Openvpn部署

第一步 网上冲浪，查看防火墙端口绑定规则

在网上疯狂的搜索着关于CISCO ASA5515-X的网络配置，查看防火墙中关于公网IP:x.x.x.x与主机之间端口射映关系，因为不断的变更交接人，记录的网络配置信息和文档早已随着时间飞逝了，这时候不免想来句

ciscoasa# show nat
...
ciscoasa# show run object
...

通过查看一波nat 、object 和service 之后，发现了防火墙上配置的Public IP 与内部服务OpenVPN 主机之间端口的映射关系，于是赶紧找几个还有气 的主机进行业务恢复

[root@vpn ~]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)

[root@vpn ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens160
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens160"
UUID="aa08d0dd-5ba5-412c-84ab-716b885c4d89"
DEVICE="ens160"
ONBOOT="yes"
IPADDR="172.16.99.129"
PREFIX="24"
GATEWAY="192.168.99.254" # 修改成需要的IP地址
IPV6_PRIVACY="no"
PEERDNS="yes"
DNS1="114.114.114.114"

在找对IP访问的映射关系之后,就是抓紧恢复服务，于是有了下面的安装配置段

yum install openvpn
mkdir /data/tools -p 
wget -P /data/tools https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz
tar zxf EasyRSA-3.0.1.tgz
cp -rf EasyRSA-3.0.1 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa

./easyrsa init-pki # 初始化证书目录pki
./easyrsa build-ca nopass 
# 创建根证书，提示输入Common Name，名称随意，但是不能和服务端证书或客户端证书名称相同
./easyrsa gen-dh # 生成Diffle Human参数，它能保证密钥在网络中安全传输

./easyrsa init-pki # 初始化证书目录pki

./easyrsa build-server-full server nopass # server是服务端证书名称，可以用其它名称

1. 配置LDAP认证

yum install openvpn-auth-ldap -y
[root@vpn openvpn]# ls -al /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so
-rwxr-xr-x 1 root root 133320 Sep  6  2019 /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so

<LDAP>
# LDAP server URL
URL        ldap://192.168.99.130
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN        cn=openvpn,dc=openldap,dc=kubemaster,dc=top
Password    openvpn_Passsword
# Network timeout (in seconds)
Timeout        15
# Enable Start TLS
#TLSEnable    no
# Follow LDAP Referrals (anonymously)
#FollowReferrals no
# TLS CA Certificate File
#TLSCACertFile    /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
#TLSCACertDir    /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
#TLSCertFile    /usr/local/etc/ssl/client-cert.pem
#TLSKeyFile    /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite    ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
# Base DN
BaseDN        "ou=People,dc=openldap,dc=kubemaster,dc=top"
# User Search Filter
SearchFilter    "(&(uid=%u))"

# Require Group Membership
RequireGroup    false

# Add non-group members to a PF table (disabled)
#PFTable    ips_vpn_users

<Group>
  BaseDN        "ou=Groups,dc=example,dc=com"
  SearchFilter    "(|(cn=developers)(cn=artists))"
  MemberAttribute    uniqueMember
  # Add group members to a PF table (disabled)
  #PFTable    ips_vpn_eng
</Group>
</Authorization>

[root@vpn openvpn]# cat server.conf |egrep -v '^$|^#|^\;'
port 11194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 10.8.0.0 255.255.255.0 # 这里是openvpn server的IP地址池
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 114.114.114.114" # 下发给客户端的DNS
push "dhcp-option DNS 8.8.8.8"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
max-clients 50
user root
group root
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
log-append  openvpn.log
verb 3
mute 10
client-cert-not-required
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
username-as-common-name
push "route 192.168.0.0 255.255.0.0"
push "route 192.168.99.0 255.255.255.0" # 下发给客户端的需要走VPN的网络流量，其它网段不走VPN，可正常上网。

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p

iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o ens160 -j MASQUERADE # 网络设备为ens160

#!/bin/bash
echo "OpenVPN ..........[STOP]"
ps -ef |grep openvpn | grep -v grep | awk '{print $2}' | xargs kill
echo "OpenVPN ..........[START]"
/usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf &

/usr/local/openvpn/sbin/openvpn --daemon --config /etc/openvpn/server.conf > /dev/null 2>&1 &
exit 0

# 把服务器上这三个文件拷贝下来和客户端的配置文件放在一起
/etc/openvpn/easy-rsa/pki/private/barry.key
/etc/openvpn/easy-rsa/pki/issued/barry.crt
/etc/openvpn/easy-rsa/pki/ca.crt
# 客户端配置文件内容
client
dev tun
proto tcp
resolv-retry infinite
nobind
remote PUBLIC_ADDRESS 11194 # 就是与192.168.99.129上的11194绑定的那个公网IP地址
persist-key
persist-tun
ca ca.crt
ns-cert-type server
cert barry.crt
key barry.key
verb 3 # 日志等级
comp-lzo
auth-user-pass

这样基本上就完成了OpenVPN的搭建部署

这是真的干货，感谢分享。

这个。。。。搞不来

干货

好复杂，好牛逼