Authenticate OpenVPN using LDAP
Evergreen Note
Question :: What does this article cover?
Answer :: As the company grows, more people need VPN access, and generating every person's .open file by hand becomes a management burden. This note therefore has OpenVPN authenticate users against LDAP to decide who may use the VPN.
Summary
After setting up OpenVPN ([[openvpn-install]]), install the LDAP plugin and configure it so that OpenVPN logins are authenticated against LDAP.
Note
Configure OpenVPN for LDAP authentication
# The openvpn-auth-ldap plugin has to be installed
root@vpn:/opt/vpn# apt-get install -y openvpn-auth-ldap

# Check that the .so file exists
root@vpn:/opt/vpn# ls /usr/lib/openvpn/openvpn-auth-ldap.so
/usr/lib/openvpn/openvpn-auth-ldap.so

root@vpn:/opt/vpn# mkdir /etc/openvpn/auth
root@vpn:/opt/vpn# cp /usr/share/doc/openvpn-auth-ldap/examples/auth-ldap.conf /etc/openvpn/auth/auth-ldap.conf

# Load the plugin from the OpenVPN server configuration file
root@vpn:/opt/vpn# echo "plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf" >> /etc/openvpn/server.conf
Configure /etc/openvpn/auth/auth-ldap.conf. The certificates under /usr/local/etc/ssl have to be created yourself; see the references. Because this file holds the LDAP bind password in clear text, keep it owned by root with mode 600.
<LDAP>
  # LDAP server URL
  URL ldap://ldap.example.com

  # Bind DN (if your LDAP server doesn't support anonymous binds)
  BindDN "uid=admin,cn=users,cn=accounts,dc=example,dc=com"

  # Bind password (clear text, so this file must be readable by root only)
  Password password

  # Network timeout (in seconds)
  Timeout 15

  # Enable StartTLS on the ldap:// connection
  TLSEnable yes

  # Follow LDAP referrals (anonymously)
  FollowReferrals yes

  # TLS CA certificate file
  TLSCACertFile /usr/local/etc/ssl/ca-certificates.crt

  # TLS CA certificate directory
  TLSCACertDir /etc/ssl/certs

  # Client certificate and key, only if the LDAP server requires TLS client authentication.
  # Point these at a certificate issued to the VPN host; the CA's own private key
  # should never be deployed on the VPN server.
  TLSCertFile /usr/local/etc/ssl/ca.cert.pem
  TLSKeyFile /usr/local/etc/ssl/ca.key
</LDAP>

<Authorization>
  # Base DN for the user search
  BaseDN "cn=users,cn=accounts,dc=example,dc=com"

  # User search filter; %u is replaced with the username sent by the client
  SearchFilter "(uid=%u)"

  # Require group membership
  RequireGroup true

  <Group>
    BaseDN "cn=groups,cn=accounts,dc=example,dc=com"
    # Groups whose members may use the VPN. On FreeIPA, ipausers is the default
    # group that every user belongs to, so listing it here admits any account.
    SearchFilter "(|(cn=admin)(cn=vpn)(cn=ipausers))"
    MemberAttribute member
  </Group>
</Authorization>
Once the configuration is in place, restart the OpenVPN service.
root@vpn:/opt/vpn# systemctl restart openvpn
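The Authorization block above is a two-stage check: the plugin first searches BaseDN with SearchFilter (the client's username substituted for %u) to resolve a single user DN, binds as that DN with the supplied password, and then, because RequireGroup is set, searches the group BaseDN with the group SearchFilter and demands that the user DN appear in MemberAttribute of one of the matching groups. The following Python is an added example, not code from openvpn-auth-ldap or from the original note: it models that flow against a constructed in-memory directory (the users alice and bob and the group contents are made up) and also shows the RFC 4515 escaping a username needs before it is substituted into the filter. It drops ipausers from the group filter because on FreeIPA that is the default group holding every user, which would make RequireGroup accept any account.

```python
"""Model of the two-stage check in openvpn-auth-ldap's <Authorization> block.

Added example, not code from openvpn-auth-ldap or the page. DIRECTORY is a
constructed in-memory stand-in for the LDAP server, and the filter matcher
handles only the equality and OR syntax the page's filters use.
"""
import re

# Constructed sample directory in the FreeIPA-style layout the page uses: DN -> attributes.
DIRECTORY = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=com": {"uid": ["alice"]},
    "uid=bob,cn=users,cn=accounts,dc=example,dc=com": {"uid": ["bob"]},
    "cn=vpn,cn=groups,cn=accounts,dc=example,dc=com": {
        "cn": ["vpn"],
        "member": ["uid=alice,cn=users,cn=accounts,dc=example,dc=com"],
    },
    "cn=admin,cn=groups,cn=accounts,dc=example,dc=com": {"cn": ["admin"], "member": []},
}

# Values taken from the page's auth-ldap.conf (ipausers dropped from the group filter).
USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"
USER_FILTER = "(uid=%u)"
GROUP_BASE = "cn=groups,cn=accounts,dc=example,dc=com"
GROUP_FILTER = "(|(cn=admin)(cn=vpn))"
MEMBER_ATTR = "member"


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter.

    Without it a username such as 'x)(uid=*' would rewrite the filter itself."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _children(body):
    """Split '(a=b)(c=d)' into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts


def matches(entry, flt):
    """Evaluate the filter subset used on the page: (attr=value) and (|(...)(...))."""
    flt = flt.strip()
    if flt.startswith("(|"):
        return any(matches(entry, sub) for sub in _children(flt[2:-1]))
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", flt)
    if not m:
        raise ValueError("unsupported or malformed filter: " + flt)
    attr, value = m.group(1), _unescape(m.group(2))
    return value in entry.get(attr, [])


def search(base, flt):
    """Subtree search: (dn, entry) pairs under base whose entry matches flt."""
    return [(dn, e) for dn, e in DIRECTORY.items()
            if dn.endswith("," + base) and matches(e, flt)]


def authorize(username, require_group=True):
    """Return (allowed, reason). Stage 1 resolves the user DN via SearchFilter;
    stage 2 (RequireGroup) demands that DN appear in MemberAttribute of a matching
    group. The plugin binds as the user DN with the supplied password between the
    two stages; that network step is omitted here."""
    hits = search(USER_BASE, USER_FILTER.replace("%u", escape_filter_value(username)))
    if len(hits) != 1:
        return False, "user search returned %d entries" % len(hits)
    user_dn = hits[0][0]
    if not require_group:
        return True, "authenticated as %s (no group required)" % user_dn
    for group_dn, group in search(GROUP_BASE, GROUP_FILTER):
        if user_dn in group.get(MEMBER_ATTR, []):
            return True, "member of %s" % group_dn
    return False, "%s is not in any allowed group" % user_dn


if __name__ == "__main__":
    for name in ("alice", "bob", "x)(uid=*"):
        print(name, "->", authorize(name))
```

Before restarting OpenVPN against a real server, run the same two searches with ldapsearch using the configured BindDN, base DNs and filters: if the user search returns zero or several entries, or the group search returns no group containing the user DN, the plugin will reject the login for the same reasons the model above does.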
Edit the client configuration file
Edit the .open file created earlier by the ./openvpn-install.sh script and add the auth-user-pass option, so the user is prompted for their LDAP username and password at login. The client certificate is still verified as well unless the server configuration disables that requirement, so the LDAP credentials are an additional factor rather than a replacement.
client
proto udp
・・・
remote vpn.example.com 1194
auth-user-pass
・・・