openvpn+openldap

安装openvpn-auth-ldap

yum install openvpn-auth-ldap

编辑配置文件

[root@web1 auth]# cat  /etc/openvpn/auth/ldap.conf 
<LDAP>
    # LDAP server URL
    # NOTE(review): a plain ldap:// URL together with "TLSEnable no" below
    # means the bind password and every VPN user's password cross the network
    # to 10.1.1.7 unencrypted. Prefer ldaps:// (if the server offers it) or
    # TLSEnable yes with TLSCACertFile set so the server is verified.
    URL        ldap://10.1.1.7

    # Bind DN (If your LDAP server doesn't support anonymous binds)
    # NOTE(review): use a dedicated, read-only service account for this bind
    # rather than a personal or admin account.
    BindDN        cn=cat,dc=test,dc=com

    # Bind Password
    # NOTE(review): stored in cleartext here -- restrict this file to the
    # user the OpenVPN daemon runs as (e.g. mode 0600) and rotate the
    # credential. The value shown is weak; use a strong one.
    Password    1234qwer

    # Network timeout (in seconds)
    # Bounds how long an unreachable LDAP server can stall a VPN login.
    Timeout        15

    # Enable Start TLS
    # NOTE(review): StartTLS is off, so the connection above stays in
    # cleartext end to end; see the URL note.
    TLSEnable    no

    # Follow LDAP Referrals (anonymously)
    # Keeping this off avoids anonymous follow-on connections to other servers.
    FollowReferrals no

    # TLS CA Certificate File
    # NOTE(review): set this when turning on TLS, otherwise the LDAP server's
    # certificate is not anchored to a CA you control.
    #TLSCACertFile    /usr/local/etc/ssl/ca.pem

    # TLS CA Certificate Directory
    #TLSCACertDir    /etc/ssl/certs

    # Client Certificate and key
    # If TLS client authentication is required
    #TLSCertFile    /usr/local/etc/ssl/client-cert.pem
    #TLSKeyFile    /usr/local/etc/ssl/client-key.pem

    # Cipher Suite
    # The defaults are usually fine here
    # TLSCipherSuite    ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
    # Base DN
    # Subtree searched for the user entry; only accounts under it can log in.
    BaseDN        "ou=People,dc=test,dc=com"

    # User Search Filter
    # %u is replaced with the username the VPN client sends.
    # NOTE(review): that username is attacker-controlled input -- confirm the
    # plugin escapes LDAP filter metacharacters in %u before substitution.
    SearchFilter    "(uid=%u)"

    # Require Group Membership
    # NOTE(review): with this false, any account under BaseDN whose password
    # binds successfully is let in; enable the <Group> block below and set
    # this to true to limit access to a dedicated VPN group.
    RequireGroup    false

    # Add non-group members to a PF table (disabled)
    #PFTable    ips_vpn_users

#    <Group>
#        BaseDN        "ou=Groups,dc=example,dc=com"
#        SearchFilter    "(|(cn=developers)(cn=artists))"
#        MemberAttribute    uniqueMember
#        # Add group members to a PF table (disabled)
#        #PFTable    ips_vpn_eng
#    </Group>
</Authorization>

openvpn服务端配置文件

[root@web1 auth]# cat /opt/openvpn/server.conf
# OpenVPN server: the server proves its identity with a certificate; clients
# are authenticated by LDAP username/password only (no client certificates,
# see client-cert-not-required at the bottom).
local 118.186.61.82
port 1194
proto udp
dev tun
topology subnet
# Server identity and key material (paths relative to the daemon's working
# directory, presumably /opt/openvpn -- confirm).
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
# Direction 0 here pairs with "tls-auth ta.key 1" in the client profile;
# packets without a valid HMAC are dropped before the TLS handshake starts.
tls-auth keys/ta.key 0
server 10.0.8.0 255.255.255.0
ifconfig-pool-persist    ipp.txt
# NOTE(review): this pushes a route to the LAN that holds the LDAP server
# (10.1.1.7). Because ldap.conf has RequireGroup false, every LDAP account
# that can log in receives it -- firewall the tun interface accordingly.
push "route 10.1.1.0 255.255.255.0"
keepalive 10 120
# NOTE(review): compressing encrypted traffic has known information-leak
# risks and newer OpenVPN releases deprecate comp-lzo; remove it on both
# ends together unless it is really needed.
comp-lzo
persist-key
persist-tun
# NOTE(review): CBC mode depends on the separate "auth" HMAC (not shown in
# this listing) for integrity; AES-256-GCM is preferred where both ends
# support it.
cipher AES-256-CBC
verb 3
status logs/openvpn-status.log
# NOTE(review): log and log-append name the same file; the later directive
# presumably takes effect -- keep only one to make the intent clear.
log         logs/openvpn.log
log-append  logs/openvpn.log
# Alternative PAM backend, disabled in favour of the LDAP plugin below.
#plugin /opt/openvpn/openvpn-auth-pam.so    openvpn
# NOTE(review): the argument string is the ldap.conf path; confirm the
# trailing "cn=%u" token is actually consumed, since the user lookup is
# governed by SearchFilter in ldap.conf.
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf cn=%u" 
reneg-sec 3600
# NOTE(review): this disables client certificate verification, so a leaked
# LDAP password plus the shared ta.key is sufficient to connect. OpenVPN
# 2.4+ spells this "verify-client-cert none" and later releases drop the
# old name. No user/group directives appear here either, so the daemon
# presumably keeps root after startup -- consider dropping privileges.
client-cert-not-required 

客户端配置

# OpenVPN client profile: authenticates the server via ca.crt and
# remote-cert-tls, and itself via LDAP username/password.
client
dev tun
proto udp
remote 118.186.61.82 1194
resolv-retry infinite
# NOTE(review): remote-random only matters with several "remote" lines;
# with a single remote it is a no-op.
remote-random
nobind
persist-key
persist-tun
# ca.crt is the only anchor that authenticates the server -- distribute it
# with the profile and protect it from substitution.
ca  ca.crt
# Client certificate/key unused: the server runs with client-cert-not-required.
;cert client1.crt
;key client1.key
# Direction 1 pairs with "tls-auth keys/ta.key 0" on the server.
tls-auth ta.key 1
cipher AES-256-CBC
# NOTE(review): ns-cert-type is deprecated and redundant with
# "remote-cert-tls server" below; both check that the presented certificate
# is a server certificate. Drop this line.
ns-cert-type server
# Prompt for the LDAP username/password. auth-nocache keeps them out of
# memory after use, which may mean a new prompt at each reneg-sec interval.
auth-user-pass
auth-nocache
remote-cert-tls server
# NOTE(review): compressing encrypted traffic has known information-leak
# risks; disable comp-lzo on both ends together.
comp-lzo
reneg-sec 3600


转载自www.cnblogs.com/lfdblog/p/9817178.html