OpenVPN: implementing username/password login

1. Add the following settings to server.conf

# password verification script; via-env hands the client's credentials to it as environment variables
auth-user-pass-verify /opt/openvpn/checkpsw.sh via-env
# level 3 is required for via-env, because the password is passed through the environment
script-security 3
# do not request the client's certificate, authenticate with username/password only;
# comment this line out if certificate and password authentication are enabled together
# (deprecated in OpenVPN 2.4 and removed in 2.5, where "verify-client-cert none" replaces it)
client-cert-not-required
# use the username the client authenticated with as its common name, instead of the one from a client certificate
username-as-common-name

2. Create the password verification script
1) Method one: download it from http://openvpn.se/files/other/checkpsw.sh
2) Method two: the contents of checkpsw.sh are shown below; create the file yourself at /opt/openvpn/checkpsw.sh

#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN (auth-user-pass-verify ... via-env) exports the
# client's credentials as the environment variables
# $username and $password; exit 0 accepts, non-zero rejects.

PASSFILE="/opt/openvpn/psw-file"
LOG_FILE="/opt/openvpn/logs/openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")
###########################################################

if [ ! -r "${PASSFILE}" ]; then
    echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
    exit 1
fi

# Skip ';' and '#' comment rows and print the second field of the first row
# whose first field equals the username. The username is read from the
# environment inside awk instead of being spliced into the awk program, so a
# username containing quotes or awk syntax cannot alter the pattern.
CORRECT_PASSWORD=$(awk '!/^;/ && !/^#/ && $1 == ENVIRON["username"] { print $2; exit }' "${PASSFILE}")

if [ -z "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
    exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
    exit 0
fi

# Log only the outcome; the submitted password is deliberately not written to the log file.
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1

3. Create the account/password file

# the path must match PASSFILE in checkpsw.sh
touch /opt/openvpn/psw-file
chown nobody:nobody /opt/openvpn/psw-file

The contents of psw-file are:

username1 pwd1
username2 pwd2
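As an added example that is not part of the original post or of checkpsw.sh, the same auth-user-pass-verify contract (via-env, exit 0 accepts) implemented in Python with a pass-file of salted PBKDF2-SHA256 hashes, so a copied psw-file does not directly yield the passwords; the record format user:salt_hex:hash_hex and the log wording are assumptions of this example.

```python
#!/usr/bin/env python3
# Added example (not the page's checkpsw.sh): auth-user-pass-verify script in
# via-env mode whose pass-file stores salted PBKDF2-SHA256 hashes, one record
# per line in the assumed format user:salt_hex:hash_hex; '#'/';' rows are ignored.
import hashlib
import hmac
import os
import sys

PASSFILE = "/opt/openvpn/psw-file"
LOG_FILE = "/opt/openvpn/logs/openvpn-password.log"
ITERATIONS = 200_000


def pbkdf2_hex(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def make_record(username, password, salt=None):
    """Build one pass-file line; run this once per user when creating the file."""
    salt = salt or os.urandom(16)
    return f"{username}:{salt.hex()}:{pbkdf2_hex(password, salt)}"


def lookup(username, lines):
    # Return (salt, hash_hex) for username, or None when there is no record.
    for line in lines:
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(":")
        if len(parts) == 3 and parts[0] == username:
            return bytes.fromhex(parts[1]), parts[2]
    return None


def verify(username, password, lines):
    """True only if username exists and password matches its stored hash."""
    rec = lookup(username, lines)
    if rec is None:
        pbkdf2_hex(password, b"\0" * 16)  # same cost for unknown users
        return False
    salt, expected = rec
    return hmac.compare_digest(pbkdf2_hex(password, salt), expected)


if __name__ == "__main__":
    # OpenVPN exports the client's credentials as $username and $password.
    user = os.environ.get("username", "")
    with open(PASSFILE) as f:
        ok = verify(user, os.environ.get("password", ""), f)
    with open(LOG_FILE, "a") as log:  # record the outcome, never the password
        log.write(f"auth {'ok' if ok else 'failed'} for {user!r}\n")
    sys.exit(0 if ok else 1)
```

Point auth-user-pass-verify at this file instead of checkpsw.sh (same via-env mode and script-security 3) and write each psw-file line with make_record().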

4. Restart OpenVPN

5. Add the following to the client configuration

auth-user-pass

Other notes:
1. No password access log is written
Solution: the file permissions are wrong. OpenVPN runs as nobody:nobody, so the log file must also be owned by nobody:nobody.

The server configuration file is as follows:
server_user_pwd_conf
