OpenVPN 基于用户密码方式认证

上篇文章写了基于证书的认证方式，这里记录下基于用户密码的认证方式

修改服务端 server.conf配置文件

 添加几个参数
 
#客户端不进行证书认证，如果不加将实现证书和用户密码双重认证
client-cert-not-required
 
#用户和密码验证脚本
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
 
#使用用户名密码登录认证
username-as-common-name
 
#脚本安全级别
script-security 3

创建脚本和用户密码文件

 vim /etc/openvpn/checkpsw.sh
 
#!/bin/bash
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
 
PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
 
###########################################################
 
if [ ! -r "${PASSFILE}" ]; then
    echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >>  ${LOG_FILE}
    exit 1
fi
 
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
    echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
    exit 1
fi
 
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
    exit 0
fi
 
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

 #增加执行权限  (2020-12-17标注：不加权限，连接会用户密码认证失败，因为执行不了脚本)
chmod +x /etc/openvpn/checkpsw.sh
 
#用户密码文件，格式：一行对应一个用户
vim /etc/openvpn/psw-file
jinc 123456
test 456789
 
#修改权限
chmod 777 /etc/openvpn/psw-file
chown root.openvpn /etc/openvpn/* -R
 
#重启openvpn服务
systemctl restart openvpn@server

win10 客户端配置文件修改

 #注释掉
;cert client.crt
;key client.key
 
#添加上
auth-user-pass

本文最后记录时间 2025-05-14
文章链接地址：https://wojc.cn/archives/570.html
本站文章除注明[转载|引用|来源|来自],均为本站原创内容,转载前请注明出处

	添加几个参数

	#客户端不进行证书认证，如果不加将实现证书和用户密码双重认证
	client-cert-not-required

	#用户和密码验证脚本
	auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env

	#使用用户名密码登录认证
	username-as-common-name

	#脚本安全级别
	script-security 3

	vim /etc/openvpn/checkpsw.sh

	#!/bin/bash
	###########################################################
	# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
	#
	# This script will authenticate OpenVPN users against
	# a plain text file. The passfile should simply contain
	# one row per user with the username first followed by
	# one or more space(s) or tab(s) and then the password.

	PASSFILE="/etc/openvpn/psw-file"
	LOG_FILE="/var/log/openvpn-password.log"
	TIME_STAMP=`date "+%Y-%m-%d %T"`

	###########################################################

	if [ ! -r "${PASSFILE}" ]; then
	echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
	exit 1
	fi

	CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
	if [ "${CORRECT_PASSWORD}" = "" ]; then
	echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
	exit 1
	fi

	if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
	echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
	exit 0
	fi

	echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
	exit 1

	#增加执行权限 (2020-12-17标注：不加权限，连接会用户密码认证失败，因为执行不了脚本)
	chmod +x /etc/openvpn/checkpsw.sh

	#用户密码文件，格式：一行对应一个用户
	vim /etc/openvpn/psw-file
	jinc 123456
	test 456789

	#修改权限
	chmod 777 /etc/openvpn/psw-file
	chown root.openvpn /etc/openvpn/* -R

	#重启openvpn服务
	systemctl restart openvpn@server

	#注释掉
	;cert client.crt
	;key client.key

	#添加上
	auth-user-pass

留言已关闭 var commentReplies = document.getElementsByClassName('comment-reply'); if (document.querySelector('.comment_close')) { for (var i = 0; i < commentReplies.length; i++) { commentReplies[i].style.display = 'none'; } }

留言已关闭