OpenVPN server installation

This article describes how to install an OpenVPN server on Linux. VPN user accounts are stored in a MySQL database.

Tested on: Ubuntu 12.04 LTS.

MySQL database

1. Install the MySQL server. Create the database "openvpn", a corresponding user, and grant it privileges on that database.

2. Create the database tables and populate them with data.

The user table

CREATE TABLE IF NOT EXISTS `user` (
    `user_id` varchar(32) COLLATE utf8_unicode_ci NOT NULL,
    `user_pass` varchar(32) COLLATE utf8_unicode_ci NOT NULL DEFAULT '1234',
    `user_mail` varchar(64) COLLATE utf8_unicode_ci DEFAULT NULL,
    `user_phone` varchar(16) COLLATE utf8_unicode_ci DEFAULT NULL,
    `user_online` tinyint(1) NOT NULL DEFAULT '0',
    `user_enable` tinyint(1) NOT NULL DEFAULT '1',
    `user_start_date` date NOT NULL,
    `user_end_date` date NOT NULL,
    PRIMARY KEY (`user_id`),
    KEY `user_pass` (`user_pass`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

The log table

CREATE TABLE IF NOT EXISTS `log` (
    `log_id` int(10) unsigned NOT NULL AUTO_INCREMENT,
    `user_id` varchar(32) COLLATE utf8_unicode_ci NOT NULL,
    `log_trusted_ip` varchar(32) COLLATE utf8_unicode_ci DEFAULT NULL,
    `log_trusted_port` varchar(16) COLLATE utf8_unicode_ci DEFAULT NULL,
    `log_remote_ip` varchar(32) COLLATE utf8_unicode_ci DEFAULT NULL,
    `log_remote_port` varchar(16) COLLATE utf8_unicode_ci DEFAULT NULL,
    `log_start_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
    `log_end_time` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
    `log_received` float NOT NULL DEFAULT '0',
    `log_send` float NOT NULL DEFAULT '0',
    PRIMARY KEY (`log_id`),
    KEY `user_id` (`user_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

Sample user data

INSERT INTO `user` (
    `user_id`, `user_pass`, `user_mail`, `user_phone`,
    `user_online`, `user_enable`, `user_start_date`, `user_end_date`
)
VALUES (
    'test', '1234', 'mr.tumcpe@gmail.com',
    '+66815447514', 0, 1, '2012-01-01', '0000-00-00'
);

Installing OpenVPN and creating the certificates

1. Install OpenVPN

apt-get install openvpn

2. Copy the certificate generator (easy-rsa) out of the OpenVPN documentation directory

cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/.
cd /etc/openvpn/easy-rsa/2.0/

3. Edit the variables used for the certificates

vi vars

Find and edit the following lines.

export KEY_COUNTRY="TH"
export KEY_PROVINCE="BKK"
export KEY_CITY="Bangkok"
export KEY_ORG="Chtunnel-VPN"
export KEY_EMAIL="support@chtunnel.com"

4. Save and close the editor. Source the variables script and run the script that cleans out old leftovers.

source ./vars
./clean-all
**************************************************************
  No /etc/openvpn/easy-rsa/2.0/openssl.cnf file could be found
  Further invocations will fail
**************************************************************
# Added note: the box above is printed by vars when it finds no openssl.cnf in this directory.
# On Ubuntu 12.04 copy the bundled openssl-1.0.0.cnf to openssl.cnf and run "source ./vars" again before continuing.

5. Create the public and private certificates. Run the scripts in order, simply answering with ENTER or YES. servername creates the server certificate; clientname creates the client certificate. servername and clientname are just names, which later have to be used in the corresponding configuration files.

./build-ca
./build-key-server servername
./build-key clientname
./build-dh
mv keys /etc/openvpn/.

Configuring user authentication with MySQL

1. Create a directory for the scripts, '/etc/openvpn/script'

mkdir /etc/openvpn/script
cd /etc/openvpn/script

2. Create the file config.sh at '/etc/openvpn/script/config.sh'

#!/bin/bash

## Database server
HOST='localhost'

## Default port = 3306
PORT='3306'

## MySQL account the scripts connect with
USER='USERNAME'

## Password of that account
PASS='PASSWORD'

## Database name
DB='openvpn'

3. Create the file test_connect_db.sh at '/etc/openvpn/script/test_connect_db.sh' for testing the database connection

#!/bin/bash

. /etc/openvpn/script/config.sh

## Test authentication: username and password come from the command line
username=$1
password=$2

## Escape backslashes and single quotes so the values cannot break out of the SQL string literal
sql_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"; }
u=$(sql_escape "$username")
p=$(sql_escape "$password")
## Valid when the account is enabled and today is inside the start/end window (end 0000-00-00 = no expiry; start == end = never valid)
user_id=$(mysql -h"$HOST" -P"$PORT" -u"$USER" -p"$PASS" "$DB" -sN -e "SELECT user_id FROM user WHERE user_id = '$u' AND user_pass = '$p' AND user_enable = 1 AND user_start_date != user_end_date AND TO_DAYS(NOW()) >= TO_DAYS(user_start_date) AND (TO_DAYS(NOW()) <= TO_DAYS(user_end_date) OR user_end_date = '0000-00-00')")
## Check user
if [ -n "$user_id" ] && [ "$user_id" = "$username" ]; then
    echo "user : $username"
    echo 'authentication ok.'
    exit 0
fi
echo 'authentication failed.'
exit 1

4. Create the script login.sh at '/etc/openvpn/script/login.sh'

#!/bin/bash

. /etc/openvpn/script/config.sh

## Authentication: with "auth-user-pass-verify ... via-env" OpenVPN passes the client's credentials in $username and $password
## Escape backslashes and single quotes so the values cannot break out of the SQL string literal
sql_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"; }
u=$(sql_escape "$username")
p=$(sql_escape "$password")
user_id=$(mysql -h"$HOST" -P"$PORT" -u"$USER" -p"$PASS" "$DB" -sN -e "SELECT user_id FROM user WHERE user_id = '$u' AND user_pass = '$p' AND user_enable = 1 AND user_start_date != user_end_date AND TO_DAYS(NOW()) >= TO_DAYS(user_start_date) AND (TO_DAYS(NOW()) <= TO_DAYS(user_end_date) OR user_end_date = '0000-00-00')")
## Check user: exit status 0 tells OpenVPN to accept the client, anything else rejects it
if [ -n "$user_id" ] && [ "$user_id" = "$username" ]; then
    echo "user : $username"
    echo 'authentication ok.'
    exit 0
fi
echo 'authentication failed.'
exit 1
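The acceptance rule in the WHERE clause of test_connect_db.sh and login.sh is easiest to reason about when it can be run against known rows. The following is an added example, not part of the original page: it models the user table in an in-memory SQLite database (standing in for MySQL), re-implements the same rule in Python, and binds the credentials as query parameters instead of pasting them into the SQL string. The sample rows and the fixed "today" are constructed for the demonstration.

```python
import sqlite3
from datetime import date

# Constructed in-memory stand-in for the page's MySQL `user` table (only the columns the check needs)
SCHEMA = """CREATE TABLE user (
    user_id TEXT PRIMARY KEY,
    user_pass TEXT NOT NULL,
    user_enable INTEGER NOT NULL DEFAULT 1,
    user_start_date TEXT NOT NULL,
    user_end_date TEXT NOT NULL)"""

NO_EXPIRY = "0000-00-00"  # sentinel the page stores in user_end_date for accounts that never expire

# Constructed sample rows; the first mirrors the page's 'test' account
SAMPLE_USERS = [
    ("test", "1234", 1, "2012-01-01", NO_EXPIRY),          # no expiry
    ("expired", "1234", 1, "2012-01-01", "2012-12-31"),    # window already closed
    ("future", "1234", 1, "2099-01-01", NO_EXPIRY),        # window not yet open
    ("disabled", "1234", 0, "2012-01-01", NO_EXPIRY),      # user_enable = 0
    ("zero", "1234", 1, "2012-01-01", "2012-01-01"),       # start == end: never valid
]

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO user VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return db

def window_open(start, end, today):
    """Date part of the scripts' WHERE clause: start != end, today >= start,
    and either end is the no-expiry sentinel or today <= end."""
    if start == end or start == NO_EXPIRY or today < date.fromisoformat(start):
        return False
    return end == NO_EXPIRY or today <= date.fromisoformat(end)

def authenticate(db, username, password, today=None):
    """True only if a row with that user_id and user_pass exists, is enabled and its window is open.
    Credentials are bound as parameters, so a quote in them cannot change the query."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    row = db.execute(
        "SELECT user_enable, user_start_date, user_end_date FROM user "
        "WHERE user_id = ? AND user_pass = ?",
        (username, password),
    ).fetchone()
    return row is not None and row[0] == 1 and window_open(row[1], row[2], today)
```

It keeps the page's plaintext user_pass comparison; storing a password hash instead would change only the comparison, not the window logic.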

5. Create the script connect.sh at '/etc/openvpn/script/connect.sh'

#!/bin/bash

. /etc/openvpn/script/config.sh

## Insert the new connection into the log table. With username-as-common-name, $common_name is the
## authenticated username. OpenVPN sets $bytes_received/$bytes_sent only before client-disconnect,
## so the counters start at 0 here and are filled in by disconnect.sh.
mysql -h"$HOST" -P"$PORT" -u"$USER" -p"$PASS" "$DB" -e "INSERT INTO log (log_id, user_id, log_trusted_ip, log_trusted_port, log_remote_ip, log_remote_port, log_start_time, log_end_time, log_received, log_send) VALUES (NULL, '$common_name', '$trusted_ip', '$trusted_port', '$ifconfig_pool_remote_ip', '$remote_port_1', NOW(), '0000-00-00 00:00:00', 0, 0)"

## Mark the connected user as online
mysql -h"$HOST" -P"$PORT" -u"$USER" -p"$PASS" "$DB" -e "UPDATE user SET user_online=1 WHERE user_id='$common_name'"

6. Create the script disconnect.sh at '/etc/openvpn/script/disconnect.sh'

#!/bin/bash

. /etc/openvpn/script/config.sh

## Mark the disconnected user as offline
mysql -h"$HOST" -P"$PORT" -u"$USER" -p"$PASS" "$DB" -e "UPDATE user SET user_online=0 WHERE user_id='$common_name'"

## Close this session's open log row: record the end time and the byte counters,
## which OpenVPN sets in $bytes_received and $bytes_sent before running client-disconnect
mysql -h"$HOST" -P"$PORT" -u"$USER" -p"$PASS" "$DB" -e "UPDATE log SET log_end_time=NOW(), log_received='$bytes_received', log_send='$bytes_sent' WHERE log_trusted_ip='$trusted_ip' AND log_trusted_port='$trusted_port' AND user_id='$common_name' AND log_end_time='0000-00-00 00:00:00'"

7. Create the OpenVPN configuration files. At startup the OpenVPN server scans '/etc/openvpn' for .conf files and starts a separate process for each configuration.

Create the file server.conf at '/etc/openvpn/server.conf', listening on port 443

## protocol and port
port 443
proto tcp
dev tun

## VPN subnet for the server and its clients
server 10.4.0.0 255.255.255.0

## keys: the file names follow the servername given to build-key-server
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem

## options
persist-key
persist-tun
keepalive 5 60
reneg-sec 432000

## authentication options: clients present no certificate, only a username/password
## that login.sh checks; via-env hands the credentials to the script in its environment
comp-lzo
user nobody
#group nogroup
client-to-client
username-as-common-name
client-cert-not-required
auth-user-pass-verify /etc/openvpn/script/login.sh via-env

## push to client
max-clients 50
push "persist-key"
push "persist-tun"
push "redirect-gateway def1"
#push "explicit-exit-notify 1"

## DNS servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

## connect/disconnect scripts (level 3 is required for via-env to expose the password to login.sh)
script-security 3 system
client-connect /etc/openvpn/script/connect.sh
client-disconnect /etc/openvpn/script/disconnect.sh

## log and status
status /var/log/openvpn/server.log
log-append /var/log/openvpn/openvpn.log
verb 3

8. Create the directory for the log files, '/var/log/openvpn', and set permissions

mkdir /var/log/openvpn
touch /var/log/openvpn/openvpn.log
touch /var/log/openvpn/server.log
# After startup the scripts run as the unprivileged 'user nobody', so they must be readable and executable by it.
# Note that 755 also leaves config.sh, which holds the database password, readable by every local user.
chmod -R 755 /etc/openvpn
chmod -R 755 /var/log/openvpn
# The server key is read once as root at startup (persist-key keeps it in memory), so it need not be world-readable
chmod 600 /etc/openvpn/keys/*.key

9. Test that the script can connect to the database, using the username test and the password 1234

/etc/openvpn/script/test_connect_db.sh test 1234
# user : test
# authentication ok.

If authentication fails ('authentication failed.'), check the user names and passwords in the database and in the configuration file /etc/openvpn/script/config.sh.

10. Start the OpenVPN service.

/etc/init.d/openvpn start

Internet access for clients

1. Edit '/etc/sysctl.conf'. Find the line:

#net.ipv4.ip_forward=1

Change it to:

net.ipv4.ip_forward=1

2. Edit '/etc/rc.local'. Before exit 0 add the following lines:

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

3. With iptables, translate the VPN clients' private addresses to the public one

# NAT the VPN subnet out of eth0; this rule is not kept across reboots unless saved or added to rc.local as well
iptables -t nat -A POSTROUTING -s 10.4.0.0/24 -o eth0 -j MASQUERADE

Configuring the OpenVPN client on Windows

Tested on: Windows XP; Windows 7.

1. Download the OpenVPN client [http://openvpn.se/download.html] and install it.

2. If the installation directory was not changed, copy the certificate files created on the server (ca.crt, client.crt, client.key) into C:\Program Files (x86)\OpenVPN\config.

3. Create the connection configuration file client.ovpn. The extension must be .ovpn.

client
dev tun

proto tcp
# the server's host name or public IP address
remote hostname_or_hostIP 443

nobind
auth-user-pass
reneg-sec 432000
resolv-retry infinite

ca ca.crt
comp-lzo
verb 1

4. Check that the connection works.

Additional information

linux/openvpn-instalacija.txt · Last modified: 10.10.2013 13:55 by Imants