4.2 Creating the tar file for the phone (client)
The phone, as an OpenVPN client, needs at least ca.crt, client.crt, client.key and client.ovpn, and these files must be packaged in tar format.
[root@localhost easy-rsa]# cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/client/
[root@localhost easy-rsa]# cp /etc/openvpn/easy-rsa/pki/issued/client.crt /etc/openvpn/client/
[root@localhost easy-rsa]# cp /etc/openvpn/easy-rsa/pki/private/client.key /etc/openvpn/client/
Now the files in /etc/openvpn/client should be:
[Screenshot: 4-openvpn-client-file]
[root@localhost client]# tar -cvpf openvpn.tar *
ca.crt
client.crt
client.key
client.ovpn
You now have the openvpn.tar file; put it into a folder from which you can import it into the phone.
4.3 Import tar file into Htek phone
Import the openvpn.tar file into the phone.
Choose Yes and then click the SaveSet button at the bottom of the webpage; the phone will reboot to apply the new configuration.
Once the phone has booted, you can check the VPN address.
LCD GUI: Menu -> Status -> Network -> 5.VPN
5 Option: Authenticate with Username/Password
If you want to use a username/password in addition to the certificate to verify the client, proceed as follows.
5.1 Prepare a script to check username/password
[root@localhost openvpn]# vim /etc/openvpn/checkpsw.sh
The content is:
#!/bin/bash
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN runs it through "auth-user-pass-verify ... via-env",
# so the credentials arrive in the environment variables
# username and password; exit 0 accepts, exit 1 rejects.
PASSFILE="/etc/openvpn/auth_file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")
###########################################################
if [ ! -r "${PASSFILE}" ]; then
    echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
    exit 1
fi
# Hand the username to awk with -v instead of splicing it into the program
# text, so a name containing quotes cannot change what awk executes.
CORRECT_PASSWORD=$(awk -v u="${username}" '!/^;/ && !/^#/ && $1 == u { print $2; exit }' "${PASSFILE}")
if [ -z "${CORRECT_PASSWORD}" ]; then
    # The supplied password is deliberately never written to the log file.
    echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
    exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
    exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1
After saving the file, make it executable:
[root@localhost openvpn]# chmod +x checkpsw.sh
5.2 Create username/password record file
In checkpsw.sh we defined PASSFILE, the file that stores the username/password pairs.
[root@localhost openvpn]# vim /etc/openvpn/auth_file
In this file, record one username and password per line, like the following:
htek 123456
client 456789
5.3 Modify server.conf
[root@localhost openvpn]# vim /etc/openvpn/server.conf
Add these three lines:
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
username-as-common-name
script-security 3
So the server.conf now looks like this:
port 1194
proto udp
dev tun
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
username-as-common-name
script-security 3
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.252.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.0.230"
push "dhcp-option DNS 114.114.114.114"
client-to-client
keepalive 10 120
cipher AES-256-CBC
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20
explicit-exit-notify 1
After you have done this, restart the OpenVPN server for the change to take effect:
[root@localhost openvpn]# systemctl restart openvpn@server
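Before restarting, it is worth confirming that the three lines fit together: via-env only works with script-security 3 (via-file is satisfied by level 2), and username-as-common-name has to be present. The check below is an added example, not part of the Htek guide; it assumes the server.conf layout shown above and constructs its own sample configs.

```shell
#!/bin/sh
# Added example, not part of the Htek guide: check the three server.conf lines
# from section 5.3 before restarting OpenVPN. via-env passes the password to
# the script through the environment and needs script-security 3, via-file
# needs level 2, and username-as-common-name must be present.

# directive_value FILE NAME: arguments of the first active NAME line
# (lines starting with ';' or '#' are comments); empty when absent
directive_value() {
    awk -v name="$2" '!/^[ \t]*[;#]/ && $1 == name {
        sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# has_directive FILE NAME: succeed if an active NAME line exists
has_directive() {
    awk -v name="$2" '!/^[ \t]*[;#]/ && $1 == name { f = 1 } END { exit !f }' "$1"
}

# check_auth_config FILE: 0 when the username/password options are consistent,
# 1 otherwise; one line is printed per finding
check_auth_config() {
    conf=$1 rc=0
    verify=$(directive_value "$conf" auth-user-pass-verify)
    method=${verify##* }
    level=$(directive_value "$conf" script-security)
    case "$method" in
        "")       echo "auth-user-pass-verify is missing"; return 1 ;;
        via-env)  need=3 ;;
        via-file) need=2 ;;
        *)        echo "unknown auth-user-pass-verify method: $method"; return 1 ;;
    esac
    if [ -z "$level" ] || [ "$level" -lt "$need" ]; then
        echo "script-security must be at least $need for $method (found: ${level:-unset})"; rc=1
    fi
    has_directive "$conf" username-as-common-name || { echo "username-as-common-name is missing"; rc=1; }
    # Informational only: deprecated in OpenVPN 2.4, removed in 2.5
    has_directive "$conf" client-cert-not-required &&
        echo "note: client-cert-not-required is obsolete; use 'verify-client-cert none'"
    return "$rc"
}

# Constructed sample configs: the guide's working triple, and a weak variant
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf '%s\n' 'auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env' \
    'username-as-common-name' 'script-security 3' > "$WORK/good.conf"
printf '%s\n' 'auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env' \
    'script-security 2' > "$WORK/weak.conf"
check_auth_config "$WORK/good.conf" && echo "good.conf: consistent"
check_auth_config "$WORK/weak.conf" || echo "weak.conf: fix before restarting"
```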
5.4 Modify the client.conf
Add this line to the client.conf:
auth-user-pass /hlfs/vpn/auth.txt
And now the whole file is like this:
client
dev tun
proto udp
remote 223.68.137.166 1194
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass /hlfs/vpn/auth.txt
ca /hlfs/vpn/ca.crt
cert /hlfs/vpn/client.crt
key /hlfs/vpn/client.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
comp-lzo
mute 20
5.5 Create a username/password file for client
[root@localhost client]# vim auth.txt
Then add the username and password matching the record in /etc/openvpn/auth_file, such as:
5.6 Creating the tar file for the phone (client)
In the previous steps we prepared the files for the phone.
Now there is one more file, auth.txt, so in /etc/openvpn/client:
[root@localhost client]# tar -cvpf openvpn.tar *
auth.txt
ca.crt
client.crt
client.key
client.ovpn
Now, put the new openvpn.tar file into a folder and import it into the phone.
5.7 If you don’t want to verify by a certificate
In the server.conf, add this line (note that client-cert-not-required is deprecated since OpenVPN 2.4 and was removed in 2.5, where the equivalent is verify-client-cert none):
client-cert-not-required
So the whole server.conf will be:
port 1194
proto udp
dev tun
client-cert-not-required
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
username-as-common-name
script-security 3
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.252.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.0.230"
push "dhcp-option DNS 114.114.114.114"
client-to-client
keepalive 10 120
cipher AES-256-CBC
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20
explicit-exit-notify 1
In the client.conf, comment out these two lines:
;cert /hlfs/vpn/client.crt
;key /hlfs/vpn/client.key
So the whole client.conf will be:
client
dev tun
proto udp
remote 223.68.137.166 1194
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass /hlfs/vpn/auth.txt
ca /hlfs/vpn/ca.crt
;cert /hlfs/vpn/client.crt
;key /hlfs/vpn/client.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
comp-lzo
mute 20
6 Option: Use one file - client.ovpn
For some purposes you may want to put everything into a single file; that is possible.
Let's continue with the example from section 4. We now have at least four files:
client.ovpn
ca.crt
client.crt
client.key
We can paste the contents of ca.crt, client.crt and client.key between the corresponding tags (<ca>, <cert>, <key>) in client.ovpn to merge them into one file.
Below is a complete example.
client
dev tun
proto udp
remote 223.68.137.166 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
comp-lzo
mute 20
<ca>
-----BEGIN CERTIFICATE-----
MIIDHjCCAgagAwIBAgIJAKV150fiYst9MA0GCSqGSIb3DQEBCwUAMA8xDTALBgNV
BAMMBEh0ZWswHhcNMjEwMjI3MDkwODMwWhcNNDAwNDI4MDkwODMwWjAPMQ0wCwYD
VQQDDARIdGVrMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2R9KlUaT
wN2b6Y8L1bRqgKdHCj/vSFG6teETMtc2GQlLKZxnwlVxHXv82zNhs8e2YeroOU5w
YJU4fR6RJHz+xAntCiIGhrwGUTNyNOJXNeg8/gLemeG5L0LchzIToNWJjkgvzEpf
zZfAJ1Dk4Jqx4vnGc3CENfZYjDvQCVIMdgElbp/I+3eO81TK7V0B9UGAdq4V3beK
71uluMlvBvOLldQwO//H87zs9p6sD55jRrdey+i/VHOdrOqLo0Lee8ggbtjI1FEY
OpyghWoyilSyXF4xKTLOFGWW339V/G+xOcruoNzzavn1f//TNF9KLht40VwmcGZt
eU8ZgozxIoANfwIDAQABo30wezAdBgNVHQ4EFgQUMp7Ugzrxljpt05h5hALXekSg
BZUwPwYDVR0jBDgwNoAUMp7Ugzrxljpt05h5hALXekSgBZWhE6QRMA8xDTALBgNV
BAMMBEh0ZWuCCQCldedH4mLLfTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAN
BgkqhkiG9w0BAQsFAAOCAQEAjQ/Kyqe4WnbtmWy+/ibbrTff8+v9QRxqDRPSPmmX
iK0A/ESp+jeUqXDNX8NO14LUU2Uciz7dTtvKABsbpHK2Jtebzw4RIEHIHmpQSErg
pFUTzm7yama3SH4EWFR1QLcYitiTirTFl4H26/GCYZUtFYJKHH74JRgUjYtkfN2t
fWkgiVrtcYct/s2yPHXToh2AiiKqbGjx8iL0Of60lf7/fcuNqUs1TVvaQcKh6oOH
jCE4Z5JLF6l9ytDtyl9WyiuWhgZYyElpEmoEMHeGZdqYapDPhiOOSnm1I+wx17Pt
tawGNHIa9f7Yc/9GXj3gtMrb/b0KaJLPdnVrmfbDl6hx7Q==
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7c:81:36:da:37:04:09:ac:2a:9a:07:a2:d0:a6:19:be
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Htek
Validity
Not Before: Feb 27 09:09:46 2021 GMT
Not After : Feb 25 09:09:46 2031 GMT
Subject: CN=htekclient
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c9:3a:a5:7a:df:e9:52:fa:ea:b3:ab:60:55:16:
0a:f0:f3:f7:eb:6c:e1:83:a4:13:6e:54:df:be:b7:
42:df:b0:e0:bd:3d:3f:13:64:ab:1f:e3:bb:e5:81:
19:eb:4b:be:36:d7:b8:3e:5c:34:fb:97:18:2e:c3:
e0:2c:42:0e:76:aa:f8:9c:5a:83:8f:8d:06:80:2e:
03:41:d3:f5:60:99:ea:9a:68:24:45:f3:97:ea:63:
96:00:de:18:8c:7e:05:8f:30:0a:40:61:46:81:08:
08:30:5c:d8:e8:00:7d:ff:1f:a6:1c:b7:13:5f:fd:
87:aa:39:c8:7e:76:74:13:3d:ca:45:f2:c4:26:a3:
3c:e4:f4:03:18:48:41:af:cd:c9:f0:21:7e:2c:1a:
57:43:5b:19:5c:80:91:d0:e1:c2:8f:f9:93:30:9e:
43:73:5f:a0:3c:43:52:59:61:b1:3f:4a:76:ac:26:
1e:34:64:b6:cd:07:74:5a:5e:0c:22:86:a6:48:63:
d9:c9:9c:75:38:16:fe:c6:66:ad:08:46:5d:1b:6c:
09:42:90:01:d7:4b:06:fd:0e:a7:e9:45:13:f7:a8:
c9:32:80:84:db:68:4a:51:33:48:19:f1:a2:af:ae:
94:c0:4c:92:db:f1:13:e2:47:4c:9f:b8:6d:49:19:
1a:fb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
EC:B1:C9:8B:74:67:4F:2E:25:A5:94:A6:99:51:33:C4:FE:7F:BD:BE
X509v3 Authority Key Identifier:
keyid:32:9E:D4:83:3A:F1:96:3A:6D:D3:98:79:84:02:D7:7A:44:A0:05:95
DirName:/CN=Htek
serial:A5:75:E7:47:E2:62:CB:7D
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
7a:8d:2c:67:0e:21:01:c6:42:ef:5b:d1:87:77:20:69:b4:e5:
a8:7a:60:24:ee:67:d7:32:8b:22:5b:3f:f2:e0:d8:33:bf:a2:
d8:f6:53:7e:8f:1c:2a:87:e6:ec:a6:94:79:81:2d:f2:31:3a:
88:54:a4:81:f4:de:85:f8:dd:8e:27:9b:75:0f:67:68:ff:2b:
b3:76:65:3d:0f:5a:81:04:78:d3:26:84:1a:70:cb:a4:bb:30:
63:19:5b:a5:36:3b:d3:6f:0d:e2:9d:49:32:2a:8b:46:20:fc:
e7:60:9c:7a:f5:45:5f:27:80:51:93:49:a3:44:56:f8:dc:8e:
f7:34:6b:35:5a:48:3e:ff:3c:79:d3:ce:99:6a:2e:cd:4a:aa:
10:48:d8:f7:0c:f6:d0:cd:1d:43:86:20:7c:85:21:24:7d:44:
28:fa:cf:c2:2a:64:30:28:87:85:dc:cc:6f:1f:56:fc:cd:e6:
a7:81:99:ed:32:20:43:39:10:45:15:bb:24:47:a5:a5:7d:e6:
40:ba:46:bb:67:e5:d2:4c:d8:83:6d:cf:64:4a:65:ac:8f:c2:
0a:ec:20:4c:42:66:b5:42:1c:e9:fa:67:58:e3:87:6f:bd:98:
7c:98:99:91:39:fc:be:4b:ec:7b:5b:39:e8:ec:d0:a7:eb:2c:
d5:78:ad:75
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIQfIE22jcECawqmgei0KYZvjANBgkqhkiG9w0BAQsFADAP
MQ0wCwYDVQQDDARIdGVrMB4XDTIxMDIyNzA5MDk0NloXDTMxMDIyNTA5MDk0Nlow
FTETMBEGA1UEAwwKaHRla2NsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAMk6pXrf6VL66rOrYFUWCvDz9+ts4YOkE25U3763Qt+w4L09PxNkqx/j
u+WBGetLvjbXuD5cNPuXGC7D4CxCDnaq+Jxag4+NBoAuA0HT9WCZ6ppoJEXzl+pj
lgDeGIx+BY8wCkBhRoEICDBc2OgAff8fphy3E1/9h6o5yH52dBM9ykXyxCajPOT0
AxhIQa/NyfAhfiwaV0NbGVyAkdDhwo/5kzCeQ3NfoDxDUllhsT9KdqwmHjRkts0H
dFpeDCKGpkhj2cmcdTgW/sZmrQhGXRtsCUKQAddLBv0Op+lFE/eoyTKAhNtoSlEz
SBnxoq+ulMBMktvxE+JHTJ+4bUkZGvsCAwEAAaOBkDCBjTAJBgNVHRMEAjAAMB0G
A1UdDgQWBBTsscmLdGdPLiWllKaZUTPE/n+9vjA/BgNVHSMEODA2gBQyntSDOvGW
Om3TmHmEAtd6RKAFlaETpBEwDzENMAsGA1UEAwwESHRla4IJAKV150fiYst9MBMG
A1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOC
AQEAeo0sZw4hAcZC71vRh3cgabTlqHpgJO5n1zKLIls/8uDYM7+i2PZTfo8cKofm
7KaUeYEt8jE6iFSkgfTehfjdjiebdQ9naP8rs3ZlPQ9agQR40yaEGnDLpLswYxlb
pTY7028N4p1JMiqLRiD852CcevVFXyeAUZNJo0RW+NyO9zRrNVpIPv88edPOmWou
zUqqEEjY9wz20M0dQ4YgfIUhJH1EKPrPwipkMCiHhdzMbx9W/M3mp4GZ7TIgQzkQ
RRW7JEelpX3mQLpGu2fl0kzYg23PZEplrI/CCuwgTEJmtUIc6fpnWOOHb72YfJiZ
kTn8vkvse1s56OzQp+ss1XitdQ==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDJOqV63+lS+uqz
q2BVFgrw8/frbOGDpBNuVN++t0LfsOC9PT8TZKsf47vlgRnrS74217g+XDT7lxgu
w+AsQg52qvicWoOPjQaALgNB0/VgmeqaaCRF85fqY5YA3hiMfgWPMApAYUaBCAgw
XNjoAH3/H6YctxNf/YeqOch+dnQTPcpF8sQmozzk9AMYSEGvzcnwIX4sGldDWxlc
gJHQ4cKP+ZMwnkNzX6A8Q1JZYbE/SnasJh40ZLbNB3RaXgwihqZIY9nJnHU4Fv7G
Zq0IRl0bbAlCkAHXSwb9DqfpRRP3qMkygITbaEpRM0gZ8aKvrpTATJLb8RPiR0yf
uG1JGRr7AgMBAAECggEBAL4MrY1HPE4qvM/D4894agz33gZzZum1ZMSnVEoDOx2Z
KCiSV6gxQ41ywFsZeylG9/dD9bavzzpukWBZjrc+C/r3rqW8ttQ1FRaqXlklnnIF
7BS4lsmaLrgoJdvb5sOJoiaB8KytMrFarKFAj3tOO7FgarpkDeByylZzDHCj3yzr
WQ10mblopXU7Ux1N2fyW496H8DkCkLKsvLqthR6h3sW31cH9GgoEDHPSIC/OIwWB
oH6j7/FQVOQeguuIaYsfFIhgr5Uyd/yQrWXMkbfXBr/Pzw6XyAdfrFFmYqa50x3Q
VyPEjhX5om0Cm5aji5hOViFhrDRZ8eZdv884tBdw98ECgYEA8v+WwW4s04xupdsf
PdpzyV0SQ3/LtRlZAwFMqiCyfYt80raIgWUEvUoFzD6CgSmHbXpqfD8yDTyU1di9
f0maN7p+FW1XPIdYyIbYyFvZ+tBTsc2RxCRuUYG0AGcDXwyxLMl0DDddstmGtrVn
FcUA2RRusYxESOfOM9XWu4GLgd8CgYEA0/7uwhu/xZH1Q/2HSPGSYcOM5tMkAmUM
HYnp0oco9egJoAsYyRMHPzqCh0FLLLHqt2Z03SFNgQNp41IIfa21V5f3u92aGmtJ
/+Qw2juO1Yr13m239+MSfo0+UH/8+c7chlLl0SxUvVvLGv/kTu1qvKHPERke8/CU
zIAxbBiY4mUCgYAvWUIk2rT9W6XLx5Ck2sYo/Gusn2AwH4pKnZw0oj5lXCKsZEjg
/bAYui27CIshY9gxquLI5v93uNA/gwYZoVvddAdRYYbYEn9oQ25GTC+DQcitIqM+
luKwGxfZ5Dix8qUrVu2326n0SZKIU3yMr2Bk7ChNjElZ82EolIhM7Qcj/QKBgE+i
5bf/SpQCV3taAvcQ4GdfWU/goxdPNDToePDAG0/9AZigcogeYMuMxDng+kdo8n5A
u8fR2daMHLvrNgtYNNYZ3VMyVNB120+IPh3M38QyNlh/KOuy3mCx2GXPHo4M+mRv
QavJFnAnym1zESXhJAaGVk3a/PiwOIV15prvxobNAoGBAJnomqvnSs9jCKznUJTT
WyH/HDeBW0dSiu6j8sUqT8aBgoMgv3E/tp4Oi/w9a6JPDOgxEI1tcGQDWUTOb7M4
M0jTWOz6QCMV5qOwbiwk0UV6A2BokCZuH5k4p2ZZzhtjOD4caZ3sN6lJpsa3vfBa
dxclHQ+uusQgrAXxPo6bBwPq
-----END PRIVATE KEY-----
</key>
All done. Now you can import this client.ovpn file into the phone; there is no need to pack the files into a .tar file.
Please note that if you use password authentication at the same time, the credentials file (auth.txt) cannot be embedded in client.ovpn. You still need the line auth-user-pass /hlfs/vpn/auth.txt in client.ovpn to point to its path, and you still need to pack client.ovpn and auth.txt into a .tar file.
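The merge described in section 6 can be scripted so that only the PEM part of each file is copied (the readable "Certificate:" dump that easy-rsa prepends to issued certs, visible in the example above, is left out) and the ca/cert/key file directives are removed because the inline blocks replace them. This is an added example, not part of the Htek guide; its input files are constructed placeholders, not real credentials.

```shell
#!/bin/sh
# Added example, not from the Htek guide: build the single client.ovpn of
# section 6 by copying ca.crt, client.crt and client.key into <ca>, <cert> and
# <key> blocks. Only the PEM part of each file is copied, and the ca/cert/key
# file directives are dropped because the inline blocks replace them.
# The inputs below are constructed placeholders, not real credentials.

# pem_only FILE: print only the -----BEGIN ... -----END block(s) of FILE
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# merge_ovpn BASE CA CERT KEY: write the merged profile to standard output
merge_ovpn() {
    # keep every directive except the three that point at external files
    grep -Ev '^[[:space:]]*(ca|cert|key)[[:space:]]' "$1"
    printf '<ca>\n';   pem_only "$2"; printf '</ca>\n'
    printf '<cert>\n'; pem_only "$3"; printf '</cert>\n'
    printf '<key>\n';  pem_only "$4"; printf '</key>\n'
}

# count_inline_blocks FILE: number of PEM blocks in a merged profile (expect 3)
count_inline_blocks() {
    grep -c '^-----BEGIN ' "$1"
}

# Constructed sample inputs: a profile that still references files, and
# stand-in PEM files; client.crt carries an easy-rsa style text dump in front
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf '%s\n' 'client' 'dev tun' 'proto udp' 'remote vpn.example.com 1194' \
    'ca /hlfs/vpn/ca.crt' 'cert /hlfs/vpn/client.crt' 'key /hlfs/vpn/client.key' \
    'remote-cert-tls server' 'keepalive 10 120' > "$WORK/client.ovpn"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CA-PEM-PLACEHOLDER' \
    '-----END CERTIFICATE-----' > "$WORK/ca.crt"
printf '%s\n' 'Certificate:' '    Data:' '        Version: 3 (0x2)' \
    '-----BEGIN CERTIFICATE-----' 'CLIENT-PEM-PLACEHOLDER' \
    '-----END CERTIFICATE-----' > "$WORK/client.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEY-PEM-PLACEHOLDER' \
    '-----END PRIVATE KEY-----' > "$WORK/client.key"

merge_ovpn "$WORK/client.ovpn" "$WORK/ca.crt" "$WORK/client.crt" "$WORK/client.key" \
    > "$WORK/merged.ovpn"
cat "$WORK/merged.ovpn"
```

On a real system, point merge_ovpn at the files in /etc/openvpn/client instead of the placeholders; auth.txt still has to travel separately, as the note above explains.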