OPNsense OpenVPN: Difference between revisions

From Xinux Wiki
 
(13 intermediate revisions by the same user not shown)
Zeile 6: Zeile 6:
 
=Die User kommen von der ADS=
 
=Die User kommen von der ADS=
 
*User haben entwder das Attribut
 
*User haben entwder das Attribut
**SamAccountName
+
**'''SamAccountName''' oder '''uid'''
oder
 
**uid
 
 
;In der Domain muss ein Binduser und eine Gruppe angelegt sein:
 
;In der Domain muss ein Binduser und eine Gruppe angelegt sein:
 +
;Binduser: ldapuser
 +
Mit diesem verbindet sich die Opnsense zum DC
 
*Gruppe: vpnuser
 
*Gruppe: vpnuser
*Binduser: ldapuser
+
Mitglieder dieser Gruppe dürfen die VPN nutzen.
 +
==Gruppe: vpnuser==
 +
{| class="wikitable"
 +
! Benutzer !! Domain !! Gruppe !! Passwort
 +
|-
 +
| tick  || sec-labs.de || vpnuser  || abcd1234$
 +
|-
 +
| trick  || sec-labs.de || vpnuser  || animoto-8
 +
|-
 +
| track  || sec-labs.de || vpnuser  || Aa123456.
 +
|}
 +
 
 
==Server anlegen==
 
==Server anlegen==
 
*System
 
*System
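Review bot: the wikitable added under ==Gruppe: vpnuser== records three account passwords (abcd1234$, animoto-8, Aa123456.) in cleartext next to the user names and domain; even for lab accounts, keep only user name and group on the page and hand the passwords out separately, or label them explicitly as throw-away lab credentials so nobody reuses them. Minor: "entwder" in the unchanged line should read "entweder".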
Zeile 24: Zeile 35:
 
| Type || LDAP
 
| Type || LDAP
 
|-
 
|-
| Hostname or IP address || win2022.lab.int
+
| Hostname or IP address || win2022.sec-labs.de
 
|-
 
|-
 
| Port value || 636
 
| Port value || 636
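Review bot: the host name changes to win2022.sec-labs.de while Port value stays 636, i.e. LDAPS, so the new name must be resolvable from the firewall and must match the name in the DC's server certificate, and the DC's root certificate has to be imported into OPNsense's trust store beforehand (the "Vorab" section of the current revision says exactly this but the hunk does not). Add a row or sentence naming the imported CA (System > Trust > Authorities) so the table is complete.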
Zeile 32: Zeile 43:
 
| Protocol version || 3
 
| Protocol version || 3
 
|-
 
|-
| Bind credentials || cn=ldapuser,ou=Service,dc=lab,dc=int
+
| Bind credentials || cn=ldapuser,ou=Service,dc=sec-labs,dc=de
 
|-
 
|-
 
| Password || 123Start$
 
| Password || 123Start$
Zeile 38: Zeile 49:
 
| Search scope || Entire Subtree
 
| Search scope || Entire Subtree
 
|-
 
|-
| Base DN || dc=lab,dc=int
+
| Base DN || dc=sec-labs,dc=de
 
|-
 
|-
| Authentication containers || cn=users,dc=lab,dc=int
+
| Authentication containers || cn=users,dc=sec-labs,dc=de
 
|-
 
|-
| Extended Query || memberOf=cn=vpnusers,cn=groups,dc=lab,dc=int
+
| Extended Query || memberOf=cn=vpnusers,cn=groups,dc=sec-labs,dc=de
 
|-
 
|-
 
| User naming attribute || uid
 
| User naming attribute || uid
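Review bot: the Extended Query in this hunk filters on memberOf=cn=vpnusers,cn=groups,dc=sec-labs,dc=de, but the group introduced at the top of the page is vpnuser (singular) and the member table is headed "Gruppe: vpnuser"; with a mismatched group DN no account satisfies the filter and every VPN login is rejected, so align the name and check that the group really lives in a cn=groups container rather than in cn=users like the accounts. Two further points on the unchanged lines: "Password || 123Start$" keeps the bind account's password in cleartext on the page (same concern as the user table), and "User naming attribute || uid" sits oddly beside the statement that users have SamAccountName or uid, since accounts on a Windows DC always carry sAMAccountName while uid is only present when populated explicitly; verify which attribute the test accounts actually have before relying on uid.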
Zeile 144: Zeile 155:
 
Wir wählen Auth als Crypt
 
Wir wählen Auth als Crypt
 
*Auf das Zahnrad klicken
 
*Auf das Zahnrad klicken
[[Datei:Opnsense-openvpn-3.png]]
+
{| class="wikitable"
 +
! Feld !! Wert
 +
|-
 +
| Description || unser-key
 +
|-
 +
| Mode || crypt (Encrypt and authenticate)
 +
|-
 +
| Static Key || # 2048 bit OpenVPN static key … (BEGIN/END OpenVPN Static key V1)
 +
|}
 
;Dern Server konfigurieren
 
;Dern Server konfigurieren
 
*VPN
 
*VPN
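Review bot: the Static Key row rightly contains only a placeholder ("# 2048 bit OpenVPN static key … BEGIN/END"); keep it that way, because the tls-crypt key is a secret shared by the server and every client, and pasting the real key into the wiki would void the protection it adds. Typo in the definition line: "Dern Server konfigurieren" should be "Den Server konfigurieren".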
Zeile 151: Zeile 170:
 
****Instances
 
****Instances
 
*****+
 
*****+
[[Datei:Opnsense-openvpn-13.png]]
+
{| class="wikitable"
 
+
! Feld !! Wert
[[Datei:Opnsense-openvpn-14.png]]
+
|-
 +
| Enforce local group || None
 +
|-
 +
| Strict User/CN Matching || ☐
 +
|-
 +
| Renegotiate time ||
 +
|-
 +
| Auth Token Lifetime ||
 +
|-
 +
| Local Network || 10.81.0.0/16
 +
|-
 +
| Remote Network ||
 +
|-
 +
| Options || Nothing selected
 +
|-
 +
| Push Options || Nothing selected
 +
|-
 +
| Redirect gateway || Nothing selected
 +
|-
 +
| Register DNS || ☐
 +
|-
 +
| DNS Default Domain || xinux.org
 +
|-
 +
| DNS Domain search list ||
 +
|-
 +
| DNS Servers || 10.81.0.2
 +
|-
 +
| NTP Servers ||
 +
|}
  
 
=Firewall Regeln=
 
=Firewall Regeln=
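Review bot: the instance table documents only the lower half of the form (group enforcement, networks, DNS push) and omits the rows that tie the instance to what the page set up earlier: the authentication server "openvpn-user", the server certificate and its CA, the TLS key "unser-key" in crypt mode, and the listen protocol/port that the WAN rule and the client export assume (udp/1194). Add those rows, otherwise the page never shows where the LDAP backend is selected. Also worth a sentence: "Strict User/CN Matching || ☐" is the right choice when users log in with LDAP credentials only, but should be enabled if per-user client certificates are issued, since it rejects a certificate whose common name does not match the login name.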
Zeile 161: Zeile 208:
 
***WAN
 
***WAN
 
****+
 
****+
[[Datei:Opnsense-openvpn-7.png|800px]]
+
{| class="wikitable"
 +
! Feld !! Wert
 +
|-
 +
| Action || Pass
 +
|-
 +
| Disabled || ☐
 +
|-
 +
| Quick || ☑ (Apply the action immediately on match)
 +
|-
 +
| Interface || WAN
 +
|-
 +
| Direction || in
 +
|-
 +
| TCP/IP Version || IPv4
 +
|-
 +
| Protocol || UDP
 +
|-
 +
| Source Invert || ☐
 +
|-
 +
| Source || any
 +
|-
 +
| Destination Invert || ☐
 +
|-
 +
| Destination || WAN address
 +
|-
 +
| Destination port range || OpenVPN → OpenVPN
 +
|-
 +
| Log || ☐
 +
|-
 +
| Category ||
 +
|-
 +
| Description ||
 +
|-
 +
| No XMLRPC Sync ||
 +
|-
 +
| Schedule || none
 +
|-
 +
| Gateway || default
 +
|}
 +
 
 
;OpenVPN
 
;OpenVPN
 
*Firewall
 
*Firewall
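Review bot: the WAN rule in this hunk passes udp/OpenVPN from Source "any" to "WAN address" with "Description ||" empty and "Log || ☐" unchecked; give the rule a description so it is identifiable in the rule set, and consider enabling Log on this single rule, since it is the only externally reachable service the page creates and logged hits are the simplest way to see connection attempts in the firewall log. The remaining rows ("Quick ☑", "Schedule none", "Gateway default", empty "No XMLRPC Sync") are the form defaults and are fine as shown.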
Zeile 167: Zeile 253:
 
***OpenVPN
 
***OpenVPN
 
****+
 
****+
[[Datei:Opnsense-openvpn-8.png|800px]]
+
{| class="wikitable"
 +
! Feld !! Wert
 +
|-
 +
| Action || Pass
 +
|-
 +
| Disabled || ☐
 +
|-
 +
| Quick || ☑ (Apply the action immediately on match)
 +
|-
 +
| Interface || OpenVPN
 +
|-
 +
| Direction || in
 +
|-
 +
| TCP/IP Version || IPv4
 +
|-
 +
| Protocol || any
 +
|-
 +
| Source Invert || ☐
 +
|-
 +
| Source || OpenVPN net
 +
|-
 +
| Destination Invert || ☐
 +
|-
 +
| Destination || any
 +
|-
 +
| Destination port range || any → any
 +
|}
 +
 
 
=Die Client Konfiguration exportieren=
 
=Die Client Konfiguration exportieren=
 
*VPN
 
*VPN
 
**OpenVPN
 
**OpenVPN
 
***Client Export
 
***Client Export
[[Datei:Opnsense-openvpn-9.png|800px]]
+
{| class="wikitable"
 +
! Feld !! Wert
 +
|-
 +
| Remote Access Server || Unser Server udp/1194
 +
|-
 +
| Export type || File Only
 +
|-
 +
| Hostname || opensense.it2xx.xinmen.de
 +
|-
 +
| Port || 1194
 +
|-
 +
| Use random local port || ☑
 +
|-
 +
| Validate server subject || ☑
 +
|-
 +
| Windows Certificate System Store || ☐
 +
|-
 +
| Disable password save || ☐
 +
|-
 +
| Custom config ||
 +
|-
 +
| Certificate || opnsense-cert (ausgewählt)
 +
|}
 +
 
  
  
  
 
*https://docs.opnsense.org/manual/how-tos/user-ldap.html
 
*https://docs.opnsense.org/manual/how-tos/user-ldap.html
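Review bot: the OpenVPN interface rule passes Protocol "any" from "OpenVPN net" to Destination "any", which is wider than the "Local Network 10.81.0.0/16" the instance pushes and also lets VPN clients reach the firewall itself and every other attached network; if VPN users only need 10.81.0.0/16, set Destination to that network (or to an alias of the hosts they need) instead of any. In the client export table "Certificate || opnsense-cert (ausgewählt)" refers to a certificate that is created nowhere on the page; the only certificate shown is openserver-cert, a server certificate, which must not be bundled into a client profile, so state where the client certificate comes from or whether the export is meant to carry none.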

Current revision as of 14 February 2026, 09:42

=Preliminaries=

*We should only ever use SSL/TLS.
*For that we must be able to resolve the DC by name.
*And we need its root certificate.

=The users come from the ADS=

*Users have either the attribute
**'''SamAccountName''' or '''uid'''

;A bind user and a group must exist in the domain:
;Bind user: ldapuser
OPNsense uses this account to connect to the DC.

*Group: vpnuser

Members of this group may use the VPN.

==Group: vpnuser==

{| class="wikitable"
! User !! Domain !! Group !! Password
|-
| tick || sec-labs.de || vpnuser || abcd1234$
|-
| trick || sec-labs.de || vpnuser || animoto-8
|-
| track || sec-labs.de || vpnuser || Aa123456.
|}

==Create the server==

*System
**Access
***Servers

{| class="wikitable"
! Field !! Value
|-
| Descriptive name || openvpn-user
|-
| Type || LDAP
|-
| Hostname or IP address || win2022.sec-labs.de
|-
| Port value || 636
|-
| Transport || SSL - Encrypted
|-
| Protocol version || 3
|-
| Bind credentials || cn=ldapuser,ou=Service,dc=sec-labs,dc=de
|-
| Password || 123Start$
|-
| Search scope || Entire Subtree
|-
| Base DN || dc=sec-labs,dc=de
|-
| Authentication containers || cn=users,dc=sec-labs,dc=de
|-
| Extended Query || memberOf=cn=vpnusers,cn=groups,dc=sec-labs,dc=de
|-
| User naming attribute || uid
|-
| Read properties ||
|-
| Synchronize groups ||
|-
| Constraint groups ||
|-
| Limit groups || Nothing selected
|-
| Automatic user creation ||
|-
| Match case insensitive ||
|}
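The preliminaries (name resolution, LDAPS only, the DC's root certificate) and the server table above can be checked from a shell before anything is typed into OPNsense. The script below is an added example and not part of the wiki page or of OPNsense: it takes host, DNs, group and naming attribute from the table, reads the bind password from the environment variable BIND_PW and the exported DC root certificate from CA_FILE (both assumed names), and needs the OpenLDAP client tools and openssl. It first verifies the TLS chain and host name on port 636, then binds as ldapuser and searches for one VPN user with the same container and group filter the firewall will apply.

```shell
#!/bin/sh
# Added example, not part of the wiki page: pre-flight checks for the LDAPS
# authentication server configured above, run from a host that can reach
# the DC before the values are typed into OPNsense.  Host, DNs, group and
# naming attribute are the ones from the table; the bind password comes
# from $BIND_PW and the DC's root certificate from $CA_FILE (assumed names).
# Requires the OpenLDAP client tools (ldapsearch) and openssl.

DC_HOST="win2022.sec-labs.de"
DC_PORT="636"
CA_FILE="${CA_FILE:-./dc-root-ca.pem}"
BIND_DN="cn=ldapuser,ou=Service,dc=sec-labs,dc=de"
AUTH_CONTAINER="cn=users,dc=sec-labs,dc=de"
GROUP_DN="cn=vpnusers,cn=groups,dc=sec-labs,dc=de"
NAMING_ATTR="uid"

# LDAP URI for the configured host and port (LDAPS, as the page requires).
build_uri() {
    printf 'ldaps://%s:%s' "$DC_HOST" "$DC_PORT"
}

# Filter equivalent to what OPNsense applies for one login attempt:
# naming attribute = login name AND the Extended Query (group membership).
build_filter() {
    printf '(&(%s=%s)(memberOf=%s))' "$NAMING_ATTR" "$1" "$GROUP_DN"
}

# Check 1 (preliminaries): the name resolves and the DC presents a certificate
# that chains to CA_FILE and carries the host name we connect to.
check_tls() {
    openssl s_client -connect "$DC_HOST:$DC_PORT" -servername "$DC_HOST" \
        -CAfile "$CA_FILE" -verify_hostname "$DC_HOST" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Check 2: bind as the service account and look up one VPN user with the
# same container and filter the firewall will use.
check_user() {
    LDAPTLS_CACERT="$CA_FILE" ldapsearch -LLL \
        -H "$(build_uri)" -D "$BIND_DN" -w "$BIND_PW" \
        -b "$AUTH_CONTAINER" -s sub "$(build_filter "$1")" dn "$NAMING_ATTR" memberOf
}

run_checks() {
    user="$1"
    if [ -z "$BIND_PW" ]; then
        echo "set BIND_PW to the bind user's password" >&2
        return 2
    fi
    if check_tls; then
        echo "TLS to $DC_HOST:$DC_PORT OK (chain and host name verified)"
    else
        echo "TLS check FAILED: verify DNS, the root certificate in $CA_FILE and the name in the DC certificate" >&2
        return 1
    fi
    if out=$(check_user "$user") && [ -n "$out" ]; then
        echo "bind OK, '$user' matches $(build_filter "$user"):"
        echo "$out"
    else
        echo "no entry for '$user' with $(build_filter "$user"): check bind DN/password, naming attribute and group DN" >&2
        return 1
    fi
}

# Usage: BIND_PW='...' CA_FILE=dc-root-ca.pem sh ldap-preflight.sh --run tick
case "${1:-}" in
    --run) run_checks "${2:?user name required}" ;;
esac
```

An empty result from the second check with a successful bind is the symptom of a wrong group DN or naming attribute (for example vpnuser versus vpnusers, or uid not populated on the AD accounts); a bind error points at the bind DN or password instead.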

==Create a CA==

*System
**Trust
***Authorities
****+

{| class="wikitable"
! Field !! Value
|-
| Description || opnsense-xin-ca
|-
| Key type || RSA-2048
|-
| Digest Algorithm || SHA256
|-
| Issuer || self-signed
|-
| Lifetime (days) || 825
|-
| Country Code || Germany
|-
| State or Province ||
|-
| City ||
|-
| Organization ||
|-
| Organizational Unit ||
|-
| Email Address ||
|-
| Common Name || opnsense-xin-ca
|-
| OCSP uri ||
|}
OCSP uri

==Create a certificate for the OpenVPN server==

*System
**Trust
***Certificates
****+

{| class="wikitable"
! Field !! Value
|-
| Method || Create an internal Certificate
|-
| Description || openserver-cert
|-
| Type || Server Certificate
|-
| Private key location || Save on this firewall
|-
| Key type || RSA-2048
|-
| Digest Algorithm || SHA256
|-
| Issuer || opnsense-xin-ca
|-
| Lifetime (days) || 1825
|-
| Country Code || Germany
|-
| State or Province ||
|-
| City ||
|-
| Organization ||
|-
| Organizational Unit ||
|-
| Email Address ||
|-
| Common Name || opnsense-zw.tuxmen.de
|-
| OCSP uri ||
|}

=Configuration=

==Generate a static key==

*VPN
**OpenVPN
***Instances
****Static Keys
*****+

We choose crypt (encrypt and authenticate) rather than auth as the key mode.

*Click the gear icon

{| class="wikitable"
! Field !! Value
|-
| Description || unser-key
|-
| Mode || crypt (Encrypt and authenticate)
|-
| Static Key || # 2048 bit OpenVPN static key … (BEGIN/END OpenVPN Static key V1)
|}

;Configure the server
*VPN
**OpenVPN
***Instances
****Instances
*****+

{| class="wikitable"
! Field !! Value
|-
| Enforce local group || None
|-
| Strict User/CN Matching || ☐
|-
| Renegotiate time ||
|-
| Auth Token Lifetime ||
|-
| Local Network || 10.81.0.0/16
|-
| Remote Network ||
|-
| Options || Nothing selected
|-
| Push Options || Nothing selected
|-
| Redirect gateway || Nothing selected
|-
| Register DNS || ☐
|-
| DNS Default Domain || xinux.org
|-
| DNS Domain search list ||
|-
| DNS Servers || 10.81.0.2
|-
| NTP Servers ||
|}

=Firewall rules=

;WAN
*Firewall
**Rules
***WAN
****+

{| class="wikitable"
! Field !! Value
|-
| Action || Pass
|-
| Disabled || ☐
|-
| Quick || ☑ (Apply the action immediately on match)
|-
| Interface || WAN
|-
| Direction || in
|-
| TCP/IP Version || IPv4
|-
| Protocol || UDP
|-
| Source Invert || ☐
|-
| Source || any
|-
| Destination Invert || ☐
|-
| Destination || WAN address
|-
| Destination port range || OpenVPN → OpenVPN
|-
| Log || ☐
|-
| Category ||
|-
| Description ||
|-
| No XMLRPC Sync ||
|-
| Schedule || none
|-
| Gateway || default
|}

;OpenVPN
*Firewall
**Rules
***OpenVPN
****+

{| class="wikitable"
! Field !! Value
|-
| Action || Pass
|-
| Disabled || ☐
|-
| Quick || ☑ (Apply the action immediately on match)
|-
| Interface || OpenVPN
|-
| Direction || in
|-
| TCP/IP Version || IPv4
|-
| Protocol || any
|-
| Source Invert || ☐
|-
| Source || OpenVPN net
|-
| Destination Invert || ☐
|-
| Destination || any
|-
| Destination port range || any → any
|}

=Export the client configuration=

*VPN
**OpenVPN
***Client Export

{| class="wikitable"
! Field !! Value
|-
| Remote Access Server || Unser Server udp/1194
|-
| Export type || File Only
|-
| Hostname || opensense.it2xx.xinmen.de
|-
| Port || 1194
|-
| Use random local port || ☑
|-
| Validate server subject || ☑
|-
| Windows Certificate System Store || ☐
|-
| Disable password save || ☐
|-
| Custom config ||
|-
| Certificate || opnsense-cert (selected)
|}
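Before an exported profile is handed to a user it is worth checking that it really carries what the export settings above promise: udp/1194 to the server host name, a random local port (nobind), server subject validation (verify-x509-name together with remote-cert-tls), a login prompt for the LDAP credentials (auth-user-pass) and a tls-crypt block from the crypt-mode static key. The script below is an added example, not part of the wiki page and not OPNsense's exporter; the sample profile it writes is constructed to mirror the settings on this page and is not a file OPNsense produced.

```shell
#!/bin/sh
# Added example, not part of the wiki page: check an exported OpenVPN client
# profile (.ovpn) before handing it out.  The expected directives follow from
# the export settings above: udp/1194 to the server host name, "Use random
# local port" (nobind), "Validate server subject" (verify-x509-name plus
# remote-cert-tls), an LDAP login prompt (auth-user-pass) and the tls-crypt
# block that the "crypt" static key produces.  The sample written by
# write_sample_profile is constructed for this example, not OPNsense output.

# Write a constructed sample profile that mirrors the settings on the page.
write_sample_profile() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote opensense.it2xx.xinmen.de 1194
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name "opnsense-zw.tuxmen.de" name
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
(placeholder for the opnsense-xin-ca certificate)
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
(placeholder for the unser-key static key)
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
}

# Report missing hardening directives and dangerous extras.
# Prints "OK: <file>" and returns 0 when the profile is as expected,
# otherwise prints MISSING:/PROBLEM: lines and returns 1.
check_profile() {
    f="$1"
    missing=""
    for d in remote nobind remote-cert-tls verify-x509-name tls-crypt auth-user-pass; do
        # directives appear either bare ("nobind") or as inline blocks ("<tls-crypt>")
        grep -Eq "^<?$d([ >]|$)" "$f" || missing="$missing $d"
    done
    bad=""
    # "auth-user-pass <file>" makes OpenVPN read the LDAP password from a file
    # next to the profile instead of prompting for it.
    grep -Eq '^auth-user-pass +[^ ]' "$f" && bad="$bad stored-credentials"
    # tls-auth only authenticates the control channel; the page chose crypt.
    grep -q '^<tls-auth>' "$f" && bad="$bad tls-auth-instead-of-tls-crypt"
    if [ -z "$missing" ] && [ -z "$bad" ]; then
        echo "OK: $f"
        return 0
    fi
    [ -n "$missing" ] && echo "MISSING:$missing"
    [ -n "$bad" ] && echo "PROBLEM:$bad"
    return 1
}

# Usage: sh check-ovpn.sh --check user.ovpn
#        sh check-ovpn.sh --demo   (writes the sample profile and checks it)
case "${1:-}" in
    --check) check_profile "${2:?profile path required}" ;;
    --demo)  t=$(mktemp -d); write_sample_profile "$t/sample.ovpn"; check_profile "$t/sample.ovpn" ;;
esac
```

A profile that fails the verify-x509-name check will still connect, but the client would then accept any server certificate signed by opnsense-xin-ca, which is why the export ticks "Validate server subject".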