This is an old version of the document!
This article describes the installation of an OpenVPN server on Linux. VPN user data is stored in a MySQL database.
Tested on: Ubuntu 12.04 LTS.
1. Install the MySQL server. Create the database "openvpn", a matching user, and grant that user privileges on the database.
2. Create the database tables and fill them with data.
The user table
-- Passwords are stored in clear text in user_pass and compared verbatim by the scripts below.
CREATE TABLE IF NOT EXISTS `user` (
  `user_id` varchar(32) COLLATE utf8_unicode_ci NOT NULL,
  `user_pass` varchar(32) COLLATE utf8_unicode_ci NOT NULL DEFAULT '1234',
  `user_mail` varchar(64) COLLATE utf8_unicode_ci DEFAULT NULL,
  `user_phone` varchar(16) COLLATE utf8_unicode_ci DEFAULT NULL,
  `user_online` tinyint(1) NOT NULL DEFAULT '0',
  `user_enable` tinyint(1) NOT NULL DEFAULT '1',
  `user_start_date` date NOT NULL,
  `user_end_date` date NOT NULL,
  PRIMARY KEY (`user_id`),
  KEY `user_pass` (`user_pass`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
The log table
-- One row per VPN session; log_end_time stays '0000-00-00 00:00:00' while the session is open.
CREATE TABLE IF NOT EXISTS `log` (
  `log_id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `user_id` varchar(32) COLLATE utf8_unicode_ci NOT NULL,
  `log_trusted_ip` varchar(32) COLLATE utf8_unicode_ci DEFAULT NULL,
  `log_trusted_port` varchar(16) COLLATE utf8_unicode_ci DEFAULT NULL,
  `log_remote_ip` varchar(32) COLLATE utf8_unicode_ci DEFAULT NULL,
  `log_remote_port` varchar(16) COLLATE utf8_unicode_ci DEFAULT NULL,
  `log_start_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
  `log_end_time` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
  `log_received` float NOT NULL DEFAULT '0',
  `log_send` float NOT NULL DEFAULT '0',
  PRIMARY KEY (`log_id`),
  KEY `user_id` (`user_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
user data
-- A test account; user_end_date '0000-00-00' means the account does not expire.
INSERT INTO `user` (
  `user_id`, `user_pass`, `user_mail`, `user_phone`,
  `user_online`, `user_enable`, `user_start_date`, `user_end_date`
) VALUES (
  'test', '1234', 'mr.tumcpe@gmail.com', '+66815447514',
  0, 1, '2012-01-01', '0000-00-00'
);
1. Install OpenVPN
apt-get install openvpn
2. Copy the certificate generator (easy-rsa) from the OpenVPN documentation directory
cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/.
cd /etc/openvpn/easy-rsa/2.0/
3. Edit the variables used for the certificates
vi vars
Find and edit the following lines.
export KEY_COUNTRY="TH"
export KEY_PROVINCE="BKK"
export KEY_CITY="Bangkok"
export KEY_ORG="Chtunnel-VPN"
export KEY_EMAIL="support@chtunnel.com"
4. Save and close the editor. Run the variables script and then the script that removes old leftovers.
source ./vars
./clean-all
The vars script may print the following warning:
**************************************************************
No /etc/openvpn/easy-rsa/2.0/openssl.cnf file could be found
Further invocations will fail
**************************************************************
5. Create the public and private certificates. Run the scripts one after another, simply answering with ENTER or YES. `./build-key-server servername` creates the certificate for the server; `./build-key clientname` creates the certificate for the client. servername and clientname are just names, which will later have to be used in the corresponding configuration files (the server.conf below expects the server certificate to be named server).
./build-ca
./build-key-server servername
./build-key clientname
./build-dh
mv keys /etc/openvpn/.
1. Create the directory for the scripts, '/etc/openvpn/script'
mkdir /etc/openvpn/script
cd /etc/openvpn/script
2. Create the config.sh file, '/etc/openvpn/script/config.sh'
#!/bin/bash
## Database server
HOST='localhost'
# Default port = 3306
PORT='3306'
# Username
USER='USERNAME'
# Password
PASS='PASSWORD'
# Database name
DB='openvpn'
3. Create the test_connect_db.sh file for testing the database connection, '/etc/openvpn/script/test_connect_db.sh'
#!/bin/bash
. /etc/openvpn/script/config.sh

## Test authentication: username and password come from the command line
username=$1
password=$2
# Both values are placed directly into the query text; the user must be enabled and inside its validity period
user_id=$(mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -sN -e "select user_id from user where user_id = '$username' AND user_pass = '$password' AND user_enable=1 AND user_start_date != user_end_date AND TO_DAYS(now()) >= TO_DAYS(user_start_date) AND (TO_DAYS(now()) <= TO_DAYS(user_end_date) OR user_end_date='0000-00-00')")

## Check user: exit 0 on success, exit 1 otherwise
[ "$user_id" != '' ] && [ "$user_id" = "$username" ] && echo "user : $username" && echo 'authentication ok.' && exit 0 || echo 'authentication failed.'; exit 1
4. Create the login.sh script, '/etc/openvpn/script/login.sh'
#!/bin/bash
. /etc/openvpn/script/config.sh

## Authentication: with "auth-user-pass-verify ... via-env" OpenVPN supplies the
## credentials in the environment variables username and password
user_id=$(mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -sN -e "select user_id from user where user_id = '$username' AND user_pass = '$password' AND user_enable=1 AND user_start_date != user_end_date AND TO_DAYS(now()) >= TO_DAYS(user_start_date) AND (TO_DAYS(now()) <= TO_DAYS(user_end_date) OR user_end_date='0000-00-00')")

## Check user: exit status 0 lets OpenVPN accept the client, anything else rejects it
[ "$user_id" != '' ] && [ "$user_id" = "$username" ] && echo "user : $username" && echo 'authentication ok.' && exit 0 || echo 'authentication failed.'; exit 1
5. Create the connect.sh script, '/etc/openvpn/script/connect.sh'
#!/bin/bash
. /etc/openvpn/script/config.sh

## Insert the new connection into the log table. common_name, trusted_ip, trusted_port,
## ifconfig_pool_remote_ip, remote_port_1, bytes_received and bytes_sent are environment
## variables that OpenVPN sets for the client-connect script.
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "INSERT INTO log (log_id,user_id,log_trusted_ip,log_trusted_port,log_remote_ip,log_remote_port,log_start_time,log_end_time,log_received,log_send) VALUES(NULL,'$common_name','$trusted_ip','$trusted_port','$ifconfig_pool_remote_ip','$remote_port_1',now(),'0000-00-00 00:00:00','$bytes_received','$bytes_sent')"

## Mark the connected user as online
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE user SET user_online=1 WHERE user_id='$common_name'"
6. Create the disconnect.sh script, '/etc/openvpn/script/disconnect.sh'
#!/bin/bash
. /etc/openvpn/script/config.sh

## Mark the disconnected user as offline
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE user SET user_online=0 WHERE user_id='$common_name'"

## Close the open log row for this session: set the end time and the final byte counters
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE log SET log_end_time=now(),log_received='$bytes_received',log_send='$bytes_sent' WHERE log_trusted_ip='$trusted_ip' AND log_trusted_port='$trusted_port' AND user_id='$common_name' AND log_end_time='0000-00-00 00:00:00'"
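The login.sh above pastes the username and password it receives straight into the SQL text, receives them through environment variables (via-env), and, like every script here, passes the database password as -p$PASS on the mysql command line where it is visible in the process list. The hardened login.sh below is an added example, not part of the original guide: it assumes the page's config.sh variables and user table unchanged, the via-file mode of auth-user-pass-verify (OpenVPN writes the username and password on two lines of a temporary file whose path is the script's first argument), and hands the database password to mysql through MYSQL_PWD. Usernames are restricted to a safe character set and both values are hex-encoded and compared through UNHEX(), so quote characters in either value cannot alter the query.

```shell
#!/bin/bash
# Hardened login.sh for: auth-user-pass-verify /etc/openvpn/script/login.sh via-file
# Added example (not the page's script). Assumes the page's config.sh variables
# (HOST, PORT, USER, PASS, DB) and `user` table; the DB password reaches mysql via MYSQL_PWD.
if [ -r /etc/openvpn/script/config.sh ]; then . /etc/openvpn/script/config.sh; fi

# Accept only non-empty usernames of at most 32 safe characters (no quotes, spaces, backslashes).
valid_username() {
    [ -n "$1" ] && [ "${#1}" -le 32 ] || return 1
    case "$1" in *[!A-Za-z0-9_.-]*) return 1 ;; esac
    return 0
}

# Hex-encode a string so it can be passed to MySQL inside UNHEX('...'); any quote
# character in the input becomes plain hex digits and cannot change the query structure.
hex_encode() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Build the lookup query with the same validity conditions as the page's login.sh.
build_auth_query() {
    printf "SELECT user_id FROM user WHERE user_id = UNHEX('%s') AND user_pass = UNHEX('%s') AND user_enable=1 AND user_start_date != user_end_date AND TO_DAYS(NOW()) >= TO_DAYS(user_start_date) AND (TO_DAYS(NOW()) <= TO_DAYS(user_end_date) OR user_end_date='0000-00-00')" \
        "$(hex_encode "$1")" "$(hex_encode "$2")"
}

# via-file: OpenVPN writes the username on line 1 and the password on line 2 of $1.
# Prints the query, or returns 1 when the username fails validation.
auth_query_from_file() {
    username=$(sed -n '1p' "$1")
    password=$(sed -n '2p' "$1")
    valid_username "$username" || return 1
    build_auth_query "$username" "$password"
}

# Entry point for OpenVPN: exit status 0 grants access, anything else denies it.
main() {
    query=$(auth_query_from_file "$1") || { echo 'authentication failed.'; exit 1; }
    found=$(MYSQL_PWD="$PASS" mysql -h"$HOST" -P"$PORT" -u"$USER" "$DB" -sN -e "$query")
    if [ -n "$found" ] && [ "$found" = "$(sed -n '1p' "$1")" ]; then
        echo 'authentication ok.'; exit 0
    fi
    echo 'authentication failed.'; exit 1
}

# Run only when OpenVPN passes the credentials file; sourcing the file just defines the functions.
if [ -n "${1:-}" ]; then main "$1"; fi
```

In server.conf this pairs with `auth-user-pass-verify /etc/openvpn/script/login.sh via-file`, and `script-security 2` is then sufficient because no password has to be handed to the script through the environment.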
7. Create the OpenVPN configuration files. When it starts, the OpenVPN server scans '/etc/openvpn' for .conf files and starts a separate process for each configuration.
Create the file server.conf, listening on port 443, '/etc/openvpn/server.conf'
##protocol port
port 443
proto tcp
dev tun
##ip server client
server 10.4.0.0 255.255.255.0
##key (file names assume the server certificate was built with servername = server)
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
##option
persist-key
persist-tun
keepalive 5 60
reneg-sec 432000
##option authen. (clients are identified by username/password only, no client certificate)
comp-lzo
user nobody
#group nogroup
client-to-client
username-as-common-name
client-cert-not-required
auth-user-pass-verify /etc/openvpn/script/login.sh via-env
##push to client
max-clients 50
push "persist-key"
push "persist-tun"
push "redirect-gateway def1"
#push "explicit-exit-notify 1"
##DNS-Server
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
##script connect-disconnect (level 3 is required for via-env, which passes the password through the environment)
script-security 3 system
client-connect /etc/openvpn/script/connect.sh
client-disconnect /etc/openvpn/script/disconnect.sh
##log-status
status /var/log/openvpn/server.log
log-append /var/log/openvpn/openvpn.log
verb 3
8. Create the directory for the log files, '/var/log/openvpn', and change the permissions
mkdir /var/log/openvpn
touch /var/log/openvpn/openvpn.log
touch /var/log/openvpn/server.log
# 755 makes the scripts executable; note that it also leaves every file under /etc/openvpn,
# including keys/ and config.sh with the database password, readable by all local users
chmod -R 755 /etc/openvpn
chmod -R 755 /var/log/openvpn
9. Test that the script can connect to the database, using the username test and the password 1234
/etc/openvpn/script/test_connect_db.sh test 1234
# user : test
# authentication ok.
If authentication fails (authentication failed.), check the usernames and passwords in the database and in the configuration file /etc/openvpn/script/config.sh.
10. Start the OpenVPN service.
/etc/init.d/openvpn start