openvpn部署之部署基於AD域認證

Thu, 17 Sep 2020 13:15:33 +0800
# 安裝openvpn
yum install openvpn -y
yum -y install openssl openssl-devel -y
yum -y install lzo lzo-devel -y
yum install -y libgcrypt libgpg-error libgcrypt-devel

# 安裝openvpn認證插件
yum install openvpn-auth-ldap -y

# 安裝easy-rsa
# 由於openvpn2.3之後，在openvpn裏面剔除了easy-rsa文件，所以需要單獨安裝
yum install easy-rsa
cp -rf /usr/share/easy-rsa/2.0 /etc/opevpn/

# 生成openvpn的key及證書
# 修改 `/opt/openvpn/etc/easy-rsa/2.0/vars` 參數
export KEY_COUNTRY="CN" # 國家
export KEY_PROVINCE="ZJ" # 省份
export KEY_CITY="NingBo" # 城市
export KEY_ORG="TEST-VPN" # 組織
exportKEY_EMAIL="81367070@qq.com" # 郵件
export KEY_OU="baidu" # 單位

source vars
./clean-all
./build-ca
./build-dh
./build-key-server server
./build-key client1


# 編輯openvpn服務端配置文件：`/etc/openvpn/server.conf`
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0 //客戶端分配的ip地址
push "route 192.168.1.0 255.255.255.0" //推送客戶端的路由
push "redirect-gateway" //修改客戶端的網關，使其直接走vpn流量
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
client-cert-not-required
username-as-common-name
log /var/log/openvpn.log


# 修改openvpn-ldap-auth的配置文件 `/etc/openvpn/auth/ldap.conf`
# /etc/openvpn/auth/ldap.conf

<LDAP>
 # LDAP server URL
 # 更改爲 AD 服務器的 IP
 URL ldap://172.16.76.238:389

 # Bind DN (If your LDAP server doesn't support anonymous binds)
 # BindDN uid=Manager,ou=People,dc=example,dc=com
 # 更改爲域管理的 DN, 可以通過 ldapsearch 進行查詢
 # -h 的 ip 替換爲服務器 ip，-D 換爲管理員的 dn，-b 爲基礎的查詢 dn，* 爲所有
 # ldapsearch -LLL -x -h 172.16.76.238 -D "administrator@xx.com" -W -b "dc=xx,dc=com" "*"
 BindDN "cn=administrator,cn=Users,dc=xx,dc=com"

 # Bind Password
 # Password SecretPassword
 # 域管理員的密碼
 Password passwd

 # Network timeout (in seconds)
 Timeout 15

 # Enable Start TLS
 TLSEnable no

 # Follow LDAP Referrals (anonymously)
 FollowReferrals no

 # TLS CA Certificate File
 # TLSCACertFile /usr/local/etc/ssl/ca.pem

 # TLS CA Certificate Directory
 # TLSCACertDir /etc/ssl/certs

 # Client Certificate and key
 # If TLS client authentication is required
 # TLSCertFile /usr/local/etc/ssl/client-cert.pem
 # TLSKeyFile /usr/local/etc/ssl/client-key.pem

 # Cipher Suite
 # The defaults are usually fine here
 # TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
 # Base DN
 # 查詢認證的基礎 dn
 BaseDN "dc=boqii-inc,dc=com"

 # User Search Filter
 # SearchFilter "(&(uid=%u)(accountStatus=active))"
 # 其中 sAMAccountName=%u 的意思是把 sAMAccountName 的字段取值爲用戶名，
 # 後面 "memberof=CN=myvpn,DC=xx,DC=com" 指向要認證的 vpn 用戶組，
 # 這樣任何用戶使用 vpn，只要加入這個組就好了
 SearchFilter "(&(sAMAccountName=%u)(memberof=CN=myvpn,DC=boqii-inc,DC=com))"

 # Require Group Membership
 RequireGroup false

 # Add non-group members to a PF table (disabled)
 # PFTable ips_vpn_users

 <Group>
 # BaseDN "ou=Groups,dc=example,dc=com"
 # SearchFilter "(|(cn=developers)(cn=artists))"
 # MemberAttribute uniqueMember
 # Add group members to a PF table (disabled)
 # PFTable ips_vpn_eng

 BaseDN "ou=vpn,dc=boqii-inc,dc=com"
 SearchFilter "(cn=openvpn)"
 MemberAttribute "member"
 </Group>
</Authorization>
拷貝/etc/openvpn/key目錄下的ca.crt證書，以備客戶端使用。
LDAP on Ricky

openvpn部署之部署基於AD域認證
