Introduction

OpenVPN is an application-layer VPN implementation built on the OpenSSL library. Compared with traditional VPNs, its advantage is that it is simple to use. OpenVPN lets the endpoints that form the VPN authenticate each other with a pre-shared key, certificates, or a username/password. It makes heavy use of the SSLv3/TLSv1 protocol implementation in the OpenSSL crypto library. OpenVPN runs on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X and Windows 2000/XP/Vista, and includes many security features. It is not a web-based VPN, and it is not compatible with IPsec or other VPN packages.
OpenVPN 2.0 introduced username/password authentication, which lets the client certificate be omitted, although a server certificate is still needed for the encryption. All OpenVPN traffic runs over a single IP port; UDP is the default and recommended transport, and TCP is also supported. OpenVPN connections pass through most proxy servers and work well behind NAT. The server can "push" network settings to clients, including IP addresses and routes. OpenVPN offers two kinds of virtual network interface through the generic Tun/Tap driver: a layer-3 IP tunnel, or a virtual layer-2 Ethernet that can carry any kind of Ethernet frame. Transported data can be compressed with the LZO algorithm. When choosing the transport protocol, pay attention to the network conditions between the two ends of the encrypted tunnel: with high latency or heavy packet loss, choose TCP as the underlying protocol, because UDP is connectionless and has no retransmission mechanism, which forces the protocols carried inside the tunnel to retransmit and is very inefficient.
The software was originally written by James Yonan. OpenVPN lets the endpoints that form the VPN authenticate with a pre-shared private key, third-party certificates, or a username/password, and relies heavily on the OpenSSL crypto library and the SSLv3/TLSv1 protocols. It runs on Linux, the BSDs, Mac OS X and Windows 2000/XP.

Usage Guide

Download easy-rsa, the certificate-making tool

[root@localhost ~]# git clone https://github.com/OpenVPN/easy-rsa-old.git
[root@localhost ~]# cd easy-rsa-old-master/easy-rsa/2.0/
[root@localhost 2.0]# ls
build-ca     build-key-pass    build-req-pass  openssl-0.9.6.cnf  revoke-full
build-dh     build-key-pkcs12  clean-all       openssl-0.9.8.cnf  sign-req
build-inter  build-key-server  inherit-inter   openssl-1.0.0.cnf  vars
build-key    build-req         list-crl        pkitool            whichopensslcnf

Configure the vars file

[root@localhost 2.0]# vim vars
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export DH_KEY_SIZE=2048
export KEY_SIZE=4096
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="GD"
export KEY_CITY="GuangZhou"
export KEY_ORG="IF010"
export KEY_EMAIL="admin@if010.com"
export KEY_EMAIL=admin@if010.com
export KEY_CN=IF010
export KEY_NAME=IF010
export KEY_OU=IF010
export PKCS11_MODULE_PATH=IF010
export PKCS11_PIN=123456

Save the file after editing, then run source ./vars so the settings take effect.

Create the directory for the generated certificates

[root@localhost 2.0]# ./clean-all 
[root@localhost 2.0]# ls
build-ca     build-key         build-key-server  clean-all      list-crl           openssl-1.0.0.cnf  sign-req
build-dh     build-key-pass    build-req         inherit-inter  openssl-0.9.6.cnf  pkitool            vars
build-inter  build-key-pkcs12  build-req-pass    keys           openssl-0.9.8.cnf  revoke-full        whichopensslcnf

A keys directory has now been created in the current directory; it holds the generated certificate files.

Generate the root CA certificate and key

Just press Enter at every prompt, because the values were already configured in the vars file. If you want to set a password on the certificate, you can do so while the command runs.

[root@localhost 2.0]# ./build-ca
[root@localhost 2.0]# ls keys/
ca.crt  ca.key  index.txt  serial

The ca.crt certificate and the ca.key private key have been generated.

Generate the server certificate and key

[root@localhost 2.0]# ./build-key-server server
# the trailing "server" is the name of the generated certificate files; it can be anything you like
Generating a 4096 bit RSA private key
............................................................................................................................................................................++
.................................................................................++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [GuangZhou]:
Organization Name (eg, company) [IF010]:
Organizational Unit Name (eg, section) [IF010]:
Common Name (eg, your name or your server's hostname) [server]:
Name [IF010]:
Email Address [admin@if010.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/easy-rsa-old-master/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'GuangZhou'
organizationName      :PRINTABLE:'IF010'
organizationalUnitName:PRINTABLE:'IF010'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'IF010'
emailAddress          :IA5STRING:'admin@if010.com'
Certificate is to be certified until Feb 27 01:35:25 2031 GMT (3650 days)
Sign the certificate? [y/n]:y      # enter y here

1 out of 1 certificate requests certified, commit? [y/n]y      # enter y here

Write out database with 1 new entries
Data Base Updated

[root@localhost 2.0]# ls keys/
01.pem  ca.crt  ca.key  index.txt  index.txt.attr  index.txt.old  serial  serial.old  server.crt  server.csr  server.key

The server.crt certificate, the server.csr signing request and the server.key private key have been generated.

Generate the client certificate and key

# same procedure as for the server certificate; kim is the name of the generated client certificate files
[root@localhost 2.0]# ./build-key kim  

# list the three generated client files
[root@localhost 2.0]# ls keys/kim*
keys/kim.crt  keys/kim.csr  keys/kim.key

Besides build-key, build-key-pass can be used to create a client certificate whose key is protected by a password.

Generate the key-exchange (Diffie-Hellman) file

[root@localhost 2.0]# ./build-dh

# the generated file below is the key-exchange file
[root@localhost 2.0]# ls keys/dh*
keys/dh2048.pem

Generate ta.key, the tls-auth HMAC key used to defend against denial-of-service attacks:

[root@localhost 2.0]# openvpn --genkey --secret ta.key        

Install and configure OpenVPN

OpenVPN can be installed directly with apt, yum or similar. On CentOS, note that the default YUM repositories do not carry the package, so the EPEL repository has to be installed first.

[root@localhost ~]# yum install -y epel-release
[root@localhost ~]# yum install openvpn -y

No configuration file is installed by default; copy one from the sample documents and then edit it.

[root@localhost ~]# cat /usr/share/doc/openvpn-2.4.10/sample/sample-config-files/server.conf | grep -v "^#" | grep -v "^$" | grep -v "^;" > /etc/openvpn/server.conf
[root@localhost ~]# cd /etc/openvpn/
[root@localhost openvpn]# ls
client  server  server.conf
[root@localhost openvpn]# cat server.conf | grep -v "#" | grep [^$] | grep -v ";"    
port 1194    # listening port
local 0.0.0.0    # listening address
proto tcp    # transport protocol
dev tun
ca /etc/openvpn/keys/ca.crt    # path to the CA certificate
cert /etc/openvpn/keys/server.crt    # path to the server certificate
dh /etc/openvpn/keys/dh2048.pem    # key-exchange (DH parameters) file
key /etc/openvpn/keys/server.key    # path to the server private key
server 10.8.0.0 255.255.255.0    # address pool handed out to clients
ifconfig-pool-persist ipp.txt
push "route 172.18.0.0 255.255.0.0"    # route pushed to clients
push "route 10.8.0.0 255.255.255.0"    # route pushed to clients
push "route 0.0.0.0 0.0.0.0"    # route pushed to clients
keepalive 10 120    # liveness test: ping every 10 seconds, consider the peer down after 120 seconds without a reply
tls-auth /etc/openvpn/keys/ta.key 0    # path to ta.key
cipher AES-256-CBC
persist-key
persist-tun
client-to-client    # allow clients to reach each other
comp-lzo    # enable LZO compression
status /var/log/openvpn/openvpn-status.log    # where the connection status file is written
log /var/log/openvpn/openvpn.log    # log file path
log-append /var/log/openvpn/openvpn.log
verb 9    # log verbosity: 0 is the lowest, 9 the highest
mute 20

Once the configuration file is edited, copy the server certificate files made in the previous section to the path the configuration refers to:

[root@localhost openvpn]# cp -a /root/easy-rsa-old-master/easy-rsa/2.0/keys /etc/openvpn/

Enable IP forwarding:

[root@localhost ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@localhost ~]# sysctl -p

Start the OpenVPN server and check that the service is listening:

[root@localhost openvpn]# openvpn --daemon --config server.conf

[root@localhost openvpn]# netstat -ntulp | grep 1194
tcp    0    0 0.0.0.0:1194    0.0.0.0:*    13953/openvpn

OpenVPN client configuration

The OpenVPN client needs these files: ca.crt, kim.crt, kim.key, kim.ovpn and ta.key

kim.ovpn contains the following:

client
dev tun
proto tcp
remote vpn.if010.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert kim.crt
key kim.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-GCM
redirect-gateway autolocal
comp-lzo
verb 3

Put the files listed above together in one folder and place it under the OpenVPN Connect installation directory; it is then ready to use.

Day-to-day maintenance guide

Revoke a client certificate

[root@localhost 2.0]# ./revoke-full kim
Using configuration from /root/easy-rsa/easy-rsa/2.0/openssl-1.0.0.cnf
Revoking Certificate 02.
Data Base Updated
Using configuration from /root/easy-rsa/easy-rsa/2.0/openssl-1.0.0.cnf
kim.crt: C = CN, ST = GD, L = GuangZhou, O = IF010, OU = IF010, CN = kim, name = IF010, emailAddress = kim@if010.com
error 23 at 0 depth lookup:certificate revoked

If "error 23 at 0 depth lookup" is shown, comment out the last 7 lines of the openssl-1.0.0.cnf file. Sometimes the revocation succeeds despite the error even without commenting them out, but commenting them out is the safer choice.

After the revocation a CRL file has been generated:

[root@localhost 2.0]# ll keys/crl.pem 
-rw-r--r-- 1 root root 1072 May 29 16:06 keys/crl.pem

# index.txt shows which certificates have been revoked: entries starting with R are revoked
[root@localhost 2.0]# cat keys/index.txt
V       320525085611Z           01      unknown /C=CN/ST=GD/L=GuangZhou/O=IF010/OU=IF010/CN=server/name=IF010/emailAddress=admin@if010.com
R       320525085814Z   220529080106Z   02      unknown /C=CN/ST=GD/L=GuangZhou/O=IF010/OU=IF010/CN=kim/name=IF010/emailAddress=kim@if010.com
V       320525102521Z           03      unknown /C=CN/ST=GD/L=GuangZhou/O=IF010/OU=IF010/CN=mingo/name=IF010/emailAddress=mingo@if010.com

# copy crl.pem into the OpenVPN keys directory
[root@localhost 2.0]# cp keys/crl.pem /etc/openvpn/keys/
# append the CRL path to server.conf
[root@localhost 2.0]# echo "crl-verify /etc/openvpn/keys/crl.pem" >> /etc/openvpn/server.conf
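As an added example (not part of the original post), a small shell helper that reads the tab-separated index.txt format shown above and reports which certificates are revoked; the sample index is constructed from the page's three entries, and the function names are assumptions of the example.

```shell
#!/bin/sh
# Parse the index.txt database kept by easy-rsa/OpenSSL to see which certificates
# are revoked. Added example, not from the original page. Columns are tab-separated:
#   status (V valid / R revoked / E expired), expiry, revocation time (empty unless R),
#   serial, file name, subject DN

# Constructed sample matching the page's three entries (tabs written via printf).
sample_index() {
  printf 'V\t320525085611Z\t\t01\tunknown\t/C=CN/ST=GD/L=GuangZhou/O=IF010/OU=IF010/CN=server/name=IF010/emailAddress=admin@if010.com\n'
  printf 'R\t320525085814Z\t220529080106Z\t02\tunknown\t/C=CN/ST=GD/L=GuangZhou/O=IF010/OU=IF010/CN=kim/name=IF010/emailAddress=kim@if010.com\n'
  printf 'V\t320525102521Z\t\t03\tunknown\t/C=CN/ST=GD/L=GuangZhou/O=IF010/OU=IF010/CN=mingo/name=IF010/emailAddress=mingo@if010.com\n'
}

# Print "serial CN revocation-time" for every revoked entry read on stdin.
list_revoked() {
  awk -F'\t' '$1 == "R" {
    cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn)
    print $4, cn, $3
  }'
}

# Print the status letter of the entry with the given serial (nothing if unknown).
cert_status() {
  awk -F'\t' -v s="$1" '$4 == s { print $1; exit }'
}

# Exit 0 if a revoked entry with this CN exists in the index, 1 otherwise.
# index.txt is what crl.pem is generated from; the server only enforces the
# revocation once the regenerated crl.pem is loaded via crl-verify.
# The CN is used as a plain regex fragment, so keep it to ordinary characters.
is_revoked() {
  awk -F'\t' -v c="$1" '$1 == "R" && $6 ~ ("/CN=" c "(/|$)") { found = 1 }
                        END { exit !found }'
}

# Stand-alone run against the constructed sample:
sample_index | list_revoked
```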

Embedding the client certificates in the configuration file

OpenVPN allows the file contents belonging to the following options to be placed inline in the main configuration file: ca, cert, extra-certs, key, pkcs12, secret, crl-verify, http-proxy-user-pass, tls-auth, auth-gen-token-secret, tls-crypt, tls-crypt-v2

The most commonly inlined are ca.crt, client.crt, client.key and ta.key (tls-auth).

Example:

client
dev tun
proto tcp
remote vpn.if010.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3
comp-lzo
auth-user-pass
push-peer-info
key-direction 1    

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
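An added example (not from the original post) that assembles the single-file profile this section describes from the ca.crt, <name>.crt, <name>.key and ta.key files produced earlier; the make_inline_ovpn function, its arguments and the directory layout are assumptions of the example.

```shell
#!/bin/sh
# Build one self-contained .ovpn that embeds ca.crt, <name>.crt, <name>.key and
# ta.key as <ca>, <cert>, <key> and <tls-auth> blocks, as the section above
# describes. Added example, not from the original page; the function name, its
# arguments and the directory layout are assumptions.
# usage: make_inline_ovpn <client-name> <keys-dir> <server-host>
make_inline_ovpn() {
  name=$1; dir=$2; host=$3
  for f in ca.crt "$name.crt" "$name.key" ta.key; do
    [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
  done
  cat <<EOF
client
dev tun
proto tcp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3
# "tls-auth ta.key 1" becomes an inline <tls-auth> block plus key-direction 1
key-direction 1
EOF
  for sect in ca cert key tls-auth; do
    case $sect in
      ca) f=ca.crt ;;  cert) f=$name.crt ;;  key) f=$name.key ;;  tls-auth) f=ta.key ;;
    esac
    # awk 1 re-emits every line with a newline, so a file that lacks a final
    # newline cannot run into the closing tag
    printf '<%s>\n' "$sect"; awk 1 "$dir/$f"; printf '</%s>\n' "$sect"
  done
}

# Number of inline blocks in a generated profile (a quick check on the result).
count_sections() { grep -c '^<[a-z-]*>$' "$1"; }
```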

Full-tunnel configuration for bypassing network blocking

[root@localhost]# vim /etc/openvpn/server.conf
port 1194
local 0.0.0.0
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
dh /etc/openvpn/keys/dh2048.pem
key /etc/openvpn/keys/server.key
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# push the default gateway and DNS settings
push "redirect-gateway def1 bypass-dhcp bypass-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
cipher AES-256-CBC
persist-key
persist-tun
client-to-client
comp-lzo
crl-verify /etc/openvpn/keys/crl.pem
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 9
mute 20

Routing and forwarding configuration

[root@localhost]# vim /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.

*filter  
:INPUT ACCEPT [0:0]  
:FORWARD ACCEPT [0:0]  
:OUTPUT ACCEPT [0:0] 
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT  
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT 
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1194 -j ACCEPT 
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# NAT the address range assigned to clients as it is forwarded out through eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

OpenVPN's eight authentication methods

  1. Local certificate and key
  2. Local file
  3. Database
  4. LDAP unified authentication
  5. Redis
  6. Microsoft Active Directory
  7. USB security token (U-key)
  8. Wireless network authentication

Only local-file authentication is demonstrated here.

Configure server.conf

[root@localhost]# vim /etc/openvpn/server.conf
port 1194
local 0.0.0.0
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
dh /etc/openvpn/keys/dh2048.pem
key /etc/openvpn/keys/server.key
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp bypass-dns"
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 8.8.8.8"

# pass the username and password to a verification script via environment variables
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
# do not require a client certificate (deprecated since OpenVPN 2.4 in favour of "verify-client-cert none", removed in 2.5)
client-cert-not-required
# use the username as the client's common name
username-as-common-name
# allow external scripts; level 3 is needed for passwords to be passed through the environment
script-security 3

keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
cipher AES-256-CBC
persist-key
persist-tun
client-to-client
comp-lzo
crl-verify /etc/openvpn/keys/crl.pem
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 9
mute 20

Write the checkpsw.sh script

[root@localhost]# vim /etc/openvpn/checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

[root@localhost]# chmod +x /etc/openvpn/checkpsw.sh
[root@localhost]# ll /etc/openvpn/checkpsw.sh 
-rwxr-xr-x 1 root root 1191 May 29 17:44 checkpsw.sh

This script was originally downloaded from http://openvpn.se/files/other/checkpsw.sh, but that site is blocked in China and cannot be reached, so it is reproduced here.

Configure the username/password file

[root@localhost]# vim /etc/openvpn/psw-file
kim 123456
mingo 123456
test 123456
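The script above keeps passwords in plaintext, writes the submitted password to its log on every failure, and splices ${username} into the awk program text. As an added example (not the page's or Mathias Sundman's code), here is a hardened variant for the same auth-user-pass-verify via-env setup; the hash-file format username:salt:hash and the /etc/openvpn/psw-hashes path are assumptions.

```shell
#!/bin/sh
# Hardened stand-in for checkpsw.sh (added example, not the page's code). Changes:
#  - the password file holds salted SHA-256 hashes instead of plaintext
#  - the username reaches awk as a variable, never as part of the program text
#    (the original splices ${username} into the awk program, so a quote
#    character in the username changes the program)
#  - passwords are never written to the log, only the username and the outcome
# Hash file format (an assumption of this example): username:salt:hash per line.
PASSFILE="${PASSFILE:-/etc/openvpn/psw-hashes}"
LOG_FILE="${LOG_FILE:-/var/log/openvpn/openvpn-password.log}"

hash_password() {                    # $1 = salt, $2 = password
  printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Print one "username:salt:hash" line for the hash file.
make_entry() {                       # $1 = username, $2 = password
  salt=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
  printf '%s:%s:%s\n' "$1" "$salt" "$(hash_password "$salt" "$2")"
}

# Return 0 if $2 is the password of user $1 in hash file $3, else 1.
verify_user() {
  case "$1" in
    ''|*[!A-Za-z0-9._@-]*) return 1 ;;   # empty or unexpected characters: reject
  esac
  entry=$(awk -F: -v u="$1" '$1 == u { print $2 ":" $3; exit }' "$3")
  [ -n "$entry" ] || return 1
  salt=${entry%%:*}; expected=${entry#*:}
  [ "$(hash_password "$salt" "$2")" = "$expected" ]
}

# Entry point when OpenVPN runs this script (auth-user-pass-verify ... via-env):
# $username and $password arrive in the environment.
if [ -n "${username:-}" ] && [ -n "${password:-}" ]; then
  if verify_user "$username" "$password" "$PASSFILE"; then
    echo "$(date '+%F %T'): auth ok: username=\"$username\"" >> "$LOG_FILE"; exit 0
  fi
  echo "$(date '+%F %T'): auth failed: username=\"$username\"" >> "$LOG_FILE"; exit 1
fi
```

Entries for the hash file are produced with make_entry (for example make_entry kim 123456 >> /etc/openvpn/psw-hashes) instead of editing psw-file by hand.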

Client connection configuration file

client
dev tun
proto tcp
remote vpn.if010.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-GCM
verb 3
comp-lzo
client-cert-not-required   # do not prompt for a client certificate
auth-user-pass    # prompt for username and password
Last modified: July 14, 2022