openvpn使用ldap做后端连接

软件版本

  • Centos – 7.x
  • easy-rsa-3.0.3-1.el7.noarch
  • openvpn-2.4.7-1.el7.x86_64
  • openvpn-auth-ldap-2.0.3-16.el7.x86_64

安装软件

yum install -y openssl lzo pam openssl-devel lzo-devel pam-devel openvpn easy-rsa openvpn-auth-ldap

配置生成秘钥

cp -rf /usr/share/easy-rsa/3.0.3 /etc/openvpn/server/easy-rsa
cd /etc/openvpn/server/easy-rsa
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server nopass
./easyrsa build-client-full client1 nopass
./easyrsa build-client-full client2 nopass
./easyrsa gen-dh
openvpn --genkey --secret ta.key

配置 Server 端

创建使用的目录

日志存放目录
mkdir -p /var/log/openvpn/ 配置权限
chown openvpn:openvpn /var/log/openvpn

创建Server配置文件

编辑/etc/openvpn/server/service.conf文件,并写入以下内容:
port 1194
#the server port
proto tcp-server
## Enable the management interface
# management-client-auth
# management localhost 7505 /etc/openvpn/user/management-file
dev tun # TUN/TAP virtual network device
user openvpn
group openvpn
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
#cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
#key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
## Using System user auth.
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
## Using Script Plugins

script-security 3
# client-cert-not-required # Deprecated option
#verify-client-cert
client-cert-not-required
#auth-user-pass-verify
username-as-common-name
## Connecting clients to be able to reach each other over the VPN.
client-to-client
## Allow multiple clients with the same common name to concurrently connect.
duplicate-cn
# client-config-dir /etc/openvpn/server/ccd
# ifconfig-pool-persist ipp.txt
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 10.88.1.7"
push "route 10.88.0.0 255.255.0.0"
# comp-lzo - DEPRECATED This option will be removed in a future OpenVPN release. Use the newer --compress instead.
compress lzo
# cipher AES-256-CBC
ncp-ciphers "AES-256-GCM:AES-128-GCM"
## In UDP client mode or point-to-point mode, send server/peer an exit notification if tunnel is restarted or OpenVPN process is exited.
# explicit-exit-notify 1
keepalive 10 120
persist-key
persist-tun
verb 3
log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log

配置ldap-auth信息

这里有个小坑需要注意一下,默认用户的username都是通过uid来进行索引,但是有些使用cn来作为username的索引,会导致默认配置无法读取用户,如下我们使用cn进行索引,需要更改配置SearchFilter “(cn=%u)”

编辑/etc/openvpn/auth/ldap.conf,如下修改
<LDAP>
# LDAP server URL
URL ldap://10.88.1.7:389

# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN cn=admin,dc=aaa,dc=com

# Bind Password
Password 123456

# Network timeout (in seconds)
Timeout 15

# Enable Start TLS
TLSEnable no

# Follow LDAP Referrals (anonymously)
FollowReferrals yes

# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/ca.pem

# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs

# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem

# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
# Base DN
BaseDN "ou=users,dc=aaa,dc=com"

# User Search Filter
SearchFilter "(cn=%u)"

# Require Group Membership
RequireGroup false

# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users

<Group>
BaseDN "dc=example,dc=com"
SearchFilter "()"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>

编辑systemd配置

编辑/usr/lib/systemd/system/openvpn@service,写入以下配置

[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target

[Service]
Type=notify
PrivateTmp=true
#ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf
ExecStart=/usr/sbin/openvpn --config /etc/openvpn/%i.conf

[Install]
WantedBy=multi-user.target

启动服务

systemctl start openvpn@service

客户端配置

client
dev-type tun
dev tunx
proto tcp
tun-mtu 1400
comp-lzo
remote 1.1.1.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
auth-user-pass
script-security 2

<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</ca>

# redirect-gateway def1 bypass-dns # uncomment to set as default gateway
# route-nopull # uncomment to disable server route push
#

此条目发表在openldap分类目录。将固定链接加入收藏夹。

发表回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注