安装
yum install -y openvpn openvpn-auth-ldap
配置
证书
关于生成证书请参考 VPN-基于 OpenVPN 构建
/etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/BJ.crt
key /etc/openvpn/easy-rsa/keys/BJ.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 172.16.100.0 255.255.255.0
ifconfig-pool-persist ipp.txt
duplicate-cn
keepalive 5 60
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
push "redirect-gateway def1 bypass-dhcp bypass-dns"
push "dhcp-option DNS 8.8.8.8"
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf uid=%u "
client-cert-not-required
username-as-common-name
/etc/openvpn/auth/ldap.conf
<LDAP>
URL ldaps://dir.example.com:636
BindDN uid=apps,ou=Operations,ou=People,dc=example,dc=com
Password changeme
Timeout 15
TLSEnable no
FollowReferrals yes
</LDAP>
<Authorization>
BaseDN "dc=example,dc=com"
SearchFilter "(uid=%u)"
RequireGroup false
<Group>
BaseDN "ou=Groups,dc=example,dc=com"
SearchFilter "(|(cn=developers)(cn=artists))"
MemberAttribute uniqueMember
</Group>
</Authorization>
/etc/openldap/ldap.conf
最后追加一行
TLS_REQCERT never
与桥接模式集成
openvpn-auth-ldap 不支持桥接模式,需要打 patch 才能正常工作,具体参考这里