How do I add password authentication to a running OpenVPN server?

I already have a working OpenVPN server that connects 25 branch offices. The configuration is below. Our company has outsourced developers who need access to servers in the DMZ. How can I add N users (the developers) on top of this configuration and give them password-based authentication, ideally with the users coming from Active Directory?

port 1194
proto udp
dev tun

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
tls-server
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
tls-timeout 120
auth SHA1
cipher BF-CBC

server 10.255.1.0 255.255.255.0

client-config-dir /etc/openvpn/ccd

route   10.2.0.0        255.255.0.0
route   10.3.0.0        255.255.0.0
route   10.4.0.0        255.255.0.0
route   10.5.0.0        255.255.0.0
route   10.6.0.0        255.255.0.0
route   10.10.0.0       255.255.0.0
route   10.8.0.0        255.255.0.0
route   10.27.0.0       255.255.0.0
route   10.7.0.0        255.255.0.0
route   10.11.0.0       255.255.0.0
route   10.12.0.0       255.255.0.0
route   10.13.0.0       255.255.0.0
route   10.14.0.0       255.255.0.0
route   10.15.0.0       255.255.0.0
route   10.16.0.0       255.255.0.0
route   10.17.0.0       255.255.0.0
route   10.18.0.0       255.255.0.0
route   10.19.0.0       255.255.0.0
route   10.20.0.0       255.255.0.0
route   10.21.0.0       255.255.0.0
route   10.22.0.0       255.255.0.0
route   10.23.0.0       255.255.0.0
route   10.24.0.0       255.255.0.0
route   10.25.0.0       255.255.0.0
#route  10.255.1.0      255.255.255.0

push "route 10.1.0.0 255.255.254.0"
push "route 10.1.200.0 255.255.255.0"



keepalive 10 120
comp-lzo
max-clients 255
client-to-client
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
mute 20

ifconfig-pool-persist ipp.txt

Answer 1

You need to use a plugin. There is an auth-ldap plugin and an auth-pam plugin (I have only used the latter). The relevant configuration options are:

plugin /usr/lib/openvpn/openvpn-plugin-auth-ldap.so <config-file>
username-as-common-name  # These two allow authentication
client-cert-not-required # without a client certificate, if you want
duplicate-cn # Allow the same client cert or same user/password to connect multiple times

That's pretty much it!
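As an added example, not part of the answer above and not the asker's configuration, here is one way to wire the auth-ldap plugin in without touching the 25 certificate-authenticated branch tunnels: run a second OpenVPN instance on its own port and tun device, reusing the existing CA, server certificate and ta.key, and point its plugin at Active Directory. Doing it in a second instance matters because `client-cert-not-required` (or `verify-client-cert none` on OpenVPN 2.4 and later) is a per-server setting; added to the existing instance it would also stop requiring certificates from the branches. Every specific value below is assumed: the file names, port 1195, tun1, the 10.255.2.0/24 pool, 10.1.200.0/24 as the DMZ (one of the networks pushed in the question, chosen only as a placeholder), the plugin path /usr/lib/openvpn/openvpn-auth-ldap.so (it varies by distribution), the domain controller, base DNs, service account and group name. The `<LDAP>`/`<Authorization>` file layout is the one documented by the openvpn-auth-ldap project.

```text
# /etc/openvpn/devs.conf  (assumed name): second server instance, password users only
port 1195
proto udp
dev tun1

# Same PKI as the branch instance; the server still presents its certificate to clients
ca   /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key  /etc/openvpn/easy-rsa/keys/server.key
dh   /etc/openvpn/easy-rsa/keys/dh1024.pem
tls-server
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0

# Separate address pool, so developer traffic is recognisable by source address in firewall rules and logs
server 10.255.2.0 255.255.255.0

# Password authentication against AD through the auth-ldap plugin (path assumed)
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf
# Use the AD logon name as the session's common name for status log and client-config-dir lookups
username-as-common-name
# Clients of this instance send no certificate; on OpenVPN 2.3 and older write "client-cert-not-required" instead
verify-client-cert none
# Deliberately no duplicate-cn: one session per AD account, so a second login with a leaked password fails visibly

# Developers only get the DMZ (assumed to be 10.1.200.0/24): no branch routes, no client-to-client
push "route 10.1.200.0 255.255.255.0"

keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/devs-status.log
log    /var/log/openvpn/devs.log
verb 3


# /etc/openvpn/auth-ldap.conf  (assumed name): openvpn-auth-ldap plugin config, AD flavour
# Contains a service-account password: keep it root-owned, mode 0600.
<LDAP>
    # ldaps:// so the user's AD password travels encrypted; TLSEnable would mean STARTTLS on port 389 instead
    URL             ldaps://dc1.corp.example:636
    TLSEnable       no
    TLSCACertFile   /etc/openvpn/ad-ca.pem
    # AD does not allow anonymous searches, so bind with a low-privilege service account (assumed)
    BindDN          "CN=svc-openvpn,OU=Service Accounts,DC=corp,DC=example"
    Password        ChangeMeServiceAccountPassword
    Timeout         15
    # AD hands out referrals for other partitions; chasing them only adds failures and delay
    FollowReferrals no
</LDAP>

<Authorization>
    BaseDN          "OU=Users,DC=corp,DC=example"
    # %u is the name the VPN client typed. AD keeps the logon name in sAMAccountName;
    # the bitwise clause excludes accounts whose userAccountControl has the "disabled" bit (2) set.
    SearchFilter    "(&(sAMAccountName=%u)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    # Only members of the group below may connect, not every AD user with a valid password
    RequireGroup    true
    <Group>
        BaseDN          "OU=Groups,DC=corp,DC=example"
        SearchFilter    "(cn=vpn-developers)"
        # AD groups list their members in "member" (the project's default, uniqueMember, is for OpenLDAP)
        MemberAttribute member
    </Group>
</Authorization>
```

The plugin looks the typed name up with the service account, then binds to AD as the found user DN with the typed password, so a developer who is disabled or dropped from vpn-developers in AD is refused on the next connect without any change on the VPN server. Start the new instance as a second service, open UDP 1195 on the perimeter, and give each developer a client profile containing `ca`, `tls-auth ... 1` and `auth-user-pass` but no `cert`/`key` lines; the branch profiles and the original instance stay exactly as they are. A pushed route is only a hint to the client, not an access control, so also restrict 10.255.2.0/24 to the DMZ hosts in the server's firewall.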
