====== OpenVPN server installation ======
This article describes the process of installing an OpenVPN server on Linux. VPN user data is stored in a MySQL database.
Tested on: Ubuntu 12.04 LTS.
====== MySQL database ======
1. [[linux:mysql-instalesana-un-datu-bazes-izveide|Install the MySQL server. Create the "openvpn" database and a matching user, and grant it privileges.]]
2. Create the database tables and fill them with data.
''user'' table
<code sql>
CREATE TABLE IF NOT EXISTS `user` (
  `user_id` varchar(32) COLLATE utf8_unicode_ci NOT NULL,
  `user_pass` varchar(32) COLLATE utf8_unicode_ci NOT NULL DEFAULT '1234',
  `user_mail` varchar(64) COLLATE utf8_unicode_ci DEFAULT NULL,
  `user_phone` varchar(16) COLLATE utf8_unicode_ci DEFAULT NULL,
  `user_online` tinyint(1) NOT NULL DEFAULT '0',
  `user_enable` tinyint(1) NOT NULL DEFAULT '1',
  `user_start_date` date NOT NULL,
  `user_end_date` date NOT NULL,
  PRIMARY KEY (`user_id`),
  KEY `user_pass` (`user_pass`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
</code>
''log'' table
<code sql>
CREATE TABLE IF NOT EXISTS `log` (
  `log_id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `user_id` varchar(32) COLLATE utf8_unicode_ci NOT NULL,
  `log_trusted_ip` varchar(32) COLLATE utf8_unicode_ci DEFAULT NULL,
  `log_trusted_port` varchar(16) COLLATE utf8_unicode_ci DEFAULT NULL,
  `log_remote_ip` varchar(32) COLLATE utf8_unicode_ci DEFAULT NULL,
  `log_remote_port` varchar(16) COLLATE utf8_unicode_ci DEFAULT NULL,
  `log_start_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
  `log_end_time` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
  `log_received` float NOT NULL DEFAULT '0',
  `log_send` float NOT NULL DEFAULT '0',
  PRIMARY KEY (`log_id`),
  KEY `user_id` (`user_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
</code>
''user'' data (an end date of ''0000-00-00'' means the account does not expire)
<code sql>
INSERT INTO `user` (
  `user_id`, `user_pass`, `user_mail`, `user_phone`,
  `user_online`, `user_enable`, `user_start_date`, `user_end_date`
)
VALUES (
  'test', '1234', 'mr.tumcpe@gmail.com',
  '+66815447514', 0, 1, '2012-01-01', '0000-00-00'
);
</code>
====== Installing OpenVPN and creating certificates ======
1. Install OpenVPN
<code bash>
apt-get install openvpn
</code>
2. Copy the certificate generator (easy-rsa) from the OpenVPN documentation directory
<code bash>
cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/.
cd /etc/openvpn/easy-rsa/2.0/
</code>
3. Edit the variables used for the certificates
<code bash>
vi vars
</code>
Find and edit the following lines.
<code bash>
export KEY_COUNTRY="TH"
export KEY_PROVINCE="BKK"
export KEY_CITY="Bangkok"
export KEY_ORG="Chtunnel-VPN"
export KEY_EMAIL="support@chtunnel.com"
</code>
4. Save and close the editor. Source the variables script and run the script that cleans out old leftovers.
<code bash>
source ./vars
./clean-all
</code>
If sourcing ''vars'' prints the warning below, the ''openssl.cnf'' that easy-rsa expects is missing from ''/etc/openvpn/easy-rsa/2.0/'' and the key-generation scripts in the next step will fail until it is present (on Ubuntu 12.04 the directory ships it as ''openssl-1.0.0.cnf'', which can be copied to ''openssl.cnf''):
<code>
**************************************************************
No /etc/openvpn/easy-rsa/2.0/openssl.cnf file could be found
Further invocations will fail
**************************************************************
</code>
5. Create the CA, the server and client certificates and their private keys. Run the scripts in order, simply answering ENTER or YES. ''servername'' creates the certificate for the server and ''clientname'' the certificate for the client; both are just names that the corresponding configuration files will refer to later (the ''server.conf'' below expects ''server.crt'' and ''server.key'', and the Windows client section ''client.crt'' and ''client.key'', so either use ''server'' and ''client'' here or adjust those files).
<code bash>
./build-ca
./build-key-server servername
./build-key clientname
./build-dh
mv keys /etc/openvpn/.
</code>
====== Configuring user authentication with MySQL ======
1. Create a directory for the scripts, '/etc/openvpn/script'
<code bash>
mkdir /etc/openvpn/script
cd /etc/openvpn/script
</code>
2. Create the config.sh file, '/etc/openvpn/script/config.sh'
<code bash>
#!/bin/bash
## Database server
HOST='localhost'
# Default port = 3306
PORT='3306'
# User name
USER='USERNAME'
# Password
PASS='PASSWORD'
# Database name
DB='openvpn'
</code>
3. Create the file test_connect_db.sh for testing the connection, '/etc/openvpn/script/test_connect_db.sh'
<code bash>
#!/bin/bash
. /etc/openvpn/script/config.sh
## Test authentication with a user name and password given on the command line
username=$1
password=$2
user_id=$(mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -sN -e "select user_id from user where user_id = '$username' AND user_pass = '$password' AND user_enable=1 AND user_start_date != user_end_date AND TO_DAYS(now()) >= TO_DAYS(user_start_date) AND (TO_DAYS(now()) <= TO_DAYS(user_end_date) OR user_end_date='0000-00-00')")
## Check user: the query must return exactly the requested user id
if [ -n "$user_id" ] && [ "$user_id" = "$username" ]; then
    echo "user : $username"
    echo 'authentication ok.'
    exit 0
else
    echo 'authentication failed.'
    exit 1
fi
</code>
4. Create the script login.sh, '/etc/openvpn/script/login.sh'
<code bash>
#!/bin/bash
. /etc/openvpn/script/config.sh
## Authentication: with "auth-user-pass-verify ... via-env" OpenVPN passes the
## client's credentials in the $username and $password environment variables
user_id=$(mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -sN -e "select user_id from user where user_id = '$username' AND user_pass = '$password' AND user_enable=1 AND user_start_date != user_end_date AND TO_DAYS(now()) >= TO_DAYS(user_start_date) AND (TO_DAYS(now()) <= TO_DAYS(user_end_date) OR user_end_date='0000-00-00')")
## Check user: exit status 0 accepts the client, anything else rejects it
if [ -n "$user_id" ] && [ "$user_id" = "$username" ]; then
    echo "user : $username"
    echo 'authentication ok.'
    exit 0
else
    echo 'authentication failed.'
    exit 1
fi
</code>
5. Create the script connect.sh, '/etc/openvpn/script/connect.sh'
<code bash>
#!/bin/bash
. /etc/openvpn/script/config.sh
## Insert the new connection into the log table
## ($common_name, $trusted_ip, $trusted_port, ... are set by OpenVPN in the script's environment)
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "INSERT INTO log (log_id,user_id,log_trusted_ip,log_trusted_port,log_remote_ip,log_remote_port,log_start_time,log_end_time,log_received,log_send) VALUES(NULL,'$common_name','$trusted_ip','$trusted_port','$ifconfig_pool_remote_ip','$remote_port_1',now(),'0000-00-00 00:00:00','$bytes_received','$bytes_sent')"
## Mark the connected user as online
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE user SET user_online=1 WHERE user_id='$common_name'"
</code>
6. Create the script disconnect.sh, '/etc/openvpn/script/disconnect.sh'
<code bash>
#!/bin/bash
. /etc/openvpn/script/config.sh
## Mark the disconnected user as offline
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE user SET user_online=0 WHERE user_id='$common_name'"
## Close the still-open log row for this user and client endpoint, recording end time and traffic
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE log SET log_end_time=now(),log_received='$bytes_received',log_send='$bytes_sent' WHERE log_trusted_ip='$trusted_ip' AND log_trusted_port='$trusted_port' AND user_id='$common_name' AND log_end_time='0000-00-00 00:00:00'"
</code>
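The following is an added example, not code from the original page: it re-implements the checks of login.sh (steps 3 and 4) and the session bookkeeping of connect.sh and disconnect.sh (steps 5 and 6) in Python against an in-memory SQLite copy of the ''user'' and ''log'' tables, so the logic can be exercised without a MySQL server or an OpenVPN client. It keeps the page's validity rules (account enabled, start date not equal to end date, today inside the window, ''0000-00-00'' meaning no expiry) and the page's rule that only the log row with an open end time is closed on disconnect. Two things are assumptions of this example rather than the page's design: the user-supplied name and password are bound as query parameters instead of being spliced into the SQL text as the shell scripts do, and ''user_pass'' holds a salted PBKDF2 hash instead of the clear-text password (which would need a wider column than the page's ''varchar(32)''). The hostnames, ports and dates in ''demo()'' are constructed sample values.

```python
"""Added example: the login/connect/disconnect logic of the page's shell scripts,
rewritten with parameterised SQL and hashed passwords over an in-memory SQLite
stand-in for the MySQL `user` and `log` tables. Not the page's own code."""
import hashlib
import hmac
import os
import sqlite3
from datetime import date

NO_END = "0000-00-00"              # the page's sentinel for "account never expires"
NO_END_TS = "0000-00-00 00:00:00"  # the page's sentinel for "session still open"
ITERATIONS = 100_000               # PBKDF2 work factor (assumption, not from the page)


def hash_password(password, salt=None):
    """Return 'salthex$digesthex' for storage in user_pass (assumed format)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Constant-time comparison of the candidate password against the stored hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def open_db():
    """In-memory copy of the page's tables, trimmed to the columns the scripts use."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user (
            user_id TEXT PRIMARY KEY, user_pass TEXT NOT NULL,
            user_online INTEGER NOT NULL DEFAULT 0, user_enable INTEGER NOT NULL DEFAULT 1,
            user_start_date TEXT NOT NULL, user_end_date TEXT NOT NULL);
        CREATE TABLE log (
            log_id INTEGER PRIMARY KEY AUTOINCREMENT, user_id TEXT NOT NULL,
            log_trusted_ip TEXT, log_trusted_port TEXT, log_remote_ip TEXT,
            log_start_time TEXT NOT NULL, log_end_time TEXT NOT NULL,
            log_received REAL NOT NULL DEFAULT 0, log_send REAL NOT NULL DEFAULT 0);
    """)
    return db


def add_user(db, user_id, password, start, end=NO_END, enabled=1):
    db.execute("INSERT INTO user (user_id, user_pass, user_enable, user_start_date, user_end_date)"
               " VALUES (?, ?, ?, ?, ?)", (user_id, hash_password(password), enabled, start, end))


def authenticate(db, username, password, today=None):
    """Same predicate as login.sh, with the credentials bound as parameters.
    ISO date strings compare like TO_DAYS(), and '0000-00-00' sorts before any real date."""
    today = (today or date.today()).isoformat()
    row = db.execute(
        "SELECT user_pass FROM user WHERE user_id = ? AND user_enable = 1"
        " AND user_start_date != user_end_date AND user_start_date <= ?"
        " AND (user_end_date >= ? OR user_end_date = ?)",
        (username, today, today, NO_END)).fetchone()
    return row is not None and verify_password(password, row[0])


def on_connect(db, common_name, trusted_ip, trusted_port, remote_ip, now):
    """connect.sh: open a log row with the sentinel end time and mark the user online."""
    db.execute("INSERT INTO log (user_id, log_trusted_ip, log_trusted_port, log_remote_ip,"
               " log_start_time, log_end_time) VALUES (?, ?, ?, ?, ?, ?)",
               (common_name, trusted_ip, trusted_port, remote_ip, now, NO_END_TS))
    db.execute("UPDATE user SET user_online = 1 WHERE user_id = ?", (common_name,))


def on_disconnect(db, common_name, trusted_ip, trusted_port, received, sent, now):
    """disconnect.sh: mark the user offline and close only the still-open row for
    this user and client endpoint. Returns the number of log rows closed."""
    db.execute("UPDATE user SET user_online = 0 WHERE user_id = ?", (common_name,))
    cur = db.execute(
        "UPDATE log SET log_end_time = ?, log_received = ?, log_send = ?"
        " WHERE user_id = ? AND log_trusted_ip = ? AND log_trusted_port = ? AND log_end_time = ?",
        (now, received, sent, common_name, trusted_ip, trusted_port, NO_END_TS))
    return cur.rowcount


def demo():
    """Constructed walk-through: the page's 'test' user plus an expired account."""
    db = open_db()
    add_user(db, "test", "1234", "2012-01-01")                  # the page's sample user
    add_user(db, "old", "1234", "2012-01-01", "2012-06-30")     # constructed: expired
    today = date(2012, 9, 1)                                    # constructed "today"
    results = {
        "ok": authenticate(db, "test", "1234", today),
        "bad_pass": authenticate(db, "test", "12345", today),
        "expired": authenticate(db, "old", "1234", today),
        # a quote in the name is just data here, not part of the SQL text
        "quoted_name": authenticate(db, "test' --", "1234", today),
    }
    on_connect(db, "test", "203.0.113.7", "51000", "10.4.0.6", "2012-09-01 08:00:00")
    results["closed_rows"] = on_disconnect(db, "test", "203.0.113.7", "51000",
                                           1024.0, 2048.0, "2012-09-01 09:00:00")
    results["online"] = db.execute("SELECT user_online FROM user WHERE user_id = 'test'").fetchone()[0]
    return results


if __name__ == "__main__":
    print(demo())
```

''demo()'' returns a dictionary in which only the ''ok'' check succeeds; a second ''on_disconnect()'' for the same endpoint would return 0 because the row's end time is no longer the sentinel, which is exactly the property disconnect.sh relies on to avoid touching earlier sessions.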
7. Create the OpenVPN configuration files. On startup the OpenVPN server scans '/etc/openvpn' for .conf files and starts a separate process for each configuration.
Create the file server.conf, listening on port 443, '/etc/openvpn/server.conf'
<code>
## protocol and port
port 443
proto tcp
dev tun
## VPN subnet for server and clients
server 10.4.0.0 255.255.255.0
## keys
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
## options
persist-key
persist-tun
keepalive 5 60
reneg-sec 432000
## authentication options
comp-lzo
user nobody
#group nogroup
client-to-client
username-as-common-name
client-cert-not-required
auth-user-pass-verify /etc/openvpn/script/login.sh via-env
## pushed to clients
max-clients 50
push "persist-key"
push "persist-tun"
push "redirect-gateway def1"
#push "explicit-exit-notify 1"
## DNS servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
## connect/disconnect scripts
script-security 3 system
client-connect /etc/openvpn/script/connect.sh
client-disconnect /etc/openvpn/script/disconnect.sh
## log and status files
status /var/log/openvpn/server.log
log-append /var/log/openvpn/openvpn.log
verb 3
</code>
8. Create the log directory '/var/log/openvpn' and change the permissions. Note that 755 also makes the private key in ''/etc/openvpn/keys'' and the database password in ''config.sh'' readable by every local account.
<code bash>
mkdir /var/log/openvpn
touch /var/log/openvpn/openvpn.log
touch /var/log/openvpn/server.log
chmod -R 755 /etc/openvpn
chmod -R 755 /var/log/openvpn
</code>
9. Test that the script can authenticate against the database, using the user name ''test'' and the password ''1234''
<code bash>
/etc/openvpn/script/test_connect_db.sh test 1234
# user : test
# authentication ok.
</code>
If authentication fails (''failed''), check the user names and passwords in the database and in the configuration file ''/etc/openvpn/script/config.sh''.
10. Start the OpenVPN service.
<code bash>
/etc/init.d/openvpn start
</code>
====== Internet access for clients ======
1. Edit '/etc/sysctl.conf'. Find the line:
<code>
#net.ipv4.ip_forward=1
</code>
Change it to:
<code>
net.ipv4.ip_forward=1
</code>
2. Edit '/etc/rc.local'. Before ''exit 0'' add the following lines:
<code bash>
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
</code>
3. With ''iptables'', translate the VPN subnet's private addresses to the public address (masquerading on the external interface, here ''eth0'')
<code bash>
iptables -t nat -A POSTROUTING -s 10.4.0.0/24 -o eth0 -j MASQUERADE
</code>
====== Configuring the OpenVPN Windows client ======
Tested on: Windows XP; Windows 7.
1. Download the OpenVPN client [http://openvpn.se/download.html] and install it.
2. If the installation directory was not changed, copy the certificate files created on the server, ''ca.crt'', ''client.crt'' and ''client.key'', into ''C:\Program Files (x86)\OpenVPN\config''.
3. Create the connection configuration file ''client.ovpn''. The extension must be ''ovpn''.
<code>
client
dev tun
proto tcp
remote hostname_or_hostIP 443
nobind
auth-user-pass
reneg-sec 432000
resolv-retry infinite
ca ca.crt
comp-lzo
verb 1
</code>
4. Check that the connection works.
====== Further information ======
* [[windows:openvpn-windows-instalacijas-ar-gatavu-konfiguraciju-izveide|Creating an OpenVPN Windows installer with a ready-made configuration]]
{{tag>Ubuntu_12.04 Ubuntu OpenVPN Linux}}