OpenVPN伺服器: 系統: Centos8 IP: 10.0.0.10/24 AD驗證伺服器(dc): Windows 2012 DC (網域功能等級 2003) 網域: mydomain.com 主機FQDN: dc.mydomain.com 憑證伺服器(caserver): Windows 2003 CA 加密方式SHA1 主機FQDN: caserver.mydomain.com
1. 安裝OpenVPN , 使用路由模式(原生android client不支援 TAP橋接模式)# 安裝EPEL軟體庫 dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm dnf config-manager --set-enabled PowerTools dnf repolist epel # 安裝 git dnf -y install git cd ~ # 從github下載安裝命令檔 git clone https://github.com/Nyr/openvpn-install.git cd openvpn-install/ chmod +x openvpn-install.sh # 執行安裝檔 ./openvpn-install.sh
接下來依指示輸入你的設定值, 完成後自動產生設定檔 修改 /etc/openvpn/server/server.conf 讓OpenVPN支援PAMlocal 10.0.0.10 #主機IP port 1194 proto udp dev tun ca ca.crt cert server.crt key server.key dh dh.pem auth SHA512 tls-crypt tc.key topology subnet server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 10.0.0.1" keepalive 10 120 cipher AES-256-CBC user nobody group nobody persist-key persist-tun status openvpn-status.log verb 3 crl-verify crl.pem explicit-exit-notify plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login #啟用PAM驗證, 使用預設設定檔/etc/pam.d/login
重新啟動openvpnsystemctl restart openvpn-server@server
修改Client 端的預設值, 由於用戶端要使用與主機不同網段10.1.0.0/24的資源故需要增加路由 /etc/openvpn/server/client-common.txtclient dev tun proto udp remote 1.2.3.4 1194 # 外部實體IP resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server auth SHA512 cipher AES-256-CBC ignore-unknown-option block-outside-dns block-outside-dns auth-user-pass # 除了openvpn本身的金鑰驗證, 另外開啟AD使用者帳號密碼驗證 verb 3 route 10.1.0.0 255.255.255.0 10.0.0.253 # 增加通往10.1.0.0/24網斷路由, 網關為10.0.0.253
更改完成後重新執行安裝命令產生新的client端 .ovpn 設定檔./openvpn-install.sh
過程中選 Add a new user, 至於第一次產生的user設定可以選擇 Revoke an existing user 移除掉. 產生的 .ovpn 檔會在/root資料夾下 2. 取得網域憑證伺服器的Public key ,通常會在以下位址且檔名類似 \\caserver\CertEnroll\caserver_MYDOMAIN Root Certification Authority.crt 使用cifs工具掛載目錄後 下載到centos8上並轉為PEM格式# 掛載cifs, server2003使用smb1.0所以參數須加上vers=1.0 mount.cifs //ca_server/CertEnroll /mnt/cifs -o user=administrator,pass=password,dom=mydomain,vers=1.0 cp /mnt/cifs/xxxx.crt xxxx.crt # 將der 轉換為 pem openssl x509 -inform der -in xxxx.crt -out xxxx.pem # 搬移到 trust資料夾 mv xxxx.pem /etc/pki/ca-trust/source/anchors # 將憑證更新至主機信任憑證裡 update-ca-trust
3. 設定sssd 連接 Active Directory 修改/etc/sssd/sssd.conf[sssd] services = nss, pam, ssh config_file_version = 2 domains = mydomain [sudo] [nss] [pam] offline_credentials_expiration = 60 [domain/mydomain] cache_credentials = True ldap_search_base = dc=mydomain,dc=com id_provider = ldap ldap_uri = ldaps://dc.mydomain.com:636 #AD主機, 使用ssl協定連線 ldap_schema = AD ldap_default_bind_dn = cn=administrator,cn=users,dc= mydomain,dc=com # 這裡為了方便使用管理員帳號, 為安全起見可以使用唯讀的網域帳號 ldap_default_authtok = password_for_administrator # 管理員密碼 ldap_tls_reqcert = demand ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt ldap_tls_cacertdir = /etc/pki/tls/certs ldap_search_timeout = 50 ldap_network_timeout = 60 ldap_id_mapping = True ldap_referrals = false enumerate = False fallback_homedir = /home/%u default_shell = /bin/bash
修改 /etc/openlap/ldap.confURI ldaps://dc.mydomain.com:636 base dc=mydomain,dc=com TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt SASL_NOCANON on
強制啟用sssdauthselect select sssd –force systemctl enable --now sssd systemctl restart sssd
由於Windows 2003 CA仍使用舊版SHA1, 因此需要改crypto政策update-crypto-policies --set LEGACY
完成後重新開機 4. 防火牆上設定允許連向1.2.3.4 UDP1194的流量並引導至內部10.0.0.10 5. 用戶端安裝OpenVPN Client軟體後匯入.ovpn檔 Windows7/8/10 Client: OpenVPN-GUI (嘗試過OpenVPN Connect for Windows無法匯入.ovpn) iOS/Android Client: OpenVPN Connect 參考資料: https://computingforgeeks.com/install-and-configure-openvpn-server-on-rhel-centos-8/ https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8 https://medium.com/jerrynotes/linux-authentication-windows-ad-without-join-domain-7963c3fd44c5