sh file and set the required permissions:
Download URL: http://openvpn.se/files/other/checkpsw.sh
Its contents are as follows (note: set the PASSFILE and LOG_FILE paths to match your installation):

```
# vim /opt/apps/openvpn/etc/checkpsw.sh
```

```sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <[email protected]>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/opt/apps/openvpn/etc/psw-file"
LOG_FILE="/opt/apps/openvpn/var/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

# Look up the password for ${username}; lines starting with ';' or '#' are comments.
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  # Note: the submitted password is written to the log file in clear text.
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

# Note: the submitted password is written to the log file in clear text.
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
```

```
# chmod a+x /opt/apps/openvpn/etc/checkpsw.sh
```
Step 3: Create the password file and add the accounts and passwords to it:

```
# vim /opt/apps/openvpn/etc/psw-file
username password
```
Step 4: Configure password authentication on the client and remove the certificate-related settings:

```
auth-user-pass
#cert xxx.crt
#key xxx.key
```
Step 5: Restart the OpenVPN service and verify that the client can log in with a password.
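The checkpsw.sh script above keeps every password in clear text in psw-file, writes the submitted password into the log on each failed attempt, and splices ${username} directly into the awk program text. The script below is an added example, not the original checkpsw.sh and not part of this post, that keeps the same OpenVPN contract (username and password arrive in the environment via `via-env`, exit 0 on success, non-zero on failure) but stores a per-user salt and a SHA-256 hash instead of the password, passes the username to awk as data with `-v`, and never logs the submitted password. The default PASSFILE and LOG_FILE paths are assumptions taken from this post; it needs only POSIX sh, awk and sha256sum. Two caveats from the OpenVPN manual apply to the server configuration in step 1: `via-env` requires `script-security 3` in server.conf, and `client-cert-not-required` has been deprecated in favour of `verify-client-cert none` since OpenVPN 2.4.

```shell
#!/bin/sh
# Added example: salted-hash variant of the checkpsw.sh logic (not the original script).
# Password file format, one user per line, ';' and '#' lines are comments:
#   username <hex salt> <sha256 hex of salt||password>

# sha256_hex SALT PASSWORD -> hex digest of salt||password on stdout
sha256_hex() {
    printf '%s%s' "$1" "$2" | sha256sum | awk '{print $1}'
}

# make_entry USER PASSWORD [SALT] -> one password-file line on stdout.
# A random 8-byte salt is generated when none is supplied.
make_entry() {
    salt=${3:-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')}
    printf '%s %s %s\n' "$1" "$salt" "$(sha256_hex "$salt" "$2")"
}

# lookup_entry USER PASSFILE -> "salt hash" for USER, empty if absent.
# The username is handed to awk with -v, so it is compared as data rather than
# being pasted into the awk program text as the original script does.
lookup_entry() {
    awk -v u="$1" '!/^;/ && !/^#/ && $1 == u { print $2, $3; exit }' "$2"
}

# check_password USER PASSWORD PASSFILE [LOGFILE]
# Returns 0 on success and 1 on any failure. Log lines carry the username and
# the outcome only; the submitted password is never written out.
check_password() {
    user=$1; pass=$2; passfile=$3; logfile=${4:-/dev/null}
    stamp=$(date "+%Y-%m-%d %T")
    if [ ! -r "$passfile" ]; then
        echo "$stamp: Could not open password file \"$passfile\" for reading." >> "$logfile"
        return 1
    fi
    entry=$(lookup_entry "$user" "$passfile")
    if [ -z "$entry" ]; then
        echo "$stamp: User does not exist: username=\"$user\"." >> "$logfile"
        return 1
    fi
    salt=${entry%% *}
    expected=${entry#* }
    if [ "$(sha256_hex "$salt" "$pass")" = "$expected" ]; then
        echo "$stamp: Successful authentication: username=\"$user\"." >> "$logfile"
        return 0
    fi
    echo "$stamp: Incorrect password: username=\"$user\"." >> "$logfile"
    return 1
}

# Entry point when OpenVPN invokes the script (auth-user-pass-verify ... via-env):
# username and password are in the environment. Paths are assumptions from the post.
if [ -n "${username:-}" ] && [ -n "${password:-}" ]; then
    check_password "$username" "$password" \
        "${PASSFILE:-/opt/apps/openvpn/etc/psw-file}" \
        "${LOG_FILE:-/opt/apps/openvpn/var/openvpn-password.log}"
    exit $?
fi
```

To add a user, append the output of `make_entry alice 'her-password'` to psw-file; the plain password is never stored. Keep psw-file readable only by the user OpenVPN runs the script as, and keep the log file out of world-readable locations, since usernames alone are still useful to an attacker who can read them.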
Date: 2024-11-10 07:10:18