LAB Linux in Heterogeneous Networks: OpenVPN with LDAP User Authentication
Installation on the firewall
- sudo apt install openvpn openvpn-auth-ldap
For testing
- sudo apt install ldap-utils
On the domain controller
- Create the group vpnuser
- Add the users who are allowed to use the VPN to that group
- Create the user vpnservice (the bind account the OpenVPN plugin will use)
Server
Create the DH key
- cd /etc/openvpn
- openssl dhparam -out dh2048.pem 2048
Certificates
- We need a ca.crt, a firewall.lab34.linuggs.de.crt and a firewall.lab34.linuggs.de.key
- This can be done, for example, as described here:
Certificates for openvpn
Server config
- vi /etc/openvpn/homeoffice.conf
dev tun
mode server
tls-server
port 1194
topology subnet
server 172.31.2.0 255.255.255.0
push "route 172.26.52.0 255.255.252.0"
push "dhcp-option DOMAIN lab34.linuggs.de"
push "dhcp-option DNS 172.26.54.2"
cipher AES-256-CBC
data-ciphers AES-256-CBC
link-mtu 1542
status /tmp/cool-vpn.status
keepalive 10 30
client-to-client
max-clients 150
verb 3
dh /etc/openvpn/dh2048.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/firewall.lab34.linuggs.de.crt
key /etc/openvpn/firewall.lab34.linuggs.de.key
verify-client-cert none
compress
persist-key
persist-tun
client-config-dir client
username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf login
script-security 3
We need the CA certificate of the ADS
- Obtain it somehow
- cp /home/kit/lab34-ca.cer /etc/openvpn/lab34-ca.crt
- cp /home/kit/lab34-ca.cer /etc/ldap/lab34-ca.crt
Small adjustments
- We must be able to resolve the domain controller
- cat /etc/resolv.conf
nameserver 172.26.54.2
nameserver 2a02:24d8:71:3036::2
search lab34.linuggs.de
- For testing the LDAP connection
- cat /etc/ldap/ldap.conf
BASE dc=lab34,dc=linuggs,dc=de
URI ldaps://win2022.lab34.linuggs.de
LDAPDEBUG 1
TLS_CACERT /etc/ldap/lab34-ca.crt
Which groups is Rudi in?
- ldapsearch -LLL -x -D cn=vpnservice,cn=Users,dc=lab34,dc=linuggs,dc=de -w 12345-Xinux -b dc=lab34,dc=linuggs,dc=de "(cn=rudi)" memberOf
dn: CN=rudi,CN=Users,DC=lab34,DC=linuggs,DC=de
memberOf: CN=vpnuser,CN=Users,DC=lab34,DC=linuggs,DC=de
memberOf: CN=mailuser,CN=Users,DC=lab34,DC=linuggs,DC=de
memberOf: CN=gg_wiki,CN=Users,DC=lab34,DC=linuggs,DC=de
auth-ldap.conf
<LDAP>
URL ldaps://win2022.lab34.linuggs.de
BindDN "cn=vpnservice,cn=Users,dc=lab34,dc=linuggs,dc=de"
Password "12345-Xinux"
Timeout 15
TLSEnable no
FollowReferrals no
TLSCACertFile /etc/openvpn/lab34-ca.crt
</LDAP>
<Authorization>
BaseDN "dc=lab34,dc=linuggs,dc=de"
SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=vpnuser,CN=Users,DC=lab34,DC=linuggs,DC=de))"
RequireGroup false
</Authorization>
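As an added illustration (not code from the original page or from the openvpn-auth-ldap project), the following Python evaluates the SearchFilter of the Authorization block above against a constructed copy of what the ldapsearch check returns, so you can see which memberOf value actually lets rudi in and why a user who is only in mailuser is refused. The group DN and the user rudi come from the page; the user erna, the LDIF layout and the rule that exactly one entry must match are assumptions of this example.

```python
# Constructed sample directory in `ldapsearch -LLL` form: rudi's memberOf values
# mirror the query output above; erna is a made-up user who is not in vpnuser.
SAMPLE_LDIF = """\
dn: CN=rudi,CN=Users,DC=lab34,DC=linuggs,DC=de
sAMAccountName: rudi
memberOf: CN=vpnuser,CN=Users,DC=lab34,DC=linuggs,DC=de
memberOf: CN=mailuser,CN=Users,DC=lab34,DC=linuggs,DC=de

dn: CN=erna,CN=Users,DC=lab34,DC=linuggs,DC=de
sAMAccountName: erna
memberOf: CN=mailuser,CN=Users,DC=lab34,DC=linuggs,DC=de
"""
# The SearchFilter from auth-ldap.conf; %u is replaced by the OpenVPN login name.
SEARCH_FILTER = ("(&(sAMAccountName=%u)"
                 "(memberOf=CN=vpnuser,CN=Users,DC=lab34,DC=linuggs,DC=de))")

def parse_ldif(text):
    """One dict per entry, {attr_lowercase: [values]}; every memberOf value is kept."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if line:
            attr, _, value = line.partition(": ")
            cur.setdefault(attr.lower(), []).append(value)
        elif cur:                           # a blank line terminates an entry
            entries.append(cur)
            cur = {}
    return entries

def parse_filter(s, i=0):
    """RFC 4515 subset the page's filter needs: (&...) and equality (attr=value)."""
    if s[i + 1] == "&":
        i, kids = i + 2, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return ("&", kids), i + 1           # index just past the closing ')'
    end = s.index(")", i)
    attr, _, value = s[i + 1:end].partition("=")  # first '=' splits attr from value
    return ("=", attr, value), end + 1

def matches(node, entry):
    """AD matches sAMAccountName and DN-valued attributes case-insensitively."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))

def vpn_authorized(username, ldif=SAMPLE_LDIF):
    """Authorization decision: the filter with %u filled in must match exactly one entry."""
    tree, _ = parse_filter(SEARCH_FILTER.replace("%u", username))
    return sum(matches(tree, e) for e in parse_ldif(ldif)) == 1
```

Because the memberOf test is part of the filter itself, RequireGroup false in the config does not weaken the check: a user outside vpnuser simply produces no matching entry.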
Client
Client config
- vi /etc/openvpn/client.ovpn
port 1194
dev tun0
remote 172.30.34.14
tls-client
cipher AES-256-CBC
link-mtu 1542
mssfix 1450
pull
compress
verb 3
auth-user-pass
setenv CLIENT_CERT 0
<ca>
-----BEGIN CERTIFICATE-----
MIIFBzCCAu+gAwIBAgIUSn+kWZSfFgfj/ZXnzsNaW2JjE3wwDQYJKoZIhvcNAQEL
BQAwEzERMA8GA1UEAwwIbGFiMzQtY2EwHhcNMjQxMDA2MTQxNzUwWhcNMzQxMDA0
MTQxNzUwWjATMREwDwYDVQQDDAhsYWIzNC1jYTCCAiIwDQYJKoZIhvcNAQEBBQAD
ggIPADCCAgoCggIBAKxUhyXOBugFSdKTyjDm46j2UktuLaRjOWHKeIVu7/FSdnXV
yXFduYIY+1xipVyYNeTDTjBWhs4XyklL7Q+IBF0/vuWnr7UfZk2cDwEVLr1FqTri
TsoYjS3mtQji+B7DOp8BmeJwTTGZg4WKR4mas9WXafr76TQp9WOUvmLqDG95MTrt
uaoZkqMvVHYOe/Jvw97WEMSX4oUsyyPinoQaLYVFQcnwV9P2+jNw+FeUK66j0cyw
oZeh7AjORe8/HsI8PkrughbOcgJypiWOR3D5G7IwvWAj2JUvX1nPuz7enRgRRTNJ
uDoKMfrxy7E0U5T1YY0qxLBEnbrQpAsDeBLoHa70BsbLsydS/s4OcR+1Wxu3LBw6
/NNJ9bVz5dXDQu0hWlGV3YOIN5oEFrcHW8YTPZ64Msg9MnpSDWYaj5iPeNlomgBb
Un5Qy7qlE6weDGaOb7kL2jla/WhMMCzm4GptKPXJN0pUfuCsQloQeWrHMHsPOwS+
cV7E+YSkVncdINCmqgotmK1fgxVeQQYGAi+FeF6tpOggiq5pdIPYXsD7ON2LD9DC
C0/rx95EZ3du2PJZ9fz8Zyy3m3S7bxP+iuvN+4tuoG/IpeiABs34od0TaYfTn0uv
mM+pM9U+vLdT/6LENBWKNboeD14/xXE08UX5EmdrU2k8uzSjqum2zx0EDLElAgMB
AAGjUzBRMB0GA1UdDgQWBBQ0QK/RzgBszMrBb9qCNGeJnj5EpTAfBgNVHSMEGDAW
gBQ0QK/RzgBszMrBb9qCNGeJnj5EpTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
DQEBCwUAA4ICAQBsxsniHuDKq+lbuqo5WsJSxOnpXJd5TartYZatsX9+V9zMb0MK
KMiWOlN0yb2ZFyDAlb8hxZLLsM1QOeqkkPlhSM5r+lVsrgdQJkSE9iFsZSx9yBGo
yb8isVh6sjkoMRFi6vRqoMGJ+WS41m24nclEx1CpC2EBDxuYamF96cS2Q9EbNh2U
0BZ2XnB4jhsjtFVfMFSxgCyJXmPiHbAzsP0NIn74VPec4WD7sqHwRcqw9D6RRbmz
HNgCddhbYi1+uX+caAgXs8AtuutAsC0iEjjKJDkYV/R8HeyKfPvW+UQlkEykL9gZ
1HPoXRHvWLUWBrku5WHEI4QP7iW5LRmZaRAGjHo1tEenQAsUO6MFbk5FPdysjuUP
QTzPtQ3yOOBtndrF8Nq8EQKYtZ6vJ36GKoCP2Dz1CEESWpoGGRYIIsqqCLKDt1Xi
4iNGmPSY31NaiDhgDKsB219sYYjW34jeqnwwyd6O4vTxB39nPObCrQTh6j8ncFjk
B5gh+xL9vzYxfsIW2Vo7Gw60ZbILqmPt8XpOgPvvDkrdR7+Lz2N12NcD8WnBwS06
dB5InysjmRmR4MoV7+whD2MlNENQDv58Ls4cPIsepSIX8Q6TxgWIM98qbswLt6zy
bGzxWt004OjQcrCaieCTEiIZJs3ySleOEb993+VRJPrcmmMD+0MlXLKaDg==
-----END CERTIFICATE-----
</ca>
First test
- firewall
- openvpn --config /etc/openvpn/homeoffice.conf
2024-10-06 17:00:15 Note: '--allow-compression' is not set to 'no', disabling data channel offload.
2024-10-06 17:00:15 Consider using the '--compress migrate' option.
...
...
2024-10-06 17:01:37 IFCONFIG POOL IPv4: base=172.31.2.2 size=253
2024-10-06 17:01:37 Initialization Sequence Complete
- client
- sudo openvpn --config client.ovpn
2024-10-06 17:14:04 Note: '--allow-compression' is not set to 'no', disabling data channel offload.
2024-10-06 17:14:04 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2024-10-06 17:14:04 library versions: OpenSSL 3.0.14 4 Jun 2024, LZO 2.10
2024-10-06 17:14:04 DCO version: N/A
Enter Auth Username: rudi
Enter Auth Password: ***********
2024-10-06 17:14:10 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2024-10-06 17:14:10 TCP/UDP: Preserving recently used remote address: [AF_INET]172.30.34.14:1194
...
...
...
2024-10-06 17:14:10 Initialization Sequence Completed
The WARNING line appears because client.ovpn names no server verification method: adding the directive remote-cert-tls server to the client config makes the client reject any peer whose certificate was not issued for server use (the firewall certificate then needs the serverAuth extended key usage), which closes the man-in-the-middle case the linked howto describes.
If everything works
- systemctl enable openvpn --now
Next steps
- Install a graphical client on Windows or Linux and test it