OpenVPN with ldap认证实践

个人VPN青睐排行:
OpenConnect VPN Server(OCServ)
WireGuard
OpenVPN

OpenVPN社区版实践笔记https://openvpn.net/community/
高可用的思考:
保证多个实例的服务端证书相同(用 easy-rsa 在一处生成,只把 ca.crt、server.crt/server.key、dh.pem 和 ta.key 拷贝到各实例;CA 私钥 pki/private/ca.key 不应出现在任何 VPN 实例上)。LDAP 插件配置、ccd/ 目录也要在各实例间保持一致,否则同一用户在不同实例上得到的授权会不一样。
1、在客户端配置多个remote,且随机选择remote-random
2、HAProxy负载均衡代理(HAProxy 以四层 TCP 方式代理,对应本文服务端的 proto tcp;若改用 proto udp 则需要其他负载均衡方案)

安装

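### Versions used in this write-up
# easy-rsa 3.0.8
# openvpn-auth-ldap 2.0.3
# openvpn 2.4.11 -- an old branch; confirm your distro still ships security fixes for it
#
# On CentOS/RHEL these packages come from EPEL; enable that repo first if yum
# cannot find them. openvpn-auth-ldap provides the plugin referenced by the
# `plugin` line in server.conf and was missing from the original install list.
yum install openvpn easy-rsa openvpn-auth-ldap iptables-services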

证书

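# Build the PKI with easy-rsa 3 and stage the files the OpenVPN server needs.
#
# easy-rsa 3 reads ./vars itself: `set_var` is a function defined inside the
# easyrsa script and vars.example refuses to be sourced from a plain shell, so
# the original `source ./vars` step would fail. The settings are appended to
# vars below and picked up when ./easyrsa runs from this directory.
set -euo pipefail

EASYRSA_DIR=/etc/openvpn/server/easy-rsa
CERT_DIR=/etc/openvpn/server/certs

mkdir -p "$EASYRSA_DIR" "$CERT_DIR"
cp -r /usr/share/easy-rsa/3.0.8/* "$EASYRSA_DIR"/
cp /usr/share/doc/easy-rsa-3.0.8/vars.example "$EASYRSA_DIR"/vars

# Subject defaults and lifetimes. 36500 days (~100 years) means the CA and the
# issued certificates effectively never expire -- acceptable for a lab, but a
# production deployment should choose lifetimes that force rotation.
cat >> "$EASYRSA_DIR"/vars <<'EOF'
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Chongqing"
set_var EASYRSA_REQ_CITY "Chongqing"
set_var EASYRSA_REQ_ORG "Boer Inc."
set_var EASYRSA_REQ_EMAIL "<your_email>"
set_var EASYRSA_REQ_OU "boer"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 36500
set_var EASYRSA_CERT_EXPIRE 36500
EOF

cd "$EASYRSA_DIR"
./easyrsa init-pki

# `nopass`: the CA key has no passphrase. Fine for a throwaway lab only --
# whoever can read pki/private/ca.key can mint server and client certificates.
# build-ca prompts for the CA common name (the author used "boer").
./easyrsa build-ca nopass

./easyrsa gen-dh

./easyrsa build-server-full server nopass
# One client certificate per user; optional in this setup because the server
# authenticates against LDAP instead of client certificates.
./easyrsa build-client-full client nopass

# Stage only what is needed. The original `cp private/*.key` also copied the
# CA private key into the server's certs directory; it is deliberately left
# out here -- keep ca.key off the VPN instances (and off every HA replica).
cp pki/ca.crt pki/dh.pem "$CERT_DIR"/
cp pki/issued/server.crt pki/private/server.key "$CERT_DIR"/
# Client material is staged only to hand to the user; remove it afterwards.
cp pki/issued/client.crt pki/private/client.key "$CERT_DIR"/

# tls-auth HMAC key. This is a symmetric secret shared by every client --
# distribute it as carefully as a password. (`--genkey --secret` is the 2.4
# syntax; 2.5+ uses `--genkey secret <file>`.)
cd /etc/openvpn/server
openvpn --genkey --secret ta.key
cp ta.key "$CERT_DIR"/

# Private keys and the shared HMAC key must not be world-readable.
chmod 700 "$CERT_DIR"
chmod 600 "$CERT_DIR"/server.key "$CERT_DIR"/client.key "$CERT_DIR"/ta.key ta.key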

服务端

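### /etc/openvpn/server/server.conf
### Relative paths below resolve against /etc/openvpn/server, the working
### directory used by the openvpn-server@.service unit.
local 10.10.253.16
port 1194

; UDP is the usual choice; TCP is used here so HAProxy can load-balance it.
; proto udp
proto tcp

; Layer-3 routed tunnel (tun) rather than a layer-2 bridged tunnel (tap).
dev tun

; Keep key material and the tun device across restarts so that privileges
; can be dropped with user/group below.
persist-key
persist-tun

ca certs/ca.crt
cert certs/server.crt
key certs/server.key
dh certs/dh.pem
; HMAC on the control channel; ta.key is a shared secret. The server uses
; direction 0, every client uses 1.
tls-auth certs/ta.key 0

; Reject pre-1.2 TLS on the control channel (2.4-era clients support 1.2).
tls-version-min 1.2

; Allow several concurrent sessions with the same identity. With LDAP auth and
; username-as-common-name the identity is the username, so one account may be
; logged in from many devices at once -- remove this if that is not wanted.
duplicate-cn

cipher AES-256-CBC

; Data-channel compression is disabled. Compressing attacker-influenced
; traffic together with secrets enables VORACLE-style attacks and OpenVPN
; upstream has deprecated compression. Nothing is pushed, so clients that do
; not configure compression themselves stay uncompressed.
; comp-lzo
; compress lz4-v2
; push "compress lz4-v2"

ifconfig-pool-persist ipp.txt
server 172.30.1.0 255.255.255.0
; Uncomment to route all client traffic through the VPN.
; push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
; Clients present no certificate, so use the LDAP username as the common
; name; otherwise the CN is UNDEF and ccd/, ipp.txt and the status log cannot
; tell users apart.
username-as-common-name
; Per-client overrides live in ccd/<username>.
client-config-dir ccd
; Push routes to the server-side networks so clients can reach them; one push
; directive per prefix.
push "route 10.0.0.0 255.255.0.0"
push "route 10.96.0.0 255.240.0.0"
max-clients 100
; Let clients reach each other. By default each client only sees the server;
; leave this off unless lateral client-to-client traffic is actually needed.
client-to-client

; Drop root once the tun device and keys are set up (requires persist-key and
; persist-tun above). The openvpn user/group is created by the EPEL package --
; verify with `id openvpn` before relying on it.
user openvpn
group openvpn
keepalive 10 120
status openvpn-status.log
log openvpn.log
verb 3
; UDP only; irrelevant while proto tcp is in use.
; explicit-exit-notify 1
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
; Password-only authentication: no client certificate is checked. This is the
; 2.4 replacement for the deprecated `client-cert-not-required`. Anyone holding
; ca.crt and ta.key can attempt LDAP logins, so the directory's password and
; lockout policy is the only barrier; prefer `verify-client-cert require`
; together with auth-user-pass where client certificates can be distributed.
verify-client-cert none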

LDAP配置

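# openvpn-auth-ldap configuration (/etc/openvpn/auth/ldap.conf).
# This file contains the bind password: keep it owned by root with mode 600.
<LDAP>
# The directory listens on the same address the VPN binds to. If it really
# runs on this host, point at 127.0.0.1 so the traffic never leaves the box.
URL ldap://10.10.253.16:10389
# Prefer a dedicated read-only bind account over the directory admin; the
# plugin only needs to search ou=users and read group membership.
BindDN cn=admin,dc=boer,dc=xyz
Password <your_password>
Timeout 15
# Plain ldap:// sends the bind password and every user's VPN password in
# cleartext. Use ldaps:// or set TLSEnable yes (StartTLS) with a configured
# CA unless the directory is reachable only over loopback.
TLSEnable no
FollowReferrals no
</LDAP>

<Authorization>
BaseDN "ou=users,dc=boer,dc=xyz"
# %u is replaced with the username sent by the client. Written as a proper
# parenthesised filter; equivalent to the bare `uid=%u` form.
SearchFilter "(uid=%u)"
# RequireGroup false means group membership is NOT enforced: any entry under
# ou=users with a valid password may connect, and the <Group> block below
# does not restrict access. Only `true` makes it a real check; the author
# reports 2.0.3 misbehaves with it enabled, so re-test before relying on it.
RequireGroup false
<Group>
BaseDN "ou=groups,dc=boer,dc=xyz"
SearchFilter "(|(cn=developers)(cn=devops))"
MemberAttribute memberUid
</Group>
</Authorization>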

启动服务:`systemctl enable --now openvpn-server@server.service`(配置文件位于 /etc/openvpn/server/server.conf,实例名取自文件名 server;该单元的工作目录就是 /etc/openvpn/server,因此配置中的相对路径可以正常解析)。

客户端

1、通过可信渠道把下列文件从服务端复制到本地。注意 ta.key 不是证书而是所有客户端共用的 HMAC 密钥:在服务端不校验客户端证书的情况下,拿到 ca.crt + ta.key 的任何人都可以直接尝试 LDAP 口令登录,请按口令级别保管和分发。

  • ca.crt
  • ta.key
  • client.crt [可选]
  • client.key [可选]

2、配置文件

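### Windows client.ovpn -- ca.crt and ta.key must sit next to this file.
client
; Must match the server: routed tun, not tap.
;dev tap
dev tun
; Must match the server's proto.
proto tcp
;proto udp
remote 10.10.253.16 1194
; For the HA setup list every server and pick one at random per connection.
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
; Client certificate and key are optional while the server runs
; verify-client-cert none; uncomment both if the server starts requiring them.
; cert client.crt
; key client.key
; Prompt for the LDAP username and password.
auth-user-pass
; Optional: do not keep the password in memory after the handshake
; (costs a re-prompt on every reconnect).
; auth-nocache
; Accept only a server certificate carrying the server EKU, so a client
; certificate issued by the same CA cannot impersonate the server.
remote-cert-tls server
; Direction 1 on the client; the server uses 0.
tls-auth ta.key 1
; Refuse pre-1.2 TLS on the control channel.
tls-version-min 1.2
cipher AES-256-CBC
verb 3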

他山之石


OpenVPN with ldap认证实践
https://www.boer.xyz/2021/07/28/openvpn-ha-with-ldap/