[Question title]: TLS Error in OpenVPN CE integration with Google secure LDAP
[Posted]: 2019-12-09 14:02:59
[Question]:

I have configured my OpenVPN server to authenticate against Google Secure LDAP (following the Document)

Here is my auth-ldap.conf file:

<LDAP>
    URL     ldaps://ldap.google.com:636
    Timeout     15
    TLSEnable   no
    FollowReferrals yes

    # Google LDAP Client Certificate and key
    TLSCertFile /home/devops/G-LDAP-Certificates/Google_ldap.crt
    TLSKeyFile  /home/devops/G-LDAP-Certificates/Google_ldap.key
</LDAP>
<Authorization>
    BaseDN      "ou=Users,dc=example,dc=com"
    SearchFilter    "(&(uid=%u)(accountStatus=active))"
    RequireGroup    false
    <Group>
        BaseDN      "ou=Groups,dc=example,dc=com"
    </Group>
</Authorization>

Here is my OpenVPN server.conf:

local 10.12.0.1
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.248.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 10.12.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.141.2.4"
duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
management localhost 5555
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf
verify-client-cert optional

Here is my client config client.ovpn:

dev tun
auth-user-pass
proto udp
remote 10.12.0.1 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
cipher AES-128-CBC
auth SHA256
key-direction 1

<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-------
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-------
</cert>
<key>
-----BEGIN KEY-------------
xxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END KEY---------------
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
xxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END OpenVPN Static key V1-----
</tls-auth>

When I enter the username and password I get the following error:

LDAP search failed: Can't contact LDAP server
LDAP user "ashwani.pal" was not found.
Mon Dec  2 07:03:54 2019 10.10.10.1:2178 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mon Dec  2 07:03:54 2019 10.10.10.1:2178 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
Mon Dec  2 07:03:54 2019 10.10.10.1:2178 TLS Auth Error: Auth Username/Password verification failed for peer
Mon Dec  2 07:03:54 2019 10.10.10.1:2178 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-128-CBC'
Mon Dec  2 07:03:54 2019 10.10.10.1:2178 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Mon Dec  2 07:03:55 2019 10.10.10.1:2178 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Dec  2 07:03:55 2019 10.10.10.1:2178 [mac-client-poc] Peer Connection Initiated with [AF_INET]10.10.10.1:2178
Mon Dec  2 07:03:55 2019 10.10.10.1:2178 PUSH: Received control message: 'PUSH_REQUEST'
Mon Dec  2 07:03:55 2019 10.10.10.1:2178 Delayed exit in 5 seconds
Mon Dec  2 07:03:55 2019 10.10.10.1:2178 SENT CONTROL [mac-client-poc]: 'AUTH_FAILED' (status=1)
Mon Dec  2 07:04:00 2019 10.10.10.1:2178 SIGTERM[soft,delayed-exit] received, client-instance exiting
Mon Dec  2 09:20:27 2019 10.10.10.1:46381 TLS: Initial packet from [AF_INET]185.200.118.85:46381, sid=12121212 12121212
Mon Dec  2 09:21:27 2019 10.10.10.1:46381 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

I don't know what exactly is causing the problem here, even though I have also tested the LDAP authentication connection with ldapsearch and it works fine.

FYI: without the Secure LDAP configuration, my OpenVPN server lets clients connect using the client key and certificate.

Thanks

[Discussion]:

Tags: authentication ssl ldap devops openvpn


[Solution 1]:

I'm not sure what exactly the reason is with this setup, but I have fixed it by using Stunnel as a proxy.

Added Reference document from Google

After completing this configuration, my OpenVPN-CE works perfectly with Google Secure LDAP.

[Discussion]:
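The answer above routes auth-ldap through a local stunnel instance that holds the Google client certificate, so the plugin only speaks plain LDAP to 127.0.0.1. The script below is an added example (not code from the question, the answer, or the Google document). It renders that stunnel client stanza, and it performs the pre-flight check the question's symptoms call for: the auth-ldap plugin runs inside the OpenVPN process, which the server.conf above drops to user nobody / group nogroup, so the certificate and key paths under /home/devops need to be readable by that account even though ldapsearch run as devops works. An optional live probe completes the mutual-TLS handshake with the client certificate. The section name `google-ldap`, the local port 1636 and the CA bundle path are assumptions.

```python
"""Pre-flight checks for OpenVPN auth-ldap -> stunnel -> Google Secure LDAP.

Added example, not part of the original post. Assumed values: stunnel section
name "google-ldap", local listener 127.0.0.1:1636, Debian/Ubuntu CA bundle path.
"""
import os
import pwd
import grp
import socket
import ssl
import stat
from pathlib import Path

# Mirrors the question's server.conf (user nobody / group nogroup) and Google's
# Secure LDAP endpoint; the plugin inherits these privileges.
OPENVPN_USER = "nobody"
OPENVPN_GROUP = "nogroup"
LDAP_HOST = "ldap.google.com"
LDAP_PORT = 636

READ = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
SEARCH = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def _allowed(st, uid, gids, bits):
    """POSIX discretionary-access check for one (owner, group, other) bit triple."""
    owner_bit, group_bit, other_bit = bits
    if uid == 0:                     # root bypasses DAC
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def check_file_access(path, uid, gids):
    """Return the list of problems that stop uid (with supplementary gids) from
    reading path: every ancestor directory needs search (x), the file needs read."""
    problems = []
    p = Path(path).resolve()
    for parent in reversed(p.parents):           # "/" first, down to the containing dir
        try:
            st = os.stat(parent)
        except FileNotFoundError:
            problems.append(f"{parent}: does not exist")
            return problems
        if not _allowed(st, uid, gids, SEARCH):
            problems.append(f"{parent}: no search (x) permission for uid {uid}")
    if not p.exists():
        problems.append(f"{p}: does not exist")
        return problems
    st = os.stat(p)
    if not _allowed(st, uid, gids, READ):
        problems.append(f"{p}: not readable by uid {uid} (mode {stat.filemode(st.st_mode)})")
    return problems


def resolve_account(user=OPENVPN_USER, group=OPENVPN_GROUP):
    """uid and the set of gids the OpenVPN process (and so the plugin) runs with."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid, grp.getgrnam(group).gr_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return pw.pw_uid, gids


def render_stunnel_conf(cert, key, accept_port=1636,
                        ca_bundle="/etc/ssl/certs/ca-certificates.crt"):
    """stunnel client-mode stanza: plain LDAP in on 127.0.0.1:accept_port, mutual TLS
    out to Google. auth-ldap.conf then uses URL ldap://127.0.0.1:<accept_port> with
    TLSEnable no. verifyChain/checkHost pin the upstream to ldap.google.com."""
    return "\n".join([
        "[google-ldap]",
        "client = yes",
        f"accept = 127.0.0.1:{accept_port}",
        f"connect = {LDAP_HOST}:{LDAP_PORT}",
        f"cert = {cert}",
        f"key = {key}",
        "verifyChain = yes",
        f"CAfile = {ca_bundle}",
        f"checkHost = {LDAP_HOST}",
        "",
    ])


def probe_ldaps(cert, key, host=LDAP_HOST, port=LDAP_PORT, timeout=10):
    """Live check (needs network): complete the mutual-TLS handshake with the
    client certificate; returns the TLS version and the server cert subject."""
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(cert, key)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert().get("subject")


if __name__ == "__main__":
    cert = "/home/devops/G-LDAP-Certificates/Google_ldap.crt"   # paths from the question
    key = "/home/devops/G-LDAP-Certificates/Google_ldap.key"
    uid, gids = resolve_account()
    for f in (cert, key):
        for problem in check_file_access(f, uid, gids) or [f"{f}: OK for {OPENVPN_USER}"]:
            print(problem)
    print(render_stunnel_conf(cert, key))
```

Run it on the server before touching OpenVPN: any line reporting a missing search or read permission means the plugin, once OpenVPN has dropped to nobody, cannot open the client certificate, regardless of what ldapsearch reports when run from the devops account. The probe, run as the same unprivileged account, separates a certificate-loading failure from a network one.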
