I have installed an OpenVPN server using Easy-RSA. I generated the certificates, signed them on the CA server, and copied them back to the VPN server. I can establish the client-server connection via certificates (without username/password) without any problem.
Now I would like to enable username/password authentication via FreeRADIUS.
Server configuration file:
port 1192
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 4
explicit-exit-notify 1
I added this line to server.conf to integrate FreeRADIUS authentication with OpenVPN:
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so ovpn-0
/etc/pam.d/ovpn-0
auth required /home/ubuntu/pam_radius/pam_radius_auth.so conf=/etc/pam.d/pam_radius_auth.conf
/etc/pam.d/pam_radius_auth.conf
127.0.0.1 client123 3
client.ovpn is set up as follows:
client
auth-user-pass pass.txt
dev tun
proto udp
remote 18.133.xxx.xx 1192
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
key-direction 1
verb 4
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
58:08:xxxxx
Signature Algorithm: ecdsa-with-SHA512
Issuer: CN=Easy-RSA CA
Validity
Not Before: Jul 29 11:45:51 2020 GMT
Not After : Jul 14 11:45:51 2023 GMT
Subject: CN=client1
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:09:e8:a9:d2:2a:18:a8:23:f3:d2:48:2c:18:25:
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
5B:B0:xxx
X509v3 Authority Key Identifier:
keyid:B8:xxx
DirName:/CN=Easy-RSA CA
serial:03:DE:xxx
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: ecdsa-with-SHA512
30:66:02:31:00:9c:db:34:fe:f7:c7:e4:52:2d:2c:6f:88:de:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
When I try to connect, I get the following message:
AUTH-PAM: BACKGROUND: user 'houman' failed to authenticate: Module is unknown
I have tried everything I can think of, but the OpenVPN server refuses to reach the local FreeRADIUS server to authenticate the user.
To make sure the ovpn-0 PAM setup above can actually reach FreeRADIUS, I did this:
root@o1:/home/ubuntu# sudo pamtester -v ovpn-0 houman authenticate
pamtester: invoking pam_start(ovpn-0, houman, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated
It clearly works. Why is OpenVPN behaving this way? What should I do? I have been stuck for 10 days; any hints or suggestions are greatly appreciated.
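An added diagnostic, not part of the post: a small POSIX sh lint for the PAM service file and pam_radius_auth.conf layout used above. It checks that every module path the service file names exists and is readable, and that the RADIUS secrets file (which stores the shared secret in plain text) is not readable by group or others. The sample files it writes under mktemp are constructed, and the fallback module directory is an assumption.

```shell
#!/bin/sh
# Added example (not from the post): lint a PAM service file like /etc/pam.d/ovpn-0
# and the pam_radius_auth.conf it references via conf=<file>.

# pam_radius_auth.conf holds "server[:port] secret [timeout]" lines, so the file
# must not be readable by group/others, and every entry needs a secret.
check_radius_conf() {
    conf="$1"; bad=0
    [ -r "$conf" ] || { echo "radius conf missing or unreadable: $conf"; return 1; }
    mode=$(stat -c %a "$conf" 2>/dev/null) || mode=unknown   # GNU stat: 600, 644, ...
    case "$mode" in
        *00) ;;                                # group and other bits are clear
        *)   echo "radius conf $conf is mode '$mode'; expected 600"; bad=1 ;;
    esac
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                           # fields: server secret [timeout]
        [ "$#" -ge 1 ] || continue
        case "$1" in '#'*) continue ;; esac
        [ "$#" -ge 2 ] || { echo "no secret for server $1 in $conf"; bad=1; }
    done < "$conf"
    return "$bad"
}

# Each "type control module [args]" line must name a module that exists; relative
# module names are resolved against an assumed module directory.
lint_pam_service() {
    svc="$1"; findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        [ "$#" -ge 3 ] || continue
        case "$1" in '#'*) continue ;; esac
        module="$3"; shift 3
        case "$module" in
            /*) ;;
            *)  module="/lib/x86_64-linux-gnu/security/$module" ;;   # assumption
        esac
        [ -r "$module" ] || { echo "module not found or unreadable: $module"; findings=$((findings + 1)); }
        for arg in "$@"; do
            case "$arg" in
                conf=*) check_radius_conf "${arg#conf=}" || findings=$((findings + 1)) ;;
            esac
        done
    done < "$svc"
    return "$findings"   # 0 when clean, otherwise the number of findings
}

# Constructed demo input mirroring the post's layout (not real paths or secrets).
demo=$(mktemp -d)
printf '127.0.0.1 client123 3\n' > "$demo/pam_radius_auth.conf"; chmod 644 "$demo/pam_radius_auth.conf"
printf 'auth required %s conf=%s\n' "$demo/pam_radius_auth.so" "$demo/pam_radius_auth.conf" > "$demo/ovpn-0"
lint_pam_service "$demo/ovpn-0"   # reports the missing module and the 644 mode
```

Run it as root against the real /etc/pam.d/ovpn-0 to get the same two checks on the live files.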