openvpn+AD服务配置
一、环境
CentOS Linux release 7.9.2009 (Core)
二、软件安装
yum install epel-release -y
yum install -y easy-rsa openvpn openvpn-auth-ldap
easy-rsa.noarch 0:3.0.8-1.el7 openvpn.x86_64 0:2.4.11-1.el7 openvpn-auth-ldap.x86_64 0:2.0.3-17.el7
其中easy-rsa主要用来给OpenVPN Server启动要用到的相关证书的生成。
四、证书准备
为了简化证书生成流程这里使用easy-rsa工具包
1、先创建一个工作目录用来存放生成证书中要用到的各种文件
mkdir /etc/openvpn/easy-rsa
2、准备证书生成相关文件
cp -r /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/
3、准备生成证书用的CSR相关配置
cat <<EOF > /etc/openvpn/easy-rsa/vars
#公司信息,根据情况自定义
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "BeiJing"
set_var EASYRSA_REQ_CITY "Bei Jing"
set_var EASYRSA_REQ_ORG "TEST Co"
set_var EASYRSA_REQ_EMAIL "it@test.com"
set_var EASYRSA_REQ_OU "Test Organizational Unit"
#证书有效期
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650
EOF
4、生成CA证书
#cd /etc/openvpn/easy-rsa/
#./easyrsa init-pkill
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
# ./easyrsa build-ca
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Enter New CA Key Passphrase:需要设置一个密码,我这里设为"888888"
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus
.................................+++
.....................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: 输入"CN"后直接回车
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
5、生成服务端证书
# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.................................................................+++
.+++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-982.cJcd0X
/tmp.RiZw8A'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: 输入"CN",直接回车
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key
6、使用CA给服务端证书签名
#./easyrsa sign server server
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this
request
has not been cryptographically verified. Please be sure it came from a
trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = CN
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes,这里输入yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-1033.vfaQKy
/tmp.CHstGn
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: 这里输入步骤4中设置的密码"888888"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'CN'
Certificate is to be certified until Aug 17 08:36:18 2031 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt
7、生成DH证书
./easyrsa gen-dh
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........................................................................................................
++*++*
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
8ta
openvpn --genkey --secret /etc/openvpn/ta.key
9、*因为我准备使用AD来做authentication,不准备使用客户端证书authentication,所以这里就不生成客户端证书了。
10、将server端证书和密钥都统一放到/etc/openvpn/目录下,方便管理和配置。
#cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/
#cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/
#cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/
#cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/
# ls -l
total 40
drwxr-xr-x 2 root root 4096 Aug 19 16:12 auth
-rw------- 1 root root 1135 Aug 20 10:45 ca.crt
drwxr-x--- 2 root openvpn 4096 Apr 21 22:02 client
-rw------- 1 root root 424 Aug 20 10:45 dh.pem
drwxr-xr-x 4 root root 4096 Aug 19 16:27 easy-rsa
drwxr-x--- 2 root openvpn 4096 Apr 21 22:02 server
-rw------- 1 root root 4489 Aug 20 10:46 server.crt
-rw------- 1 root root 1708 Aug 20 10:45 server.key
-rw------- 1 root root 636 Aug 20 10:43 ta.key
五、配置
1、主配文件:/etc/openvpn/server.conf
# cat > /etc/openvpn/server.conf <<EOF
local 0.0.0.0
port 1194
proto udp
dev tun
#dev tap
user openvpn
group openvpn
ca ca.crt
cert server.crt
key server.key
dh dh.pem
##客户端地址池
topology subnet
server 10.8.0.0 255.255.255.0
#内网网段
#push "route 10.0.0.0 255.255.254.0"
#push "route 192.168.10.0 255.255.255.0"
#push "route 192.168.61.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
#下发内网dns,如果不下发内网dns,那么有些内部域名的服务就无法访问
push "dhcp-option DNS 192.168.10.131"
push "dhcp-option DNS 223.5.5.5"
push "redirect-gateway def1 bypass-dhcp"
#心跳检测,10秒检测一次,2分钟内没有回应则视为断线
keepalive 10 120
#服务端值为0,客户端为1
tls-auth ta.key 0
cipher AES-256-CBC
#传输数据压缩
comp-lzo
persist-key
persist-tun
#####
#auth SHA256
#cipher AES-128-GCM
#ncp-ciphers AES-128-GCM
#tls-server
#tls-version-min 1.2
#tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn-status.log
verb 3
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn
/auth/ldap.conf"
verify-client-cert none
EOF
2、配置LDAP认证:/etc/openvpn/auth/ldap.conf
#cat > /etc/openvpn/auth/ldap.conf <<EOF
<LDAP>
# LDAP server URL
URL ldap://test.cn:389 #AD服务器地址
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN cn=interface,cn=users,dc=test,dc=cn #AD账号
# Bind Password
Password XXXXXXX ##AD密码
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable no
# Follow LDAP Referrals (anonymously)
FollowReferrals no
# TLS CA Certificate File
##TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
##TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
##TLSCertFile /usr/local/etc/ssl/client-cert.pem
##TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
BaseDN "dc=test,dc=cn" #ADDN
# User Search Filter
#SearchFilter "(&objectclass=OpenVPN)"
SearchFilter "(&(sAMAccountName=%u))" #AD的用户名字段
# Require Group Membership
#RequireGroup false
RequireGroup true
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<Group>
BaseDN "dc=test,dc=cn"
SearchFilter "(|(cn=OpenVPN))" #这个是组属性,设置这个好处是我们给员工开放vpn权限时,只要把需要开放vpn权限的用户加入这个组就可以了,没有加入这个组的就无法访问openvpn
MemberAttribute member
#MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>
EOF
#如下图所示,要想给同事开放openvpn权限,只需要把它加入这个组,openvpn的权限就开放了,大大简化IT运维人员的操作。
3、启动服务
systemctl start openvpn@server
systemctl enable openvpn@server
#netstat -lnp|grep openvpn
udp 0 0 0.0.0.0:1194 0.0.0.0:
* 14758/openvpn
4、开启内核转发
#echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
#echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
# sysctl -a|grep "net.ipv4.conf.all.forwarding"
net.ipv4.conf.all.forwarding = 1
5、Iptables开启SNAT
#cat >/etc/openvpn/add-iptables-openvpn.sh <<EOF
#!/bin/sh
#10.8.0.0/24为openvpn分配给客户端的地址,openvpn服务中server.conf配置文件中"server 10.8.0.0 255.255.255.0"中指定的
iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o ens192 -j MASQUERADE
iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -I FORWARD 1 -i ens192 -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o ens192 -j ACCEPT
iptables -I INPUT 1 -i ens192 -p udp --dport 1194 -j ACCEPT
EOF
#chmod 755 /etc/openvpn/add-iptables-openvpn.sh
#echo "sh /etc/openvpn/add-iptables-openvpn.sh" >>/etc/rc.d/rc.local
#chmod 755 /etc/rc.d/rc.local
6、客户端配置文件,
#windows下把它存成xxx-vpn.ovpn配置文件,然后下载openvpn client软件安装(NEU-openvpn-2.4.4-client-install-x86_64.exe),然后把配置
文件放到安装后的confg目录下,就可以访问了。
#mac下下把它存成xxx-vpn.ovpn配置文件,下载openvpn client软件安装(Tunnelblick_3.8.5a_build_5671.dmg),安装后把配置文件拖到安装的程
序就可以了。
client
dev tun
#协议与sever保持一致
proto udp
#公司出口公网IP
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
#与server保持一致
comp-lzo
verb 3
#开启密码认证
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
#将server上ca.crt文件内容拷贝过来
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#将server上ta.key文件内容拷贝到这里
-----END OpenVPN Static key V1-----
</tls-auth>
网友评论