User Tools
пакет_openvpn
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
пакет_openvpn [2024/06/13 14:05] val |
пакет_openvpn [2025/09/15 09:38] (current) val [Использование PAM аутентификации] |
||
|---|---|---|---|
| Line 58: | Line 58: | ||
| # openvpn --config /etc/openvpn/openvpn1.conf | # openvpn --config /etc/openvpn/openvpn1.conf | ||
| - | # timeout 5 openvpn --port 65500 --config /etc/openvpn/openvpn1.conf; test $? -eq 124 && echo OK | + | # timeout 5 openvpn --config /etc/openvpn/openvpn1.conf --management 127.0.0.1 65501 --port 65500; test $? -eq 124 && echo OK |
| </code> | </code> | ||
| Line 77: | Line 77: | ||
| * Начиная с Windows 7 необходимо запускать OpenVPN с правами администратора | * Начиная с Windows 7 необходимо запускать OpenVPN с правами администратора | ||
| * [[Пакет OpenSSL#Создание пользовательского сертификата, подписанного CA]] | * [[Пакет OpenSSL#Создание пользовательского сертификата, подписанного CA]] | ||
| + | |||
| + | * !!! [[https://serverfault.com/questions/607601/include-certificates-in-ovpn-file|include certificates in .OVPN file]] | ||
| <code> | <code> | ||
| Line 102: | Line 104: | ||
| ==== Индивидуальная настройка параметров клиентов ==== | ==== Индивидуальная настройка параметров клиентов ==== | ||
| + | |||
| + | * [[https://serverfault.com/questions/1048592/openvpn-routing-from-server-to-client|OpenVPN routing from server to client]] | ||
| * базируется на атрибуте CN | * базируется на атрибуте CN | ||
| Line 110: | Line 114: | ||
| ... | ... | ||
| client-config-dir ccd | client-config-dir ccd | ||
| + | #route 192.168.100+Y.0 255.255.255.0 | ||
| ... | ... | ||
| </code><code> | </code><code> | ||
| Line 115: | Line 120: | ||
| </code><code> | </code><code> | ||
| ifconfig-push 192.168.200+X.4*N+2 192.168.200+X.4*N+1 | ifconfig-push 192.168.200+X.4*N+2 192.168.200+X.4*N+1 | ||
| + | #iroute 192.168.100+Y.0 255.255.255.0 | ||
| </code> | </code> | ||
| Line 134: | Line 140: | ||
| ca /etc/ssl/certs/server.crt | ca /etc/ssl/certs/server.crt | ||
| cert /etc/ssl/certs/server.crt | cert /etc/ssl/certs/server.crt | ||
| + | key /etc/ssl/private/server.key | ||
| ... | ... | ||
| plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so login | plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so login | ||
| Line 139: | Line 146: | ||
| username-as-common-name | username-as-common-name | ||
| #duplicate-cn #несколько подключений под одной учетной записью | #duplicate-cn #несколько подключений под одной учетной записью | ||
| - | </code><code> | + | </code> |
| + | |||
| + | * [[#Тестирование конфигурации]] | ||
| + | * [[#Настройка клиента]] | ||
| + | <code> | ||
| cmd run as admin C:\>notepad C:\Program Files\OpenVPN\config\client.ovpn | cmd run as admin C:\>notepad C:\Program Files\OpenVPN\config\client.ovpn | ||
| - | </code><code> | + | </code> |
| + | |||
| + | <code> | ||
| ... | ... | ||
| auth-user-pass | auth-user-pass | ||
| + | #static-challenge "Enter TOTP Authenticator Code" 1 | ||
| <ca> | <ca> | ||
| -----BEGIN CERTIFICATE----- | -----BEGIN CERTIFICATE----- | ||
| Line 149: | Line 163: | ||
| -----END CERTIFICATE----- | -----END CERTIFICATE----- | ||
| </ca> | </ca> | ||
| + | </code> | ||
| + | |||
| + | === Включение 2FA === | ||
| + | |||
| + | <code> | ||
| + | debian:~# cp /etc/pam.d/login /etc/pam.d/openvpn | ||
| + | |||
| + | debian:~# cat /etc/pam.d/openvpn | ||
| + | </code><code> | ||
| + | auth required pam_google_authenticator.so authtok_prompt=pin | ||
| + | #auth required pam_google_authenticator.so authtok_prompt=pin user=root secret=/etc/openvpn/google-auth/${USER} | ||
| + | ... | ||
| + | </code> | ||
| + | |||
| + | * [[Использование библиотеки PAM#Использование pamtester]] | ||
| + | <code> | ||
| + | # cat /etc/openvpn/openvpn1.conf | ||
| + | </code><code> | ||
| + | ... | ||
| + | plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP" | ||
| + | ... | ||
| + | </code><code> | ||
| + | debian:~# systemctl enable openvpn@openvpn1 --now | ||
| + | |||
| + | debian:~# journalctl -f | ||
| + | ... | ||
| + | Aug 29 09:45:09 debian openvpn(pam_google_authenticator)[2483]: Failed to read "/home/student/.google_authenticator" for "student" | ||
| + | ... | ||
| + | </code><code> | ||
| + | # systemctl edit openvpn@openvpn1 | ||
| + | </code><code> | ||
| + | [Service] | ||
| + | ProtectHome=no | ||
| </code> | </code> | ||
| ==== Использование RADIUS аутентификации и учета ==== | ==== Использование RADIUS аутентификации и учета ==== | ||
| - | * [[http://itinrussian.ru/freeradius-openvpn-%D0%BD%D0%B0-debian-8/|Freeradius + openvpn]] | + | * [[https://stackoverflow.com/questions/71159790/authenticate-openvpn-users-via-radius-freeradius]] |
| ===== Настройка peer2peer конфигурации ===== | ===== Настройка peer2peer конфигурации ===== | ||
пакет_openvpn.1718276745.txt.gz · Last modified: 2024/06/13 14:05 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
