Software versions
- CentOS 7.x
- easy-rsa-3.0.3-1.el7.noarch
- openvpn-2.4.7-1.el7.x86_64
- openvpn-auth-ldap-2.0.3-16.el7.x86_64
Install the packages
yum install -y openssl lzo pam openssl-devel lzo-devel pam-devel openvpn easy-rsa openvpn-auth-ldap
Generate the CA, certificates and keys
cp -rf /usr/share/easy-rsa/3.0.3 /etc/openvpn/server/easy-rsa
cd /etc/openvpn/server/easy-rsa
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server nopass
./easyrsa build-client-full client1 nopass
./easyrsa build-client-full client2 nopass
./easyrsa gen-dh
openvpn --genkey --secret ta.key
Configure the server
Create the directories
Log directory:
mkdir -p /var/log/openvpn/
Set permissions:
chown openvpn:openvpn /var/log/openvpn
Create the server configuration file
Edit /etc/openvpn/server/service.conf and write the following:
port 1194 # the server port
proto tcp-server
## Enable the management interface
# management-client-auth
# management localhost 7505 /etc/openvpn/user/management-file
dev tun # TUN/TAP virtual network device
user openvpn
group openvpn
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
## The server certificate and key are mandatory in TLS mode; OpenVPN refuses to start without --cert and --key
cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
## The ta.key generated above is only used if tls-auth (or tls-crypt) is set here and on every client
# tls-auth /etc/openvpn/server/easy-rsa/ta.key 0
## Authenticate users against LDAP.
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
## Script security level; only needed when auth-user-pass-verify or up/down scripts are used (none are here)
script-security 3
## No client certificate: the LDAP password is the only credential.
## client-cert-not-required is the deprecated spelling (removed in 2.5); verify-client-cert none is the equivalent
# client-cert-not-required
verify-client-cert none
# auth-user-pass-verify
## Use the LDAP username as the client's common name (logs, status file, ccd lookups)
username-as-common-name
## Connected clients are able to reach each other over the VPN.
client-to-client
## Allow multiple clients with the same common name to connect concurrently.
duplicate-cn
# client-config-dir /etc/openvpn/server/ccd
# ifconfig-pool-persist ipp.txt
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 10.88.1.7"
push "route 10.88.0.0 255.255.0.0"
# comp-lzo - DEPRECATED. This option will be removed in a future OpenVPN release. Use the newer --compress instead.
## OpenVPN advises against compression of any kind (VORACLE); if kept, the client's comp-lzo must match
compress lzo
# cipher AES-256-CBC
ncp-ciphers "AES-256-GCM:AES-128-GCM"
## In UDP client mode or point-to-point mode, send the server/peer an exit notification if the tunnel is restarted or the OpenVPN process exits.
# explicit-exit-notify 1
keepalive 10 120
persist-key
persist-tun
verb 3
## log-append keeps earlier entries across restarts; log would truncate the same file, so only one is needed
# log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log
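A small audit script for a server config of the shape shown above, added here as an example (not part of the original post or of OpenVPN itself). It parses the active directives and reports the points a reviewer would raise: missing cert/key, no tls-auth/tls-crypt despite a generated ta.key, compression, the deprecated client-cert-not-required, an unnecessarily high script-security, duplicate-cn, client-to-client and a missing user/group. The two configs are constructed samples: the first mirrors the page's config with cert/key still commented out, the second has the findings addressed (the ta.key path in it is an assumption).

```shell
#!/bin/sh
# Constructed sample modelled on the server config above; cert/key are left
# commented out on purpose so the corresponding check fires.
SAMPLE_CONF='port 1194
proto tcp-server
dev tun
user openvpn
group openvpn
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
#cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
#key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
script-security 3
client-cert-not-required
username-as-common-name
client-to-client
duplicate-cn
server 10.8.0.0 255.255.255.0
compress lzo
ncp-ciphers "AES-256-GCM:AES-128-GCM"
keepalive 10 120
persist-key
persist-tun
verb 3
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log'

# The same config with the findings addressed (also constructed; the ta.key path is assumed).
HARDENED_CONF='port 1194
proto tcp-server
dev tun
user openvpn
group openvpn
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
tls-auth /etc/openvpn/server/easy-rsa/ta.key 0
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
verify-client-cert none
username-as-common-name
server 10.8.0.0 255.255.255.0
ncp-ciphers "AES-256-GCM:AES-128-GCM"
keepalive 10 120
persist-key
persist-tun
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log'

# active_directives CONF -> name (first word) of every line that is neither a comment nor blank
active_directives() {
  printf '%s\n' "$1" | sed -e 's/^[[:space:]]*[#;].*$//' -e '/^[[:space:]]*$/d' | awk '{ print $1 }'
}
# has_directive CONF NAME -> success if NAME is set on an uncommented line
has_directive() { active_directives "$1" | grep -qx -- "$2"; }
# arg_of CONF NAME -> first argument of NAME (empty when unset)
arg_of() { printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'; }

# audit_conf CONF -> prints one finding per line; exit status 0 only when nothing was found
audit_conf() {
  c=$1; n=0
  finding() { echo "$1"; n=$((n + 1)); }
  { has_directive "$c" cert && has_directive "$c" key; } || has_directive "$c" pkcs12 ||
    finding "cert/key missing: a TLS-mode server does not start without them"
  has_directive "$c" tls-auth || has_directive "$c" tls-crypt ||
    finding "no tls-auth/tls-crypt: ta.key is unused and the TLS control channel accepts unauthenticated packets"
  { has_directive "$c" compress || has_directive "$c" comp-lzo; } &&
    finding "compression enabled: OpenVPN advises against it (VORACLE-style recovery of compressed plaintext)"
  has_directive "$c" client-cert-not-required &&
    finding "client-cert-not-required: deprecated spelling of 'verify-client-cert none'; the LDAP password is the only credential"
  [ "$(arg_of "$c" script-security)" -ge 3 ] 2>/dev/null && ! has_directive "$c" auth-user-pass-verify &&
    finding "script-security 3 without auth-user-pass-verify: lower it, nothing here needs passwords passed to scripts"
  has_directive "$c" duplicate-cn &&
    finding "duplicate-cn: one set of credentials can be used from many places at once"
  has_directive "$c" client-to-client &&
    finding "client-to-client: VPN clients can reach each other directly"
  { has_directive "$c" user && has_directive "$c" group; } ||
    finding "no user/group: the daemon keeps root after start-up"
  [ "$n" -eq 0 ]
}
# count_findings CONF -> number of findings
count_findings() { audit_conf "$1" | awk 'END { print NR }'; }

echo "findings in the sample config: $(count_findings "$SAMPLE_CONF")"   # 7
audit_conf "$HARDENED_CONF" && echo "hardened config: clean"
```

To run it against the real file, pass its contents: `audit_conf "$(cat /etc/openvpn/server/service.conf)"`. The checks only look at whole-line comments, which is how OpenVPN treats `#` and `;`, so a directive left active by mistake behind an inline comment is still reported.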
Configure LDAP authentication
One pitfall to watch out for: by default users are looked up by uid, but some directories use cn as the username attribute, which leaves the default configuration unable to find the user. Here we look up by cn, so SearchFilter must be changed to "(cn=%u)".
Edit /etc/openvpn/auth/ldap.conf as follows (it holds the bind password, so keep the file readable only by root):
<LDAP>
# LDAP server URL
URL ldap://10.88.1.7:389
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN cn=admin,dc=aaa,dc=com
# Bind Password
Password 123456
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
# With TLSEnable no on an ldap:// URL, the bind password and every user's VPN password cross the network in clear text
TLSEnable no
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
BaseDN "ou=users,dc=aaa,dc=com"
# User Search Filter
SearchFilter "(cn=%u)"
# Require Group Membership
RequireGroup false
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<Group>
# Only consulted when RequireGroup is true; these are placeholder values
BaseDN "dc=example,dc=com"
SearchFilter "()"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>
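The pitfall above is easiest to catch before the first login by running the same search the plugin will run. The script below is an added example (not from the original post or from openvpn-auth-ldap): it reads BaseDN and SearchFilter from a constructed copy of the <Authorization> block, substitutes the username into %u with the RFC 4515 filter escaping so that metacharacters in a username are searched literally, and, when ldapsearch and the directory are reachable, issues the query, which should return exactly one dn. Whether the plugin escapes %u the same way is not stated on this page; the escaping here belongs to this check.

```shell
#!/bin/sh
# Constructed copy of the <Authorization> block from the ldap.conf above (sample values, no live directory)
SAMPLE_LDAP_CONF='<Authorization>
BaseDN "ou=users,dc=aaa,dc=com"
SearchFilter "(cn=%u)"
RequireGroup false
</Authorization>'

# conf_value CONF KEY -> value of the first KEY line, surrounding quotes removed
conf_value() {
  printf '%s\n' "$1" | awk -v k="$2" \
    '$1 == k { sub(/^[[:blank:]]*[^[:blank:]]+[[:blank:]]+/, ""); gsub(/^"|"$/, ""); print; exit }'
}
# ldap_escape STRING -> STRING with the RFC 4515 filter metacharacters \ * ( ) hex-escaped
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}
# expand_filter TEMPLATE USERNAME -> TEMPLATE with every %u replaced by the escaped username
# (both values go through the environment so awk does not reinterpret backslashes)
expand_filter() {
  TMPL=$1 U=$(ldap_escape "$2") awk 'BEGIN {
    t = ENVIRON["TMPL"]; u = ENVIRON["U"]; out = ""
    while ((i = index(t, "%u")) > 0) { out = out substr(t, 1, i - 1) u; t = substr(t, i + 2) }
    print out t
  }'
}
# lookup_user CONF LDAP_URL USERNAME -> runs the search the plugin would; expect exactly one dn line
# (needs ldapsearch and a reachable server; add -D/-w with BindDN and Password if anonymous search is refused)
lookup_user() {
  base=$(conf_value "$1" BaseDN)
  filter=$(expand_filter "$(conf_value "$1" SearchFilter)" "$3")
  ldapsearch -LLL -x -H "$2" -b "$base" "$filter" dn
}

expand_filter "$(conf_value "$SAMPLE_LDAP_CONF" SearchFilter)" alice        # (cn=alice)
expand_filter "$(conf_value "$SAMPLE_LDAP_CONF" SearchFilter)" '*)(uid=*'   # (cn=\2a\29\28uid=\2a)
# Against the real file and directory from this page:
# lookup_user "$(cat /etc/openvpn/auth/ldap.conf)" ldap://10.88.1.7:389 alice
```

If the search returns nothing with "(cn=%u)" but the user exists, the directory indexes the account under another attribute (uid, sAMAccountName, ...) and the filter has to name that attribute; if it returns more than one dn, the BaseDN is too broad for the filter.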
Edit the systemd unit
Edit /usr/lib/systemd/system/openvpn@.service and write the following (the instance name after @ selects the config file):
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target
[Service]
Type=notify
PrivateTmp=true
#ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf
# The config written above lives in /etc/openvpn/server/, so %i must resolve there
ExecStart=/usr/sbin/openvpn --config /etc/openvpn/server/%i.conf
[Install]
WantedBy=multi-user.target
Start the service
systemctl start openvpn@service
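Once the instance is running, the file named by the status directive (/var/log/openvpn/status.log above) lists every connected session, rewritten every 60 seconds by default. Because the server combines username-as-common-name with duplicate-cn, one LDAP account may legitimately appear several times, and the same file is therefore the place to spot an account being used from several source addresses at once. The script below is an added example (not from the original post or from OpenVPN): it parses a constructed status file in the version-1 layout that OpenVPN 2.4 writes by default and reports common names seen from more than one source IP.

```shell
#!/bin/sh
# Constructed sample in the status-version 1 layout (not real data; the same
# common name appearing twice is exactly what duplicate-cn permits).
SAMPLE_STATUS='OpenVPN CLIENT LIST
Updated,Mon Jun  3 10:00:00 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.5:51234,12345,67890,Mon Jun  3 09:50:00 2019
bob,198.51.100.7:40001,2222,3333,Mon Jun  3 09:55:00 2019
alice,192.0.2.9:60002,100,200,Mon Jun  3 09:58:00 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.5:51234,Mon Jun  3 09:59:58 2019
10.8.0.10,bob,198.51.100.7:40001,Mon Jun  3 09:59:50 2019
10.8.0.14,alice,192.0.2.9:60002,Mon Jun  3 09:59:59 2019
GLOBAL STATS
Max bcast/mcast queue length,0
END'

# connected_clients STATUS -> "common_name real_address" for every session in the CLIENT LIST section
connected_clients() {
  printf '%s\n' "$1" | awk -F, '
    /^ROUTING TABLE/ { inlist = 0 }
    inlist && NF >= 5 { print $1, $2 }
    /^Common Name,Real Address/ { inlist = 1 }'
}
# count_sessions STATUS -> number of sessions in the CLIENT LIST section
count_sessions() { connected_clients "$1" | awk 'END { print NR }'; }
# shared_accounts STATUS -> common names connected from more than one source IP (port stripped)
shared_accounts() {
  connected_clients "$1" | awk '
    { ip = $2; sub(/:[0-9]+$/, "", ip); if (!seen[$1 SUBSEP ip]++) n[$1]++ }
    END { for (cn in n) if (n[cn] > 1) print cn }' | sort
}

echo "sessions: $(count_sessions "$SAMPLE_STATUS")"                          # 3
echo "accounts used from several IPs: $(shared_accounts "$SAMPLE_STATUS")"   # alice
```

On the live server, `shared_accounts "$(cat /var/log/openvpn/status.log)"` gives the same report; a non-empty result is worth correlating with the LDAP server's bind log, since with this configuration a password is the only thing needed to open a session.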
Client configuration (the <ca> block holds the contents of pki/ca.crt from the server):
client
dev-type tun
dev tunx
proto tcp
tun-mtu 1400
comp-lzo
remote 1.1.1.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
auth-user-pass
script-security 2
<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</ca>
# redirect-gateway def1 bypass-dns # uncomment to set as default gateway
# route-nopull # uncomment to disable server route push
# remote-cert-tls server # recommended: only accept a peer whose certificate carries the TLS server role