OPENVPN with ldap User-Authentication

From xinux wiki
Revision as of 19 March 2020, 14:42 by Niklas.guenauer (talk | contribs) (Page created: „=Install= *sudo apt install openvpn openvpn-auth-ldap =Server= ==on ldap server== *samba-tool group add homeoffice *samba-tool user create openvpn W!rkl1cHs3Hr…“)

Install

  • sudo apt install openvpn openvpn-auth-ldap

Server

On the LDAP server

  • samba-tool group add homeoffice
  • samba-tool user create openvpn W!rkl1cHs3HrG3he!m

Create users and add them to the group

  • samba-tool user create hw1 s3HrG3he!m
  • samba-tool group addmembers homeoffice hw1

Create DH Key

  • cd /etc/openvpn
  • openssl dhparam -out dh2048.pem 2048

Also place openvpn-ca.crt, openvpn-linux.crt and openvpn-linux.key in this directory.

Server Config

  • vi /etc/openvpn/homeoffice.conf
dev tun
mode server
tls-server
port 5000
topology subnet
server 172.31.2.0 255.255.255.0
push "route 192.168.95.0 255.255.255.0"
push "dhcp-option DOMAIN vulkan.int"
push "dhcp-option DNS 192.168.95.10"
cipher AES-256-CBC
link-mtu 1542
status /tmp/cool-vpn.status
keepalive 10 30
client-to-client
max-clients 150
verb 3
dh /etc/openvpn/dh2048.pem
ca /etc/openvpn/openvpn-ca.crt
cert /etc/openvpn/openvpn-linux.crt
key /etc/openvpn/openvpn-linux.key
# no client certificates: the LDAP username/password is the only client authentication
# (deprecated in OpenVPN 2.4 and removed in 2.5, where the replacement is "verify-client-cert none")
client-cert-not-required
compress
persist-key
persist-tun
client-config-dir client
# the LDAP username is used as the common name, so client-config-dir entries and logs key on it
username-as-common-name
# delegate the username/password check to openvpn-auth-ldap, configured in auth-ldap.conf below
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf login
script-security 3

auth-ldap.conf

# this file contains the bind password: keep it readable by root only (chmod 600)
<LDAP>
        # ldaps:// already wraps the connection in TLS; TLSEnable switches on StartTLS
        # for a plain ldap:// URL and is therefore left off here
        URL             ldaps://mero.vulkan.int
        # the service account created above on the LDAP server
        BindDN          "CN=openvpn,CN=Users,DC=vulkan,DC=int"
        Password        "W!rkl1cHs3HrG3he!m"
        Timeout         15
        TLSEnable       no
        # Follow LDAP Referrals (anonymously)
        FollowReferrals no
        # TLS CA Certificate File
        TLSCACertFile   /etc/openvpn/openvpn-ca.crt
</LDAP>

<Authorization>
        BaseDN          "dc=vulkan,dc=int"
        # only members of the homeoffice group match; the group restriction is enforced
        # here in the filter rather than through RequireGroup and a <Group> block
        SearchFilter    "(&(sAMAccountName=%u)(memberOf=CN=homeoffice,CN=Users,DC=vulkan,DC=int))"
        RequireGroup    false
</Authorization>
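
As an added example (not from the wiki page or the openvpn-auth-ldap project), a small Python preflight that parses the auth-ldap.conf format above and flags settings that would send passwords in cleartext or silently drop the group restriction; the inlined sample is the page's own config with the bind password replaced by a placeholder.

```python
# Added example (not from the wiki page or openvpn-auth-ldap itself): parse the
# <LDAP>/<Authorization> format above and flag weak settings before deploying.
import re

# The page's auth-ldap.conf inlined so this runs offline (bind password is a placeholder).
SAMPLE_CONF = """
<LDAP>
        URL             ldaps://mero.vulkan.int
        BindDN          "CN=openvpn,CN=Users,DC=vulkan,DC=int"
        Password        "PLACEHOLDER-BIND-PASSWORD"
        TLSEnable       no
        # Follow LDAP Referrals (anonymously)
        TLSCACertFile   /etc/openvpn/openvpn-ca.crt
</LDAP>
<Authorization>
        BaseDN          "dc=vulkan,dc=int"
        SearchFilter    "(&(sAMAccountName=%u)(memberOf=CN=homeoffice,CN=Users,DC=vulkan,DC=int))"
        RequireGroup    false
</Authorization>
"""

def parse_auth_ldap(text):
    """Return {section: {key: value}}; '#' comments and blank lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.fullmatch(r"<(/?)(\w+)>", line)   # <LDAP> opens, </LDAP> closes
        if tag:
            current = None if tag.group(1) else sections.setdefault(tag.group(2), {})
            continue
        key, value = re.match(r"(\S+)\s*(.*)", line).groups()
        if current is not None:
            current[key] = value.strip().strip('"')
    return sections

def preflight(conf):
    """Return the findings for a parsed config; an empty list means it passes."""
    ldap, authz = conf.get("LDAP", {}), conf.get("Authorization", {})
    # ldaps:// is TLS from the start; TLSEnable adds StartTLS on a plain ldap:// URL
    encrypted = (ldap.get("URL", "").lower().startswith("ldaps://")
                 or ldap.get("TLSEnable", "").lower() == "yes")
    sfilter = authz.get("SearchFilter", "")
    checks = [
        (not encrypted, "cleartext LDAP: bind and user passwords cross the network unencrypted"),
        (encrypted and not ldap.get("TLSCACertFile"), "no TLSCACertFile: certificate validation relies on system LDAP defaults"),
        ("%u" not in sfilter, "SearchFilter does not select on %u (the presented username)"),
        (authz.get("RequireGroup", "").lower() != "true" and "memberof=" not in sfilter.lower(),
         "no group restriction: RequireGroup is false and SearchFilter has no memberOf clause"),
    ]
    return [msg for bad, msg in checks if bad]
```

Running preflight over the page's config returns no findings; changing the URL to ldap:// or removing the memberOf clause produces one finding each.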

Client

Client Config

port 5000
dev tun0
remote neo.harirbo.net
tls-client
cipher AES-256-CBC
link-mtu 1542
mssfix 1450
pull
compress
verb 3
# prompt for the LDAP username and password
auth-user-pass
# no client certificate is presented; the server side runs with client-cert-not-required
setenv CLIENT_CERT 0
<ca>
-----BEGIN CERTIFICATE-----
place your cacert here
-----END CERTIFICATE-----
</ca>