Using PAM + MySQL for authentication not only makes it easy to hand out OpenVPN accounts to friends later, it also lets several hosts use one MySQL table, so account information is shared across servers. The configuration steps are briefly recorded below.
Prerequisite: OpenVPN is already installed on the VPS and clients can connect normally using certificate authentication.
Install pam-mysql
apt-get install libpam-mysql libmysql++-dev libpam0g-dev libmysqlclient-dev sasl2-bin
(If your VPS runs CentOS/Fedora, use yum install pam-devel -y instead)
Create the MySQL database, table and user
mysql> create database vpndb;
mysql> grant all on vpndb.* to myname@localhost IDENTIFIED BY 'MYPASSWORD';
mysql> FLUSH PRIVILEGES;
mysql> use vpndb;
mysql> CREATE TABLE vpnuser (
    -> username char(20) NOT NULL,
    -> password char(128) default NULL,
    -> active int(10) NOT NULL DEFAULT 1,
    -> PRIMARY KEY (username)
    -> );
mysql> insert into vpnuser (username,password) values('somebody',password('secret'));
A plaintext password is recommended instead, otherwise the testsaslauthd command below will fail:
mysql> insert into vpnuser (username,password) values('somebody', 'hispassword');
# Creates the DB user myname with full privileges on the vpndb database, password MYPASSWORD
# A row whose active value is not 1 is not allowed to use the VPN
# Adds a user with username somebody and password secret
See: http://www.chinaunix.net/jh/50/513004.html, http://blog.chinaunix.net/u/2389/showart_15825.html
Configure pam-mysql
# cd /etc/pam.d/
# nano openvpn (create a new file named openvpn)
Enter the following:
auth optional pam_mysql.so user=myname passwd=MYPASSWORD host=localhost db=vpndb table=vpnuser usercolumn=username passwdcolumn=password where=active=1 crypt=0
account required pam_mysql.so user=myname passwd=MYPASSWORD host=localhost db=vpndb table=vpnuser usercolumn=username passwdcolumn=password where=active=1 crypt=0
Note: crypt=2 means the password must be stored with MySQL's password() function; crypt=3 means MD5(). It is recommended to set crypt= to 0, otherwise the testsaslauthd command below will fail.
Verify with sasl2
# saslauthd -a pam (if cyrus-sasl was compiled from source, run # saslauthd -m /var/state/saslauthd -a pam instead)
# testsaslauthd -u somebody -p secret -s openvpn (this openvpn is the file created above)
If you get 0: OK "Success.", pam-mysql authentication is working. If you get 0: NO "authentication failed", then the statement above, mysql> insert into vpnuser (username,password) values('somebody',password('secret'));, should be changed to mysql> insert into vpnuser (username,password) values('somebody','hispassword'); i.e. use a plaintext password. You also have to change the crypt= value in /etc/pam.d/openvpn to 0 (LDAP authentication.
Modify the OpenVPN configuration
# cp /usr/lib/openvpn/openvpn-auth-pam.so /etc/openvpn/
(If OpenVPN was compiled from source: # cd /root/openvpn-VERSION/plugin/auth-pam/ then # make; openvpn-auth-pam.so is generated in the current directory /root/openvpn-VERSION/plugin/auth-pam/. Then # cp openvpn-auth-pam.so /etc/openvpn/ )
(If the OpenVPN client prompts for username/password when connecting, and after you enter them authentication fails and the username/password dialog pops up again, while putty.exe shows AUTH-PAM: BACKGROUND: user 'tom' failed to authenticate: Module is unknown., the problem was finally solved: it was caused by openvpn-auth-pam.so. The OpenVPN version was 2.1-rc11, but the corresponding openvpn-auth-pam.so did not work. In the /root/openvpn-VERSION/plugin/auth-pam/ directory of the unpacked OpenVPN source package, run # make; openvpn-auth-pam.so is generated in that directory. Replace the original one with it and the connection works.)
# cd /etc/openvpn/easy-rsa/2.0
# openvpn --genkey --secret keys/ta.key
# cp /etc/openvpn/easy-rsa/2.0/keys/ta.key /etc/openvpn/
# nano /etc/openvpn/openvpn.conf
Append the following at the end:
plugin /etc/openvpn/openvpn-auth-pam.so /etc/pam.d/openvpn
client-cert-not-required
username-as-common-name
tls-auth ta.key 0
Download ca.crt and ta.key into c:\program files\openvpn\config\,
and modify the client configuration file client.ovpn: comment out the original two lines
cert client.crt
key client.key
and add:
auth-user-pass
tls-auth ta.key 1
Save and you are done. (The parts in blue above were added by me.) That completes all the preparation. (On a Mac, if you start this new client configuration with Tunnelblick, a dialog prompts for the username and password; enter them and save them to the keychain and you never have to do it again.)
Also, many users online have run into the situation where sasl authentication works fine but OpenVPN authentication fails:
BACKGROUND: *** failed to authenticate: Permission denied
So many people get stuck here. After searching online for a long time, I found that this is actually a bug in pam_mysql; I was stuck on this problem for a long time too.
After Googling, I found that a usable patch already exists online. The steps are as follows:
wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
tar zxvf pam_mysql-0.7RC1.tar.gz
cd pam_mysql-0.7RC1
nano patch.in
Contents:
--- Makefile.in.chold 2008-07-14 10:25:53.000000000 +0200 +++ Makefile.in 2008-07-14 10:26:06.000000000 +0200 @@ -110,7 +110,7 @@ CPPFLAGS = @CPPFLAGS@ LDFLAGS = @LDFLAGS@ LIBS = @LIBS@ -pam_mysql_la_LIBADD = +pam_mysql_la_LIBADD = -lpam pam_mysql_la_OBJECTS = pam_mysql.lo CFLAGS = @CFLAGS@ COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
(Note: the patch.in above is actually problematic. Its purpose is simply to modify the Makefile.in file in the unpacked pam_mysql-0.7RC1 directory: change line 113 of Makefile.in from "pam_mysql_la_LIBADD = " to "pam_mysql_la_LIBADD = -lpam" and save the change. There is no need to create a patch.in file.)
Then start compiling pam_mysql:
# ./configure
# make
# make install (With that, building pam_mysql is complete. Building pam_mysql this way suits CentOS/Fedora VPSes; of course it can be built the same way on Debian/Ubuntu.)
The underlined part above can alternatively be replaced with:
# nano /etc/ld.so.conf
Add the following line at the end of the file:
/lib/security/
#ldconfig
Then restart openvpn:
/etc/init.d/openvpn restart
(If openvpn was compiled from source:
# killall openvpn
# /usr/local/sbin/openvpn --config /etc/openvpn/openvpn.conf &)
Test again, connect to OpenVPN, and it works!
PS: If your system is Debian, the squeeze (testing) repository already has a new libpam-mysql with this patch applied, version 0.7~RC1-4.
References:
- bugs.debian.org
- http://bugs.centos.org/view.php?id=4893
# mysql -u myname -p (myname is the DB username)
Enter password: appears (enter the password of the database user myname)
After that the mysql prompt mysql> appears.
At the mysql> prompt, enter use vpndb;
At the mysql> prompt, enter insert into vpnuser (username,password) values('somebody','hispassword');
Press Enter; Query OK appears and the OpenVPN server account has been added. (The text in blue was added by me.)
References:
- OpenVPN how to
- OpenVPN login with User/Pass authentication
- configure: error: C++ compiler cannot create executables
- Broken libpam-mysql
- http://itblog.blogdns.net/index.php?load=read&id=85
- http://yumax1012.blogspot.com/2007/08/openvpn_30.html
(This article is good; I set it up successfully. For an OpenVPN that requires authentication to connect like this, it is best not to configure an upstream proxy; if you do, you will not be able to connect to the OpenVPN server at all. Just apply the obfuscation patch on the OpenVPN server side.)
--------------------------------------------------------------------------------------------------------------
OpenVPN with pam_mysql using username/password authentication
Here's how I setup OpenVPN with
pam_mysql using only username/password authentication (insecure, but
really easy on the admin side :P). Target platform is Ubuntu Jaunty.
For starters, you'll need the following installed:
- openvpn
- mysql - server installed and running
--- Makefile.in.chold 2008-07-14 10:25:53.000000000 +0200
+++ Makefile.in 2008-07-14 10:26:06.000000000 +0200
@@ -110,7 +110,7 @@
CPPFLAGS = @CPPFLAGS@
LDFLAGS = @LDFLAGS@
LIBS = @LIBS@
-pam_mysql_la_LIBADD =
+pam_mysql_la_LIBADD = -lpam
pam_mysql_la_OBJECTS = pam_mysql.lo
CFLAGS = @CFLAGS@
COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
Save the above as patch.in in the same folder where you untar pam_mysql. Then run the following command:
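Review bot: the hunk hard-wires `-lpam` into `pam_mysql_la_LIBADD` in Makefile.in, a file automake regenerates from Makefile.am, so the fix is lost the next time the build system is regenerated; prefer making the equivalent change in Makefile.am (or adding a libpam check in configure.ac) so the generated Makefile.in carries the flag. The first post's suggestion to edit line 113 of Makefile.in by hand is the same change and has the same caveat.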
# patch -p0 <patch.in
That command will perform the patch process by using the patch.in file. Next, we'll need to grab some deb packages to compile the module:
# apt-get install libmysql++-dev libpam0g-dev libgsasl7 libgsasl7-dev
Once that's done, proceed with the usual make commands (please note the extra configure options to enable SHA1 and MD5 options in the module):
# ./configure --with-cyrus-sasl2 --with-openssl
# make
# make install
The module should now be installed in /lib/security/pam_mysql.so. Now to configure OpenVPN. Here's my server configuration file:
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/ca.crt
cert /etc/openvpn/easy-rsa/server.crt
key /etc/openvpn/easy-rsa/server.key
dh /etc/openvpn/easy-rsa/dh1024.pem
server 10.128.127.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 2.2.2.2"
keepalive 10 120
comp-lzo
max-clients 50
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
mute 20
client-cert-not-required
username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
The most important lines are the last three lines which have been bold. Follow the commands below to setup OpenVPN server:
cd /etc/openvpn
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/ easy-rsa
cd easy-rsa
vim vars # Edit KEY_* vars appropriately
source ./vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
To allow traffic to be routed from clients to the server, perform the following tasks:
echo 1 > /proc/sys/net/ipv4/ip_forward
edit /etc/sysctl.conf
Uncomment/add the line: net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s 10.128.127.0/24 -o eth0 -j MASQUERADE
iptables-save
Now to configure PAM. Create a file called openvpn in /etc/pam.d. Below are its contents:
auth optional /lib/security/pam_mysql.so user=root passwd=pass host=localhost db=vpn_db table=tbl_user usercolumn=userid passwdcolumn=password where=active=1 sqllog=no crypt=4 verbose=0
account required /lib/security/pam_mysql.so user=root passwd=pass host=localhost db=vpn_db table=tbl_user usercolumn=userid passwdcolumn=password where=active=1 sqllog=no crypt=4 verbose=0
crypt=4 instructs pam_mysql to use SHA1. There are other options which you can view in the pam_mysql README file. OpenVPN client configuration file is shown below:
client
dev tun
proto udp
remote my.vpn.server.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass
cipher BF-CBC
comp-lzo
verb 4
mute 20
Very lean and clean client config file.
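The crypt= setting in the PAM file (crypt=0 plaintext, crypt=2 MySQL password(), crypt=3 MD5 in the first post; crypt=4 SHA1 here) decides what pam_mysql compares the typed password against, which is why the first post's INSERT with password('secret') fails once the PAM file says crypt=0. The Python below is an added example, not code from either post or from pam_mysql: it computes the stored value for each mode, stages a vpnuser table in SQLite as a stand-in for MySQL, and mimics pam_mysql's lookup including where=active=1, so hashed storage can be kept instead of falling back to plaintext. It assumes crypt=3/4 hold lowercase hex digests and that crypt=2 is the MySQL 4.1+ PASSWORD() form.

```python
import hashlib
import sqlite3

# crypt= modes named on this page: 0 plaintext, 2 MySQL PASSWORD(), 3 MD5, 4 SHA1.
# Assumption: crypt=3/4 hold lowercase hex digests; crypt=2 is MySQL 4.1+ PASSWORD().
def stored_value(password: str, crypt: int) -> str:
    """Return what the password column must hold for a given crypt= setting."""
    pw = password.encode()
    if crypt == 0:
        return password
    if crypt == 2:  # PASSWORD(): '*' + upper-case hex of SHA1(SHA1(pw))
        return "*" + hashlib.sha1(hashlib.sha1(pw).digest()).hexdigest().upper()
    if crypt == 3:
        return hashlib.md5(pw).hexdigest()
    if crypt == 4:
        return hashlib.sha1(pw).hexdigest()
    raise ValueError(f"unsupported crypt mode {crypt}")

def make_table() -> sqlite3.Connection:
    """In-memory stand-in for the first post's vpnuser table (constructed sample)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vpnuser (username TEXT PRIMARY KEY, password TEXT, "
               "active INTEGER NOT NULL DEFAULT 1)")
    return db

def add_user(db, username, password, crypt, active=1):
    """Provision an account in the form the PAM file's crypt= setting expects."""
    db.execute("INSERT INTO vpnuser (username, password, active) VALUES (?, ?, ?)",
               (username, stored_value(password, crypt), active))

def check_login(db, username, password, crypt) -> bool:
    """Mimic pam_mysql: fetch the row restricted by where=active=1, compare under crypt=."""
    row = db.execute("SELECT password FROM vpnuser WHERE username = ? AND active = 1",
                     (username,)).fetchone()
    if row is None:  # unknown user, or active != 1: no VPN access
        return False
    return row[0] == stored_value(password, crypt)

def demo() -> dict:
    """The mismatch the first post runs into, next to setups whose crypt= is consistent."""
    db = make_table()
    add_user(db, "somebody", "secret", crypt=2)            # stored via PASSWORD(), as in the first INSERT
    add_user(db, "tom", "hispassword", crypt=4)            # SHA1 storage, matching crypt=4 in this post
    add_user(db, "disabled", "secret", crypt=4, active=0)  # active=0: must be refused
    return {
        "hash_vs_crypt0": check_login(db, "somebody", "secret", crypt=0),  # False: plaintext compare
        "hash_vs_crypt2": check_login(db, "somebody", "secret", crypt=2),  # True
        "sha1_vs_crypt4": check_login(db, "tom", "hispassword", crypt=4),  # True
        "inactive": check_login(db, "disabled", "secret", crypt=4),        # False: where=active=1
    }
```

Because the PAM file carries the database credentials in clear (user=/passwd=), it should be readable by root only, whichever crypt= mode is chosen.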
2 comments:
- Whats the SQL dump file or how do I create the database / tables in mysql?
- try this:
mysql -u root -p
CREATE DATABASE vpn_db;
USE vpn_db;
CREATE TABLE `tbl_user` (
`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
`userid` VARCHAR( 30 ) NOT NULL ,
`password` VARCHAR( 50 ) NOT NULL,
`active` TINYINT ( 1 ) NOT NULL,
UNIQUE (`userid`)
) ENGINE = MYISAM ;
from http://techtots.blogspot.com/2010/01/openvpn-with-pammysql-usernamepassword.html