OPENVPN with ldap User-Authentication
Revision as of 19 March 2020, 13:42 by Niklas.guenauer (talk | contribs) (Page created: „=Install= *sudo apt install openvpn openvpn-auth-ldap =Server= ==on ldap server== *samba-tool group add homeoffice *samba-tool user create openvpn W!rkl1cHs3Hr…“)
Install
- sudo apt install openvpn openvpn-auth-ldap
Server
on ldap server
- samba-tool group add homeoffice
- samba-tool user create openvpn W!rkl1cHs3HrG3he!m
Create users and add them to the group
- samba-tool user create hw1 s3HrG3he!m
- samba-tool group addmembers homeoffice hw1
Create DH Key
- cd /etc/openvpn
- openssl dhparam -out dh2048.pem 2048
Also place openvpn-ca.crt, openvpn-linux.crt and openvpn-linux.key in this directory.
Server Config
- vi /etc/openvpn/homeoffice.conf
dev tun
mode server
tls-server
port 5000
topology subnet
server 172.31.2.0 255.255.255.0
push "route 192.168.95.0 255.255.255.0"
push "dhcp-option DOMAIN vulkan.int"
push "dhcp-option DNS 192.168.95.10"
cipher AES-256-CBC
link-mtu 1542
status /tmp/cool-vpn.status
keepalive 10 30
client-to-client
max-clients 150
verb 3
dh /etc/openvpn/dh2048.pem
ca /etc/openvpn/openvpn-ca.crt
cert /etc/openvpn/openvpn-linux.crt
key /etc/openvpn/openvpn-linux.key
client-cert-not-required
compress
persist-key
persist-tun
client-config-dir client
username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf login
script-security 3
auth-ldap.conf
<LDAP>
  URL ldaps://mero.vulkan.int
  BindDN "CN=openvpn,CN=Users,DC=vulkan,DC=int"
  Password "W!rkl1cHs3HrG3he!m"
  Timeout 15
  TLSEnable no
  # Follow LDAP Referrals (anonymously)
  FollowReferrals no
  # TLS CA Certificate File
  TLSCACertFile /etc/openvpn/openvpn-ca.crt
</LDAP>

<Authorization>
  BaseDN "dc=vulkan,dc=int"
  SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=homeoffice,CN=Users,DC=vulkan,DC=int))"
  RequireGroup false
</Authorization>
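Added example (not from the original page, and not the plugin's own code): a small Python stand-in for the bind, search, then user-bind sequence that the openvpn-auth-ldap plugin runs with the <Authorization> settings above. The in-memory DIRECTORY, the second user hw2 and its password are constructed for illustration; the filter evaluator handles only the AND-of-equalities subset the page's SearchFilter uses. It shows two things: because the memberOf clause is part of SearchFilter, a user outside homeoffice is never found and login fails even though RequireGroup is false; and the username must be escaped per RFC 4515 before it replaces %u, otherwise a value such as "*" would turn the equality into a presence test.

```python
import re

# <Authorization> settings copied from the page's auth-ldap.conf.
BASE_DN = "dc=vulkan,dc=int"
SEARCH_FILTER = ("(&(sAMAccountName=%u)"
                 "(memberOf=CN=homeoffice,CN=Users,DC=vulkan,DC=int))")

# Constructed stand-in for the directory (DN -> attributes). hw1 is the user
# from the page and a member of homeoffice; hw2 is a constructed non-member.
DIRECTORY = {
    "CN=hw1,CN=Users,DC=vulkan,DC=int": {
        "sAMAccountName": ["hw1"],
        "memberOf": ["CN=homeoffice,CN=Users,DC=vulkan,DC=int"],
        "userPassword": ["s3HrG3he!m"],
    },
    "CN=hw2,CN=Users,DC=vulkan,DC=int": {
        "sAMAccountName": ["hw2"],
        "memberOf": [],
        "userPassword": ["constructed-pw"],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the username is data, never filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value: str) -> str:
    """Turn \\xx escapes back into the literal character for comparison."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def build_filter(template: str, username: str) -> str:
    """Substitute %u with the escaped username, as a correct plugin must."""
    return template.replace("%u", escape_filter_value(username))


def matches(entry: dict, flt: str) -> bool:
    """Evaluate the filter subset the page uses: (&(attr=value)...).
    A bare '*' is a presence test; '\\2a' is a literal asterisk."""
    if not (flt.startswith("(&") and flt.endswith(")")):
        raise ValueError("only AND filters are supported here")
    attrs = {k.lower(): [v.lower() for v in vals] for k, vals in entry.items()}
    for attr, raw in re.findall(r"\(([^=()]+)=([^()]*)\)", flt[2:-1]):
        values = attrs.get(attr.lower(), [])
        if raw == "*":
            if not values:
                return False
        elif unescape_filter_value(raw).lower() not in values:
            return False
    return True


def search(base_dn: str, flt: str) -> list:
    """DNs below base_dn whose attributes satisfy the filter."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and matches(attrs, flt)]


def authenticate(username: str, password: str) -> tuple:
    """Search with the escaped filter, then bind as the single entry found."""
    dns = search(BASE_DN, build_filter(SEARCH_FILTER, username))
    if len(dns) != 1:
        return False, "search returned %d entries for %r" % (len(dns), username)
    if password not in DIRECTORY[dns[0]].get("userPassword", []):
        return False, "bind as %s failed" % dns[0]
    return True, dns[0]


if __name__ == "__main__":
    for user, pw in [("hw1", "s3HrG3he!m"), ("hw2", "constructed-pw"),
                     ("hw1", "wrong"), ("*", "anything")]:
        print(user, authenticate(user, pw))
```

Running it prints one line per attempt: hw1 succeeds with the right password, hw2 fails because the search returns no entry, hw1 with a wrong password fails at the bind step, and "*" fails because it is escaped to a literal asterisk before the search.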
Client
Client Config
port 5000
dev tun0
remote neo.harirbo.net
tls-client
cipher AES-256-CBC
link-mtu 1542
mssfix 1450
pull
compress
verb 3
auth-user-pass
setenv CLIENT_CERT 0
<ca>
-----BEGIN CERTIFICATE-----
place your cacert here
-----END CERTIFICATE-----
</ca>