专栏名称: 云技术实践
关注云计算,云技术,云运维,云存储,存储,分布式,OpenStack,SDN,Ceph,虚拟化,运维,分享在云计算/虚拟化/运维项目实施中的资讯、经验、技术,坚持干货。
目录
相关文章推荐
架构师之路  ·  deepseek开源了FlashMLA,但它 ... ·  1 周前  
架构师之路  ·  从“配置私藏”到“配置中心”,你到了哪个阶段 ... ·  4 天前  
架构师之路  ·  疯了!居然有人试图让我搞懂,什么是DeepG ... ·  5 天前  
架构师之路  ·  deepseek开源第二弹DeepEP,但它 ... ·  6 天前  
美团技术团队  ·  美团2025年春季校园招聘全球启动 ·  5 天前  
51好读  ›  专栏  ›  云技术实践

openvpn结合mysq实现用户密码管理

云技术实践  · 公众号  · 架构  · 2017-07-07 17:30

正文


1.安装mysql


yum -y install mysql mysql-server

chkconfig mysqld on

service mysqld start

2.创建openvpn数据库


添加vpn用户,允许访问数据库


GRANT ALL ON openvpn.* TO vpn@'%' IDENTIFIED BY 'vpn@2017_shanghai' WITH GRANT OPT0ION;


GRANT ALL ON openvpn.* TO vpn@'172.16.0.14' IDENTIFIED BY 'vpn@2017_shanghai' WITH GRANT OPTION;


创建数据库openvpn


CREATE DATABASE IF NOT EXISTS openvpn DEFAULT CHARSET utf8;


创建用户表


userCREATETABLE`user`(


-> `username`char(32)collateutf8_unicode_ci NOTNULL,


-> `password`char(128)collateutf8_unicode_ci defaultNULL,


-> `active`int(10)NOTNULL default'1',


-> `creation`timestampNOTNULL defaultCURRENT_TIMESTAMP,


-> `name`varchar(32)collateutf8_unicode_ci NOTNULL,


-> `email`char(128)collateutf8_unicode_ci defaultNULL,


-> `note`textcollateutf8_unicode_ci,


-> `quota_cycle`int(10)NOTNULL default'30',


-> `quota_bytes`bigint(20)NOTNULL default'10737418240',


-> `enabled`int(10)NOTNULL default'1',


-> PRIMARY KEY (`username`),


-> KEY`idx_active`(`active`),


-> KEY`idx_enabled`(`enabled`)


->) ENGINE=MyISAMDEFAULTCHARSET=utf8COLLATE=utf8_unicode_ci;


创建日志表logCREATETABLE`log`(


`username`varchar(32)COLLATEutf8_unicode_ci NOTNULL,


`start_time`timestampNOTNULL DEFAULTCURRENT_TIMESTAMP,


`end_time`timestampNOTNULL DEFAULT'0000-00-0000:00:00',


`trusted_ip`varchar(64)COLLATEutf8_unicode_ci DEFAULTNULL,


`trusted_port`int(10)DEFAULTNULL,


`protocol`varchar(16)COLLATEutf8_unicode_ci DEFAULTNULL,


`remote_ip`varchar(64)COLLATEutf8_unicode_ci DEFAULTNULL,


`remote_netmask`varchar(64)COLLATEutf8_unicode_ci DEFAULTNULL,


`bytes_received`bigint(20)DEFAULT'0',


`bytes_sent`bigint(20)DEFAULT'0',


`status`int(10)NOTNULL DEFAULT'1',


KEY`idx_username`(`username`),


KEY`idx_start_time`(`start_time`),


KEY`idx_end_time`(`end_time`)


)ENGINE=MyISAMDEFAULTCHARSET=utf8COLLATE=utf8_unicode_ci;


添加测试用户


INSERT INTO user(username,password,name) VALUES('user1',ENCRYPT('123456'),'user1');


3.安装配置pam_mysql


yum install -y pam_krb5 pam_mysql pam pam-devel


cat /etc/pam.d/openvpn


auth sufficient /lib64/security/pam_mysql.so user=vpn passwd=vpn@2017_shanghai host=172.16.0.14 db=openvpn table=user usercolumn=username passwdcolumn=password where=active=1 sqllog=0 crypt=1


account required /lib64/security/pam_mysql.so user=vpnpasswd=vpn@2017_shanghai host=172.16.0.14 db=openvpn table=user usercolumn=username passwdcolumn=password where=active=1 sqllog=0 crypt=1



4.安装openvpn


yuminstall openvpn easy-rsa


cp /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so/etc/openvpn/#复制easy-rsa


mkdir-p /etc/openvpn/easy-rsa/


cp-r /usr/share/easy-rsa/2.0/*/etc/openvpn/easy-rsa


生成证书


cd /etc/openvpn/easy-rsa


source./vars


sh./clean-all


sh./build-ca


sh./build-key-server server


sh./build-dh


创建/etc/openvpn/server.conf文件


local 外网ip


port 1195


proto udp


dev tun


ca /etc/openvpn/easy-rsa/keys/ca.crt


cert /etc/openvpn/easy-rsa/keys/server.crt


key /etc/openvpn/easy-rsa/keys/server.key    #This file should be kept secret


dh /etc/openvpn/easy-rsa/keys/dh2048.pem


server 192.168.200.0255.255.255.0


ifconfig-pool-persist ipp.txt


push "route 192.168.0.0 255.0.0.0"


push "route 172.16.0.0 255.0.0.0"


client-to-client


keepalive 10 120


comp-lzo


status /usr/local/data/openvpn/logs/openvpn-status.log


log-append /usr/local/data/openvpn/logs/openvpn.log


user nobody


group nobody


persist-key


persist-tun


verb3


#user/passauth from mysql


plugin /usr/local/data/openvpn/openvpn-auth-pam.so openvpn


cipher AES-256-CBC


client-cert-not-required


username-as-common-name


script-security2#设置连接和断开脚本以便统计


client-connect /usr/local/data/openvpn/connect.sh


client-disconnect /usr/local/data/openvpn/disconnect.sh


connect.sh 脚本内容


#!/bin/bash


DB='openvpn'


DBADMIN='vpn'


DBPASSWD='vpn@2017_shanghai'


mysql -u$DBADMIN -p$DBPASSWD -h172.16.0.14 -e "INSERT INTO log(username,start_time,trusted_ip,trusted_port,protocol,remote_ip,remote_netmask,status) VALUES('$common_name',now(),'$trusted_ip',$trusted_port,'$proto_1','$ifconfig_pool_remote_ip','$route_netmask_1',1)"$DB


disconnect.sh 脚本内容


#!/bin/bash


DB='openvpn'


DBADMIN='vpn'


DBPASSWD='vpn@2017_shanghai'


mysql -u$DBADMIN -p$DBPASSWD -h172.16.0.14 -e "UPDATE log SETend_time=now(),bytes_received=$bytes_received,bytes_sent=$bytes_sent,status=0WHEREtrusted_ip='$trusted_ip'ANDtrusted_port=$trusted_portANDremote_ip='$ifconfig_pool_remote_ip'ANDusername='$common_name 'AND status=1 "$DB


mysql -u$DBADMIN -p$DBPASSWD -h172.16.0.14 -e "UPDATE user SET active=0 WHERE user.username IN (SELECT username FROM (SELECT log.username AS username, quota_bytes FROM user,log WHERElog.username='$common_name'ANDlog.username=user.username AND log.status=0 AND TO_DAYS(NOW())-TO_DAYS(start_time)<=quota_cycleGROUPBYlog.usernameHAVINGSUM(bytes_received)+SUM(bytes_sent)>=quota_bytes) AS u);" $DB


设置转发


开启内核路由转发:


vim/etc/sysctl.conf


net.ipv4.ip_forward = 0改成net.ipv4.ip_forward= 1







请到「今天看啥」查看全文


推荐文章
架构师之路  ·  deepseek开源了FlashMLA,但它究竟是个啥?(终于懂了...)
1 周前
架构师之路  ·  从“配置私藏”到“配置中心”,你到了哪个阶段?(第38讲)
4 天前
架构师之路  ·  疯了!居然有人试图让我搞懂,什么是DeepGEMM(deepseek开源第三弹)
5 天前
架构师之路  ·  deepseek开源第二弹DeepEP,但它究竟是个啥?(终于懂了...)
6 天前
美团技术团队  ·  美团2025年春季校园招聘全球启动
5 天前
环球时报  ·  今天,美国毫不犹豫的给了“美分党”俩大嘴巴
8 年前
李瀛寰  ·  马道杰加盟,联想手机正在打造超强高管团队
8 年前
xmtguancha  ·  传统媒体的“解构”与新媒体的“解读”
7 年前
济宁拉呱  ·  哪庄小媳妇想火,录了个视频!
7 年前
占豪  ·  原创丨特朗普不卖F35、拒与蔡英文通话,空心菜这是被抛弃了?
7 年前
Sov5搜索   ·   小百科   ·   今天看啥   ·   移动版
51好读 - 好文章就要读起来!