OPNsense OpenVPN: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
Zeile 159: Zeile 159:
 
****Instances
 
****Instances
 
*****+
 
*****+
 
+
{| class="wikitable"
 
+
! Feld !! Wert
 
+
|-
[[Datei:Opnsense-openvpn-14.png]]
+
| Enforce local group || None
 +
|-
 +
| Strict User/CN Matching || ☐
 +
|-
 +
| Renegotiate time ||
 +
|-
 +
| Auth Token Lifetime ||
 +
|-
 +
| Local Network || 10.81.0.0/16
 +
|-
 +
| Remote Network ||
 +
|-
 +
| Options || Nothing selected
 +
|-
 +
| Push Options || Nothing selected
 +
|-
 +
| Redirect gateway || Nothing selected
 +
|-
 +
| Register DNS || ☐
 +
|-
 +
| DNS Default Domain || xinux.org
 +
|-
 +
| DNS Domain search list ||
 +
|-
 +
| DNS Servers || 10.81.0.2
 +
|-
 +
| NTP Servers ||
 +
|}
  
 
=Firewall Regeln=
 
=Firewall Regeln=

Version vom 22. August 2025, 15:03 Uhr

Vorab

  • Wir sollten immer nur SSL/TLS nutzen
  • Dazu müssen wir den DC per Namen auflösen können.
  • Und wir brauchen sein Stammzertifikat

Die User kommen von der ADS

  • User haben entwder das Attribut
    • SamAccountName

oder

    • uid
In der Domain muss ein Binduser und eine Gruppe angelegt sein
  • Gruppe: vpnuser
  • Binduser: ldapuser

Server anlegen

  • System
    • Access
      • Servers
Feld Wert
Descriptive name openvpn-user
Type LDAP
Hostname or IP address win2022.lab.int
Port value 636
Transport SSL - Encrypted
Protocol version 3
Bind credentials cn=ldapuser,ou=Service,dc=lab,dc=int
Password 123Start$
Search scope Entire Subtree
Base DN dc=lab,dc=int
Authentication containers cn=users,dc=lab,dc=int
Extended Query memberOf=cn=vpnusers,cn=groups,dc=lab,dc=int
User naming attribute uid
Read properties
Synchronize groups
Constraint groups
Limit groups Nothing selected
Automatic user creation
Match case insensitive

CA erstellen

  • System
    • Trust
      • Authorities
        • +
Feld Wert
Description opnsense-xin-ca
Key type RSA-2048
Digest Algorithm SHA256
Issuer self-signed
Lifetime (days) 825
Country Code Germany
State or Province
City
Organization
Organizational Unit
Email Address
Common Name opnsense-xin-ca
OCSP uri

Cert für den Openvpn Server erstellen

  • System
    • Trust
      • Certificates
        • +
Feld Wert
Method Create an internal Certificate
Description openserver-cert
Type Server Certificate
Private key location Save on this firewall
Key type RSA-2048
Digest Algorithm SHA256
Issuer opnsense-xin-ca
Lifetime (days) 1825
Country Code Germany
State or Province
City
Organization
Organizational Unit
Email Address
Common Name opnsense-zw.tuxmen.de
OCSP uri

Konfiguration

Static Key generieren
  • VPN
    • OpenVPN
      • Instances
        • Static Keys
          • +

Wir wählen Auth als Crypt

  • Auf das Zahnrad klicken
Feld Wert
Description unser-key
Mode crypt (Encrypt and authenticate)
Static Key # 2048 bit OpenVPN static key … (BEGIN/END OpenVPN Static key V1)
Dern Server konfigurieren
  • VPN
    • OpenVPN
      • Instances
        • Instances
          • +
Feld Wert
Enforce local group None
Strict User/CN Matching
Renegotiate time
Auth Token Lifetime
Local Network 10.81.0.0/16
Remote Network
Options Nothing selected
Push Options Nothing selected
Redirect gateway Nothing selected
Register DNS
DNS Default Domain xinux.org
DNS Domain search list
DNS Servers 10.81.0.2
NTP Servers

Firewall Regeln

WAN
  • Firewall
    • Rules
      • WAN
        • +

Opnsense-openvpn-7.png

OpenVPN
  • Firewall
    • Rules
      • OpenVPN
        • +

Opnsense-openvpn-8.png

Die Client Konfiguration exportieren

  • VPN
    • OpenVPN
      • Client Export

Opnsense-openvpn-9.png


Abgerufen von „http://wiki.ixheim.de/index.php?title=OPNsense_OpenVPN&oldid=64385