OpenVPN deployment: RADIUS authentication for OpenVPN

If libgcrypt has already been compiled and installed on CentOS, go back into its source directory and run make uninstall first: the software used below is very particular about versions, and a mismatch either breaks the installation or leaves it unusable afterwards. The packages used here have been uploaded to Baidu Netdisk: http://pan.baidu.com/s/1i3suZOD
1. Install libgpg-error-1.9

$ tar -zxvf libgpg-error-1.9.tar.gz 
$ cd libgpg-error-1.9
$ ./configure
$ make && make install

2. Install libgcrypt-1.4.3

$ tar -zxvf libgcrypt-1.4.3.tar.gz
$ cd libgcrypt-1.4.3
$ ./configure
$ make && make install

3. Install radiusplugin_v2.1 and copy the compiled radiusplugin.so and radiusplugin.cnf into the OpenVPN installation directory

$ tar -zxvf radiusplugin_v2.1.tar.gz
$ cd radiusplugin
$ make
$ cp radiusplugin.so /usr/local/openvpn/
$ cp radiusplugin.cnf /usr/local/openvpn/

4. Configure radiusplugin.cnf; the settings to pay attention to are OpenVPNConfig and the server's sharedsecret

$ cd /usr/local/openvpn/
$ grep -Ev "^#|^$" radiusplugin.cnf
NAS-Identifier=OpenVpn
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=127.0.0.1
OpenVPNConfig=/usr/local/openvpn/etc/server.conf
subnet=255.255.255.0
overwriteccfiles=true
server {
# The UDP port for radius accounting.
acctport=1813
# The UDP port for radius authentication.
authport=1812
# The name or ip address of the radius server.
name=127.0.0.1
# How many times should the plugin send the if there is no response?
retry=1
# How long should the plugin wait for a response?
wait=1
# The shared secret.
sharedsecret=testing123
}
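To test the RADIUS side of this configuration on its own before wiring it into OpenVPN, and to show what the sharedsecret actually does on the wire, here is an added Python client (example code, not part of the original post or of radiusplugin) that sends a PAP Access-Request and checks the Response Authenticator. It assumes the FreeRADIUS server at 127.0.0.1:1812 with the sharedsecret testing123 from radiusplugin.cnf above; the function names are its own.

```python
"""Minimal RFC 2865 PAP Access-Request client (added example, not from the post or
radiusplugin). Assumes FreeRADIUS on 127.0.0.1:1812 with sharedsecret testing123."""
import hashlib, os, socket, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # attribute types
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)
def pap_obfuscate(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\0")
    out, prev = b"", authenticator  # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_deobfuscate(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_obfuscate: what the RADIUS server does on receipt."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\0")
def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value
def build_access_request(ident, user, password, secret, authenticator, nas_ip="127.0.0.1"):
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, pap_obfuscate(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs)) + authenticator + attrs

def verify_response(resp: bytes, request_authenticator: bytes, secret: bytes):
    """Response code if MD5(Code+ID+Length+RequestAuth+Attrs+Secret) matches, else None."""
    length = struct.unpack("!H", resp[2:4])[0]
    expected = hashlib.md5(resp[:4] + request_authenticator + resp[HEADER_LEN:length] + secret).digest()
    return resp[0] if resp[4:HEADER_LEN] == expected else None

def radius_check(user, password, secret=b"testing123", server=("127.0.0.1", 1812)):
    """Send one Access-Request; True on Access-Accept, False on Access-Reject."""
    authenticator = os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(2.0)
        sock.sendto(build_access_request(1, user, password, secret, authenticator), server)
        resp, _ = sock.recvfrom(4096)
    code = verify_response(resp, authenticator, secret)
    if code is None:  # reply not authenticated by the shared secret: wrong secret or forged
        raise ValueError("bad Response Authenticator")
    return code == ACCESS_ACCEPT
```

A reply whose Response Authenticator does not verify means the shared secret differs between the two sides (or the reply did not come from the server), which is the same mismatch the plugin would fail on.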

5. OpenVPN server configuration (server.conf); the settings to pay attention to are tls-auth, client-config-dir and plugin

$ grep -Ev "^#|^$" etc/server.conf 
port 1194
proto tcp
dev tun
ca /usr/local/openvpn/keys/ca.crt
cert /usr/local/openvpn/keys/server.crt
key /usr/local/openvpn/keys/server.key
dh /usr/local/openvpn/keys/dh1024.pem
tls-auth /usr/local/openvpn/keys/ta.key 0
client-config-dir /etc/raddb/clients.conf
server 10.0.8.0 255.255.255.0
push "dhcp-option DNS 202.96.209.5"
push "route 10.10.10.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
client-cert-not-required
username-as-common-name
plugin /usr/local/openvpn/radiusplugin.so /usr/local/openvpn/radiusplugin.cnf
log /var/log/openvpn.log
status /var/log/openvpn-status.log
verb 5

The ta.key referenced above is the tls-auth HMAC key; it helps protect the server against DDoS attacks and is generated with the openvpn command:

$ ./openvpn --genkey --secret ta.key

6. OpenVPN client configuration: copy the server's ta.key and ca.crt into the C:\Program Files\OpenVPN\config folder on the client
The client configuration file client.ovpn is as follows:

client 
dev tun
proto tcp
remote 192.168.5.168 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-auth ta.key 1
ns-cert-type server
comp-lzo
verb 3
route-method exe
route-delay 2
auth-user-pass

After restarting the OpenVPN server, clients can log in to the VPN with a username and password. To add a new user, simply insert a new record into the radcheck table of the RADIUS database, which is quick and convenient.
