OpenVPN Server搭建及使用LDAP做登录认证(EL8)
文章目录
环境准备
CentOS8
|
|
安装软件
|
|
|
|
其中easy-rsa
主要用来给OpenVPN Server启动要用到的相关证书的生成。
证书准备
为了简化证书生成流程这里使用easy-rsa
工具包。
-
先创建一个工作目录用来存放生成证书中要用到的各种文件
1
mkdir /etc/openvpn/easy-rsa
-
准备证书生成相关文件
1
cp -r /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/
-
准备生成证书用的
CSR
相关配置1 2 3 4 5 6 7 8 9 10 11 12
cat <<EOF > /etc/openvpn/easy-rsa/vars #公司信息,根据情况自定义 set_var EASYRSA_REQ_COUNTRY "US" set_var EASYRSA_REQ_PROVINCE "California" set_var EASYRSA_REQ_CITY "San Francisco" set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" set_var EASYRSA_REQ_EMAIL "me@example.net" set_var EASYRSA_REQ_OU "My Organizational Unit" #证书有效期 set_var EASYRSA_CA_EXPIRE 3650 set_var EASYRSA_CERT_EXPIRE 3650 EOF
-
生成
CA
证书1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
[root@openvpn easy-rsa]# cd /etc/openvpn/easy-rsa/ [root@openvpn easy-rsa]# ./easyrsa init-pki Note: using Easy-RSA configuration from: ./vars init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki ./easyrsa build-ca [root@openvpn easy-rsa]# ./easyrsa build-ca Note: using Easy-RSA configuration from: ./vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Enter New CA Key Passphrase:#设置一个密码,下面给证书签名时会用到,这里我设置为:888888 Re-Enter New CA Key Passphrase: Generating RSA private key, 2048 bit long modulus ..................................................................................................................................................................................................................................................................+++ .................+++ e is 65537 (0x10001) You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]:设置CN,直接回车使用默认:Easy-RSA CA CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /etc/openvpn/easy-rsa/pki/ca.crt
-
生成服务端证书
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
[root@openvpn easy-rsa]# ./easyrsa gen-req server nopass Note: using Easy-RSA configuration from: ./vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Generating a 2048 bit RSA private key .......................+++ ........+++ writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.VWbGpsGSpM' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [server]:设置CN,直接回车使用默认:server Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/pki/reqs/server.req key: /etc/openvpn/easy-rsa/pki/private/server.key
-
使用
CA
给服务端证书签名1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
[root@openvpn easy-rsa]# ./easyrsa sign server server Note: using Easy-RSA configuration from: ./vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 3650 days: subject= commonName = server Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes #输入yes确认 Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:#输入上边步骤4中生成CA时设置的密码 Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'server' Certificate is to be certified until Apr 2 04:27:27 2030 GMT (3650 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt
-
生成
DH
证书1 2 3 4 5 6 7 8 9 10
[root@openvpn easy-rsa]# ./easyrsa gen-dh Note: using Easy-RSA configuration from: ./vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time .................................... DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
-
生成ta密钥
1
openvpn --genkey --secret /etc/openvpn/server/ta.key
-
*因为我准备使用
LDAP
来做authentication,不准备使用客户端证书authentication,所以这里就不生成客户端证书了。如果你打算使用证书认证,可以参考OpenVPN Server搭建及使用客户端证书认证 -
将server端证书和密钥都统一放到
/etc/openvpn/
目录下,方便管理和配置。
|
|
配置
-
主配置文件:
/etc/openvpn/server.conf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33
[root@openvpn ~]# cat > /etc/openvpn/server.conf <<EOF local 0.0.0.0 port 1194 proto udp dev tun user openvpn group openvpn ca ca.crt cert server.crt key server.key dh dh.pem #客户端地址池 server 192.168.255.0 255.255.255.0 #内网网段 push "route 172.16.0.0 255.240.0.0" ifconfig-pool-persist ipp.txt 2 #心跳检测,10秒检测一次,2分钟内没有回应则视为断线 keepalive 10 120 #服务端值为0,客户端为1 tls-auth ta.key 0 cipher AES-256-GCM persist-key persist-tun status openvpn-status.log verb 3 plugin /usr/lib64/openvpn/plugins/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf" verify-client-cert none persist-key persist-tun explicit-exit-notify 1 username-as-common-name EOF
-
配置
LDAP
认证:/etc/openvpn/auth/ldap.conf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
[root@openvpn ~]# cat > /etc/openvpn/auth/ldap.conf <<EOF <LDAP> URL ldap://127.0.0.1 BindDN cn=root,dc=dianduidian,dc=com Password root@pw Timeout 15 TLSEnable no FollowReferrals no </LDAP> <Authorization> BaseDN "ou=people,dc=dianduidian,dc=com" SearchFilter "(&(cn=%u)(objectClass=person)(memberof=cn=devops,ou=group,dc=dianduidian,dc=com))" RequireGroup false <Group> BaseDN "ou=groups,dc=dianduidian,dc=com" SearchFilter "(cn=devops)" MemberAttribute member </Group> </Authorization> EOF
需要注意一下,
openvpn-auth-ldap-2.0.3
插件目前不支持SearchFilter功能,这个issue有提到,只能在SearchFilter
做文章变通实现这个功能。(&(cn=%u)(objectClass=person)(memberof=cn=devops,ou=group,dc=dianduidian,dc=com))
就可能达到SearchFilter
的效果。
启动服务
|
|
开启内核转发和SNAT
开启内核转发
|
|
Iptables开启SNAT
|
|
192.168.255.0/24 为openvpn
分给客户端的地址,即openvpn
配置文件中server 192.168.255.0 255.255.255.0
指定的。
客户端配置
将证书文件整合到一个配置文件方便发给同事。
|
|
参考
文章作者 XniLe
上次更新 2024-11-25