server端(路由模式):
一.網絡設置
1.開啓服務器端路由轉發功能
# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
# sysctl -p
2.設置nat轉發:
注:保證×××地址池可路由出外網
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
3.時間同步:
# ntpdate asia.pool.ntp.org
二.安裝依賴庫
# yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig
三.安裝open***:
#yum install open***
這裏我把個人配置貼出來
[root@localhost /etc/open***]$ cat /etc/open***/server.conf
local 0.0.0.0              # listen on every interface
port 1194
proto tcp
dev tun
ca /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0/keys/ca.crt
cert /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0/keys/server.crt
key /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0/keys/server.key
dh /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0/keys/dh2048.pem   # size follows KEY_SIZE=2048 in vars
server 10.8.0.0 255.255.255.0        # client address pool; must match the -s of the MASQUERADE rule
ifconfig-pool-persist /var/log/open***/ipp.txt
push "route 172.31.0.0 255.255.0.0"  # internal network the clients are told to route through the tunnel
client-to-client                     # clients may talk to each other via the server
keepalive 10 120
comp-lzo                             # NOTE(review): compression inside the encrypted tunnel has known weaknesses; consider omitting it on both sides
persist-key
persist-tun
status open***-status.log
log /var/log/open***.log
log-append /var/log/open***.log      # log-append takes precedence over the log line above
verb 3
# NOTE(review): no user/group directive is set, so the daemon -- and checkpsw.sh with it -- keeps the
# privileges of whoever started the service; the "chown nobody" on psw-file suggests an unprivileged account was intended.
client-cert-not-required # no client certificate; clients are verified by password only (deprecated since 2.4 in favour of "verify-client-cert none")
username-as-common-name  # use the authenticated username as the common name, since there is no certificate
script-security 3        # level 3 is required by via-env below: the password reaches the script through its environment
auth-user-pass-verify /etc/open***/checkpsw.sh via-env  # path to the script that accepts or rejects a username/password pair; via-file (with script-security 2) would hand the credentials over in a temp file instead of the environment
建立檢查帳號密碼腳本
vim checkpsw.sh
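#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@open***.se>
#
# This script will authenticate Open××× users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# Invoked by the server's "auth-user-pass-verify ... via-env"
# directive: the daemon supplies the candidate credentials in the
# environment variables "username" and "password".
# Lines in the passfile starting with ';' or '#' are ignored.
# Exit status: 0 = credentials accepted, 1 = rejected or error.
PASSFILE="/etc/open***/psw-file"
LOG_FILE="/var/log/open***-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")
###########################################################

# Append one timestamped line to the audit log.
# The submitted password is deliberately never written: the log
# would otherwise accumulate near-miss typos of valid passwords in
# clear text, readable by anyone who can read the log.
log_msg() {
  printf '%s: %s\n' "${TIME_STAMP}" "$1" >> "${LOG_FILE}"
}

if [ ! -r "${PASSFILE}" ]; then
  log_msg "Could not open password file \"${PASSFILE}\" for reading."
  exit 1
fi

# Look the user up with awk's ENVIRON instead of splicing ${username}
# into the program text: a username containing quotes or awk syntax
# could otherwise change the lookup expression itself.
CORRECT_PASSWORD=$(username="${username}" awk '!/^;/ && !/^#/ && $1 == ENVIRON["username"] { print $2; exit }' "${PASSFILE}")

if [ "${CORRECT_PASSWORD}" = "" ]; then
  log_msg "User does not exist: username=\"${username}\"."
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  log_msg "Successful authentication: username=\"${username}\"."
  exit 0
fi

log_msg "Incorrect password: username=\"${username}\"."
exit 1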
四.下載easy-rsa:
easy-rsa-release-2.x.zip 網上找到資源,其餘的有時候我沒有試驗成功。
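unzip easy-rsa-release-2.x.zip -d /etc/open***
# The archive unpacks to easy-rsa-release-2.x/easy-rsa/2.0/ -- the same directory server.conf
# points at for its ca/cert/key/dh files. The original "cp easy-rsa ../" step copied nothing
# (cp refuses a directory without -r) and nothing later used that copy, so go straight to
# the 2.0 directory that holds vars, clean-all, build-ca and friends.
cd /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0/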
編輯 vars
[root@localhost /etc/open***]$ grep -v "^#" easy-rsa-release-2.x/easy-rsa/2.0/vars| grep -v "^$"
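# easy-rsa 2.0 "vars": environment for the build-* scripts. Source it (". ./vars") from
# this directory; running it as a program would export into a throw-away subshell.
export EASY_RSA="$(pwd)"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# KEY_CONFIG is whatever the whichopensslcnf helper next to this file prints for this directory.
export KEY_CONFIG="$("$EASY_RSA/whichopensslcnf" "$EASY_RSA")"
export KEY_DIR="$EASY_RSA/keys"        # where ca.crt, server.crt/key and dh2048.pem end up
echo "NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR"
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048                   # RSA key size; also names the DH file (dh2048.pem in server.conf)
export CA_EXPIRE=3650                  # CA certificate validity, days
export KEY_EXPIRE=3650                 # issued certificate validity, days
# Default subject fields offered at the prompts of build-ca / build-key-*.
export KEY_COUNTRY="US"
export KEY_PROVINCE="California"
export KEY_CITY="BJ"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="dachenc@test.com"
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="EasyRSA"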
保存退出後給予x權限
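chmod +x vars
# Source vars rather than executing it: it only exports variables, and "./vars" would
# export them into a subshell that exits immediately, so clean-all and build-* would
# then run without KEY_DIR and friends.
. ./vars
./clean-all                 # wipes $KEY_DIR; run once, before any keys exist
./build-ca server           # creates keys/ca.crt and ca.key -- the ca.crt is what clients get
# server.conf references keys/server.crt and keys/server.key, which only this step creates
# (the signing step asks to sign and commit -- those two prompts need a "y", not Enter).
./build-key-server server
./build-dh                  # creates keys/dh2048.pem (size from KEY_SIZE in vars)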
以上生成文件時均可以一路回車過去
生成的文件在/etc/open***/easy-rsa-release-2.x/easy-rsa/2.0/keys文件夾中
將ca.crt拷貝到本地
chkconfig open*** on          # start at boot (SysV init on this yum/chkconfig-style host)
/etc/init.d/open*** restart   # (re)load server.conf; /var/log/open***.log shows why if it fails to come up
client配置:
https://open***.net/index.php/open-source/downloads.html
以上路徑下載客戶端 Windows版本
安裝完畢後將路徑中sample-config的client.o***拷貝到config文件夾中
編輯config文件夾中的client.o***
client
dev tun
proto tcp                 # must match the server's proto
remote 公網地址 公網端口   # placeholder: the server's public address and port (1194 in server.conf)
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt                 # the CA certificate copied from the server's keys directory
#cert user1.crt           # not needed: the server runs with client-cert-not-required
#key user1.key
comp-lzo                  # must match the server's comp-lzo setting
verb 3
auth-user-pass            # prompt for the username/password that checkpsw.sh checks on the server
# NOTE(review): without "remote-cert-tls server" the client does not check that the peer presents
# a server certificate signed by this CA; worth adding once the server key is built with build-key-server.
編寫密碼文件:
vi psw-file
client1 123456
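# The file holds clear-text passwords: only its owner may read or change it.
# 777 made every local account able to read all passwords and to add its own user.
chmod 600 psw-file
# Owner must be the account checkpsw.sh runs as. server.conf sets no user/group, so
# presumably that is the account the service starts under (root keeps access to a
# 600 file anyway); keep nobody as owner only if the daemon really drops to it.
chown nobody:nobody psw-file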
從新鏈接客戶端 輸入用戶名密碼便可登陸