我已经有一台连接 25 个分支的 OpenVPN 服务器在运行，配置如下。我们公司有外包开发人员，他们需要访问 DMZ 中的服务器。如何在现有配置之上再添加 N 个用户（开发人员），并为他们启用基于密码的身份验证？最好能直接使用 Active Directory 中的用户。
# OpenVPN hub server for the 25 branch sites (UDP/1194, routed tun). Reviewer remarks are
# marked NOTE(review); everything else describes what the directive below it configures.
port 1194
proto udp
dev tun
# Server identity and CA issued with easy-rsa; dh1024.pem is a 1024-bit DH group.
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
tls-server
# Control-channel HMAC with a pre-shared key; key direction 0 is the server side, clients use 1.
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
tls-timeout 120
# NOTE(review): a SHA1 data-channel HMAC, Blowfish-CBC and a 1024-bit DH group are legacy
# choices. A larger DH group (or ECDH), a SHA-2 HMAC and an AES-GCM cipher are advisable, but
# auth/cipher must change in lock-step on every branch client, so plan it as a coordinated
# cut-over rather than editing only this file.
auth SHA1
cipher BF-CBC
# Tunnel address pool for clients; 10.255.1.0/24 must not overlap any branch network routed below.
server 10.255.1.0 255.255.255.0
# Per-client override files, looked up by file name == the connecting client's certificate CN.
client-config-dir /etc/openvpn/ccd
# Server-side kernel routes into the tunnel, one per branch network (matched by iroute in ccd/).
route 10.2.0.0 255.255.0.0
route 10.3.0.0 255.255.0.0
route 10.4.0.0 255.255.0.0
route 10.5.0.0 255.255.0.0
route 10.6.0.0 255.255.0.0
route 10.10.0.0 255.255.0.0
route 10.8.0.0 255.255.0.0
route 10.27.0.0 255.255.0.0
route 10.7.0.0 255.255.0.0
route 10.11.0.0 255.255.0.0
route 10.12.0.0 255.255.0.0
route 10.13.0.0 255.255.0.0
route 10.14.0.0 255.255.0.0
route 10.15.0.0 255.255.0.0
route 10.16.0.0 255.255.0.0
route 10.17.0.0 255.255.0.0
route 10.18.0.0 255.255.0.0
route 10.19.0.0 255.255.0.0
route 10.20.0.0 255.255.0.0
route 10.21.0.0 255.255.0.0
route 10.22.0.0 255.255.0.0
route 10.23.0.0 255.255.0.0
route 10.24.0.0 255.255.0.0
route 10.25.0.0 255.255.0.0
# Left disabled: routing the pool network itself is not needed (the server directive owns it).
#route 10.255.1.0 255.255.255.0
# Routes pushed to every client: the hub-side networks reachable through this server.
push "route 10.1.0.0 255.255.254.0"
push "route 10.1.200.0 255.255.255.0"
# Ping the peer every 10 s; declare it dead after 120 s of silence.
keepalive 10 120
# NOTE(review): comp-lzo enables compression inside the tunnel. Compression on encrypted links
# is generally discouraged today; disable it once every branch client can be changed to match.
comp-lzo
max-clients 255
# NOTE(review): client-to-client lets every connected peer reach every other peer through this
# server. If developer accounts are added to this same instance they would reach the branch
# tunnels as well unless filtered (ccd restrictions or a host firewall); consider a separate
# instance for them or dropping this directive.
client-to-client
# Drop root after initialisation; persist-key/persist-tun are the usual companions so a restart
# does not have to re-read the key file or reopen the tun device as the unprivileged user.
user nobody
group nobody
persist-key
persist-tun
# Session table and daemon log; the status file is what shows who is connected and with which CN.
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
mute 20
# NOTE(review): ipp.txt is a relative path and is resolved against the process working directory
# unless a cd directive (not present here) sets one; an absolute path under /etc/openvpn is safer.
ifconfig-pool-persist ipp.txt
你需要使用一个插件。有一个 auth-ldap 插件，也有一个 auth-pam 插件（我只用过后者）。相关的配置选项是：
# Password authentication through a plugin. <config-file> is a placeholder for the plugin's own
# settings file (LDAP server URL, bind DN, base DN, group filter). NOTE(review): the .so path
# varies by distribution/package, and this line names the auth-ldap plugin although the answer
# says auth-pam was the one actually used — confirm which plugin is installed before relying on it.
plugin /usr/lib/openvpn/openvpn-plugin-auth-ldap.so <config-file>
# Use the login name as the client's CN, so ccd lookups, the status log and the duplicate-CN
# check are keyed on the user rather than on a certificate subject.
username-as-common-name # These two allow authentication
# NOTE(review): with this directive the password becomes the only authentication factor. Keeping
# a per-developer client certificate and running the plugin check on top gives cert+password and
# keeps CA-based revocation. Newer OpenVPN releases replace this directive with
# "verify-client-cert none".
client-cert-not-required # without a client certificate, if you want
# NOTE(review): letting one credential hold several sessions at once hides credential sharing
# among external users and makes per-session log attribution ambiguous; prefer leaving this off
# for the developer accounts.
duplicate-cn # Allow the same client cert or same user/password to connect multiple times
这是非常多的!