Setting up OpenVPN with LDAP integration

Name                 Version
CentOS               7.9
openvpn              2.4.8
openvpn-auth-ldap    2.0.3

Install

yum install -y easy-rsa openvpn openvpn-auth-ldap

Here easy-rsa is used to generate the certificates that the OpenVPN server needs in order to start.

Prepare the certificates

mkdir /etc/openvpn/easy-rsa
cp -r /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/

Create the CSR details

[root@openvpn ~]# cat /etc/openvpn/easy-rsa/vars 
# Organization details; customize as needed
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Shanghai"
set_var EASYRSA_REQ_CITY "Shanghai"
set_var EASYRSA_REQ_ORG "xxkj"
set_var EASYRSA_REQ_EMAIL "caizhe@innovsharing.com"
set_var EASYRSA_REQ_OU "xxkj"
# Certificate validity in days
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650

Generate the CA certificate

[root@openvpn easy-rsa]# cd /etc/openvpn/easy-rsa/
[root@openvpn easy-rsa]# ./easyrsa init-pki
   
Note: using Easy-RSA configuration from: ./vars
   
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
[root@openvpn easy-rsa]# ./easyrsa build-ca
   
Note: using Easy-RSA configuration from: ./vars
   
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
   
Enter New CA Key Passphrase:  # set a passphrase; it is needed again when signing certificates below. I used 888888 here
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus
..................................................................................................................................................................................................................................................................+++
.................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:  # set the CN; press Enter to accept the default Easy-RSA CA
   
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

Generate the server certificate

[root@openvpn easy-rsa]# ./easyrsa gen-req server nopass
   
Note: using Easy-RSA configuration from: ./vars
   
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.......................+++
........+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.VWbGpsGSpM'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:  # set the CN; press Enter to accept the default server
   
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key

Sign the server certificate with the CA

[root@openvpn easy-rsa]# ./easyrsa sign server server
   
Note: using Easy-RSA configuration from: ./vars
   
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
   
   
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
   
Request subject, to be signed as a server certificate for 3650 days:
   
subject=
   commonName                = server
   
   
Type the word 'yes' to continue, or any other input to abort.
 Confirm request details: yes  # type yes to confirm
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:  # enter the passphrase set above when the CA was created
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Apr  2 04:27:27 2030 GMT (3650 days)
   
Write out database with 1 new entries
Data Base Updated
   
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt

Generate the DH parameters

[root@openvpn easy-rsa]# ./easyrsa gen-dh
   
Note: using Easy-RSA configuration from: ./vars
   
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
....................................
   
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

Generate the tls-auth static key

openvpn --genkey --secret /etc/openvpn/client.key

This command produces the shared static key that the tls-auth directive uses on both the server and the client (it is not a client public key). Note that it is saved here as client.key while server.conf below references it as ta.key: the file name in the tls-auth line must match the file you actually generated, or OpenVPN will not start. Put the server certificates and keys together under /etc/openvpn/ so they are easy to manage and reference.

cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/
ll /etc/openvpn/
total 48
drwxr-xr-x 2 root root    4096 Dec  1 17:57 auth
-rw------- 1 root root    1172 Dec  1 17:00 ca.crt
drwxr-x--- 2 root openvpn 4096 Apr 21  2021 client
-rw------- 1 root root     424 Dec  1 17:00 dh.pem
drwxr-xr-x 4 root root    4096 Dec  1 16:42 easy-rsa
-rw------- 1 root root       0 Dec  1 18:17 ipp.txt
-rw------- 1 root root     232 Dec  1 18:24 openvpn-status.log
drwxr-x--- 2 root openvpn 4096 Apr 21  2021 server
-rw-r--r-- 1 root root     616 Dec  1 17:03 server.conf
-rw------- 1 root root    4547 Dec  1 17:00 server.crt
-rw------- 1 root root    1704 Dec  1 17:00 server.key
-rw------- 1 root root     636 Dec  1 17:00 client.key

Edit the main OpenVPN configuration file /etc/openvpn/server.conf

local 0.0.0.0
port 1194
proto udp
dev tun
user openvpn
group openvpn
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# client address pool
server 10.8.0.0 255.255.255.0
# internal subnet to route through the VPN
# push "route 172.20.55.0  255.255.255.0"
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
# keepalive: ping every 10 seconds, treat the peer as down after 120 seconds without a reply
keepalive 10 120
# key direction: 0 on the server, 1 on the client
tls-auth ta.key 0
cipher AES-256-CBC
# compress transmitted data
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
verify-client-cert none

Configure LDAP authentication: /etc/openvpn/auth/ldap.conf

cat > /etc/openvpn/auth/ldap.conf <<EOF
<LDAP>
	URL		ldap://ldap.xxxx.com:389
	BindDN		cn=admin,dc=xxxx,dc=com
	Password	xxxx@xxxxxxxxxxx
	Timeout		15
	TLSEnable	no
	FollowReferrals no
</LDAP>
<Authorization>
	BaseDN		"dc=xxx,dc=com"
	SearchFilter	"cn=%u"
	RequireGroup	false
</Authorization>
EOF
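As an added illustration (not part of the original post or of the openvpn-auth-ldap plugin's own code), the Python below models what the settings above drive: the plugin binds with BindDN and Password, searches BaseDN with SearchFilter after substituting the username for %u, then binds again as the DN it found using the password the VPN client sent. The directory entries, passwords and the escaping helper are constructed here, and how the real plugin escapes %u is not shown on this page, so that part is an assumption.

```python
"""Model of the bind -> search -> rebind sequence openvpn-auth-ldap performs for
the <Authorization> block above, run against a constructed in-memory directory
(entries, passwords and the admin credential below are made up)."""
import re

DIRECTORY = {  # constructed entries: DN -> (attributes, password)
    "cn=alice,dc=xxx,dc=com": ({"cn": "alice"}, "correct horse"),
    "cn=bob,dc=xxx,dc=com": ({"cn": "bob"}, "hunter2"),
}
BIND_DN, BIND_PW = "cn=admin,dc=xxx,dc=com", "xxxx@xxxxxxxxxxx"  # as in ldap.conf

def escape_filter_value(value: str) -> str:
    """Escape a value for embedding in a search filter (RFC 4515, section 3)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def build_search_filter(template: str, username: str) -> str:
    """Expand the %u placeholder of SearchFilter with the escaped username."""
    return template.replace("%u", escape_filter_value(username))

def mock_bind(dn: str, password: str) -> bool:
    """Simple bind: the service account, or a user entry whose password matches."""
    if dn == BIND_DN:
        return password == BIND_PW
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[1] == password

def mock_search(base_dn: str, search_filter: str) -> list:
    """Only the single 'attr=value' equality filter this page uses is modelled;
    stored values are compared in escaped form, equivalent to a server unescaping."""
    m = re.fullmatch(r"\(?(\w+)=([^()]*)\)?", search_filter)
    if not m:
        raise ValueError("unsupported filter: " + search_filter)
    attr, wanted = m.groups()
    return [dn for dn, (attrs, _) in DIRECTORY.items()
            if dn.endswith(base_dn) and attr in attrs
            and escape_filter_value(attrs[attr]) == wanted]

def authenticate(username: str, password: str,
                 base_dn: str = "dc=xxx,dc=com", search_filter: str = "cn=%u") -> bool:
    """True only when exactly one entry matches and it binds with the password."""
    if not mock_bind(BIND_DN, BIND_PW):            # 1. bind as the service account
        return False
    matches = mock_search(base_dn, build_search_filter(search_filter, username))
    if len(matches) != 1:                           # 2. none or ambiguous: refuse
        return False
    # 3. rebind as the found DN; an empty password would be an anonymous bind on
    #    many servers, so it is refused here regardless of server policy
    return password != "" and mock_bind(matches[0], password)
```

Because TLSEnable is "no" and the URL is ldap://, both the admin bind password and every user password cross the network in clear text in the real setup; the mock does not change that, it only shows where those credentials are used.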

Start the service

systemctl start openvpn@server
systemctl enable openvpn@server

Enable kernel IP forwarding

echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf

iptables NAT

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

10.8.0.0/24 is the address range OpenVPN assigns to clients.

Client configuration

client
dev tun
# protocol must match the server
proto udp
remote xx.xx.xx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
# must match the server setting
comp-lzo
explicit-exit-notify 1
verb 3
# enable username/password authentication
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
# paste the contents of the server's ca.crt here
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
# paste the contents of the server's ta.key here
-----END OpenVPN Static key V1-----
</tls-auth>
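The comments in the client profile say that proto and comp-lzo must match the server, and the tls-auth key is used with direction 0 on the server and key-direction 1 on the client. The following added example (my code, not from the page or from OpenVPN) parses a server.conf and a client profile in the format shown above and reports where the pair disagrees or where a file the server references is missing; the two sample configs embedded in it are constructed, and the PRESENT set stands in for a listing of /etc/openvpn.

```python
"""Consistency check for a server.conf / client profile pair like the ones above:
options that must match, the tls-auth direction pair, inline blocks, referenced files."""
import shlex

def parse_openvpn_config(text: str) -> dict:
    """Map directive -> args; inline <ca>..</ca> blocks are recorded as 'inline'."""
    opts, inside = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inside:  # skip the block body until its closing tag
            inside = None if line == f"</{inside}>" else inside
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            inside = line[1:-1]
            opts[inside] = ["inline"]
            continue
        words = shlex.split(line)
        opts[words[0]] = words[1:]
    return opts

def check_pair(server: dict, client: dict, present: set) -> list:
    """Findings for the pair; 'present' is the set of file names in the server's
    config directory. An empty list means nothing was found."""
    findings = []
    if server.get("proto") != client.get("proto"):
        findings.append("proto must match on both ends")
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        findings.append("comp-lzo must be set on both ends or on neither")
    if "tls-auth" in server:
        if server["tls-auth"][1:] != ["0"] or client.get("key-direction") != ["1"]:
            findings.append("tls-auth needs direction 0 on the server, key-direction 1 on the client")
        if "tls-auth" not in client:
            findings.append("client profile has no inline <tls-auth> block")
    if "ca" not in client:
        findings.append("client profile has no inline <ca> block")
    if server.get("verify-client-cert") == ["none"] and "auth-user-pass" not in client:
        findings.append("server uses password-only auth but client lacks auth-user-pass")
    for key in ("ca", "cert", "key", "dh", "tls-auth"):
        if key in server and server[key][0] not in present | {"inline"}:
            findings.append(f"{key} file {server[key][0]} not found in config directory")
    return findings

# Constructed sample reproducing the page's setup, including its ta.key/client.key mismatch
SERVER_CONF = ("proto udp\nca ca.crt\ncert server.crt\nkey server.key\ndh dh.pem\n"
               "tls-auth ta.key 0\ncomp-lzo\nverify-client-cert none\n")
CLIENT_CONF = ("client\nproto udp\ncomp-lzo\nauth-user-pass\n<ca>\nXX\n</ca>\n"
               "key-direction 1\n<tls-auth>\nXX\n</tls-auth>\n")
PRESENT = {"ca.crt", "server.crt", "server.key", "dh.pem", "client.key"}
```

Run against the real files with open("/etc/openvpn/server.conf").read() and a listing of that directory; the sample pair reports only the ta.key file that the page never creates under that name.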
