I want two-factor authentication: certificate-based authentication in OpenVPN plus user/password authentication via the Radius plugin provided on the server (Synology NAS DS2016play with DSM 6.2.3-25426). The client is a Raspberry Pi 4 with OpenVPN installed.
This works, but every hour I get disconnected for 15-20 minutes because the Radius plugin fails. I think this is related to the hourly TLS renegotiation, but I don't want to lower security by disabling that feature.
Instead, the problem seems to be the IP address the plugin uses. It is the external address, and the router there only has port 1194 open for OpenVPN. Why doesn't Radius use the local IP address, and how can I change that?
What options do I have to avoid this downtime?
/var/log/messages:
2020-06-08T09:56:52+02:00 NAS_D openvpn[8731]: vpn/xx.xxx.xxx.xxx:38874 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /var/packages/VPNCenter/target/lib/radiusplugin.so
2020-06-08T09:56:52+02:00 NAS_D openvpn[8731]: vpn/xx.xxx.xxx.xxx:38874 TLS Auth Error: Auth Username/Password verification failed for peer
2020-06-08T09:57:53+02:00 NAS_D openvpn[8731]: vpn/xx.xxx.xxx.xxx:38874 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xx.xxx.xxx.xxx:38874 [1]
...
/usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf.user
dev tun
proto udp
management 127.0.0.1 1194
server 192.168.3.0 255.255.255.0
route 192.168.178.0 255.255.255.0
push "dhcp-option DNS 192.168.1.1"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
max-clients 4
push "sndbuf 0"
push "rcvbuf 0"
sndbuf 0
rcvbuf 0
client-config-dir /usr/syno/etc/packages/VPNCenter/openvpn/ccd
client-to-client
topology subnet
#ifconfig-pool 192.168.3.10 192.168.3.100 255.255.255.0
dh /usr/syno/etc/packages/VPNCenter/custom_certs/dh4096.pem
ca /usr/syno/etc/packages/VPNCenter/custom_certs/CA.crt
cert /usr/syno/etc/packages/VPNCenter/custom_certs/Server.crt
key /usr/syno/etc/packages/VPNCenter/custom_certs/Server.key
comp-lzo no
fast-io
cipher AES-256-CBC
prng SHA512 64
auth SHA512
tls-version-min 1.2
tls-auth /usr/syno/etc/packages/VPNCenter/custom_certs/ta.key
key-direction 0
remote-cert-tls client
persist-tun
persist-key
verb 5
#verb 0
#log-append /var/log/openvpn.log
keepalive 10 60
#Comment out to re-negotiate TLS connection every hour
reneg-sec 0
plugin /var/packages/VPNCenter/target/lib/radiusplugin.so /var/packages/VPNCenter/target/etc/openvpn/radiusplugin.cnf
username-as-common-name
Client config:
remote xx.xxx.xxx.xxx 1194
nobind
float
topology subnet
connect-retry 60
ping-restart 90
mtu-test
auth-retry nointeract
verify-x509-name Server name
dev tun
proto udp
pull
tls-client
remote-cert-tls server
cipher AES-256-CBC
prng SHA512 64
auth SHA512
tls-version-min 1.2
fast-io
comp-lzo no
auth-user-pass /etc/openvpn/credentials
#auth-nocache
<tls-auth>
...
key-direction 1
<cert>
...
<key>
...
<ca>
...
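To measure how long each RADIUS-triggered outage in the log above actually lasts (and confirm that it starts at the renegotiation, not at the initial connect), here is a small log-correlation script. It is an added example, not code from the post or from Synology's VPN Center; the first three log lines are the ones quoted above, and the fourth is a constructed recovery line whose "Peer Connection Initiated" wording is assumed to match what OpenVPN prints after a successful handshake.

```python
import re
from datetime import datetime
# Constructed sample: lines 1-3 are quoted from the post; line 4 is a constructed
# recovery line in OpenVPN's usual "Peer Connection Initiated" wording (assumed).
SAMPLE_LOG = """\
2020-06-08T09:56:52+02:00 NAS_D openvpn[8731]: vpn/xx.xxx.xxx.xxx:38874 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /var/packages/VPNCenter/target/lib/radiusplugin.so
2020-06-08T09:56:52+02:00 NAS_D openvpn[8731]: vpn/xx.xxx.xxx.xxx:38874 TLS Auth Error: Auth Username/Password verification failed for peer
2020-06-08T09:57:53+02:00 NAS_D openvpn[8731]: vpn/xx.xxx.xxx.xxx:38874 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xx.xxx.xxx.xxx:38874 [1]
2020-06-08T10:14:10+02:00 NAS_D openvpn[8731]: xx.xxx.xxx.xxx:38874 [vpn] Peer Connection Initiated with [AF_INET]xx.xxx.xxx.xxx:38874
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ openvpn\[\d+\]: (?P<peer>\S+) (?P<msg>.*)$")
EVENT_PATTERNS = [  # in the order they appear in a failing hourly renegotiation
    ("radius_auth_failed", "PLUGIN_AUTH_USER_PASS_VERIFY failed"),
    ("tls_auth_error", "TLS Auth Error"),
    ("tls_keys_out_of_sync", "TLS keys are out of sync"),
    ("recovered", "Peer Connection Initiated"),
]

def parse_line(line):
    """Return (timestamp, 'ip:port', event) for lines of interest, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for name, needle in EVENT_PATTERNS:
        if needle in m["msg"]:
            # 'vpn/ip:port' (during auth) and 'ip:port' (after) both map to 'ip:port'
            return datetime.fromisoformat(m["ts"]), m["peer"].split("/")[-1], name
    return None

def find_outages(log_text):
    """Per peer, an outage starts at the first failure and ends at the next good handshake."""
    open_outages, outages = {}, []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, peer, event = parsed
        if event == "recovered":
            if peer in open_outages:
                o = open_outages.pop(peer)
                o["end"], o["duration_s"] = ts, int((ts - o["start"]).total_seconds())
                outages.append(o)
            continue
        o = open_outages.setdefault(peer, {"peer": peer, "start": ts, "end": None,
                                           "duration_s": None, "events": []})
        o["events"].append(event)
    outages.extend(open_outages.values())  # peers still down at end of log
    return outages
```

Run it over a full /var/log/messages and the outage start times will line up with the hourly renegotiation if that is the trigger; a run of `radius_auth_failed` events with no `tls_keys_out_of_sync` afterwards would instead point at the plugin itself.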