OpenVPN with LDAP Authentication
OpenVPN with LDAP authentication for enterprise remote access deployments with centralized user management.

Scenario

- Enterprise Remote Access: employees connect to the corporate network
- LDAP/AD Integration: centralized authentication
- Multi-Platform: Windows, macOS, Linux, iOS, Android clients

VyOS OpenVPN Server Configuration
# OpenVPN Server
set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 server subnet '10.8.0.0/24'
set interfaces openvpn vtun0 server name-server '10.10.1.1'
set interfaces openvpn vtun0 server domain-name 'company.local'
# TLS
set pki ca OVPN-CA certificate 'MII...'
set pki certificate OVPN-SERVER certificate 'MII...'
set pki certificate OVPN-SERVER private key 'MII...'
set interfaces openvpn vtun0 tls ca-certificate 'OVPN-CA'
set interfaces openvpn vtun0 tls certificate 'OVPN-SERVER'
# LDAP Plugin
set interfaces openvpn vtun0 openvpn-option '--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap.conf'
commit

LDAP Configuration

/config/auth/ldap.conf:

<LDAP>
URL ldap://dc1.company.local
BindDN cn=openvpn,ou=Services,dc=company,dc=local
Password LDAPPassword123
Timeout 15
TLSEnable yes
FollowReferrals yes
</LDAP>
<Authorization>
BaseDN "ou=Users,dc=company,dc=local"
SearchFilter "(&(objectClass=user)(sAMAccountName=%u))"
RequireGroup false
</Authorization>

Client Configuration

client
dev tun
proto udp
remote vyos.company.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass
cipher AES-256-GCM
verb 3

Users enter their LDAP credentials when connecting.
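As an added check that is not part of the page's configuration: the script below parses the openvpn-auth-ldap file format shown in the LDAP Configuration section and flags the two settings that most weaken it, a cleartext directory transport and RequireGroup false (which, as configured above, lets every account under BaseDN log in). The sample is constructed from the page's ldap.conf with the bind password removed; the parse_auth_ldap_conf and audit names are assumptions of this example.

```python
import re

# Constructed sample, reduced from the page's /config/auth/ldap.conf.
SAMPLE_LDAP_CONF = """\
<LDAP>
URL ldap://dc1.company.local
BindDN cn=openvpn,ou=Services,dc=company,dc=local
TLSEnable yes
</LDAP>
<Authorization>
BaseDN "ou=Users,dc=company,dc=local"
SearchFilter "(&(objectClass=user)(sAMAccountName=%u))"
RequireGroup false
</Authorization>
"""

SECTION_RE = re.compile(r"^<(/?)(\w+)>$")

def parse_auth_ldap_conf(text):
    """Parse the <Section> key value format of openvpn-auth-ldap into
    {section: {key: value}}; nested sections are keyed by their own name."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            closing, name = m.groups()
            if closing:
                stack.pop()
            else:
                stack.append(name)
                sections.setdefault(name, {})
        elif stack:  # keys outside any section are invalid and ignored
            key, _, value = line.partition(" ")
            sections[stack[-1]][key] = value.strip().strip('"')
    return sections

def audit(sections):
    """Return findings for settings that weaken the VPN's authentication."""
    ldap, authz = sections.get("LDAP", {}), sections.get("Authorization", {})
    findings = []
    # ldap:// without TLSEnable (StartTLS) sends bind and user passwords in cleartext.
    if not (ldap.get("URL", "").startswith("ldaps://")
            or ldap.get("TLSEnable", "no").lower() == "yes"):
        findings.append("cleartext LDAP transport: set TLSEnable yes or use ldaps://")
    if authz.get("RequireGroup", "false").lower() != "true":
        findings.append("RequireGroup false: every LDAP account can log in to the VPN")
    return findings
```

Run audit(parse_auth_ldap_conf(open("/config/auth/ldap.conf").read())) on the real file to get the same findings for a deployed configuration.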