TLS Error in OpenVPN CE integration with Google secure LDAP
I have configured my OpenVPN server to authenticate against Google secure LDAP (following the Document).
Here is my auth-ldap.conf file:
<LDAP>
URL ldaps://ldap.google.com:636
Timeout 15
TLSEnable no
FollowReferrals yes
# Google LDAP Client Certificate and key
TLSCertFile /home/devops/G-LDAP-Certificates/Google_ldap.crt
TLSKeyFile /home/devops/G-LDAP-Certificates/Google_ldap.key
</LDAP>
<Authorization>
BaseDN "ou=Users,dc=example,dc=com"
SearchFilter "(&(uid=%u)(accountStatus=active))"
RequireGroup false
<Group>
BaseDN "ou=Groups,dc=example,dc=com"
</Group>
</Authorization>
Here is my OpenVPN server.conf:
local 10.12.0.1
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.248.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 10.12.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.141.2.4"
duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
management localhost 5555
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf
verify-client-cert optional
Here is my client configuration client.ovpn:
dev tun
auth-user-pass
proto udp
remote 10.12.0.1 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
cipher AES-128-CBC
auth SHA256
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-------
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-------
</cert>
<key>
-----BEGIN KEY-------------
xxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END KEY---------------
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
xxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END OpenVPN Static key V1-----
</tls-auth>
When I enter the username and password I get the following errors:
LDAP search failed: Can't contact LDAP server
LDAP user "ashwani.pal" was not found.
Mon Dec 2 07:03:54 2019 10.10.10.1:2178 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mon Dec 2 07:03:54 2019 10.10.10.1:2178 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
Mon Dec 2 07:03:54 2019 10.10.10.1:2178 TLS Auth Error: Auth Username/Password verification failed for peer
Mon Dec 2 07:03:54 2019 10.10.10.1:2178 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-128-CBC'
Mon Dec 2 07:03:54 2019 10.10.10.1:2178 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Mon Dec 2 07:03:55 2019 10.10.10.1:2178 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Dec 2 07:03:55 2019 10.10.10.1:2178 [mac-client-poc] Peer Connection Initiated with [AF_INET]10.10.10.1:2178
Mon Dec 2 07:03:55 2019 10.10.10.1:2178 PUSH: Received control message: 'PUSH_REQUEST'
Mon Dec 2 07:03:55 2019 10.10.10.1:2178 Delayed exit in 5 seconds
Mon Dec 2 07:03:55 2019 10.10.10.1:2178 SENT CONTROL [mac-client-poc]: 'AUTH_FAILED' (status=1)
Mon Dec 2 07:04:00 2019 10.10.10.1:2178 SIGTERM[soft,delayed-exit] received, client-instance exiting
Mon Dec 2 09:20:27 2019 10.10.10.1:46381 TLS: Initial packet from [AF_INET]185.200.118.85:46381, sid=12121212 12121212
Mon Dec 2 09:21:27 2019 10.10.10.1:46381 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
I don't know what exactly is causing the problem here, even though I also tested the LDAP authentication connection with ldapsearch and it works fine.
FYI: without the secure LDAP configuration, my OpenVPN server lets clients connect using the client key and certificate.
Thanks
I'm not sure what the exact reason for this behaviour is, but I fixed it by using Stunnel as a proxy.
Adding the Reference document from Google.
After this configuration my OpenVPN-CE works fine with Google secure LDAP.
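The answer names Stunnel as the fix but does not show the proxy configuration. The block below is an added example, not the answerer's own config or Google's document: stunnel terminates the TLS session to ldap.google.com:636 and presents the Google client certificate, while openvpn-auth-ldap talks plain LDAP to a loopback listener. The certificate and key paths are the ones from the question; the listener port 1636, the CAfile path and the stunnel 5.x option names (verifyChain, checkHost) are assumptions to adapt to your host.

```ini
; /etc/stunnel/google-ldap.conf (added example, not from the original post)
; Terminates TLS towards Google Secure LDAP and exposes plain LDAP on loopback
; for openvpn-auth-ldap. Port 1636 and the CAfile path are assumptions.
pid = /var/run/stunnel4/google-ldap.pid
foreground = no

[google-ldap]
client = yes
; Loopback only: the plugin -> stunnel hop is unencrypted LDAP, so it must
; never be reachable from the VPN or the LAN.
accept = 127.0.0.1:1636
connect = ldap.google.com:636
; Client certificate and key generated in the Google Admin console (paths from the post)
cert = /home/devops/G-LDAP-Certificates/Google_ldap.crt
key = /home/devops/G-LDAP-Certificates/Google_ldap.key
; Verify Google's server chain and hostname; without this stunnel would
; accept any TLS peer that happens to answer on 636.
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = ldap.google.com
```

With the proxy in place, auth-ldap.conf points at the loopback listener instead of Google directly: `URL ldap://127.0.0.1:1636`, `TLSEnable no` stays as it is (the listener is plain LDAP, not StartTLS), and the `TLSCertFile`/`TLSKeyFile` lines are no longer needed because stunnel presents the client certificate. Before touching OpenVPN, confirm the hop works from the same host with `ldapsearch -x -H ldap://127.0.0.1:1636 -D <bind user> -W -b "ou=Users,dc=example,dc=com" "(uid=<user>)"`; if that fails, the problem is the proxy or the certificate, not the plugin.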