I already have a working OpenVPN server that connects 25 branch offices; the configuration is below. Our company uses outsourced developers who need access to servers in the DMZ. How can I add N users (the developers) on top of this configuration and give them password-based authentication, ideally with the users coming from Active Directory?
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
tls-server
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
tls-timeout 120
auth SHA1
cipher BF-CBC
server 10.255.1.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
route 10.2.0.0 255.255.0.0
route 10.3.0.0 255.255.0.0
route 10.4.0.0 255.255.0.0
route 10.5.0.0 255.255.0.0
route 10.6.0.0 255.255.0.0
route 10.10.0.0 255.255.0.0
route 10.8.0.0 255.255.0.0
route 10.27.0.0 255.255.0.0
route 10.7.0.0 255.255.0.0
route 10.11.0.0 255.255.0.0
route 10.12.0.0 255.255.0.0
route 10.13.0.0 255.255.0.0
route 10.14.0.0 255.255.0.0
route 10.15.0.0 255.255.0.0
route 10.16.0.0 255.255.0.0
route 10.17.0.0 255.255.0.0
route 10.18.0.0 255.255.0.0
route 10.19.0.0 255.255.0.0
route 10.20.0.0 255.255.0.0
route 10.21.0.0 255.255.0.0
route 10.22.0.0 255.255.0.0
route 10.23.0.0 255.255.0.0
route 10.24.0.0 255.255.0.0
route 10.25.0.0 255.255.0.0
#route 10.255.1.0 255.255.255.0
push "route 10.1.0.0 255.255.254.0"
push "route 10.1.200.0 255.255.255.0"
keepalive 10 120
comp-lzo
max-clients 255
client-to-client
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
mute 20
ifconfig-pool-persist ipp.txt
Answer 1
You need to use a plugin. There is an auth-ldap plugin and an auth-pam plugin (I have only used the latter). The relevant configuration options are:
plugin /usr/lib/openvpn/openvpn-plugin-auth-ldap.so <config-file>
username-as-common-name   # These two allow authentication
client-cert-not-required  # without a client certificate, if you want
                          # (deprecated in OpenVPN 2.4 and removed in 2.5; the
                          #  replacement directive is "verify-client-cert none")
duplicate-cn              # Allow the same client cert or same user/password to connect multiple times
That's about it!
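A worked configuration for the auth-ldap route against Active Directory, added here as an example; it is not part of the original question or answer. Every hostname, DN, group name, port, subnet and file path in it is an assumption (dc1.example.com, svc-openvpn, vpn-devs, 10.255.2.0/24, 10.1.200.0/24 as the DMZ): adjust them to your domain. It also goes one step further than the answer: rather than adding the developers to the branch-office instance, which has client-to-client enabled and carries routes to all 25 branches, it runs them on a second OpenVPN instance with its own port and address pool, pushes only the DMZ route, and enforces that with a firewall rule on the developers' tun interface, because a pushed route is advisory and a client can add routes by hand. The verify-client-cert directive is the OpenVPN 2.4+ spelling of the answer's client-cert-not-required.

```conf
# /etc/openvpn/auth-ldap.conf  (read by openvpn-plugin-auth-ldap.so; AD names assumed)
<LDAP>
    # Use ldaps:// (or TLSEnable yes for STARTTLS): a plain ldap:// bind would send each
    # developer's AD password in clear text between the VPN server and the domain controller.
    URL             ldaps://dc1.example.com
    # Low-privilege service account used only to look the user up. This file holds its
    # password, so keep it root-owned and mode 600.
    BindDN          CN=svc-openvpn,OU=Service Accounts,DC=example,DC=com
    Password        changeme
    Timeout         15
    TLSEnable       no            # already encrypted via ldaps://
    FollowReferrals no
</LDAP>

<Authorization>
    BaseDN          "OU=Users,DC=example,DC=com"
    # %u is replaced by the username the client typed; AD logon names are sAMAccountName
    SearchFilter    "(sAMAccountName=%u)"
    # Only members of the VPN group may log in, not every account in the domain
    RequireGroup    true
    <Group>
        BaseDN          "OU=Groups,DC=example,DC=com"
        SearchFilter    "(cn=vpn-devs)"
        MemberAttribute member
    </Group>
</Authorization>

# /etc/openvpn/devs.conf  (second server instance, kept apart from the branch-office one)
port 1195
proto udp
dev tun1
ca   /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key  /etc/openvpn/easy-rsa/keys/server.key
dh   /etc/openvpn/easy-rsa/keys/dh2048.pem      # generate this; 1024-bit DH is weak today
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-GCM                               # instead of BF-CBC
auth SHA256                                      # instead of SHA1 (also keys the tls-auth HMAC)
server 10.255.2.0 255.255.255.0                  # own pool, distinct from the branch pool 10.255.1.0/24
plugin /usr/lib/openvpn/openvpn-plugin-auth-ldap.so /etc/openvpn/auth-ldap.conf
username-as-common-name                          # ccd entries and logs keyed by the AD username
verify-client-cert none                          # password only; delete this line to require
                                                 # a client cert AND the AD password (two factors)
# duplicate-cn                                   # only if one developer must be connected twice
push "route 10.1.200.0 255.255.255.0"            # assumed DMZ subnet: the only route developers get
# deliberately no client-to-client and no branch-office routes in this instance
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/devs-status.log
log    /var/log/openvpn/devs.log
verb 3

# Server-side enforcement (shell, run once at boot): the pushed route only tells the client
# what to send into the tunnel, so limit what tun1 may reach regardless of client routing.
#   iptables -A FORWARD -i tun1 -d 10.1.200.0/24 -j ACCEPT
#   iptables -A FORWARD -i tun1 -j DROP

# Developer client profile (relevant lines only)
client
dev tun
proto udp
remote vpn.example.com 1195
auth-user-pass                                   # prompts for the AD username and password
ca ca.crt
tls-auth ta.key 1
cipher AES-256-GCM
auth SHA256
```

If you prefer the auth-pam plugin the answerer used, the plugin argument is a PAM service name (`plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn`) and `/etc/pam.d/openvpn` delegates to whatever joined the box to the domain, typically `auth required pam_sss.so` plus `account required pam_sss.so` with sssd, or the pam_winbind.so equivalents with Samba; the server-side instance and firewall layout stays the same. Either way, once a user-auth plugin is loaded the server rejects any client that does not send auth-user-pass, so adding the plugin to the existing branch-office instance would also break the 25 branch routers unless they are given credentials too, which is one more reason to keep the developers on their own instance.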