Password authentication in OpenVPN

Server Config

local <HOST IP>
port 1194
proto tcp
dev tun
ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt
key /usr/local/etc/openvpn/server.key
dh /usr/local/etc/openvpn/dh1024.pem
server 192.168.78.0 255.255.255.0
ifconfig-pool-persist /usr/local/etc/openvpn/ips
push "redirect-gateway"
auth-user-pass-verify /usr/local/etc/openvpn/auth.pl via-env
client-cert-not-required
username-as-common-name
keepalive 100 120
comp-lzo
client-config-dir /usr/local/etc/openvpn/ccd
max-clients 250
persist-key
persist-tun
status /usr/local/etc/openvpn/openvpn-status.log
verb 3

Script /usr/local/etc/openvpn/auth.pl

#!/usr/bin/perl

use strict;
use warnings;

# Flat file with one "login:password" per line (format described below)
my $passwdfile = "/usr/local/etc/openvpn/users";
my $isValidUser = 0;
my $username;
my $password;
# With "auth-user-pass-verify ... via-env" OpenVPN hands the client's
# credentials to the script in these two environment variables
my $thisUsername = $ENV{'username'};
my $thisPassword = $ENV{'password'};

# No credentials passed at all: deny
if (!defined $thisUsername || !defined $thisPassword) {
    print "ERR\n";
    exit 1;
}

open (PASSWORDS,"$passwdfile") or die "can't find file: $passwdfile : $!\n";

while (<PASSWORDS>) {
    chomp;
    # Split on the first ':' only, so a password may itself contain ':'
    ($username,$password)= split (/:/, $_, 2);
    next unless defined $password;
    if ($username eq $thisUsername && $password eq $thisPassword) {
        $isValidUser = 1;
        last;
    }
}
close PASSWORDS;

# OpenVPN only looks at the exit status: 0 grants access, anything else denies it
if ($isValidUser == 1) {
    print "OK\n";
    exit 0;
} else {
    print "ERR\n";
    exit 1;
}

Client Config

client
dev tun
proto tcp
remote <HOST IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
pull
auth-user-pass
ca ca.crt
comp-lzo
verb 3

Format of the file /usr/local/etc/openvpn/users

login:password
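The same check as auth.pl, written as an added Python example (not the page's own script) so that the users-file parser and the verification logic can be exercised outside OpenVPN. It reads the login:password format described above, splits only on the first ':' so passwords may contain colons, compares with hmac.compare_digest, and accepts the credentials either from the environment (the via-env mode the server config uses) or from the temporary file OpenVPN passes as the first argument in via-file mode. The SAMPLE_USERS content and the user names in it are constructed for illustration:

```python
#!/usr/bin/env python3
"""Verifier for OpenVPN's auth-user-pass-verify hook, reading a login:password file.

Constructed example, not the wiki page's own auth.pl. Exit status 0 grants
access; anything else denies it.
"""
import hmac
import os
import sys

# Same flat file as the page's auth.pl: one "login:password" per line.
USERS_FILE = "/usr/local/etc/openvpn/users"


def parse_users(text):
    """Parse login:password lines into a dict; blank lines and '#' comments are skipped."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first ':' only so a password may itself contain ':'.
        login, sep, password = line.partition(":")
        if sep:
            users[login] = password
    return users


def check_credentials(users, username, password):
    """Return True if username exists and its password matches.

    hmac.compare_digest keeps the comparison time independent of how many
    leading characters of the supplied password happen to be correct.
    """
    if username is None or password is None:
        return False
    stored = users.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


def credentials_from_openvpn(argv, environ):
    """Read the credentials the way OpenVPN provides them.

    via-env:  the 'username' and 'password' environment variables.
    via-file: argv[1] names a temp file, username on line 1, password on line 2.
    """
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            lines = fh.read().splitlines()
        if len(lines) < 2:
            return None, None
        return lines[0], lines[1]
    return environ.get("username"), environ.get("password")


def main():
    username, password = credentials_from_openvpn(sys.argv, os.environ)
    try:
        with open(USERS_FILE, encoding="utf-8") as fh:
            users = parse_users(fh.read())
    except OSError as exc:
        # Unreadable users file: deny, and say why on stderr for the OpenVPN log
        print(f"ERR: cannot read {USERS_FILE}: {exc}", file=sys.stderr)
        return 1
    if check_credentials(users, username, password):
        print("OK")
        return 0
    print("ERR")
    return 1


# Constructed sample of the users file (names and passwords are made up).
SAMPLE_USERS = "alice:s3cret\n# comment line\nbob:pa:ss:with:colons\n\n"

if __name__ == "__main__":
    sys.exit(main())
```

To use it in place of auth.pl, point `auth-user-pass-verify` at this file and keep `via-env`; switching the server line to `via-file` works without changes because the script detects the file argument.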

Format of the files in the directory /usr/local/etc/openvpn/ccd

The file name must match the login exactly. For the OpenVPN client under Windows to work properly, the gateway IP and the client's private IP must belong to the same /30 subnet. Under Linux/BSD there is no such restriction.

ifconfig-push 192.168.78.CLIENT_IP 192.168.78.VPN_GATEWAY
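An added Python helper (not part of the original page) for producing and checking ccd lines against the /30 rule above. It assumes the pool from the server config, 192.168.78.0/24, and OpenVPN's default net30 address layout in which the first /30 belongs to the server's own tun endpoint and each client gets the next /30 (client .6 with gateway .5, then .10/.9, and so on); validate_ccd_line rejects a pair whose two addresses are not the two usable hosts of one /30:

```python
#!/usr/bin/env python3
"""Generate and validate 'ifconfig-push' lines for OpenVPN client-config-dir files.

Constructed example. Encodes the rule that the client's tunnel IP and its
gateway IP must lie in the same /30 and that neither may be that /30's
network or broadcast address.
"""
import ipaddress

# Pool declared by "server 192.168.78.0 255.255.255.0" in the server config.
VPN_NET = ipaddress.ip_network("192.168.78.0/24")


def net30_pair(index, network=VPN_NET):
    """Return (client_ip, gateway_ip) for the index-th /30 block inside network.

    Assumes net30 layout: block 0 (192.168.78.0/30) is the server's own
    endpoint, so client blocks start at index 1.
    """
    blocks = list(network.subnets(new_prefix=30))
    if not 1 <= index < len(blocks):
        raise ValueError(f"index {index} outside the {len(blocks) - 1} usable /30 blocks")
    gateway, client = list(blocks[index].hosts())  # the two usable hosts of the /30
    return client, gateway


def ccd_line(index, network=VPN_NET):
    """Render the line that goes into /usr/local/etc/openvpn/ccd/<login>."""
    client, gateway = net30_pair(index, network)
    return f"ifconfig-push {client} {gateway}"


def validate_ccd_line(line):
    """Check an ifconfig-push line against the /30 rule; return (ok, reason)."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "ifconfig-push":
        return False, "expected: ifconfig-push <client ip> <gateway ip>"
    try:
        client = ipaddress.ip_address(parts[1])
        gateway = ipaddress.ip_address(parts[2])
    except ValueError as exc:
        return False, f"bad address: {exc}"
    if client == gateway:
        return False, "client and gateway must differ"
    # The /30 that contains the client address
    block = ipaddress.ip_network(f"{client}/30", strict=False)
    if gateway not in block:
        return False, f"{gateway} is not in {block}; a Windows client will not accept this pair"
    usable = set(block.hosts())
    if client not in usable or gateway not in usable:
        return False, f"network or broadcast address of {block} used as an endpoint"
    return True, f"ok, both endpoints in {block}"


if __name__ == "__main__":
    for i in range(1, 4):
        print(ccd_line(i))
    print(validate_ccd_line("ifconfig-push 192.168.78.6 192.168.78.5"))
    print(validate_ccd_line("ifconfig-push 192.168.78.6 192.168.78.1"))
```

Running the script prints the first three generated ccd lines and then one accepted and one rejected pair; the second is rejected because 192.168.78.1 sits in a different /30 than 192.168.78.6.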
password_authentication.txt · Last modified: 2013/12/15 17:02 by kyxap