This shows you the differences between two versions of the page.
пакет_openvpn [2020/07/23 15:16] val [Service monitoring] |
пакет_openvpn [2022/06/20 08:27] val [Using PAM authentication instead of client certificates] |
Line 37: | Line 37: | ||
server 192.168.200+X.0 255.255.255.0 | server 192.168.200+X.0 255.255.255.0 | ||
push "route 192.168.100+X.0 255.255.255.0" | push "route 192.168.100+X.0 255.255.255.0" | ||
+ | |||
+ | #push "dhcp-option DNS 172.16.1.254" | ||
+ | #push "block-outside-dns" | ||
+ | |||
dh /etc/openvpn/dh2048.pem | dh /etc/openvpn/dh2048.pem | ||
+ | |||
ca /etc/ssl/certs/ca.crt | ca /etc/ssl/certs/ca.crt | ||
crl-verify /etc/ssl/certs/ca.crl | crl-verify /etc/ssl/certs/ca.crl | ||
cert /etc/ssl/certs/gate.crt | cert /etc/ssl/certs/gate.crt | ||
key /etc/ssl/private/gate.key | key /etc/ssl/private/gate.key | ||
+ | |||
status /var/log/openvpn1-status.log | status /var/log/openvpn1-status.log | ||
</code> | </code> | ||
- | Тестирование конфигурации | + | === Тестирование конфигурации === |
<code> | <code> | ||
# openvpn --config /etc/openvpn/openvpn1.conf | # openvpn --config /etc/openvpn/openvpn1.conf | ||
+ | |||
+ | # timeout 5 openvpn --config /etc/openvpn/openvpn1.conf; test $? -eq 124 && echo OK | ||
</code> | </code> | ||
- | Включение и запуск | + | === Включение и запуск === |
<code> | <code> | ||
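Review bot: the new smoke test `timeout 5 openvpn --config /etc/openvpn/openvpn1.conf; test $? -eq 124 && echo OK` only proves the process was still alive after 5 seconds and prints nothing at all on failure; it also fails whenever the unit is already running, because the second instance cannot bind the port and exits non-zero. Suggest stating that it must be run with the service stopped, and giving a reason on failure, e.g. `... || echo FAILED`, or checking the output for `Initialization Sequence Completed` instead of relying on the exit code alone. Also, the commented `push "block-outside-dns"` is honoured only by Windows clients (other clients log a warning and ignore it), and `push "dhcp-option DNS ..."` takes effect on Linux clients only through an `up` script such as update-resolv-conf; a one-line remark next to those two lines would save readers a debugging session.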
Line 94: | Line 102: | ||
</code> | </code> | ||
- | ==== Использование PAM аутентификации вместо клиентских сертификатов ==== | + | ==== Использование PAM аутентификации ==== |
* [[https://www.linuxsysadmintutorials.com/setup-pam-authentication-with-openvpns-auth-pam-module|Setup PAM authentication with OpenVPN's auth-pam module]] | * [[https://www.linuxsysadmintutorials.com/setup-pam-authentication-with-openvpns-auth-pam-module|Setup PAM authentication with OpenVPN's auth-pam module]] | ||
* [[https://github.com/OpenVPN/openvpn/tree/master/src/plugins/auth-pam|openvpn/src/plugins/auth-pam/]] | * [[https://github.com/OpenVPN/openvpn/tree/master/src/plugins/auth-pam|openvpn/src/plugins/auth-pam/]] | ||
+ | * [[https://openvpn.net/community-resources/using-alternative-authentication-methods/|OpenVPN Using alternative authentication methods]] | ||
+ | * [[Пакет OpenSSL#Создание самоподписанного сертификата]] | ||
<code> | <code> | ||
gate# cat /etc/pam.d/login | gate# cat /etc/pam.d/login | ||
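Review bot: the PAM example reuses the `login` service (`gate# cat /etc/pam.d/login` here, and `plugin ... openvpn-plugin-auth-pam.so login` further down), which ties VPN authentication to the console login stack and whatever modules the distribution adds there. Suggest a dedicated `/etc/pam.d/openvpn` file containing only the modules the VPN should use, so that later changes to `login` do not silently change who can connect. The retitled heading drops the words "instead of client certificates", yet the configuration below still sets `verify-client-cert none`; keep a sentence saying this mode does not use client certificates, so readers do not combine it with the certificate-based setup above.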
Line 107: | Line 117: | ||
#### crl-verify ... | #### crl-verify ... | ||
- | #ca /etc/ssl/certs/ca.crt | + | ca /etc/ssl/certs/server.crt |
- | или | + | cert /etc/ssl/certs/server.crt |
- | #ca /etc/ssl/certs/gate.crt #may be selfsigned | + | |
- | + | ||
- | cert /etc/ssl/certs/gate.crt | + | |
... | ... | ||
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so login | plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so login | ||
verify-client-cert none | verify-client-cert none | ||
username-as-common-name | username-as-common-name | ||
+ | #duplicate-cn #несколько подключений под одной учетной записью | ||
</code><code> | </code><code> | ||
C:\>notepad C:\Program Files\OpenVPN\config\client.ovpn | C:\>notepad C:\Program Files\OpenVPN\config\client.ovpn | ||
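Review bot: `ca /etc/ssl/certs/server.crt` and `cert /etc/ssl/certs/server.crt` now point at a self-signed server certificate, but no `key` line appears in the hunk; the earlier section uses `key /etc/ssl/private/gate.key`, so confirm that the elided `...` lines were updated to the matching private key or the service will not start. With `verify-client-cert none` every peer that completes the TLS handshake can submit a username and password to PAM, so this server should also carry `tls-auth` or `tls-crypt` (a pre-shared key that makes OpenVPN drop control packets without a valid HMAC) and the PAM stack should include a lockout module such as pam_faillock against online guessing. On the client side the same self-signed `server.crt` must be given as `ca`, otherwise the server is not verified at all. Finally, since `username-as-common-name` is set, the comment on `#duplicate-cn` should add that without it a second login with the same username disconnects the first session.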
Line 179: | Line 187: | ||
... | ... | ||
management localhost 7505 | management localhost 7505 | ||
+ | # management 0.0.0.0 7505 | ||
... | ... | ||
</code><code> | </code><code> | ||
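Review bot: the commented alternative `# management 0.0.0.0 7505` exposes the management channel on every interface with no authentication, because `management` only asks for a password when a third argument (a password file) is given; anyone who can reach TCP 7505 can then run `kill`, read `status`, or change settings. Keep `localhost`, or, if remote access is really needed, add the password-file argument and restrict the port in the firewall, and say so in a comment next to that line.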
Line 184: | Line 193: | ||
</code><code> | </code><code> | ||
status | status | ||
+ | |||
+ | kill user1 | ||
</code> | </code> | ||
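Review bot: `kill user1` needs a sentence of explanation: the argument is a common name, which under `username-as-common-name` is the PAM login, and it drops every session with that name, but a client configured to reconnect comes straight back and re-authenticates successfully. To actually revoke access, lock the account (e.g. `passwd -l user1`) before or instead of killing the session; add that after the command.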