openvpn+mysql installation and configuration
Background:
1. The four VPN types in common use today: pptp, l2tp (unlike pptp, supports tunnel authentication), ipsec (cisco), sslvpn (openvpn).
2. openvpn can be used to proxy http, to link servers across different data centres, and so on.
What follows is my own reorganisation of the documents I collected, kept here for reference.
======================================================================================
Lab environment:
CentOS release 6.3 x64
Public side: eth0: 172.31.0.13/16
Internal side: eth1: 192.168.11.1/24
Download the sources:
mkdir -p /tools/vpn
cd /tools/vpn
wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
wget http://sourceforge.net/projects/pam-mysql/files/latest/download?source=files
wget http://www.openvpn.net/release/openvpn-2.0.9.tar.gz
Note: openvpn-2.0.9.tar.gz has to be downloaded through a proxy (the site is blocked from mainland China)
======================================================================================
1. Set up time synchronisation:
/usr/sbin/ntpdate s2f.time.edu.cn
echo "1 1 * * * root /usr/sbin/ntpdate s2f.time.edu.cn > /dev/null 2>&1" >> /etc/crontab
2. Install mysql (omitted)...
This build uses mysql 5.1.68 compiled from source. Note: I tested 5.5.19 and it appears to have compatibility or environment problems with pam_mysql: openvpn authentication frequently failed, and the patch-and-recompile approach described online didn't solve it either.
3. Configure the pam_mysql authentication module
3.1. Install pam_mysql (note: the PAM authentication module and openvpn are independent of each other)
yum -y install pam-devel
cd /tools/vpn/
tar zxvf pam_mysql-0.7RC1.tar.gz
cd pam_mysql-0.7RC1
./configure --with-mysql=/usr/local/mysql-5.1.68/ --with-openssl
Note: for an rpm-installed mysql use this form: "./configure --with-mysql=/usr/ --with-openssl"
ln -s /usr/include/openssl/md5.h /usr/include/md5.h
Note: skip this step if you don't use md5
make && make install
3.2. Create the database (database, tables, user, grants)
# create the database, the user table and the log table
create database openvpn;
use openvpn;
create table vpnuser (name char(100) NOT NULL,password char(255) default NULL,active int(10) NOT NULL DEFAULT 1,PRIMARY KEY (name));
CREATE TABLE logtable (msg char(254),user char(100),pid char(100),host char(100),rhost char(100),time char(100));
# create a VPN user
insert into vpnuser (name,password) values ('aaa',password('888888'));
# grant the database user the module connects as
GRANT ALL ON openvpn.* TO vpn@'localhost' IDENTIFIED BY '123456';
exit;
3.3. Configure pam_mysql
mkdir -p /usr/lib/security/
cp /lib/security/pam_mysql.so /usr/lib/security/
vi /etc/pam.d/openvpn
#------------------------------------------------------------------------------------------
auth sufficient /usr/lib/security/pam_mysql.so user=vpn passwd=123456 host=localhost port=3306 db=openvpn table=vpnuser usercolumn=name passwdcolumn=password crypt=2 sqllog=true logtable=logtable logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=time
account required /usr/lib/security/pam_mysql.so user=vpn passwd=123456 host=localhost db=openvpn table=vpnuser usercolumn=name passwdcolumn=password crypt=2 sqllog=true logtable=logtable logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=time
#------------------------------------------------------------------------------------------
Note 1:
The crypt value selects the form in which the password is stored in the database:
0 (or "plain"): not hashed, stored in clear text. Not recommended.
1 (or "Y"): uses the crypt(3) function, equivalent to MySQL's ENCRYPT() function.
2 (or "mysql"): uses MySQL's PASSWORD() function.
3 (or "md5"): uses the MD5 algorithm.
4 (or "sha1"): uses the SHA1 algorithm.
Note 2:
To use a different host or port, change it to host=ip:port
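As an added example (not from the original post), the Python below reproduces the storage formats behind the crypt= values above, so that what `insert ... password('888888')` in 3.2 wrote into vpnuser.password can be checked without a MySQL client. It assumes crypt=2 is MySQL 4.1+ PASSWORD() ("*" followed by the uppercase hex of SHA1(SHA1(pw))) and that crypt=3 and crypt=4 equal the lowercase hex digests MySQL's MD5() and SHA1() return; crypt=1 (crypt(3)) is left out because its output depends on the host libc.

```python
import hashlib
import hmac

# Added example, not from the original post: reproduce the storage formats
# selected by pam_mysql's crypt= option so the contents of vpnuser.password
# can be checked offline.
# Assumptions: crypt=2 == MySQL 4.1+ PASSWORD() ('*' + upper-hex SHA1(SHA1(pw)));
# crypt=3 / crypt=4 == the lower-hex digests of MySQL MD5() / SHA1().
# crypt=1 (crypt(3)) is omitted because its output depends on the host libc.


def mysql_password(password: str) -> str:
    """crypt=2: the value INSERT ... password('888888') stores."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def md5_hex(password: str) -> str:
    """crypt=3: MD5 hex digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def sha1_hex(password: str) -> str:
    """crypt=4: SHA1 hex digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# crypt value -> function producing the stored form; 0 keeps the clear text.
CRYPT_MODES = {
    0: lambda pw: pw,
    2: mysql_password,
    3: md5_hex,
    4: sha1_hex,
}


def verify(stored: str, candidate: str, crypt: int) -> bool:
    """Check a login attempt the way pam_mysql does for the given crypt mode.

    hmac.compare_digest keeps the comparison constant-time.
    """
    if crypt not in CRYPT_MODES:
        raise ValueError("unsupported crypt mode %r" % crypt)
    expected = CRYPT_MODES[crypt](candidate)
    return hmac.compare_digest(stored.encode("utf-8"), expected.encode("utf-8"))


def stored_forms(password: str) -> dict:
    """Show how one password looks under each supported crypt value."""
    return {mode: fn(password) for mode, fn in CRYPT_MODES.items()}


if __name__ == "__main__":
    # Constructed sample: the user created in 3.2.
    for mode, value in stored_forms("888888").items():
        print("crypt=%d  %s" % (mode, value))
    print(verify(mysql_password("888888"), "888888", 2))
```

None of the listed modes salts the password and crypt=0 stores it in the clear, so the vpnuser table is sensitive on its own. The module only needs SELECT on vpnuser and INSERT on logtable, which is narrower than the GRANT ALL given to the vpn user in 3.2.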
3.4. Verify the pam_mysql module
saslauthd -a pam
echo "saslauthd -a pam" >> /etc/rc.local
Note: /etc/init.d/saslauthd start works as well
testsaslauthd -u aaa -p 888888 -s openvpn
A reply of "0: OK "Success."" means the pam_mysql module authenticates correctly
4. Install openvpn and its add-ons
cd /tools/vpn/
tar zxvf lzo-2.06.tar.gz
cd lzo-2.06
./configure --prefix=/usr/local/lzo-2.06
make && make install
cd /tools/vpn/
tar zxvf openvpn-2.2.2.tar.gz
cd openvpn-2.2.2
./configure --prefix=/usr/local/openvpn-2.2.2 \
--with-lzo-headers=/usr/local/lzo-2.06/include \
--with-lzo-lib=/usr/local/lzo-2.06/lib
make && make install
# use the openvpn-auth-pam.so module from version 2.0.9 here; the one in 2.2.2 doesn't work well
cd /tools/vpn/
tar zvfx openvpn-2.0.9.tar.gz
cd openvpn-2.0.9/plugin/auth-pam/
make
mkdir -p /usr/local/openvpn-2.2.2/lib
/bin/cp openvpn-auth-pam.so /usr/local/openvpn-2.2.2/lib/
5. Generate the CA certificate and keys
cd /tools/vpn/openvpn-2.2.2/easy-rsa/2.0/
vi vars
#============================================
# lines to delete
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="[email protected]"
export KEY_EMAIL=[email protected]
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
Lines to add:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="Beijing"
export KEY_ORG="sndapk"
export KEY_EMAIL="[email protected]"
#============================================
source /tools/vpn/openvpn-2.2.2/easy-rsa/2.0/vars
./clean-all
Note: you may see the following error (fix below):
source /tools/vpn/openvpn-2.2.2/easy-rsa/2.0/vars
**************************************************************
No /tools/vpn/openvpn-2.2.2/easy-rsa/2.0/openssl.cnf file could be found
Further invocations will fail
**************************************************************
NOTE: If you run ./clean-all, I will be doing a rm -rf on /tools/vpn/openvpn-2.2.2/easy-rsa/2.0/keys
cd /tools/vpn/openvpn-2.2.2/easy-rsa/2.0/
cp openssl-1.0.0.cnf openssl-1.0.0.cnf.ori
mv openssl-1.0.0.cnf openssl.cnf
5.1. Generate the CA certificate (just press Enter at every prompt)
[root@sa 2.0]# ./build-ca
5.2. Generate the CA-signed server key (press Enter at every prompt, except answer y where asked)
[root@sa 2.0]# ./build-key-server server
5.3. Generate the Diffie-Hellman parameter file used for key exchange
[root@sa 2.0]# ./build-dh
6. Configure openvpn
mkdir -p /usr/local/openvpn-2.2.2/etc
mkdir -p /usr/local/openvpn-2.2.2/log
/bin/cp -a /tools/vpn/openvpn-2.2.2/easy-rsa/2.0/keys /usr/local/openvpn-2.2.2/etc/
Server configuration file
vim /usr/local/openvpn-2.2.2/etc/server.conf
#-------------------------------------------------------------------------
local 172.31.0.13 # the VPN server's public IP address
port 1194
proto tcp
dev tun
ca /usr/local/openvpn-2.2.2/etc/keys/ca.crt
cert /usr/local/openvpn-2.2.2/etc/keys/server.crt
key /usr/local/openvpn-2.2.2/etc/keys/server.key
dh /usr/local/openvpn-2.2.2/etc/keys/dh1024.pem
server 10.0.100.0 255.255.255.0 # the VPN address pool (not the internal LAN range)
ifconfig-pool-persist ipp.txt
push "route 192.168.11.0 255.255.255.0" # this machine's internal LAN range
script-security 3
plugin /usr/local/openvpn-2.2.2/lib/openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
auth-nocache
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /usr/local/openvpn-2.2.2/log/vpn-status.log
log /usr/local/openvpn-2.2.2/log/vpn.log
log-append /usr/local/openvpn-2.2.2/log/vpn.log
verb 4
#-------------------------------------------------------------------------
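As an added check (not part of the original post), here is a small Python linter for the server.conf above. It parses the directives the way OpenVPN reads them (one per line, `#` comments, quoted arguments) and reports the settings in this configuration that weaken the server: client-cert-not-required, the 1024-bit dh file, script-security 3, no tls-auth, and no user/group drop. The config text is copied from the post as a sample; the finding keys, messages and the hardened() helper are my own.

```python
import shlex
from typing import Dict, List, Tuple

# Added example, not from the original post. SERVER_CONF is the server.conf
# shown above, embedded as a sample; the finding keys and texts are mine.
SERVER_CONF = """\
local 172.31.0.13 # VPN server public IP
port 1194
proto tcp
dev tun
ca /usr/local/openvpn-2.2.2/etc/keys/ca.crt
cert /usr/local/openvpn-2.2.2/etc/keys/server.crt
key /usr/local/openvpn-2.2.2/etc/keys/server.key
dh /usr/local/openvpn-2.2.2/etc/keys/dh1024.pem
server 10.0.100.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.11.0 255.255.255.0"
script-security 3
plugin /usr/local/openvpn-2.2.2/lib/openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
auth-nocache
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 4
"""

Directives = Dict[str, List[List[str]]]


def parse_openvpn_conf(text: str) -> Directives:
    """Map each directive to the argument lists it was given (a directive may repeat).

    OpenVPN reads one directive per line, strips '#' comments, and honours
    double quotes around an argument (push "route ...").
    """
    directives: Directives = {}
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts or parts[0].startswith(";"):  # ';' is also a comment marker
            continue
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def audit(directives: Directives) -> List[Tuple[str, str]]:
    """Return (key, explanation) for each weakening setting found."""
    findings = []
    if "client-cert-not-required" in directives:
        findings.append(("client-cert-not-required",
                         "clients are not authenticated by certificate; anyone with "
                         "a valid username/password and the public ca.crt can connect"))
    for args in directives.get("dh", []):
        if args and "1024" in args[0]:
            findings.append(("dh1024", "1024-bit DH parameters; build-dh with KEY_SIZE=2048"))
    for args in directives.get("script-security", []):
        if args and args[0].isdigit() and int(args[0]) >= 3:
            findings.append(("script-security",
                             "level 3 passes passwords to called scripts via environment "
                             "variables; the auth-pam plugin is not a script, so 2 suffices"))
    if "tls-auth" not in directives:
        findings.append(("no-tls-auth",
                         "no tls-auth key: any host reaching tcp/1194 can start a TLS "
                         "handshake with the server"))
    if "user" not in directives or "group" not in directives:
        findings.append(("runs-as-root",
                         "no user/group directive: the daemon keeps root after start-up"))
    return findings


def hardened(text: str) -> str:
    """Apply the corrections the findings ask for to a config string."""
    out = text.replace("dh1024.pem", "dh2048.pem")
    out = out.replace("client-cert-not-required\n", "")
    out = out.replace("script-security 3", "script-security 2")
    return out + "tls-auth /usr/local/openvpn-2.2.2/etc/keys/ta.key 0\nuser nobody\ngroup nobody\n"


if __name__ == "__main__":
    for key, why in audit(parse_openvpn_conf(SERVER_CONF)):
        print("%-25s %s" % (key, why))
    print("after hardening:", audit(parse_openvpn_conf(hardened(SERVER_CONF))))
```

hardened() only edits text: dh2048.pem has to be produced by ./build-dh with KEY_SIZE=2048 in vars, ta.key by `openvpn --genkey --secret ta.key` (the client then needs the matching `tls-auth ta.key 1`), and dropping client-cert-not-required means each client needs its own certificate from ./build-key in addition to its database password.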
Client configuration file:
vi /usr/local/openvpn-2.2.2/etc/client.ovpn
#-------------------------------------------------------------------------
client
dev tun
proto tcp
remote 172.31.0.13 1194
persist-key
persist-tun
auth-user-pass
ca ca.crt
ns-cert-type server
comp-lzo
verb 3
mute 20
# the next two lines are for Windows 7 compatibility
route-method exe
route-delay 2
#-------------------------------------------------------------------------
7. Other system configuration
7.1. Enable kernel forwarding
sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#' /etc/sysctl.conf
sysctl -p
7.2. Start the VPN service:
/usr/local/openvpn-2.2.2/sbin/openvpn --config /usr/local/openvpn-2.2.2/etc/server.conf &
echo "/usr/local/openvpn-2.2.2/sbin/openvpn --config /usr/local/openvpn-2.2.2/etc/server.conf &" >> /etc/rc.local
Check that it is listening:
netstat -lntup|grep 1194
7.3. Configure iptables SNAT
iptables -t nat -A POSTROUTING -s 192.168.11.0/24 -j MASQUERADE
or
iptables -t nat -A POSTROUTING -s 192.168.11.0/24 -j SNAT --to-source 172.31.0.13
/etc/init.d/iptables save && /etc/init.d/iptables restart
Notes:
1. tcp port 1194 must be allowed through
2. Either of the SNAT rules above is enough to reach the internal network behind the server, but the internal servers then see the visitor's IP as an address from the openvpn pool. If you need unified mysql grants or similar centralised management, add one more SNAT:
iptables -t nat -A POSTROUTING -s 10.0.100.0/24 -j SNAT --to-source 192.168.11.1
or
iptables -t nat -A POSTROUTING -s 10.0.100.0/24 -j MASQUERADE
8. Windows client test
Download the configuration files for the Windows client
yum -y install lrzsz
cd /usr/local/openvpn-2.2.2/etc/keys && sz -b ca.crt
cd /usr/local/openvpn-2.2.2/etc && sz -b client.ovpn
Notes:
Put the two files above in a folder of their own, e.g. vpn2014, and place that under the config directory of the Windows client's install path, so it can coexist with other vpn configurations
Rename client.ovpn to something recognisable
Install the client software: openvpn-2.0.9-gui-1.0.3-install.exe
Connection test:
Error -1:
tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 100
link/[65534]
inet 10.0.1.1 peer 10.0.1.2/32 scope global tun0 # note: this is the address range I configured on the server
OpenVPN connection troubleshooting
Sat Mar 06 16:31:42 2010 us=107000 There are no TAP-Win32 adapters on this system. You should be able to create a TAP-Win32 adapter by going to Start -> All Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter.
Answer: this happens on Windows; the cause is unknown. The fix is what the log says: Start -> All Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter. On Vista/Win7, run it with administrator rights.
===================================(done)===================================
This article is from the "notepad" blog; please keep this attribution: http://sndapk.blog.51cto.com/5385144/1435253