{"id":432,"date":"2019-07-22T00:07:27","date_gmt":"2019-07-21T16:07:27","guid":{"rendered":"https:\/\/blog.espnlol.com\/?p=432"},"modified":"2022-04-20T18:27:52","modified_gmt":"2022-04-20T10:27:52","slug":"openvpn%e4%bd%bf%e7%94%a8ldap%e5%81%9a%e5%90%8e%e7%ab%af%e8%bf%9e%e6%8e%a5","status":"publish","type":"post","link":"https:\/\/blog.espnlol.com\/?p=432","title":{"rendered":"openvpn\u4f7f\u7528ldap\u505a\u540e\u7aef\u8fde\u63a5"},"content":{"rendered":"<h1>\u8f6f\u4ef6\u7248\u672c<\/h1>\n<ul>\n<li>Centos &#8211; 7.x<\/li>\n<li>easy-rsa-3.0.3-1.el7.noarch<\/li>\n<li>openvpn-2.4.7-1.el7.x86_64<\/li>\n<li>openvpn-auth-ldap-2.0.3-16.el7.x86_64<\/li>\n<\/ul>\n<h1>\u5b89\u88c5\u8f6f\u4ef6<\/h1>\n<pre class=\"\">yum install -y openssl lzo pam openssl-devel lzo-devel pam-devel openvpn easy-rsa openvpn-auth-ldap<\/pre>\n<h1>\u914d\u7f6e\u751f\u6210\u79d8\u94a5<\/h1>\n<pre class=\"\">cp -rf \/usr\/share\/easy-rsa\/3.0.3 \/etc\/openvpn\/server\/easy-rsa<br \/>cd \/etc\/openvpn\/server\/easy-rsa<br \/>.\/easyrsa init-pki<br \/>.\/easyrsa build-ca nopass<br \/>.\/easyrsa build-server-full server nopass<br \/>.\/easyrsa build-client-full client1 nopass<br \/>.\/easyrsa build-client-full client2 nopass<br \/>.\/easyrsa gen-dh<br \/>openvpn --genkey --secret ta.key<\/pre>\n<h1>\u914d\u7f6e Server \u7aef<\/h1>\n<h2><a id=\"toc-0b1\" class=\"anchor\" href=\"https:\/\/www.fandenggui.com\/post\/centos7-install-openvpn.html#toc-0b1\"><\/a>\u521b\u5efa\u4f7f\u7528\u7684\u76ee\u5f55<\/h2>\n<pre class=\"\">\u65e5\u5fd7\u5b58\u653e\u76ee\u5f55<br \/>mkdir -p \/var\/log\/openvpn\/\n\n\n\u914d\u7f6e\u6743\u9650<br \/>chown openvpn:openvpn \/var\/log\/openvpn<\/pre>\n<h2>\u521b\u5efaServer\u914d\u7f6e\u6587\u4ef6<\/h2>\n<pre class=\"\">\u7f16\u8f91\/etc\/openvpn\/server\/service.conf\u6587\u4ef6\uff0c\u5e76\u5199\u5165\u4ee5\u4e0b\u5185\u5bb9\uff1a\nport 1194\n#the server port<br \/>proto tcp-server<br \/>## Enable the management interface<br \/># management-client-auth<br \/># management 
localhost 7505 \/etc\/openvpn\/user\/management-file<br \/>dev tun # TUN\/TAP virtual network device<br \/>user openvpn<br \/>group openvpn<br \/>ca \/etc\/openvpn\/server\/easy-rsa\/pki\/ca.crt<br \/>#cert \/etc\/openvpn\/server\/easy-rsa\/pki\/issued\/server.crt<br \/>#key \/etc\/openvpn\/server\/easy-rsa\/pki\/private\/server.key<br \/>dh \/etc\/openvpn\/server\/easy-rsa\/pki\/dh.pem<br \/>## Using System user auth.<br \/>plugin \/usr\/lib64\/openvpn\/plugin\/lib\/openvpn-auth-ldap.so \"\/etc\/openvpn\/auth\/ldap.conf\"<br \/>## Using Script Plugins<br \/><br \/>script-security 3<br \/># client-cert-not-required # Deprecated option<br \/>#verify-client-cert<br \/>client-cert-not-required<br \/>#auth-user-pass-verify<br \/>username-as-common-name<br \/>## Connecting clients to be able to reach each other over the VPN.<br \/>client-to-client<br \/>## Allow multiple clients with the same common name to concurrently connect.<br \/>duplicate-cn<br \/># client-config-dir \/etc\/openvpn\/server\/ccd<br \/># ifconfig-pool-persist ipp.txt<br \/>server 10.8.0.0 255.255.255.0<br \/>push \"dhcp-option DNS 10.88.1.7\"<br \/>push \"route 10.88.0.0 255.255.0.0\"<br \/># comp-lzo - DEPRECATED This option will be removed in a future OpenVPN release. 
Use the newer --compress instead.<br \/>compress lzo<br \/># cipher AES-256-CBC<br \/>ncp-ciphers \"AES-256-GCM:AES-128-GCM\"<br \/>## In UDP client mode or point-to-point mode, send server\/peer an exit notification if tunnel is restarted or OpenVPN process is exited.<br \/># explicit-exit-notify 1<br \/>keepalive 10 120<br \/>persist-key<br \/>persist-tun<br \/>verb 3<br \/>log \/var\/log\/openvpn\/server.log<br \/>log-append \/var\/log\/openvpn\/server.log<br \/>status \/var\/log\/openvpn\/status.log<\/pre>\n<h2>\u914d\u7f6eldap-auth\u4fe1\u606f<\/h2>\n<p>\u8fd9\u91cc\u6709\u4e2a\u5c0f\u5751\u9700\u8981\u6ce8\u610f\u4e00\u4e0b\uff0c\u9ed8\u8ba4\u7528\u6237\u7684username\u90fd\u662f\u901a\u8fc7uid\u6765\u8fdb\u884c\u7d22\u5f15\uff0c\u4f46\u662f\u6709\u4e9b\u4f7f\u7528cn\u6765\u4f5c\u4e3ausername\u7684\u7d22\u5f15\uff0c\u4f1a\u5bfc\u81f4\u9ed8\u8ba4\u914d\u7f6e\u65e0\u6cd5\u8bfb\u53d6\u7528\u6237\uff0c\u5982\u4e0b\u6211\u4eec\u4f7f\u7528cn\u8fdb\u884c\u7d22\u5f15\uff0c\u9700\u8981\u66f4\u6539\u914d\u7f6eSearchFilter &#8220;(cn=%u)&#8221;<\/p>\n<pre class=\"\">\u7f16\u8f91\/etc\/openvpn\/auth\/ldap.conf\uff0c\u5982\u4e0b\u4fee\u6539\n&lt;LDAP&gt;<br \/>    # LDAP server URL<br \/>    URL             ldap:\/\/10.88.1.7:389<br \/><br \/>    # Bind DN (If your LDAP server doesn't support anonymous binds)<br \/>    BindDN          cn=admin,dc=aaa,dc=com<br \/><br \/>    # Bind Password<br \/>    Password        123456<br \/><br \/>    # Network timeout (in seconds)<br \/>    Timeout         15<br \/><br \/>    # Enable Start TLS<br \/>    TLSEnable       no<br \/><br \/>    # Follow LDAP Referrals (anonymously)<br \/>    FollowReferrals yes<br \/><br \/>    # TLS CA Certificate File<br \/>    TLSCACertFile   \/usr\/local\/etc\/ssl\/ca.pem<br \/><br \/>    # TLS CA Certificate Directory<br \/>    TLSCACertDir    \/etc\/ssl\/certs<br \/><br \/>    # Client Certificate and key<br \/>    # If TLS client authentication is required<br \/>    TLSCertFile     
\/usr\/local\/etc\/ssl\/client-cert.pem<br \/>    TLSKeyFile      \/usr\/local\/etc\/ssl\/client-key.pem<br \/><br \/>    # Cipher Suite<br \/>    # The defaults are usually fine here<br \/>    # TLSCipherSuite        ALL:!ADH:@STRENGTH<br \/>&lt;\/LDAP&gt;<br \/><br \/>&lt;Authorization&gt;<br \/>    # Base DN<br \/>    BaseDN          \"ou=users,dc=aaa,dc=com\"<br \/><br \/>    # User Search Filter<br \/>    SearchFilter    \"(cn=%u)\"<br \/><br \/>    # Require Group Membership<br \/>    RequireGroup    false<br \/><br \/>    # Add non-group members to a PF table (disabled)<br \/>    #PFTable        ips_vpn_users<br \/><br \/>    &lt;Group&gt;<br \/>            BaseDN          \"dc=example,dc=com\"<br \/>            SearchFilter    \"()\"<br \/>            MemberAttribute uniqueMember<br \/>            # Add group members to a PF table (disabled)<br \/>            #PFTable        ips_vpn_eng<br \/>    &lt;\/Group&gt;<br \/>&lt;\/Authorization&gt;<\/pre>\n<h2>\u7f16\u8f91systemd\u914d\u7f6e<\/h2>\n<pre class=\"\">\u7f16\u8f91\/usr\/lib\/systemd\/system\/openvpn@.service\uff0c\u5199\u5165\u4ee5\u4e0b\u914d\u7f6e\uff08ExecStart \u8bfb\u53d6 \/etc\/openvpn\/%i.conf\uff0c\u524d\u9762\u521b\u5efa\u7684 service.conf \u9700\u653e\u5728 \/etc\/openvpn\/ \u76ee\u5f55\u4e0b\uff09<br \/><br \/>[Unit]<br \/>Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I<br \/>After=network.target<br \/><br \/>[Service]<br \/>Type=notify<br \/>PrivateTmp=true<br \/>#ExecStart=\/usr\/sbin\/openvpn --cd \/etc\/openvpn\/ --config %i.conf<br \/>ExecStart=\/usr\/sbin\/openvpn --config \/etc\/openvpn\/%i.conf<br \/><br \/>[Install]<br \/>WantedBy=multi-user.target<\/pre>\n<h2>\u542f\u52a8\u670d\u52a1<\/h2>\n<p>systemctl start openvpn@service<\/p>\n<h1>\u5ba2\u6237\u7aef\u914d\u7f6e<\/h1>\n<pre class=\"\">client<br \/>dev-type tun<br \/>dev tunx<br \/>proto tcp<br \/>tun-mtu 1400<br \/>comp-lzo<br \/>remote 1.1.1.1 1194<br \/>resolv-retry infinite<br \/>nobind<br \/>persist-key<br \/>persist-tun<br \/>verb 3<br \/>auth-user-pass<br \/>script-security 2<br \/><br \/>&lt;ca&gt;<br \/>-----BEGIN CERTIFICATE-----<br 
\/>xxxxxxxxxxxxxxxxxxxxxxxxxxx<br \/>-----END CERTIFICATE-----<br \/>&lt;\/ca&gt;<br \/><br \/># redirect-gateway def1 bypass-dns # uncomment to set as default gateway<br \/># route-nopull # uncomment to disable server route push<br \/>#<\/pre>\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u8f6f\u4ef6\u7248\u672c Centos &#8211; 7.x easy-rsa-3.0.3-1 &hellip; <a href=\"https:\/\/blog.espnlol.com\/?p=432\">\u7ee7\u7eed\u9605\u8bfb <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[],"class_list":["post-432","post","type-post","status-publish","format-standard","hentry","category-openldap"],"_links":{"self":[{"href":"https:\/\/blog.espnlol.com\/index.php?rest_route=\/wp\/v2\/posts\/432","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.espnlol.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.espnlol.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.espnlol.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.espnlol.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=432"}],"version-history":[{"count":3,"href":"https:\/\/blog.espnlol.com\/index.php?rest_route=\/wp\/v2\/posts\/432\/revisions"}],"predecessor-version":[{"id":446,"href":"https:\/\/blog.espnlol.com\/index.php?rest_route=\/wp\/v2\/posts\/432\/revisions\/446"}],"wp:attachment":[{"href":"https:\/\/blog.espnlol.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=432"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.espnlol.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=432"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.espnlol.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=432"}],"curies":[{"name":
"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}