A brief introduction to the two OpenVPN authentication methods:
1. Key distribution:
Generate the keys on the server and download them to the client machine: the server-side ca.crt, xx.crt, xx.key and ta.key (ta.key is only needed if the server has it enabled; its purpose is to defend against DoS attacks). Copy these files together with the client configuration file xx.ovpn into the config folder of the OpenVPN client installation, then edit xx.ovpn so that it points to the paths of the files downloaded from the server (note in particular that on Windows xx.ovpn must be ANSI-encoded, while on Mac and mobile devices the encoding should be changed to UTF-8).
2. Username/password authentication:
Usernames and passwords are added directly in the server-side configuration. The user only needs to copy ca.crt and the fixed xx.ovpn file into the config folder of the OpenVPN client installation and then log in with the username and password when connecting. See:
https://www.cnblogs.com/xiaoyou2018/p/9546098.html
This article explains how to use openvpn-admin.
openvpn-admin, as the name suggests, is a web front end for managing OpenVPN.
https://github.com/Chocobozzz/OpenVPN-Admin
What openvpn-admin gives you:
1. Users enter their account on the web page and download the configuration file and ca.crt automatically (previously these had to be sent by hand to each user's mailbox)
2. Opening and closing accounts
3. Viewing login logs
Installation
I. First install nodejs, unzip (for extracting zip archives), git (to download the openvpn-admin source) and npm (package management)
yum install nodejs unzip git wget npm -y
yum -y install make gcc gcc-c++ gcc-g77 flex bison file libtool libtool-libs autoconf kernel-devel libjpeg libjpeg-devel libpng libpng-devel libpng10 libpng10-devel gd gd-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glib2 glib2-devel bzip2 bzip2-devel libevent libevent-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel gettext gettext-devel ncurses-devel gmp-devel pspell-devel unzip libcap lsof
II. Setting up the environment (see also: https://www.cnblogs.com/gpfeisoft/p/5999263.html)
nginx version: 1.12
PHP version: 5.6
MySQL version: 5.7
(1) Install Nginx
yum install nginx -y
systemctl start nginx
systemctl enable nginx
Configuration file:
server {
    listen 80;
    server_name 192.168.199.132;

    location / {
        root /home/vhost/openvpn-admin;
        index index.php index.html index.htm;
    }

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /home/vhost/openvpn-admin$fastcgi_script_name;
        include fastcgi_params;
    }
}
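The server block above hands every URI ending in .php to php-fpm without first checking that such a file actually exists under the document root. The following is an added, hardened version of the same block (it is not from the original post or the OpenVPN-Admin project): root is moved to the server level so SCRIPT_FILENAME can use $document_root, and try_files $uri =404 is added to the PHP location so that nginx answers 404 itself for .php paths that do not exist instead of passing them on to php-fpm. The address and path are the ones used in the post.

```nginx
server {
    listen 80;
    server_name 192.168.199.132;
    # Document root at server level so $document_root is set in every location
    root /home/vhost/openvpn-admin;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        # Only pass the request to php-fpm when the .php file really exists
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

Run nginx -t after replacing the block, as the post does below; the openvpn-admin entry point index.php?admin still works because /index.php is matched by the PHP location.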
Start Nginx
nginx -t (tests whether the configuration is valid)
nginx -s reload
(2) Install MySQL
CentOS ships MariaDB by default, which is a fork of MySQL, but for our needs we still install MySQL on the system; once installed it simply replaces MariaDB.
Install the Yum repository:
wget -c http://dev.mysql.com/get/mysql57-community-release-el7-10.noarch.rpm
yum -y install mysql57-community-release-el7-10.noarch.rpm
yum -y install mysql-community-server
MySQL is now installed; next come some MySQL settings.
systemctl start mysqld
systemctl enable mysqld
MySQL is now running, but before you can log in you must find the temporary root password, which can be pulled from the log file with the following command:
grep "password" /var/log/mysqld.log
Log in to the database with:
[root@localhost ~]# mysql -uroot -p
Enter the initial password. At this point nothing else can be done, because by default MySQL requires the password to be changed before the database can be used:
Relax the password policy and minimum length:
mysql> set global validate_password_policy=0;
mysql> set global validate_password_length=1;
Set the password:
mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'jason_zhang'; (sets the new password to jason_zhang)
Create the database:
mysql> create database jason_zhang;
Because the Yum repository was installed, every future yum operation will automatically update it, so remove it:
[root@localhost ~]# yum -y remove mysql57-community-release-el7-10.noarch
(3) Install PHP
1. Install libiconv
cd /usr/local/src
wget http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.14.tar.gz
tar zxvf libiconv-1.14.tar.gz
cd libiconv-1.14
./configure --prefix=/usr/local/libiconv
make && make install
cd ..
2. Install libmcrypt
wget http://iweb.dl.sourceforge.net/project/mcrypt/Libmcrypt/2.5.8/libmcrypt-2.5.8.tar.gz
tar zxvf libmcrypt-2.5.8.tar.gz
cd libmcrypt-2.5.8
./configure
make && make install
cd ..
3. Install Mhash (download mhash-0.9.9.9.tar.gz into /usr/local/src first)
tar zxvf mhash-0.9.9.9.tar.gz
cd mhash-0.9.9.9
./configure
make && make install
cd ..
4. Install Mcrypt
wget http://iweb.dl.sourceforge.net/project/mcrypt/MCrypt/2.6.8/mcrypt-2.6.8.tar.gz
tar zxvf mcrypt-2.6.8.tar.gz
cd mcrypt-2.6.8
# Be sure to run this step, otherwise the following steps may fail
export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH
vi /etc/ld.so.conf
Add on the last line:
/usr/local/lib/
Save and exit
Refresh the shared library cache:
ldconfig
cd /usr/local/src/mcrypt-2.6.8
./configure
make && make install
cd ..
5. Download the package, then compile and install
wget http://mirrors.sohu.com/php/php-5.6.6.tar.gz
tar -zxvf php-5.6.6.tar.gz
cd php-5.6.6
./configure --prefix=/usr/local/php --with-config-file-path=/usr/local/php/etc --enable-fpm --with-fpm-user=www --with-fpm-group=www --with-mysql=mysqlnd --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd --with-iconv-dir --with-freetype-dir --with-jpeg-dir --with-png-dir --with-zlib --with-libxml-dir=/usr --enable-xml --disable-rpath --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization --with-curl --enable-mbregex --enable-mbstring --with-mcrypt --enable-ftp --with-gd --enable-gd-native-ttf --with-openssl --with-mhash --enable-pcntl --enable-sockets --with-xmlrpc --enable-zip --enable-soap --without-pear --with-gettext --disable-fileinfo --enable-maintainer-zts
make test
make && make install
6. Rename the php-fpm configuration file php-fpm.conf.default
mv /usr/local/php/etc/php-fpm.conf.default /usr/local/php/etc/php-fpm.conf
7. Copy the php.ini configuration file
cp php.ini-production /usr/local/php/etc/php.ini
8. Copy the php-fpm startup script to init.d
cp sapi/fpm/init.d.php-fpm /etc/init.d/php-fpm
9. Grant execute permission
chmod +x /etc/init.d/php-fpm
10. Add it as a service
chkconfig --add php-fpm
11. Enable start at boot
chkconfig php-fpm on
12. As is standard practice, create a dedicated user and group for php-fpm
Create the group: groupadd www
Create a user with no login shell and no home directory: useradd -s /sbin/nologin -g www -M www
13. Start php-fpm now
service php-fpm start
# or
/etc/init.d/php-fpm start
The required environment is now installed.
Next, use npm to install bower
npm install -g bower
mkdir -p /home/vhost
cd !$
Download the source
git clone https://github.com/Chocobozzz/OpenVPN-Admin openvpn-admin
cp -r /home/vhost/openvpn-admin/installation/client-conf /home/vhost/openvpn-admin/client-conf
chmod -R 777 client-conf
Install the dependencies:
cd /home/vhost/openvpn-admin/
bower --allow-root install
Check the generated files
[root@openvpn nginx]# cd /home/vhost/
[root@openvpn vhost]# pwd
/home/vhost
[root@openvpn vhost]# tree -L 2
.
└── openvpn-admin
    ├── bower.json
    ├── CHANGELOG.md
    ├── client-conf
    ├── css
    ├── desinstall.sh
    ├── include
    ├── index.php
    ├── installation
    ├── install.sh
    ├── js
    ├── LICENSE.md
    ├── migration.php
    ├── README.md
    ├── sql
    ├── update.sh
    └── vendor      ##### generated files
8 directories, 9 files
Edit the MySQL connection settings in the file /home/vhost/openvpn-admin/include/config.php
<?php
  $host = 'localhost';
  $port = '3306';
  $db = 'jason_zhang';    // the database you created
  $user = 'root';         // MySQL username
  $pass = 'jason_zhang';  // MySQL password
?>
Reload nginx
nginx -s reload
Go back into the openvpn-admin directory (the openvpn-admin source directory), copy its installation/scripts directory and server.conf to /etc/openvpn/ (back up the existing server.conf first), and edit the configuration file to:
mode server
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/3.0/pki/ca.crt
cert /etc/openvpn/easy-rsa/3.0/pki/issued/openvpn.crt
key /etc/openvpn/easy-rsa/3.0/pki/private/openvpn.key
dh /etc/openvpn/easy-rsa/3.0/pki/dh.pem
tls-auth /etc/openvpn/ta.key 0
server 10.10.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 202.101.172.46"
push "dhcp-option DNS 192.168.199.1"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
max-clients 500
client-to-client
persist-key
persist-tun
auth-user-pass-verify /etc/openvpn/scripts/login.sh via-env
client-cert-not-required
username-as-common-name
script-security 3
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20
client-connect /etc/openvpn/scripts/connect.sh
client-disconnect /etc/openvpn/scripts/disconnect.sh
Pay attention to the paths in the configuration file!!
Edit the /etc/openvpn/scripts/config.sh configuration file so that it matches the /home/vhost/openvpn-admin/include/config.php file above
#!/bin/bash
# MySQL credentials
HOST='localhost'
PORT='3306'
USER='root'
PASS='jason_zhang'
DB='jason_zhang'
Create a ccd folder under /etc/openvpn/ and set the permissions on the ccd and scripts directories
chmod -R 777 ccd
chmod -R 777 scripts
Restart the OpenVPN service
systemctl restart openvpn@server
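Before restarting, it is worth checking that every file server.conf points at really exists with sane permissions, since the post warns about the paths and the chmod -R 777 steps leave scripts/ and ccd/ writable by every local user while OpenVPN runs those scripts as root. The script below is an added example, not part of OpenVPN-Admin or the original post: it reads the path-bearing directives used in the server.conf above (ca, cert, key, dh, tls-auth, auth-user-pass-verify, client-connect, client-disconnect), reports missing files, key material readable by group/other, and world-writable entries under scripts/ and ccd/. The layout it builds for the demo run is constructed in a temporary directory; on a real system call openvpn_preflight /etc/openvpn/server.conf instead.

```shell
#!/bin/sh
# Added example (not from OpenVPN-Admin): pre-restart check for the
# /etc/openvpn layout used in this post.

# Print "directive absolute-path" for every file-referencing directive.
# Relative paths are resolved against the directory of the config file,
# which is where OpenVPN looks when started with the systemd openvpn@ unit.
openvpn_conf_paths() {
    conf="$1"
    base=$(dirname "$conf")
    awk '$1 == "ca" || $1 == "cert" || $1 == "key" || $1 == "dh" ||
         $1 == "tls-auth" || $1 == "auth-user-pass-verify" ||
         $1 == "client-connect" || $1 == "client-disconnect" { print $1, $2 }' "$conf" |
    while read -r directive path; do
        case "$path" in
            /*) echo "$directive $path" ;;
            *)  echo "$directive $base/$path" ;;
        esac
    done
}

# Return 0 when nothing is wrong; otherwise print one finding per line and return 1.
openvpn_preflight() {
    conf="$1"
    base=$(dirname "$conf")
    findings=$(
        openvpn_conf_paths "$conf" | while read -r directive path; do
            if [ ! -e "$path" ]; then
                echo "MISSING  $directive -> $path"
                continue
            fi
            case "$directive" in
                key|tls-auth)
                    # secret material: only the owner should be able to read it
                    if [ -n "$(find "$path" -maxdepth 0 \( -perm -g+r -o -perm -o+r \))" ]; then
                        echo "EXPOSED  $directive -> $path is readable by group/other"
                    fi ;;
                auth-user-pass-verify|client-connect|client-disconnect)
                    [ -x "$path" ] || echo "NOEXEC   $directive -> $path is not executable"
                    if [ -n "$(find "$path" -maxdepth 0 -perm -o+w)" ]; then
                        echo "WRITABLE $directive -> $path is world-writable"
                    fi ;;
            esac
        done
        # chmod -R 777 on scripts/ and ccd/ leaves everything in them world-writable
        for d in scripts ccd; do
            [ -d "$base/$d" ] && find "$base/$d" -perm -o+w | sed 's/^/WRITABLE /'
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "OK: $conf"
}

# Build a constructed /etc/openvpn-like tree in a temp dir and print its path.
# File contents are placeholders; only names and permission bits matter here.
make_demo_layout() {
    dir=$(mktemp -d)
    mkdir -p "$dir/easy-rsa/3.0/pki/issued" "$dir/easy-rsa/3.0/pki/private" \
             "$dir/scripts" "$dir/ccd"
    for f in easy-rsa/3.0/pki/ca.crt easy-rsa/3.0/pki/issued/openvpn.crt \
             easy-rsa/3.0/pki/private/openvpn.key easy-rsa/3.0/pki/dh.pem ta.key \
             scripts/login.sh scripts/connect.sh scripts/disconnect.sh; do
        echo "placeholder" > "$dir/$f"
    done
    chmod 600 "$dir/easy-rsa/3.0/pki/private/openvpn.key" "$dir/ta.key"
    chmod 750 "$dir/scripts"/*.sh
    chmod 755 "$dir/scripts" "$dir/ccd"
    # Same directives as the post's server.conf, mixing absolute and relative paths
    cat > "$dir/server.conf" <<EOF
port 1194
proto tcp
dev tun
ca $dir/easy-rsa/3.0/pki/ca.crt
cert $dir/easy-rsa/3.0/pki/issued/openvpn.crt
key $dir/easy-rsa/3.0/pki/private/openvpn.key
dh $dir/easy-rsa/3.0/pki/dh.pem
tls-auth ta.key 0
auth-user-pass-verify scripts/login.sh via-env
client-connect $dir/scripts/connect.sh
client-disconnect $dir/scripts/disconnect.sh
EOF
    echo "$dir"
}

# Demo run on the constructed layout
demo=$(make_demo_layout)
openvpn_preflight "$demo/server.conf"
rm -rf "$demo"
```

A non-zero exit with findings means the restart should wait: a MISSING line is the path problem the post warns about, and WRITABLE lines are the price of chmod -R 777; giving scripts/ and ccd/ to root with mode 750 and the client-conf directory to the www user is enough for openvpn-admin to work without them.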
http://192.168.199.132/index.php?admin
Account: admin
Set the password
After logging in, create an openvpn user account and check it