OpenVPN deployment: RADIUS authentication for OpenVPN

If libgcrypt has already been compiled and installed on this CentOS host, go back to its source directory and run make uninstall first. The software used below is strict about versions: with the wrong ones either the build fails or the result cannot be used. The packages used here have been uploaded to Baidu Netdisk: http://pan.baidu.com/s/1i3suZOD
1. Install libgpg-error-1.9

[root@Zabbix-Server src]# tar -zxvf libgpg-error-1.9.tar.gz
[root@Zabbix-Server src]# cd libgpg-error-1.9
[root@Zabbix-Server libgpg-error-1.9]# ./configure
[root@Zabbix-Server libgpg-error-1.9]# make && make install

2. Install libgcrypt-1.4.3

[root@Zabbix-Server src]# tar -zxvf libgcrypt-1.4.3.tar.gz
[root@Zabbix-Server libgcrypt-1.4.3]# cd libgcrypt-1.4.3
[root@Zabbix-Server libgcrypt-1.4.3]# ./configure
[root@Zabbix-Server libgcrypt-1.4.3]# make && make install

3. Build radiusplugin_v2.1 and copy the generated radiusplugin.so and radiusplugin.cnf into the OpenVPN installation directory

[root@Zabbix-Server src]# tar -zxvf radiusplugin_v2.1.tar.gz
[root@Zabbix-Server libgcrypt-1.4.3]# cd radiusplugin
[root@Zabbix-Server libgcrypt-1.4.3]# make
[root@Zabbix-Server radiusplugin]# cp radiusplugin.so /usr/local/openvpn/
[root@Zabbix-Server radiusplugin]# cp radiusplugin.cnf /usr/local/openvpn/

4. Configure radiusplugin.cnf
The settings to watch are OpenVPNConfig (the path of the OpenVPN server configuration) and sharedsecret inside the server block, which must match the secret the RADIUS server has configured for this client.

[root@Zabbix-Server radiusplugin]# cd /usr/local/openvpn/
[root@Zabbix-Server openvpn]# grep -Ev "^#|^$" radiusplugin.cnf
NAS-Identifier=OpenVpn
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=127.0.0.1
OpenVPNConfig=/usr/local/openvpn/etc/server.conf
subnet=255.255.255.0
overwriteccfiles=true
server
{
    # The UDP port for radius accounting.
    acctport=1813
    # The UDP port for radius authentication.
    authport=1812
    # The name or ip address of the radius server.
    name=127.0.0.1
    # How many times should the plugin send the if there is no response?
    retry=1
    # How long should the plugin wait for a response?
    wait=1
    # The shared secret.
    sharedsecret=testing123
}
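
The values in radiusplugin.cnf (NAS-Identifier, Service-Type, Framed-Protocol, NAS-Port-Type, NAS-IP-Address, the server name/port and sharedsecret) are what the plugin puts into a RADIUS Access-Request when a VPN user logs in. The following is an added example, not code from the original post or from the radiusplugin project: it builds that Access-Request with the User-Password hiding from RFC 2865, answers it with a toy server that compares against a constructed radcheck-style dictionary, and verifies the Response Authenticator on the client side, which is how a mismatched sharedsecret shows up. Function names, the user "alice" and her password are assumptions made for the example.

```python
import hashlib
import os
import struct

# RADIUS packet codes and the attribute types used below (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
FRAMED_PROTOCOL, NAS_IDENTIFIER, NAS_PORT_TYPE = 7, 32, 61


def hide_password(password, secret, req_auth):
    """RFC 2865 section 5.2: pad the password to 16-byte blocks, then XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden, secret, req_auth):
    """Inverse of hide_password, as performed by the RADIUS server."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    """Type-Length-Value encoding of one attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(payload):
    attrs, pos = {}, 0
    while pos < len(payload):
        atype, alen = struct.unpack("!BB", payload[pos:pos + 2])
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_access_request(username, password, secret, ident, req_auth):
    """Access-Request carrying the attribute values set in radiusplugin.cnf."""
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes([127, 0, 0, 1]))   # NAS-IP-Address=127.0.0.1
             + attr(SERVICE_TYPE, struct.pack("!I", 5))      # Service-Type=5
             + attr(FRAMED_PROTOCOL, struct.pack("!I", 1))   # Framed-Protocol=1
             + attr(NAS_PORT_TYPE, struct.pack("!I", 5))     # NAS-Port-Type=5
             + attr(NAS_IDENTIFIER, b"OpenVpn"))             # NAS-Identifier=OpenVpn
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_reply(request, secret, radcheck):
    """Toy server: unhide the password, compare it with the radcheck entry and
    answer Access-Accept or Access-Reject. The Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs[USER_NAME].decode(errors="replace")
    password = unhide_password(attrs[USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if radcheck.get(user, "").encode() == password else ACCESS_REJECT
    head = struct.pack("!BBH", code, ident, 20)          # no reply attributes
    return head + hashlib.md5(head + req_auth + secret).digest()


def verify_reply(reply, req_auth, secret):
    """Client-side check: recompute the Response Authenticator with our own
    secret. A mismatch means the reply was not built with the same shared secret."""
    head, resp_auth, body = reply[:4], reply[4:20], reply[20:]
    return hashlib.md5(head + req_auth + body + secret).digest() == resp_auth


def authenticate(username, password, nas_secret, server_secret, radcheck):
    """Whole exchange in memory; returns (reply code, authenticator valid)."""
    req_auth = os.urandom(16)
    request = build_access_request(username, password, nas_secret, 7, req_auth)
    reply = server_reply(request, server_secret, radcheck)
    return reply[0], verify_reply(reply, req_auth, nas_secret)


if __name__ == "__main__":
    # Constructed sample: one user as it would appear in the radcheck table.
    users = {"alice": "s3cret-pass"}
    print(authenticate("alice", "s3cret-pass", b"testing123", b"testing123", users))  # (2, True)
    print(authenticate("alice", "wrong", b"testing123", b"testing123", users))        # (3, True)
    print(authenticate("alice", "s3cret-pass", b"testing123", b"other", users))       # (3, False)
```

The third call shows why a wrong sharedsecret looks like a plain "bad password" in the OpenVPN log: the server unhides garbage and rejects, and only the failed Response Authenticator check on the NAS side tells the two cases apart.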

5. OpenVPN server configuration: server.conf
The settings to watch are tls-auth, client-config-dir and plugin. client-config-dir must name a directory: with overwriteccfiles=true the plugin writes a per-user client config file there.

[root@Zabbix-Server openvpn]# grep -Ev "^#|^$" etc/server.conf
port 1194
proto tcp
dev tun
ca /usr/local/openvpn/keys/ca.crt
cert /usr/local/openvpn/keys/server.crt
key /usr/local/openvpn/keys/server.key
dh /usr/local/openvpn/keys/dh1024.pem
tls-auth /usr/local/openvpn/keys/ta.key 0
client-config-dir /etc/raddb/clients.conf
server 10.0.8.0 255.255.255.0
push "dhcp-option DNS 202.96.209.5"
push "route 10.10.10.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
client-cert-not-required
username-as-common-name
plugin /usr/local/openvpn/radiusplugin.so /usr/local/openvpn/radiusplugin.cnf
log /var/log/openvpn.log
status /var/log/openvpn-status.log
verb 5

The ta.key referenced there is the tls-auth key used to guard against DDoS attacks on the server; it is generated with the openvpn command.

[root@Zabbix-Server sbin]# ./openvpn --genkey --secret ta.key

6. OpenVPN client configuration
Copy the server's ta.key and ca.crt files into the client's C:\Program Files\OpenVPN\config folder.

The client configuration file client.ovpn is as follows:

client
dev tun
proto tcp
remote 192.168.5.168 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-auth ta.key 1
ns-cert-type server
comp-lzo
verb 3
route-method exe
route-delay 2
auth-user-pass
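
Steps 4 to 6 have to agree with each other: the plugin reads the server.conf named by OpenVPNConfig, server.conf must load the plugin with that radiusplugin.cnf, the tls-auth direction is 0 on the server and 1 on the client, password-only logins need auth-user-pass on the client, and the shared secret should not be a known example value. The following checker is an added example, not part of the original post; it parses trimmed copies of the three files shown above (embedded as constructed strings) and reports any mismatch. The function names and the 16-character minimum for sharedsecret are assumptions of the example; the is_dir parameter exists so the check can run without the real filesystem.

```python
import os


def parse_radiusplugin_cnf(text):
    """Parse radiusplugin.cnf: top-level key=value lines plus server { ... }
    blocks. Returns (top_level_dict, [server_dict, ...])."""
    top, servers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "{":
            continue
        if line == "server":
            current = {}
        elif line == "}":
            servers.append(current)
            current = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (top if current is None else current)[key] = value
    return top, servers


def parse_openvpn_conf(text):
    """Parse an OpenVPN config into {option: [args, ...]}; options that may
    repeat (push, plugin) keep every occurrence in order."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def check_configs(cnf_text, server_text, client_text, server_conf_path, cnf_path, is_dir=os.path.isdir):
    """Cross-check the three files from steps 4 to 6; returns a list of findings."""
    findings = []
    top, servers = parse_radiusplugin_cnf(cnf_text)
    srv, cli = parse_openvpn_conf(server_text), parse_openvpn_conf(client_text)

    # The plugin reads server.conf itself, so OpenVPNConfig must be the file OpenVPN runs with.
    if top.get("OpenVPNConfig") != server_conf_path:
        findings.append("OpenVPNConfig does not point at the server.conf in use")

    # The plugin line must pass this radiusplugin.cnf to radiusplugin.so.
    plugin_lines = [a for a in srv.get("plugin", []) if a and a[0].endswith("radiusplugin.so")]
    if not any(len(a) > 1 and a[1] == cnf_path for a in plugin_lines):
        findings.append("plugin line in server.conf does not pass radiusplugin.cnf to radiusplugin.so")

    # With overwriteccfiles=true the plugin writes a per-user file into client-config-dir.
    ccd = srv.get("client-config-dir", [[None]])[0][0]
    if top.get("overwriteccfiles", "false").lower() == "true" and (ccd is None or not is_dir(ccd)):
        findings.append("client-config-dir is missing or is not a directory")

    # tls-auth key direction: 0 on the server, 1 on the client.
    s_dir = srv.get("tls-auth", [[]])[0][1:2]
    c_dir = cli.get("tls-auth", [[]])[0][1:2]
    if s_dir != ["0"] or c_dir != ["1"]:
        findings.append("tls-auth direction must be 0 in server.conf and 1 in client.ovpn")

    # Password-only logins need auth-user-pass on the client side.
    if "client-cert-not-required" in srv and "auth-user-pass" not in cli:
        findings.append("server allows password-only clients but client.ovpn lacks auth-user-pass")

    # The shared secret is all that protects the NAS<->RADIUS exchange; the
    # FreeRADIUS example value is public. 16 characters is this example's own floor.
    for s in servers:
        secret = s.get("sharedsecret", "")
        if secret in ("", "testing123") or len(secret) < 16:
            findings.append("sharedsecret for server %s is empty, the example default or shorter than 16 characters"
                            % s.get("name", "?"))
    return findings


# Constructed samples: trimmed copies of the files shown in steps 4 to 6.
SAMPLE_CNF = """NAS-Identifier=OpenVpn
OpenVPNConfig=/usr/local/openvpn/etc/server.conf
overwriteccfiles=true
server
{
    authport=1812
    name=127.0.0.1
    sharedsecret=testing123
}
"""
SAMPLE_SERVER = """tls-auth /usr/local/openvpn/keys/ta.key 0
client-config-dir /etc/raddb/clients.conf
client-cert-not-required
username-as-common-name
plugin /usr/local/openvpn/radiusplugin.so /usr/local/openvpn/radiusplugin.cnf
"""
SAMPLE_CLIENT = """client
tls-auth ta.key 1
auth-user-pass
"""


def check_sample(is_dir=os.path.isdir):
    return check_configs(SAMPLE_CNF, SAMPLE_SERVER, SAMPLE_CLIENT,
                         "/usr/local/openvpn/etc/server.conf",
                         "/usr/local/openvpn/radiusplugin.cnf", is_dir)


if __name__ == "__main__":
    for finding in check_sample():
        print("FINDING:", finding)
```

Run against the post's own values, the checker flags the example shared secret and, on a host where /etc/raddb/clients.conf is a file rather than a directory, the client-config-dir setting; everything else lines up.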

After restarting the OpenVPN server, clients can log in to the VPN with a username and password. To add a new user, simply insert a new record into the radcheck table of the RADIUS database, which is quick and convenient.
Source: http://www.xiaomastack.com/2014/12/04/openvpnradius/
