checkpwd.sh

使用密码认证*open-[v]-[p]-[n]

使用脚本验证实现客户端通过账号密码认证，完成VPN接入。

服务端配置

服务端追加配置项如下：

auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env

在目录上添加配置脚本，脚本内容如下：

#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/pwd-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

客户端楝

客户端配置追加一条配置信息：

auth-user-pass

证书的撤销

添加多个用户后，对用户的撤销操作如下“

source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/your_name/openvpn-ca/keys

./revoke-full client1
Using configuration from /home/yourname/openvpn-ca/openssl.cnf
Revoking Certificate 02.
Data Base Updated
Using configuration from /home/yourname/openvpn-ca/openssl.cnf
C = your country, ST = your province , L = your city, O = your org, OU = your unit, CN = client1, name = server, emailAddress = yourname@abc.com 
error 23 at 0 depth lookup: certificate revoked
error client1.crt: verification failed