OpenVPN authentication by username and password

Dark Smoke
staff sergeant
Posts: 313
Registered: 2009-02-25 0:03:43
From: Dnipropetrovsk

OpenVPN authentication by username and password

Unread post by Dark Smoke » 2017-09-18 0:14:11

Hello

I just can't get authentication to work, please help, I'm messing something up somewhere :( I fail authentication every time.

openvpn.conf

Code:

port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/vpn-server.crt
dh /usr/local/etc/openvpn/keys/dh2048.pem
server 192.168.254.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log         /var/log/openvpn.log
verb 3
explicit-exit-notify 1
client-cert-not-required
auth-user-pass-verify "/usr/local/etc/openvpn/verify.sh /usr/local/etc/openvpn/user.pass" via-file

client.conf

Code:

dev tun
proto udp
remote mail.delta.in.ua 1194
resolv-retry infinite
nobind
keepalive 10 120
comp-lzo
;user nobody
;group nobody
persist-key
persist-tun
;ca ca.crt
;cert client.crt
;key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
tls-client
;push "dhcp-option DNS 192.168.1.250"
;auth MD5
auth-user-pass

verify.sh

Code:

#!/bin/sh
# verify.sh - OpenVPN auth-user-pass-verify script (via-file mode)
# with a simple "username=md5" user db.

# Config parameters

conf="/usr/local/etc/openvpn/user.pass"
logfile="/var/log/ovpnauth.log"

# End of config parameters

if [ "$1" = "" ] || [ "$1" = "help" ]
then
    echo "ovpnauth.sh v0.1 - OpenVPN sh authentication script with simple user db"
    echo "                   for use with the auth-user-pass-verify via-file option"
    echo ""
    echo "help - prints help"
    echo "md5 password - to compute password md5 checksum"
    exit 1
fi

# Salted md5 of a password: md5("<password>.<hostname>\n"), computed through a
# pipe instead of a world-readable temp file in /tmp. md5sum is from GNU
# coreutils; FreeBSD base ships md5, whose -q flag prints only the digest.
md5(){
    printf '%s.%s\n' "$1" "`uname -n`" | md5sum | awk '{print $1}'
}

if [ "$1" = "md5" ]
then
    md5 "$2"
    exit 0
fi

log(){
    echo "`date +'%m/%d/%y %H:%M'` - $1" >> "$logfile"
}

logenv(){
    environment="`env | awk '{printf "%s ", $0}'`"
    echo "`date +'%m/%d/%y %H:%M'` - $environment" >> "$logfile"
}

# OpenVPN appends the temporary credentials file name after any arguments
# given on the auth-user-pass-verify line, so take the last argument, not "$1".
for credfile; do :; done

# via-file: username on line 1, password on line 2 (password may contain spaces)
username=`sed -n '1p' "$credfile"`
password=`sed -n '2p' "$credfile"`

# computing password md5
password=`md5 "$password"`
# anchor the lookup so "bob" does not match "jbob=", and take only the hash
userpass=`grep "^$username=" "$conf" | head -n 1 | awk -F= '{print $2}'`

if [ -n "$userpass" ] && [ "$password" = "$userpass" ]
then
    log "OpenVPN authentication successful: $username"
    logenv
    exit 0
fi

# log only the username on failure; the plaintext password must not end up in the log
log "OpenVPN authentication failed: $username"
logenv
exit 1

Password file

Code:

username=MD5 pass

Server logs

==> /var/log/openvpn.log <==
Mon Sep 18 00:04:13 2017 46.98.240.199 TLS: Initial packet from [AF_INET6]::ffff:46.98.240.199:37958, sid=fd962e72 3ebaa2cd
Mon Sep 18 00:04:13 2017 46.98.240.199 peer info: IV_VER=2.3.17
Mon Sep 18 00:04:13 2017 46.98.240.199 peer info: IV_PLAT=linux
Mon Sep 18 00:04:13 2017 46.98.240.199 peer info: IV_PROTO=2
Mon Sep 18 00:04:13 2017 46.98.240.199 WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Mon Sep 18 00:04:13 2017 46.98.240.199 WARNING: Failed running command (--auth-user-pass-verify): external program fork failed
Mon Sep 18 00:04:13 2017 46.98.240.199 TLS Auth Error: Auth Username/Password verification failed for peer
Mon Sep 18 00:04:13 2017 46.98.240.199 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Mon Sep 18 00:04:13 2017 46.98.240.199 Peer Connection Initiated with [AF_INET6]::ffff:46.98.240.199:37958
Mon Sep 18 00:04:16 2017 46.98.240.199 PUSH: Received control message: 'PUSH_REQUEST'
Mon Sep 18 00:04:16 2017 46.98.240.199 Delayed exit in 5 seconds
Mon Sep 18 00:04:16 2017 46.98.240.199 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Mon Sep 18 00:04:21 2017 46.98.240.199 SIGTERM[soft,delayed-exit] received, client-instance exiting

Client logs

Mon Sep 18 00:04:22 2017 OpenVPN 2.3.17 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 20 2017
Mon Sep 18 00:04:22 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Enter Auth Username: ****
Enter Auth Password: ****
Mon Sep 18 00:04:25 2017 Control Channel Authentication: tls-auth using INLINE static key file
Mon Sep 18 00:04:25 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 18 00:04:25 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 18 00:04:25 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Sep 18 00:04:25 2017 UDPv4 link local: [undef]
Mon Sep 18 00:04:25 2017 UDPv4 link remote: [AF_INET]195.248.184.7:1194
Mon Sep 18 00:04:25 2017 TLS: Initial packet from [AF_INET]195.248.184.7:1194, sid=f32c6ae4 a55eb273
Mon Sep 18 00:04:25 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Sep 18 00:04:25 2017 VERIFY OK: depth=1, CN=Easy-RSA CA
Mon Sep 18 00:04:25 2017 Validating certificate key usage
Mon Sep 18 00:04:25 2017 ++ Certificate has key usage 00a0, expects 00a0
Mon Sep 18 00:04:25 2017 VERIFY KU OK
Mon Sep 18 00:04:25 2017 Validating certificate extended key usage
Mon Sep 18 00:04:25 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Sep 18 00:04:25 2017 VERIFY EKU OK
Mon Sep 18 00:04:25 2017 VERIFY OK: depth=0, CN=vpn-server
Mon Sep 18 00:04:25 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Sep 18 00:04:25 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 18 00:04:25 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Sep 18 00:04:25 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 18 00:04:25 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Sep 18 00:04:25 2017 [vpn-server] Peer Connection Initiated with [AF_INET]195.248.184.7:1194
Mon Sep 18 00:04:28 2017 SENT CONTROL [vpn-server]: 'PUSH_REQUEST' (status=1)
Mon Sep 18 00:04:28 2017 AUTH: Received control message: AUTH_FAILED
Mon Sep 18 00:04:28 2017 SIGTERM[soft,auth-failure] received, process exiting
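
As an added example (not code from this thread), here is a via-file verifier in Python that reads the credentials the way OpenVPN writes them (username on line 1, password on line 2, file name passed as the last argument after anything else on the auth-user-pass-verify line), matches the username exactly instead of with a substring grep, stores per-user salted PBKDF2 hashes instead of a fixed-salt md5, and never writes the password to its log. The db path and the 'username:salt:hash' file format are assumptions; the script is only ever run once the server config has script-security 2, which the warning in the server log above is about.

```python
# OpenVPN auth-user-pass-verify checker for via-file mode (added example).
import hashlib
import hmac
import os
import sys

USER_DB = "/usr/local/etc/openvpn/user.pass"  # assumed path

def pw_hash(salt_hex, password):
    """Per-user salted PBKDF2-HMAC-SHA256, hex encoded."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                               100000).hex()  # 100k iterations

def make_entry(username, password):
    """One db line in the assumed 'username:salt:hash' format."""
    salt_hex = os.urandom(16).hex()
    return "%s:%s:%s" % (username, salt_hex, pw_hash(salt_hex, password))

def parse_credentials(text):
    """via-file: username on line 1, password on line 2 (password kept verbatim)."""
    lines = text.split("\n")
    if len(lines) < 2 or not lines[0].strip():
        return None, None
    return lines[0].strip(), lines[1]

def check(username, password, db_lines):
    """True only for an exact username match and a matching hash (constant-time compare)."""
    for line in db_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, salt_hex, stored = line.split(":", 2)
        if user == username:  # exact match, unlike 'grep bob=' which also hits 'jbob='
            return hmac.compare_digest(pw_hash(salt_hex, password), stored)
    return False

def main(argv):
    # OpenVPN appends the credentials file name after any arguments written on
    # the auth-user-pass-verify line, so read the last argument, not argv[1].
    with open(argv[-1]) as f:
        username, password = parse_credentials(f.read())
    with open(USER_DB) as f:
        ok = username is not None and check(username, password, f.readlines())
    # Log the outcome and username only; never the password or the environment.
    print("openvpn auth %s: %s" % ("OK" if ok else "FAILED", username), file=sys.stderr)
    return 0 if ok else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Entries for the db are produced with make_entry; the exit status (0 on success, 1 on failure) is what OpenVPN uses to accept or reject the client.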


Dark Smoke
staff sergeant
Posts: 313
Registered: 2009-02-25 0:03:43
From: Dnipropetrovsk

OpenVPN authentication by username and password

Unread post by Dark Smoke » 2017-09-18 23:56:35

I kept fiddling with it and ended up with this.

On the server

Code:

Mon Sep 18 23:54:03 2017 178.215.168.56 TLS: Initial packet from [AF_INET6]::ffff:178.215.168.56:47298, sid=5ea9a366 0877fc79
Mon Sep 18 23:54:03 2017 178.215.168.56 OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Mon Sep 18 23:54:03 2017 178.215.168.56 TLS_ERROR: BIO read tls_read_plaintext error
Mon Sep 18 23:54:03 2017 178.215.168.56 TLS Error: TLS object -> incoming plaintext read error
Mon Sep 18 23:54:03 2017 178.215.168.56 TLS Error: TLS handshake failed
Mon Sep 18 23:54:03 2017 178.215.168.56 SIGUSR1[soft,tls-error] received, client-instance restarting

On the client

Code:

Enter Auth Username: ****
Enter Auth Password: ****
Mon Sep 18 23:54:15 2017 Control Channel Authentication: tls-auth using INLINE static key file
Mon Sep 18 23:54:15 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 18 23:54:15 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 18 23:54:15 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Sep 18 23:54:15 2017 UDPv4 link local: [undef]
Mon Sep 18 23:54:15 2017 UDPv4 link remote: [AF_INET]195.248.184.7:1194
Mon Sep 18 23:54:15 2017 TLS: Initial packet from [AF_INET]195.248.184.7:1194, sid=8269d796 14d82ee4
Mon Sep 18 23:54:15 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Sep 18 23:54:15 2017 VERIFY OK: depth=1, CN=Easy-RSA CA
Mon Sep 18 23:54:15 2017 Validating certificate key usage
Mon Sep 18 23:54:15 2017 ++ Certificate has key usage  00a0, expects 00a0
Mon Sep 18 23:54:15 2017 VERIFY KU OK
Mon Sep 18 23:54:15 2017 Validating certificate extended key usage
Mon Sep 18 23:54:15 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Sep 18 23:54:15 2017 VERIFY EKU OK
Mon Sep 18 23:54:15 2017 VERIFY OK: depth=0, CN=vpn-server
^CMon Sep 18 23:54:36 2017 event_wait : Interrupted system call (code=4)
Mon Sep 18 23:54:36 2017 SIGINT[hard,] received, process exiting

skeletor
major
Posts: 2548
Registered: 2007-11-16 18:22:04

OpenVPN authentication by username and password

Unread post by skeletor » 2017-09-26 17:04:28

I once did it this way: http://skeletor.org.ua/?p=1571