Vorab

• Wir sollten immer nur SSL/TLS nutzen
• Dazu müssen wir den DC per Namen auflösen können.
• Und wir brauchen sein Stammzertifikat

Die User kommen von der ADS

• User haben entwder das Attribut
  • SamAccountName oder uid

In der Domain muss ein Binduser und eine Gruppe angelegt sein

Binduser

ldapuser

Mit diesem verbindet sich die Opnsense zum DC

• Gruppe: vpnuser

Mitglieder dieser Gruppe dürfen die VPN nutzen.

Gruppe: vpnuser

Benutzer	Domain	Gruppe	Passwort
tick	sec-labs.de	vpnuser	abcd1234$
trick	sec-labs.de	vpnuser	animoto-8
track	sec-labs.de	vpnuser	Aa123456.

Server anlegen

• System
  • Access
    • Servers

Feld	Wert
Descriptive name	openvpn-user
Type	LDAP
Hostname or IP address	win2022.sec-labs.de
Port value	636
Transport	SSL - Encrypted
Protocol version	3
Bind credentials	cn=ldapuser,ou=Service,dc=sec-labs,dc=de
Password	123Start$
Search scope	Entire Subtree
Base DN	dc=sec-labs,dc=de
Authentication containers	cn=users,dc=sec-labs,dc=de
Extended Query	memberOf=cn=vpnusers,cn=groups,dc=sec-labs,dc=de
User naming attribute	uid
Read properties	☑
Synchronize groups	☑
Constraint groups	☐
Limit groups	Nothing selected
Automatic user creation	☐
Match case insensitive	☐

CA erstellen

• System
  • Trust
    • Authorities
      • +

Feld	Wert
Description	opnsense-xin-ca
Key type	RSA-2048
Digest Algorithm	SHA256
Issuer	self-signed
Lifetime (days)	825
Country Code	Germany
State or Province
City
Organization
Organizational Unit
Email Address
Common Name	opnsense-xin-ca
OCSP uri

Cert für den Openvpn Server erstellen

• System
  • Trust
    • Certificates
      • +

Feld	Wert
Method	Create an internal Certificate
Description	openserver-cert
Type	Server Certificate
Private key location	Save on this firewall
Key type	RSA-2048
Digest Algorithm	SHA256
Issuer	opnsense-xin-ca
Lifetime (days)	1825
Country Code	Germany
State or Province
City
Organization
Organizational Unit
Email Address
Common Name	opnsense-zw.tuxmen.de
OCSP uri

Konfiguration

Static Key generieren

• VPN
  • OpenVPN
    • Instances
      • Static Keys
        • +

Wir wählen Auth als Crypt

• Auf das Zahnrad klicken

Feld	Wert
Description	unser-key
Mode	crypt (Encrypt and authenticate)
Static Key	# 2048 bit OpenVPN static key … (BEGIN/END OpenVPN Static key V1)

Dern Server konfigurieren

• VPN
  • OpenVPN
    • Instances
      • Instances
        • +

Feld	Wert
Enforce local group	None
Strict User/CN Matching	☐
Renegotiate time
Auth Token Lifetime
Local Network	10.81.0.0/16
Remote Network
Options	Nothing selected
Push Options	Nothing selected
Redirect gateway	Nothing selected
Register DNS	☐
DNS Default Domain	xinux.org
DNS Domain search list
DNS Servers	10.81.0.2
NTP Servers

Firewall Regeln

WAN

• Firewall
  • Rules
    • WAN
      • +

Feld	Wert
Action	Pass
Disabled	☐
Quick	☑ (Apply the action immediately on match)
Interface	WAN
Direction	in
TCP/IP Version	IPv4
Protocol	UDP
Source Invert	☐
Source	any
Destination Invert	☐
Destination	WAN address
Destination port range	OpenVPN → OpenVPN
Log	☐
Category
Description
No XMLRPC Sync
Schedule	none
Gateway	default

OpenVPN

• Firewall
  • Rules
    • OpenVPN
      • +

Feld	Wert
Action	Pass
Disabled	☐
Quick	☑ (Apply the action immediately on match)
Interface	OpenVPN
Direction	in
TCP/IP Version	IPv4
Protocol	any
Source Invert	☐
Source	OpenVPN net
Destination Invert	☐
Destination	any
Destination port range	any → any

Die Client Konfiguration exportieren

• VPN
  • OpenVPN
    • Client Export

Feld	Wert
Remote Access Server	Unser Server udp/1194
Export type	File Only
Hostname	opensense.it2xx.xinmen.de
Port	1194
Use random local port	☑
Validate server subject	☑
Windows Certificate System Store	☐
Disable password save	☐
Custom config
Certificate	opnsense-cert (ausgewählt)

• https://docs.opnsense.org/manual/how-tos/user-ldap.html