Let me share my project's setup, which I decided to cancel due to low interest from my old clients.
How does it work?
- Clients are authenticated via username/password, which are actually stored in WordPress.
- We add 2 fields to the "wp_users" table to enable the vpncredit system, meaning every client has a field containing a number. This number is decreased by one every minute using crontab. Let's call this vpncredits.
- We use a command-line PHP script to check the OpenVPN username/password against the corresponding fields in the WordPress database.
- There is a bash script that helps with this (you can rewrite it in pure PHP if you wish).
- We set up crontab to decrease vpncredits every minute.
- This setup is based on TCP. You can reconfigure it to UDP if needed; I set it up as TCP for proxy capabilities.
- Plus a few tips and files at the end.
topic3158.html?hilit=wordpress
Changelog:
- Using latest Wordpress
- The WordPress password hash is no longer modified (to MD5) as it was before, so it's more secure now.
- Only two columns had to be added to the "wp_users" table to enable the "credit system".
- Easier to understand and set up
- More places where monitoring and logging can be set up
- Comments and this step-by-step howto
- Install and set up Wordpress:
- apt-get install apache2 php5 mysql-server phpmyadmin
- extract latest wordpress to your www dir
- Set up wordpress (it is quite easy): http://codex.wordpress.org/Installing_WordPress
- Install OpenVPN + creating Certs:
- apt-get install openvpn
- cd /etc/openvpn
- cp -ra /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa
- cd easy-rsa
- <EDIT "vars" FILE>
- ln -s openssl-1.0.0.cnf openssl.cnf
- source ./vars
- ./clean-all
- ./build-ca
- ./build-key-server vpnserver
- ./build-key vpnclient
- ./build-dh dh2048.pem # 2048 if you set this up in "vars"
- cd /etc/openvpn
- mkdir {vpnserver,vpnclient}
- cp easy-rsa/keys/ca.crt easy-rsa/keys/vpnserver.key easy-rsa/keys/vpnserver.crt easy-rsa/keys/dh2048.pem vpnserver
- cp easy-rsa/keys/ca.crt easy-rsa/keys/vpnclient.crt easy-rsa/keys/vpnclient.key vpnclient/
- That's how it should look for now:
Code:
root@skyvpn:/etc/openvpn# tree vpnserver/ vpnclient/
vpnserver/
├── ca.crt
├── dh2048.pem
├── vpnserver.crt
└── vpnserver.key
vpnclient/
├── ca.crt
├── vpnclient.crt
└── vpnclient.key
- Copy "vpnserver.conf" to "/etc/openvpn/vpnserver/vpnserver.conf"
Code:
mode server
tls-server
port 443
# local x.x.x.x # We can bind to a specific address
proto tcp
dev tun
topology subnet
ca /etc/openvpn/vpnserver/ca.crt
cert /etc/openvpn/vpnserver/vpnserver.crt
key /etc/openvpn/vpnserver/vpnserver.key
dh /etc/openvpn/vpnserver/dh2048.pem   # the file built and copied above
script-security 2
username-as-common-name
auth-user-pass-verify "/etc/openvpn/vpnserver/vpnauth-helper.sh" via-file
tmp-dir "/etc/openvpn/vpnserver/"
up "/etc/openvpn/vpnserver/firewall-nat.sh up"
down "/etc/openvpn/vpnserver/firewall-nat.sh down"
server 10.90.0.0 255.255.255.0
push "redirect-gateway def1" # Redirecting all traffic to VPN
push "dhcp-option DNS 8.8.8.8"
# push "dhcp-option DOMAIN mydomain.ltd"
#push "shaper 1310720"
#shaper 1310720
#port-share x.x.x.x 3128 # Port share for 443 HTTPS data
inactive 600
tcp-nodelay
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /etc/openvpn/vpnserver/onlineusers.log 5
status-version 1
ifconfig-pool-persist /etc/openvpn/vpnserver/fixip.txt 0
#management 127.0.0.1 1195 /etc/openvpn/vpnserver/telnet.passwd
verb 3
mute 10
reneg-sec 1800   # re-sends credentials every 30 min, so a user who runs out of credit is dropped at the next renegotiation
- Copy "vpnclient.ovpn" to "/etc/openvpn/vpnclient/vpnclient.ovpn"
- Generate a badass ASCII art text: http://patorjk.com/software/taag/#p=dis ... ig&t=MyVPN
Code:
######################################
# (ASCII art "MyVPN" banner, generated with the link above, goes here)
######################################

#### Proxy ####
# http-proxy 111.111.111.111 3128
# http-proxy-retry
# http-proxy-option AGENT Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

# If you would like to use autologin
# comment out "auth-user-pass" and
# uncomment "auth-user-pass autologin.txt".
# Then fill "autologin.txt" with your credentials.
# See example in "autologin.txt"
#
auth-user-pass

#### AUTO LOGIN ####
# auth-user-pass autologin.txt

#################################
## DO NOT MODIFY THESE OPTIONS ##
#################################
remote vpnserver1.mydomain.ltd 443
#remote vpnserver2.mydomain.ltd 443
#remote vpnserver2.mydomain.ltd 443
#remote-random
client
dev tun
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert vpnclient.crt
key vpnclient.key
comp-lzo no
verb 1
mute 5
ns-cert-type server
mute-replay-warnings
script-security 2
#################################
#################################
- Modify Wordpress "wp_users" table to enable credit system (vpncredits).
- Use phpMyAdmin or CLI and run this query:
Code:
ALTER TABLE `wp_users`
  ADD `vpn_credit` INT NOT NULL DEFAULT '0',
  ADD `vpn_enabled` BOOLEAN NOT NULL DEFAULT '1';
- Copy "vpnauth-helper.sh" to "/etc/openvpn/vpnserver/vpnauth-helper.sh"
Code:
#!/bin/bash
#
# vpnauth.php helper bash script. -- Dorian Ocsovszki (2013-05-27)
#
# It reads the OpenVPN temp file for username and password
# and hands them to the PHP script, which answers with one of:
#
#   "xOKx" or "xWRONGUSERx" or "xWRONGPASSx"
#
# "xOKx" tells OpenVPN that the user can proceed with the connection,
# any other result disconnects the user.
#
# Keep "vpnauth-helper.sh" and "vpnauth.php" in one directory!
#

#################
### Variables ###
#################
TMPFILE="${1}"                      # OpenVPN temp file (via-file: user on line 1, password on line 2)
WPPATH="/var/www-sites/skyvpn"      # Full path to WordPress, _without_ trailing "/"
#################

# Directory that holds "vpnauth.php"
BASEDIR=$(dirname "$0")

VPNUSER="$(sed -n '1p' "${TMPFILE}")"   # first line
VPNPASS="$(sed -n '2p' "${TMPFILE}")"   # second line

# Ask the PHP script
RESULT="$(php5 "${BASEDIR}/vpnauth.php" "${WPPATH}" "${VPNUSER}" "${VPNPASS}")"
#echo "$RESULT"

# Decision and Logging/Monitoring
if [ "${RESULT}" == "xOKx" ]; then
    # logging or monitoring here?
    # Connect
    exit 0
fi
if [ "${RESULT}" == "xWRONGUSERx" ]; then
    # logging or monitoring here?
    # Disconnect
    exit 1
fi
if [ "${RESULT}" == "xWRONGPASSx" ]; then
    # logging or monitoring here?
    # Disconnect
    exit 1
fi

# No usable ${RESULT}? Probably an error, let's disconnect
# logging or monitoring here?
exit 1
- Copy "vpnauth.php" to "/etc/openvpn/vpnserver/vpnauth.php" (The Magic!)
Code:
<?php
//==================================================================
// OpenVPN username, password and vpn-credit based authentication
// Dorian Ocsovszki (2013-05-27)
//==================================================================
//
// VPN Credits are minutes.
// A cron script decreases "vpn_credit" by 1 every minute, if "vpn_enabled" is TRUE
//
// This is how it works:
//
//   IF ( (user exists) AND (vpn_enabled == true) AND (vpn_credit > 0) ) THEN
//       Connecting to VPN is authorized (after the password check)
//   ELSE
//       Connecting to VPN is not authorized
//
// Extend "wp_users" table to use "VPN Capabilities":
//
//   ALTER TABLE `wp_users` ADD `vpn_credit` INT NOT NULL DEFAULT '0', ADD `vpn_enabled` BOOLEAN NOT NULL DEFAULT '1'
//
//==================================================================

//set_time_limit( 0 );
//ini_set( "memory_limit", "64M" );

$_SERVER['HTTP_HOST'] = 'wp_';   // apache and table prefix: "wp_" is the default
ob_start();

// Arguments handed over by vpnauth-helper.sh
$wordpressdir = $argv[1];
$openvpn_user = $argv[2];
$openvpn_pass = $argv[3];

require_once( $wordpressdir . '/wp-load.php' );   // adjust WPPATH in the helper to your install
//require_once( '/var/www/mysite/wp-load.php' );

// If the query returns the username, this user may connect AFTER the password check.
// The username comes straight from the VPN client, so it is bound with a
// prepared statement instead of being pasted into the SQL string.
$userresult = $wpdb->get_var( $wpdb->prepare(
    "SELECT user_login FROM wp_users WHERE vpn_credit > 0 AND vpn_enabled = 1 AND user_login = %s",
    $openvpn_user
) );

if ( $userresult ) {
    $user = get_user_by( 'login', $userresult );
    if ( wp_check_password( $openvpn_pass, $user->user_pass, $user->ID ) ) {
        // Password match
        echo "xOKx";
    } else {
        // Wrong password
        echo "xWRONGPASSx";
    }
} else {
    // Woops. User not found, disabled, or out of credit
    echo "xWRONGUSERx";
}
?>
- Modify permissions:
- chmod +x /etc/openvpn/vpnserver/vpnauth-helper.sh /etc/openvpn/vpnserver/vpnauth.php
- Copy "vpn-credit-update.sh" to "/etc/openvpn/vpnserver/vpn-credit-update.sh"
Code:
#!/bin/bash
#
# Decreasing "vpn_credit" field value by one every minute using crontab
#
DBUSER='mywordpressuser'
DBPASS='mywordpressuserpassword'
DBHOST='localhost'
DBNAME='mywordpressdb'

# The password goes through the environment instead of "-p$DBPASS",
# so it does not show up in the process list while mysql runs.
MYSQL_PWD="$DBPASS" mysql -u "$DBUSER" -h "$DBHOST" "$DBNAME" \
    -e "UPDATE wp_users SET vpn_credit = vpn_credit - 1 WHERE ( vpn_credit > 0 ) AND ( vpn_enabled = '1' )"
- Adjust permissions (we store the DB password here!):
- chmod 700 /etc/openvpn/vpnserver/vpn-credit-update.sh
- Set up a cronjob to run "vpn-credit-update.sh"
- crontab -e
Code:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
# Decreasing credits every minute
* * * * * /etc/openvpn/vpnserver/vpn-credit-update.sh &> /dev/null
- Copy "firewall-nat.sh" to "/etc/openvpn/vpnserver/firewall-nat.sh"
Code:
#!/bin/bash
TODO="${1}"

if [ "${TODO}x" == "upx" ]; then
    echo "1" > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -s 10.90.0.0/24 -o eth0 -j MASQUERADE
fi

if [ "${TODO}x" == "downx" ]; then
    iptables -t nat -D POSTROUTING -s 10.90.0.0/24 -o eth0 -j MASQUERADE
fi
- Adjust permissions:
- chmod 764 /etc/openvpn/vpnserver/firewall-nat.sh
- That's how it should look now:
Code:
root@skyvpn:/etc/openvpn# tree vpnserver/ vpnclient/
vpnserver/
├── ca.crt
├── dh2048.pem
├── firewall-nat.sh
├── onlineusers.log
├── vpnserver.conf
├── vpnserver.crt
├── vpnserver.key
├── vpnauth-helper.sh
├── vpnauth.php
└── vpn-credit-update.sh
vpnclient/
├── ca.crt
├── vpnclient.crt
├── vpnclient.key
└── vpnclient.ovpn
- Update the "wp_users" table, adding vpncredits to users.
- Try to connect. Be sure to use the correct connection information in the client config.
- Enjoy
A few ideas:
- PayPal integration.
- Auto-update the client's vpncredit if the PayPal transaction is successful.
- https://www.google.hu/#gs_rn=15&gs_ri=p ... 24&bih=600
- Free SMS reminders and "purchase diary" using Google Calendar:
- More or less accurate.
- https://www.google.hu/#gs_rn=15&gs_ri=p ... 24&bih=600
- Jabber/XMPP messages using a Python XMPP library?
- Use Zabbix monitoring?
#
# My Blog: http://ocsovszki-dorian.blogspot.co.uk/
#