III (21) OpenVPN (2)


技术小阿哥 2017-11-27 14:50:00


Case 1

Interconnecting several datacenters with OpenVPN:

[figure: architecture diagram, multi-datacenter interconnection over OpenVPN]

Notes:

The vpn client role here takes the place of the Windows dial-up client on the host machine used in the earlier examples;

On both the vpn server and the vpn client: 1. deal with the firewall (so it does not block the OpenVPN port or forwarded traffic; allowing the port and the FORWARD chain explicitly is preferable to stopping the firewall outright); 2. disable SELinux; 3. enable IP forwarding (#echo 1 > /proc/sys/net/ipv4/ip_forward, or set net.ipv4.ip_forward = 1 in /etc/sysctl.conf so it survives a reboot);

 

vpn server-side

[root@etiantian ~]# vim /etc/openvpn/server.conf   #(changes: 1. comment out duplicate-cn, because the ccd/ file is matched on the certificate CN and each client must therefore present its own certificate; 2. enable client-config-dir /etc/openvpn/ccd; 3. enable route 192.168.1.0 255.255.255.0 (push hands a route to the client, route installs it in the server's own kernel so LAN(B) traffic is sent into the tunnel); 4. enable client-to-client)

;duplicate-cn

client-config-dir ccd

route 192.168.1.0 255.255.255.0

client-to-client

[root@etiantian ~]# egrep -v "#|;|^$" /etc/openvpn/server.conf   #(full configuration. This filter also hides the line "key /etc/openvpn/keys/server.key  # This file should be kept secret", because the sample config puts a comment on the same line as the key directive; the key is still loaded)

local 10.96.20.113

port 52115

proto tcp

dev tun

ca /etc/openvpn/keys/ca.crt

cert /etc/openvpn/keys/server.crt

dh /etc/openvpn/keys/dh1024.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "route 172.16.1.0 255.255.255.0"

client-config-dir /etc/openvpn/ccd

route 192.168.1.0 255.255.255.0

client-to-client

keepalive 10 120

comp-lzo

persist-key

persist-tun

status openvpn-status.log

log /var/log/openvpn.log

verb 3

crl-verify  /etc/openvpn/keys/crl.pem

(dh1024.pem and comp-lzo are what this lab used in 2016. For a new deployment generate a 2048-bit DH file and leave compression off, since compression on a VPN link can leak plaintext to an attacker who controls part of the traffic. crl-verify is worth keeping: it is what lets a lost client certificate be revoked without reissuing the CA.)

[root@etiantian ~]# vim /etc/openvpn/ccd/jowin   #(create this file; "jowin" must be exactly the CN of the client certificate signed for that site. iroute 192.168.1.0 255.255.255.0 is mandatory: it tells OpenVPN which connected client owns that LAN, and without it the server-side route sends packets into the tunnel that OpenVPN then drops. The ifconfig-push line is optional and pins this client to a fixed virtual address, so hosts in the LAN can reach it at a known address)

iroute 192.168.1.0 255.255.255.0

#ifconfig-push 10.8.0.18 10.8.0.19
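The route/iroute/ccd pairing above is the step most often got wrong in a site-to-site setup, and OpenVPN only reveals the mismatch at runtime. The checker below is an added example, not part of the original post: it parses a server.conf and the ccd/ files as text and reports the mismatches (a route with no iroute, an iroute with no route, duplicate-cn left on, a LAN pushed back to the very client that owns it). The sample configuration it carries is constructed from the server.conf and ccd/jowin listings above; the function names are my own.

```python
"""Added example (not from the post): check that a site-to-site OpenVPN server.conf
and its ccd/ files agree, i.e. every route has an iroute and vice versa."""

# Constructed sample text, taken from the server.conf and ccd/jowin shown above.
SERVER_CONF = """\
local 10.96.20.113
port 52115
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
route 192.168.1.0 255.255.255.0
client-to-client
;duplicate-cn
"""
CCD_FILES = {  # ccd/<CN of the client certificate> -> file contents
    "jowin": "iroute 192.168.1.0 255.255.255.0\n#ifconfig-push 10.8.0.18 10.8.0.19\n",
}


def parse_directives(text):
    """Return (directive, [args]) for each active line; '#' and ';' comments are skipped."""
    result = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.replace('"', "").split()
        result.append((parts[0], parts[1:]))
    return result


def check_site_to_site(server_conf, ccd_files):
    """Return a list of findings; an empty list means the routing setup is consistent."""
    findings = []
    directives = parse_directives(server_conf)
    names = {d for d, _ in directives}
    server_routes = {tuple(a[:2]) for d, a in directives if d == "route" and len(a) >= 2}
    pushed_routes = {tuple(a[1:3]) for d, a in directives
                     if d == "push" and len(a) >= 3 and a[0] == "route"}

    if "client-config-dir" not in names:
        findings.append("client-config-dir is not set, so ccd/ files (and their iroute lines) are never read")
    if "duplicate-cn" in names:
        findings.append("duplicate-cn is enabled: several clients may share one CN, so an iroute "
                        "cannot be tied to a single client")

    # Which client claims which LAN.
    iroutes = {}
    for cn, text in ccd_files.items():
        for d, a in parse_directives(text):
            if d == "iroute" and len(a) >= 2:
                iroutes.setdefault(tuple(a[:2]), []).append(cn)

    for net, owners in iroutes.items():
        if net not in server_routes:
            findings.append(f"ccd/{owners[0]}: iroute {net[0]} {net[1]} has no matching 'route' in "
                            "server.conf, so the kernel never sends that LAN into the tunnel")
        if len(owners) > 1:
            findings.append(f"iroute {net[0]} {net[1]} is claimed by several clients: "
                            + ", ".join(sorted(owners)))
        if net in pushed_routes:
            findings.append(f"route {net[0]} {net[1]} is both pushed to clients and iroute'd by "
                            f"{owners[0]}, so that client would route its own LAN into the tunnel")
    for net in sorted(server_routes - set(iroutes)):
        findings.append(f"route {net[0]} {net[1]} has no iroute in any ccd/ file, so OpenVPN "
                        "will drop packets for it")
    return findings


if __name__ == "__main__":
    for finding in check_site_to_site(SERVER_CONF, CCD_FILES) or ["OK: routes and iroutes agree"]:
        print(finding)
```

Run it as python3 checkroutes.py; it prints OK or one line per finding. To check a real server, read server.conf into SERVER_CONF and build CCD_FILES with one entry per file in the client-config-dir, keyed by file name.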

[root@etiantian ~]# service openvpn start

Starting openvpn:                                         [  OK  ]

[root@etiantian ~]# lsof -i :52115

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

openvpn 39657 root    5u IPv4 818132      0t0  TCP etiantian.org:52115 (LISTEN)

[root@etiantian ~]# ifconfig tun0

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00

         inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255

         UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500  Metric:1

         RX packets:2 errors:0 dropped:0 overruns:0 frame:0

         TX packets:2 errors:0 dropped:0 overruns:0 carrier:0

         collisions:0 txqueuelen:100

         RX bytes:168 (168.0 b)  TX bytes:168 (168.0 b)

#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j SNAT --to-source 172.16.1.11


 

vpn client-side

[root@localhost ~]# egrep -v "#|;|^$" /etc/openvpn/client.conf

client

dev tun

proto tcp

remote 10.96.20.113 52115

resolv-retry infinite

nobind

persist-key

persist-tun

ca /etc/openvpn/ca.crt

cert /etc/openvpn/jowin.crt

key /etc/openvpn/jowin.key

ns-cert-type server

comp-lzo

verb 3

(ns-cert-type server checks the Netscape cert-type extension of the server certificate, so a client certificate issued by the same CA cannot be used to impersonate the server. It is deprecated in newer OpenVPN releases; remote-cert-tls server is the replacement and checks the extended key usage instead.)

[root@localhost ~]# service openvpn start

Starting openvpn: Enter Private Key Password:

                                                          [  OK  ]

[root@localhost ~]# ping 10.8.0.1

PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.

64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.426 ms

64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=0.327 ms

64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=0.281 ms

#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j SNAT --to-source 192.168.1.11


 

LAN(A) server1-side

#route add -net 192.168.1.0/24 gw 172.16.1.11   #(send LAN(B) traffic to the vpn server's LAN(A) address)

LAN(B) server1-side

#route add -net 172.16.1.0/24 gw 192.168.1.11   #(send LAN(A) traffic to the vpn client's LAN(B) address)

Test whether LAN(B)-server1 can talk to LAN(A)-server1:

ping LAN(A) server1 from LAN(B) server1: replies come back, as expected

Capture on the vpn server with #tcpdump -n icmp: both ICMP echo request and ICMP echo reply are seen, as expected

Capture on LAN(A) server1: both ICMP echo request and ICMP echo reply are seen, as expected

 

 

 

 

Case 2

Office PCs use the IDC datacenter's OpenVPN server as a proxy for internet access

[figure: user dials in to the vpn server to manage IDC hosts; other traffic leaves via the user's own local route]

Note: the figure above is the earlier setup, a user dialling in to the vpn server to manage hosts in the IDC; in production both the vpn server's eth0 address and the user's source IP are public addresses; when visiting other websites the traffic leaves through the user's own local route and does not go through the vpn link

[figure: all client traffic, including internet access, routed through the vpn server]

Note: the figure above is the proxied internet access this case describes

 

[root@etiantian ~]# vim /etc/openvpn/server.conf

push "redirect-gateway def1 bypass-dhcp bypass-dns"

push "dhcp-option DNS 8.8.8.8"

push "dhcp-option DNS 8.8.4.4"

[root@etiantian ~]# cat /proc/sys/net/ipv4/ip_forward   #(确保网络转发是开的)

1

#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 10.96.20.113

#iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 52115 -j ACCEPT

(With redirect-gateway every client's internet traffic now leaves through 10.96.20.113, so keep the SNAT rule restricted to -s 10.8.0.0/24 and let the FORWARD chain accept only traffic arriving on tun0 from that range. bypass-dhcp and bypass-dns keep the client's local DHCP and DNS servers reachable directly, and the two dhcp-option DNS lines make the client resolve through 8.8.8.8 and 8.8.4.4 over the tunnel instead of its local resolver.)

Browse other websites through the proxy and use www.whatismyip.com.tw or www.ip138.com to compare the IP before and after: after connecting, these sites report the proxy server's IP (the address openvpn listens on). In a Windows cmd window, run >route print > test.txt before and after connecting and compare the two files; redirect-gateway def1 adds two routes, 0.0.0.0/1 and 128.0.0.0/1, via the tunnel, which take precedence over the original default route without deleting it.

 

 

 

Scheme 3

OpenVPN load balancing and high availability

Method 1: several configuration files on the vpn client (the user chooses which one to dial)

[figure: one client, two vpn servers, the user picks a profile]

Steps:

Set up vpn server{1,2}; the two server configurations differ only in the IP address they listen on;

The CA and server certificates on vpn server{1,2} must be the same (here vpn server1's certificates were copied to vpn server2). The CA must be shared so one client certificate is accepted by both servers; sharing the server key as the post does works, though issuing each server its own certificate from that CA limits the damage if one server's key is compromised;

The vpn client has several different configuration files locally (two in this example, differing only in the vpn server IP they connect to; they are two *.ovpn files under config/jowin/ in the installation directory);

Summary:

This method also works with a shared authentication backend (local file, database, RADIUS, LDAP, Active Directory);

It is simple to operate and suits internal staff: it introduces no extra service and no additional single point of failure; when one vpn server fails, the user picks the other vpn server manually in the vpn client;

The load balancing happens on the user side, much like the early Huajun download site where the user picked a mirror, rather than through a complex smart-DNS setup;

 

vpn server1

[root@etiantian ~]# grep local /etc/openvpn/server.conf

# Which local IP address should OpenVPN

;local a.b.c.d

local 10.96.20.113

[root@etiantian ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j SNAT --to-source 172.16.1.113

[root@etiantian ~]# iptables -t nat -L -n

Chain PREROUTING (policy ACCEPT)

target    prot opt source              destination        

 

Chain POSTROUTING (policy ACCEPT)

target    prot opt source              destination        

SNAT      all  --  10.8.0.0/24          0.0.0.0/0           to:172.16.1.113

 

Chain OUTPUT (policy ACCEPT)

target    prot opt source              destination        

[root@etiantian ~]# service openvpn start

Starting openvpn:                                         [  OK  ]

[root@etiantian ~]# ifconfig tun0

tun0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 

         inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255

         UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500  Metric:1

         RX packets:0 errors:0 dropped:0 overruns:0 frame:0

         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

         collisions:0 txqueuelen:100

         RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@etiantian ~]# tail /var/log/openvpn.log

Tue Jul 26 22:13:19 2016 Listening for incoming TCP connection on 10.96.20.113:52115

Tue Jul 26 22:13:19 2016 TCPv4_SERVER link local (bound): 10.96.20.113:52115

Tue Jul 26 22:13:19 2016 TCPv4_SERVER link remote: [undef]

Tue Jul 26 22:13:19 2016 MULTI: multi_init called, r=256 v=256

Tue Jul 26 22:13:19 2016 IFCONFIG POOL: base=10.8.0.4 size=62

Tue Jul 26 22:13:19 2016 IFCONFIG POOL LIST

Tue Jul 26 22:13:19 2016 test,10.8.0.4

Tue Jul 26 22:13:19 2016 jowin,10.8.0.8

Tue Jul 26 22:13:19 2016 MULTI: TCP INIT maxclients=1024 maxevents=1028

Tue Jul 26 22:13:19 2016 Initialization Sequence Completed

 

vpn server2

[root@localhost ~]# grep local /etc/openvpn/server.conf

# Which local IP address should OpenVPN

;local a.b.c.d

local 10.96.20.114

[root@localhost ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j SNAT --to-source 172.16.1.114

[root@localhost ~]# iptables -t nat -L -n

Chain PREROUTING (policy ACCEPT)

target    prot opt source              destination        

 

Chain POSTROUTING (policy ACCEPT)

target    prot opt source              destination        

SNAT      all  -- 10.8.0.0/24         0.0.0.0/0           to:172.16.1.114

 

Chain OUTPUT (policy ACCEPT)

target    prot opt source              destination        

[root@localhost ~]# service openvpn start

Starting openvpn:                                          [ OK  ]

[root@localhost ~]# ifconfig tun0

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00

         inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255

         UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500  Metric:1

         RX packets:0 errors:0 dropped:0 overruns:0 frame:0

         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

         collisions:0 txqueuelen:100

         RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@localhost ~]# tail /var/log/openvpn.log

Wed Jul 27 13:14:05 2016 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2

Wed Jul 27 13:14:05 2016 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]

Wed Jul 27 13:14:05 2016 Listening for incoming TCP connection on 10.96.20.114:52115

Wed Jul 27 13:14:05 2016 TCPv4_SERVER link local (bound): 10.96.20.114:52115

Wed Jul 27 13:14:05 2016 TCPv4_SERVER link remote: [undef]

Wed Jul 27 13:14:05 2016 MULTI: multi_init called, r=256 v=256

Wed Jul 27 13:14:05 2016 IFCONFIG POOL: base=10.8.0.4 size=62

Wed Jul 27 13:14:05 2016 IFCONFIG POOL LIST

Wed Jul 27 13:14:05 2016 MULTI: TCP INIT maxclients=1024 maxevents=1028

Wed Jul 27 13:14:05 2016 Initialization Sequence Completed

 

vpn client

On Windows, under config/<jowin's user directory>/ in the OpenVPN installation directory, place two *.ovpn files. They are the client.conf edited on the vpn server side, copied to Windows and renamed; the two differ only in the server address they connect to: remote 10.96.20.113 52115 and remote 10.96.20.114 52115

After connecting, ping 172.16.1.12 from Windows while capturing on 172.16.1.12: both requests and replies are seen, success



OpenVPN load balancing and HA:

Method 2 (recommended): done in the vpn client's configuration file. This client setup suits not only Windows users dialling in but also site-to-site links between datacenters. List several vpn servers in the *.ovpn file and use the client option remote-random, so a vpn server is picked at random when dialling; when one vpn server fails no manual intervention is needed, the client's OpenVPN GUI notices the failure and reconnects to another available vpn server on its own

[figure: one client profile listing both vpn servers]

[root@etiantian openvpn]# vim client.conf   #(edited on the vpn server side, copied to Windows and renamed jowin_LB.ovpn)

remote 10.96.20.113 52115

remote 10.96.20.114 52115

remote-random

resolv-retry 20


vpn server1

[root@etiantian ~]# > /etc/openvpn/openvpn-status.log   #(清空状态,并重启openvpn服务)

[root@etiantian ~]# service openvpn restart

Shutting down openvpn:                                     [  OK  ]

Starting openvpn:                                         [  OK  ]

 

vpn server2

[root@localhost ~]# >/etc/openvpn/openvpn-status.log

[root@localhost ~]# service openvpn restart

Shutting down openvpn:                                     [  OK  ]

Starting openvpn:                                         [  OK  ]


After connecting, the log shows that the current connection went to 10.96.20.113

Stop the openvpn service on 113: about 20 s later the client switches to 10.96.20.114 on its own, success

[root@etiantian ~]# service openvpn stop

Shutting down openvpn:                                     [  OK  ]

 

 

OpenVPN load balancing and HA

Method 3: a hostname with round-robin DNS A records. The vpn client's configuration uses remote vpn.etiantian.org 52115; DNS resolves the name to two A records and rotates between them

Note: this scheme is more complex. It brings in a DNS service, which adds a single point of failure and maintenance cost; it is not recommended if only internal staff use the VPN, and only marginally acceptable for external users. With several datacenters, where the vpn servers are not in the same one, the servers would also need IPSec links between them. DNS round robin suffers from client-side DNS caching, so failover may not take effect. DNS round robin is also used as a cluster HA scheme (LAN DNS, MySQL clusters, storage and so on); its drawback is poor support for long-lived connections

 

[root@etiantian ~]# yum -y install bind bind-chroot bind-libs caching-nameserver ypbind   #(DNS can be installed on any host in the IDC LAN; here it is installed on vpn server1)

[root@etiantian ~]# vim /etc/named.conf   #(change and add the following)

options {

       listen-on port 53 { any; };

                   ……

       allow-query     { any; };

                   ……

};

……

zone "etiantian.org" {

       type master;

       file "etiantian.org.db";

};

[root@etiantian ~]# cp -p /var/named/named.localhost /var/named/etiantian.org.db   #(note: this file is owned by root with group named; without -p the copy gets the wrong ownership, named cannot read it, and the records will not resolve)

[root@etiantian ~]# vim /var/named/etiantian.org.db

$TTL 1D
@       IN SOA  etiantian.org root (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN      NS      @
        IN      A       127.0.0.1
vpn     IN      A       10.96.20.113
vpn     IN      A       10.96.20.114

[root@etiantian ~]# service named start

Starting named:                                           [  OK  ]

[root@etiantian ~]# host vpn.etiantian.org

vpn.etiantian.org has address 10.96.20.114

vpn.etiantian.org has address 10.96.20.113

[root@etiantian ~]# nslookup vpn.etiantian.org

Server:               10.96.20.113

Address:  10.96.20.113#53

 

Name:      vpn.etiantian.org

Address: 10.96.20.113

Name:      vpn.etiantian.org

Address: 10.96.20.114

[root@etiantian ~]# tail -2 /etc/hosts   #(vpn server1 and vpn server2 must both have the same entries)

10.96.20.113    etiantian.org

10.96.20.114   etiantian.org

[root@etiantian ~]# vim /etc/openvpn/client.conf   #(edit this file on the server side, copy it to Windows and rename it jowin_LB3.ovpn)

remote vpn.etiantian.org 52115

remote-random

resolv-retry 20

[root@etiantian ~]# sz !$

sz /etc/openvpn/client.conf

 

Note: the problem with this method is that the vpn client on Windows has a local DNS cache, which can make the switch fail. Inspect it with >ipconfig /displaydns | more, then clear it with >ipconfig /flushdns; the Windows DNS cache can also be disabled through the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters, or by stopping the DNS Client system service

 

vpn client

The client first connected to 113. Stop the openvpn service on 113, flush the DNS cache, and check again: the connection has moved to 114, success

[root@etiantian ~]# service openvpn stop

Shutting down openvpn:                                     [  OK  ]

 

 

Method 4: use LVS, keepalived or haproxy in front of the vpn servers

 

 

 

Scheme:

OpenVPN unified authentication:

1. local certificate and key authentication;

2. local file authentication;

3. database authentication (method one: reuse the approach of 2, with a script (shell, php, python) that reads the DB and compares; the passwords in the DB should be stored hashed, the post suggests MD5 but a salted slow hash is the right choice today; method two: pam_mysql);

4. LDAP unified authentication (method one: openvpn-auth-ldap; method two: the local-file approach, querying LDAP or comparing against a local file);

5. RADIUS authentication (Remote Authentication Dial In User Service, defined in RFC 2865 and RFC 2866, currently the most widely used AAA protocol, providing authentication, authorization and accounting);

6. Active Directory (can be bridged to LDAP);

7. combined with hardware authentication devices such as USB security keys (U盾)

 

 

Example (OpenVPN authentication against a local file):

vpn server-side

[root@etiantian ~]# cd /etc/openvpn

[root@etiantian openvpn]# vim server.conf

auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env

client-cert-not-required

username-as-common-name

script-security 3

Notes:

auth-user-pass-verify syntax: auth-user-pass-verify script method (the script here, checkpsw.sh, is a downloadable shell script (a php script would also do); it receives the client's username and password, compares them with the local file psw-file and tells OpenVPN through its exit status whether the client may connect (0 means success, 1 means failure); method is via-env (pass user/pass via environment) or via-file (pass user/pass via temporary file));

psw-file (username and password on one line, separated by one or more spaces);

client-cert-not-required (no client certificate, user/pass only; this directive is removed in OpenVPN 2.5, where verify-client-cert none is the equivalent. Without client certificates the password is the only thing between an attacker and the VPN, so the password file and the verify script deserve the same care as the server key);

--script-security=0|1|2|3 (0: strictly no calling of external programs; 1 (default): only call built-in executables such as ifconfig, ip, route or netsh; 2: allow calling of built-in executables and user-defined scripts; 3: allow passwords to be passed to scripts via environment variables (potentially unsafe)); without this parameter the client cannot connect and the server logs "Failed running command (--auth-user-pass-verify): external program fork failed". via-file with script-security 2 is the safer combination, since the credentials then never appear in the script's environment;

 

[root@etiantian openvpn]# vim checkpsw.sh   #(Mathias Sundman's checkpsw.sh, as used by the post. Be aware that it keeps passwords in clear text, writes the submitted password into its log on every failed attempt, and splices $username straight into the awk program)

-------------------script start----------------------
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn/openvpn-password.log"   # the directory /var/log/openvpn must exist
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

# $username and $password are exported by OpenVPN (via-env); take the first matching non-comment line
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
--------------------script end------------------

[root@etiantian openvpn]# chmod 755 checkpsw.sh

[root@etiantian openvpn]# vim psw-file   #(accounts allowed to connect to the vpn server)

jowin  chai

[root@etiantian openvpn]# chmod 400 psw-file   #(least privilege, or use chattr +i psw-file; if server.conf drops privileges with user/group, the file must be readable by that account instead of root)
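checkpsw.sh does its job, but a reviewer would flag three things: psw-file holds passwords in clear text, every failed attempt writes the submitted password into the log, and $username is spliced into the awk program unquoted. The script below is an added example, not the post's script or anything shipped with OpenVPN: a drop-in auth-user-pass-verify verifier in Python that stores salted PBKDF2 hashes in the same psw-file layout (username, whitespace, secret), compares in constant time with hmac.compare_digest, and logs only the username. The file name checkpsw.py, the hash string format and the "hash" helper subcommand are my own conventions; the server.conf lines that would use it are auth-user-pass-verify /etc/openvpn/checkpsw.py via-file together with script-security 2, which keeps the password out of the script's environment (via-env with script-security 3 also works).

```python
#!/usr/bin/env python3
"""Added example (not the post's checkpsw.sh): an auth-user-pass-verify script that keeps
salted PBKDF2 hashes in psw-file, compares in constant time, and never logs passwords.
Works with 'via-file' (preferred, script-security 2) or 'via-env' (script-security 3)."""
import hashlib
import hmac
import os
import secrets
import sys
import time

PASSFILE = "/etc/openvpn/psw-file"                   # same path the post uses
LOG_FILE = "/var/log/openvpn/openvpn-password.log"   # same path the post uses
ITERATIONS = 600_000                                  # PBKDF2-HMAC-SHA256 work factor


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Produce the 'pbkdf2_sha256$iterations$salt$hash' string stored in psw-file."""
    salt = salt or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${digest.hex()}"


def verify_password(stored, password):
    """Recompute the hash from the stored salt and compare without leaking timing."""
    try:
        algo, iterations, salt, digest = stored.split("$")
        iterations = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()
    return hmac.compare_digest(candidate, digest)


def load_users(text):
    """psw-file layout as in the post: 'username<spaces>secret' per line; ';' and '#' lines are comments."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line[0] in ";#":
            continue
        fields = line.split()
        if len(fields) == 2:
            users[fields[0]] = fields[1]
    return users


def authenticate(users, username, password):
    """True only for a known user with the right password. Usernames are dictionary keys,
    so characters that would have broken the awk program in checkpsw.sh are harmless."""
    stored = users.get(username)
    if stored is None:
        # Burn the same work for unknown users so response time does not reveal valid names.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"no-such-user", ITERATIONS)
        return False
    return verify_password(stored, password)


def read_credentials(argv, environ):
    """via-file: OpenVPN passes a temp file (username on line 1, password on line 2) as $1.
    via-env: OpenVPN exports $username and $password (needs script-security 3)."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            lines = fh.read().splitlines() + ["", ""]
        return lines[0], lines[1]
    return environ.get("username", ""), environ.get("password", "")


def log(message):
    try:
        with open(LOG_FILE, "a") as fh:
            fh.write(time.strftime("%Y-%m-%d %H:%M:%S") + ": " + message + "\n")
    except OSError:
        pass  # a logging problem must not crash the verifier


if __name__ == "__main__":
    # Admin helper to produce a psw-file entry:  checkpsw.py hash 'secret'
    if len(sys.argv) == 3 and sys.argv[1] == "hash":
        print(hash_password(sys.argv[2]))
        sys.exit(0)
    username, password = read_credentials(sys.argv, os.environ)
    try:
        with open(PASSFILE) as fh:
            users = load_users(fh.read())
    except OSError:
        log(f"could not read {PASSFILE}")
        sys.exit(1)
    ok = authenticate(users, username, password)
    log(f"{'accepted' if ok else 'rejected'} username={username!r}")  # never the password
    sys.exit(0 if ok else 1)
```

Generate an entry with python3 checkpsw.py hash 'chai' and paste it after the username in psw-file; the file stays chmod 400 for the account openvpn runs as, and the log now contains usernames and outcomes only.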

[root@etiantian openvpn]# service openvpn restart

Shutting down openvpn:                                     [ OK  ]

Starting openvpn:                                         [  OK  ]

[root@etiantian openvpn]# vim client.conf   #(edit this file on the server side, upload it to Windows and rename it jowin_user_pass.ovpn)

remote 10.96.20.113 52115

#remote-random

resolv-retry 20

#cert jowin.crt

#key jowin.key

auth-user-pass

[root@etiantian openvpn]# sz client.conf

 

vpn client

After clicking connect, a username/password dialog pops up; log in normally, success

 

 

Example

OpenVPN authenticating through the openvpn-auth-ldap plugin (OpenVPN installation is covered in the previous article "VPN (1)", OpenLDAP installation in the next article "LDAP"):

[root@etiantian ~]# yum -y install gcc-c++ gcc-objc

[root@etiantian ~]# rpm -qa | grep openldap   #(make sure the openldap-* client packages are installed)

openldap-servers-2.4.40-12.el6.x86_64

openldap-2.4.40-12.el6.x86_64

openldap-clients-2.4.40-12.el6.x86_64

compat-openldap-2.3.43-2.el6.x86_64

openldap-servers-sql-2.4.40-12.el6.x86_64

openldap-devel-2.4.40-12.el6.x86_64

 

[root@etiantian ~]# cd /home/webgame/tools/

[root@etiantian tools]# rz -E   #(upload re2c-0.13.6.tar.gz and auth-ldap-2.0.3.tar.gz)

rz waiting to receive.

[root@etiantian tools]# tar xf re2c-0.13.6.tar.gz

[root@etiantian tools]# cd re2c-0.13.6

[root@etiantian re2c-0.13.6]# ./configure

[root@etiantian re2c-0.13.6]# make && make install

[root@etiantian re2c-0.13.6]# cd ..

[root@etiantian tools]# tar xf auth-ldap-2.0.3.tar.gz

[root@etiantian tools]# cd auth-ldap-2.0.3

[root@etiantian auth-ldap-2.0.3]# ./configure --prefix=/usr/local --with-openldap=/usr/local --with-openvpn=/home/webgame/tools/openvpn/openvpn-2.2.2   #(the /home/... path is where the openvpn source tree was unpacked when openvpn was built from source)

[root@etiantian auth-ldap-2.0.3]# make && make install

[root@etiantian auth-ldap-2.0.3]# cp auth-ldap.conf /etc/openvpn/

[root@etiantian auth-ldap-2.0.3]# cd

 

[root@etiantian ~]# vim /etc/openvpn/server.conf

plugin /usr/local/lib/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf

client-cert-not-required

username-as-common-name

 

[root@etiantian ~]# vim /etc/openvpn/auth-ldap.conf    #(change the following: URL can be a hostname or the LDAP server address; BindDN must match rootdn in /etc/openldap/slapd.conf, otherwise authentication fails; Password is the admin password; TLSEnable set to no. Two caveats: with TLSEnable no, the bind password and every user's VPN password cross the network to the LDAP server in clear text, which is only acceptable when the LDAP server is on the same host or a trusted LAN, otherwise turn on StartTLS with TLSCACertFile; and binding as rootdn gives the plugin full write access to the directory where a read-only service account would do. With RequireGroup false every account under ou=People can log in to the VPN; the commented <Group> block is how to restrict it to members of a VPN group)

-----------------file start-------------------------
<LDAP>
        # LDAP server URL
        URL             ldap://etiantian.org

        # Bind DN (If your LDAP server doesn't support anonymous binds)
        BindDN          cn=admin,dc=etiantian,dc=org

        # Bind Password
        Password        oldboy

        # Network timeout (in seconds)
        Timeout         15

        # Enable Start TLS
        TLSEnable       no

        # Follow LDAP Referrals (anonymously)
        FollowReferrals yes

        # TLS CA Certificate File
        #TLSCACertFile  /usr/local/etc/ssl/ca.pem

        # TLS CA Certificate Directory
        #TLSCACertDir   /etc/ssl/certs

        # Client Certificate and key
        # If TLS client authentication is required
        #TLSCertFile    /usr/local/etc/ssl/client-cert.pem
        #TLSKeyFile     /usr/local/etc/ssl/client-key.pem

        # Cipher Suite
        # The defaults are usually fine here
        # TLSCipherSuite        ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
        # Base DN
        BaseDN          "ou=People,dc=etiantian,dc=org"

        # User Search Filter
        #SearchFilter   "(&(uid=%u)(accountStatus=active))"
        SearchFilter    "uid=%u"

        # Require Group Membership
        RequireGroup    false

        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users

        #<Group>
                #BaseDN         "ou=Groups,dc=etiantian,dc=org"
                #SearchFilter   "(|(cn=developers)(cn=artists))"
                #MemberAttribute        uniqueMember
                # Add group members to a PF table (disabled)
                #PFTable        ips_vpn_eng
        #</Group>
</Authorization>
---------------file end-------------

 

Windows vpn client

[root@etiantian ~]# vim /etc/openvpn/client.conf   #(edit on the server side, upload to Windows and rename it jowin_ldap.ovpn)

remote 10.96.20.113 52115

#cert jowin.crt

#key jowin.key

auth-user-pass

Connect and enter an account that exists in LDAP, here user01/user01: login succeeds



This article is reposted from chaijowin's 51CTO blog; original link: http://blog.51cto.com/jowin/1831509. Contact the original author for permission to reproduce it.
