A guide to configuring OpenVPN so that clients log in with a username and password and the server can be managed from a simple panel served over HTTP. The panel is written in PHP and backed by a MySQL database.
Install OpenVPN, Nginx and PHP:
aptitude install openvpn nginx php-auth php-auth-http php-auth-sasl php-db php-doc php-file php-fpdf php-gettext php-html-template-it php-http php-http-request php-http-upload php-image-text php-log php-mail php-mail-mime php-mail-mimedecode php-mime-type php-net-checkip php-net-ftp php-net-imap php-net-ipv4 php-net-ipv6 php-net-smtp php-net-socket php-net-url php-net-url2 php-pear php-soap php-timer php-xml-parser php5 php5-cgi php5-cli php5-curl php5-fpm php5-gd php5-geoip php5-gmp php5-imagick php5-imap php5-intl php5-mcrypt php5-mysql php5-rrd php5-sasl php5-xcache php5-xsl mysql-server mysql-client
Create the directory and export the panel sources into it (the export goes to /usr/share/nginx/o, which is the path every script and config below refers to):
mkdir -p /usr/share/nginx/
cd /usr/share/nginx/
svn export http://svn.code.sf.net/p/openvpn-simple-panel/code/trunk/ ./o
chmod +x ./o/scripts/*
chmod -R o-rwx /usr/share/nginx/o
chown -R www-data:www-data /usr/share/nginx/o
OpenVPN:
cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
mkdir /etc/openvpn/server
cp ./keys/{ca.crt,dh1024.pem,server.crt,server.key} /etc/openvpn/server/
Example /etc/openvpn/server/server.ovpn file:
local 1.2.2.33
port 12345
proto tcp
dev tap
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh1024.pem
server 1.2.3.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/server/ipp.txt
push "route 10.20.0.0 255.255.255.0"
client-to-client
keepalive 10 120
persist-key
persist-tun
status /usr/share/nginx/o/openvpn-status.log
log /etc/openvpn/server/openvpn.log
verb 3
auth SHA1
cipher AES-128-CBC
tls-cipher DHE-RSA-AES128-SHA
# Password-only authentication: no client certificate, the username becomes the client's CN
client-cert-not-required
username-as-common-name
# script-security 2 is required for OpenVPN to run the external scripts below
client-connect /usr/share/nginx/o/scripts/client_connect.sh
client-disconnect /usr/share/nginx/o/scripts/client_disconnect.sh
script-security 2
auth-user-pass-verify /usr/share/nginx/o/scripts/checkpass.sh via-file
up /etc/openvpn/server/up.sh
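The auth-user-pass-verify script named above receives the credentials as a two-line temporary file (username, then password) and reports the result through its exit status: 0 accepts the client, anything else rejects it. The Python script below is an added example of that contract and is not the panel's own checkpass.sh; it checks against a constructed in-memory user table with salted PBKDF2 hashes instead of the panel's MySQL lookup, and validates the username because username-as-common-name turns it into the client's CN.

```python
#!/usr/bin/env python3
# Example auth-user-pass-verify handler for OpenVPN's 'via-file' mode: it is
# called with the path of a temporary file (line 1 username, line 2 password)
# and must exit 0 to accept the client, non-zero to reject it.
import hashlib
import hmac
import os
import re
import sys

PBKDF2_ROUNDS = 100_000
# 'username-as-common-name' turns the username into the client CN, so accept
# only a conservative character set (and never embedded newlines).
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

# Constructed stand-in for the panel's MySQL user table (an assumption).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery staple", _SALT))}

def parse_credentials(path: str) -> tuple:
    """Read the two-line via-file format that OpenVPN writes."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().split("\n")
    if len(lines) < 2:
        raise ValueError("expected username and password lines")
    return lines[0], lines[1]

def verify(username: str, password: str, users=USERS) -> int:
    """Return the exit status OpenVPN expects: 0 = accept, 1 = reject."""
    if not USERNAME_RE.fullmatch(username):
        return 1
    record = users.get(username)
    if record is None:
        hash_password(password, b"\0" * 16)  # keep timing uniform for unknown users
        return 1
    salt, stored = record
    return 0 if hmac.compare_digest(hash_password(password, salt), stored) else 1

if __name__ == "__main__":
    try:
        user, pw = parse_credentials(sys.argv[1])
    except (IndexError, OSError, ValueError):
        sys.exit(1)
    sys.exit(verify(user, pw))
```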
Example /etc/openvpn/server/openvpn.sh file:
#!/bin/bash
# Simple start/stop wrapper for the OpenVPN server instance in /etc/openvpn/server.
pidfile="/etc/openvpn/server/pid"
pid=""
if [ -f "$pidfile" ]; then
    pid=$(cat "$pidfile")
fi

# Succeeds only if the recorded pid belongs to a live process.
running()
{
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

start()
{
    if running; then
        echo "OpenVPN is already started!"
    else
        openvpn --cd /etc/openvpn/server/ --config server.ovpn --daemon --writepid "$pidfile"
    fi
}

stop()
{
    if running; then
        kill "$pid"
        rm -f "$pidfile"
        pid=""
    fi
}

restart()
{
    stop
    sleep 5
    start
}

case "$1" in
    'start')
        echo -ne "Starting OpenVPN... "
        start
        echo "OK"
        ;;
    'restart')
        echo -ne "Restarting OpenVPN... "
        restart
        echo "OK"
        ;;
    'stop')
        echo -ne "Stopping OpenVPN... "
        stop
        echo "OK"
        ;;
    *)
        echo -e "\n Usage: openvpn.sh { start | stop | restart }"
        ;;
esac
File /etc/openvpn/server/up.sh (makes the status log readable by the panel):
#!/bin/sh
chmod o+r /usr/share/nginx/o/openvpn-status.log
Set permissions and start OpenVPN:
chmod 700 /etc/openvpn/server/*.sh
/etc/openvpn/server/openvpn.sh start
Example client.ovpn file, shipped to the client together with ca.crt:
client
dev tap
proto tcp
remote 1.2.2.33 12345
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
ns-cert-type server
verb 3
auth-user-pass
auth SHA1
cipher AES-128-CBC
tls-cipher DHE-RSA-AES128-SHA
MySQL:
cd /usr/share/nginx/o/
mysql -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 43
Server version: 5.5.44-0+deb7u1 (Debian)

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> CREATE USER 'openvpn'@'localhost' IDENTIFIED BY 'tajnepass';
Query OK, 0 rows affected (0.00 sec)

mysql> CREATE DATABASE openvpn;
Query OK, 1 row affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON openvpn.* TO openvpn@'localhost';
Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

mysql> use openvpn;
Database changed
mysql> source ./initdb.sql;
Query OK, 0 rows affected (0.00 sec)

Query OK, 0 rows affected (0.00 sec)

Query OK, 0 rows affected (0.11 sec)

Query OK, 0 rows affected (0.08 sec)

Query OK, 0 rows affected (0.07 sec)

Query OK, 0 rows affected (0.08 sec)

Query OK, 0 rows affected (0.32 sec)
Records: 0  Duplicates: 0  Warnings: 0

Query OK, 0 rows affected (0.22 sec)
Records: 0  Duplicates: 0  Warnings: 0

Query OK, 0 rows affected, 1 warning (0.09 sec)

mysql> \q
Bye
Nginx:
location /o/ {
    alias /usr/share/nginx/o/public/;
    allow 1.2.3.0/24;
    deny all;
    auth_basic "Restricted!";
    auth_basic_user_file /etc/nginx/htpasswd;
    index index.php;
    #try_files $uri /o/index.php;
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}
This page helps with generating the htpasswd file: http://kamil.orchia.pl/php/nginx.php
Put the allow and deny directives in place only after the first user has been added: 1.2.3.0/24 is the VPN subnet, so until someone can connect to the VPN the panel would be unreachable.
Copy the file /usr/share/nginx/o/config/config.ini.example:
cp /usr/share/nginx/o/config/config.ini.example /usr/share/nginx/o/config/config.ini
The panel reads its configuration from the file /usr/share/nginx/o/config/config.ini.
Note: the files /usr/share/nginx/o/scripts/genfw.php and /usr/share/nginx/o/scripts/reload.php must be adapted to your own configuration.
Crontab:
*/5 * * * * root cd /usr/share/nginx/o/scripts && ./reload.php