OPNsense OpenVPN

From Xinux Wiki

=Preliminaries=
*We should always use SSL/TLS only
*For that we must be able to resolve the DC by name.
*And we need its root certificate

=The users come from the AD=
*Users have either the attribute
**'''SamAccountName''' or '''uid'''
;A bind user and a group must exist in the domain:
;Bind user: ldapuser
OPNsense connects to the DC with this account
*Group: vpnuser
Members of this group may use the VPN.
==Group: vpnuser==
{| class="wikitable"
! User !! Domain !! Group !! Password
|-
| tick  || sec-labs.de || vpnuser  || abcd1234$
|-
| trick  || sec-labs.de || vpnuser  || animoto-8
|-
| track  || sec-labs.de || vpnuser  || Aa123456.
|}

==Create the authentication server==
*System
**Access
***Servers

{| class="wikitable"
! Field !! Value
|-
| Descriptive name || openvpn-user
|-
| Type || LDAP
|-
| Hostname or IP address || win2022.sec-labs.de
|-
| Port value || 636
|-
| Transport || SSL - Encrypted
|-
| Protocol version || 3
|-
| Bind credentials || cn=ldapuser,ou=Service,dc=sec-labs,dc=de
|-
| Password || 123Start$
|-
| Search scope || Entire Subtree
|-
| Base DN || dc=sec-labs,dc=de
|-
| Authentication containers || cn=users,dc=sec-labs,dc=de
|-
| Extended Query || memberOf=cn=vpnusers,cn=groups,dc=sec-labs,dc=de
|-
| User naming attribute || uid
|-
| Read properties || ☑
|-
| Synchronize groups || ☑
|-
| Constraint groups || ☐
|-
| Limit groups || Nothing selected
|-
| Automatic user creation || ☐
|-
| Match case insensitive || ☐
|}
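Before the VPN goes live it pays to exercise exactly this LDAP configuration from a shell. The script below is an added example and is not part of the wiki page or of OPNsense: it assembles the search filter that the table's user naming attribute and extended query imply, escapes the login name as RFC 4515 requires, prints the <code>ldapsearch</code> command for a manual bind test over LDAPS, and checks that the CN in the extended query actually names the group. It assumes that OPNsense ANDs the extended query with the user lookup, and that the DC root certificate from the preliminaries has been saved as /usr/local/etc/ssl/dc-root.pem (a placeholder path chosen here). Note that the group created above is vpnuser while the extended query says vpnusers; the last function flags that kind of mismatch.

```shell
#!/bin/sh
# Added example, not from the Xinux wiki page or from OPNsense: build the
# search that the "Create the authentication server" table implies and the
# ldapsearch call an admin can run to verify LDAPS, bind user and group
# filter before the VPN is enabled. Assumed: OPNsense ANDs the extended
# query with the user lookup; the DC root certificate has been saved as
# /usr/local/etc/ssl/dc-root.pem (placeholder path).

LDAP_HOST="win2022.sec-labs.de"                       # values from the table
LDAP_PORT="636"
BIND_DN="cn=ldapuser,ou=Service,dc=sec-labs,dc=de"
SEARCH_BASE="cn=users,dc=sec-labs,dc=de"              # authentication container
USER_ATTR="uid"
EXTENDED_QUERY="memberOf=cn=vpnusers,cn=groups,dc=sec-labs,dc=de"
DC_ROOT_CERT="/usr/local/etc/ssl/dc-root.pem"         # assumed path

# RFC 4515 escaping. The login name is typed by the user, so the filter
# metacharacters must be hex-escaped before it is spliced into the filter;
# backslash goes first so the escapes themselves are not escaped again.
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter for one login: user lookup ANDed with the extended query
# (assumption about how OPNsense combines the two fields).
ldap_auth_filter() {
  printf '(&(%s=%s)(%s))' "$USER_ATTR" "$(ldap_escape "$1")" "$EXTENDED_QUERY"
}

# The ldapsearch invocation that exercises the same path: LDAPS on 636 with
# trust anchored on the DC root certificate, simple bind as the service user,
# subtree search of the container with the exact filter. -W prompts for the
# password so it never lands in the shell history. Printed, not executed.
ldapsearch_check_cmd() {
  printf 'LDAPTLS_CACERT=%s ldapsearch -H ldaps://%s:%s -D "%s" -W -b "%s" -s sub "%s" %s memberOf\n' \
    "$DC_ROOT_CERT" "$LDAP_HOST" "$LDAP_PORT" "$BIND_DN" "$SEARCH_BASE" \
    "$(ldap_auth_filter "$1")" "$USER_ATTR"
}

# The extended query must name the real group. The page creates "vpnuser"
# but the query says "vpnusers"; this returns 1 when the CN in the query
# differs from the group name given as $1 (compared case-insensitively,
# as AD does).
extended_query_names_group() {
  query_cn=$(printf '%s' "$EXTENDED_QUERY" | sed -n 's/^memberOf=cn=\([^,]*\),.*/\1/p')
  [ "$(printf '%s' "$query_cn" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" ]
}

ldapsearch_check_cmd tick
extended_query_names_group vpnuser ||
  echo "WARNING: extended query does not name group vpnuser; its members will be rejected" >&2
```

ldapsearch comes with the OpenLDAP client tools. If the printed search returns the user together with a memberOf attribute, the bind user, the TLS trust anchor and the container are right; if it returns nothing, compare the DN shown in the user's memberOf values with the extended query character by character.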

=Create the CA=
*System
**Trust
***Authorities
****+
{| class="wikitable"
! Field !! Value
|-
| Description || opnsense-xin-ca
|-
| Key type || RSA-2048
|-
| Digest Algorithm || SHA256
|-
| Issuer || self-signed
|-
| Lifetime (days) || 825
|-
| Country Code || Germany
|-
| State or Province ||
|-
| City ||
|-
| Organization ||
|-
| Organizational Unit ||
|-
| Email Address ||
|-
| Common Name || opnsense-xin-ca
|-
| OCSP uri ||
|}

=Create the certificate for the OpenVPN server=
*System
**Trust
***Certificates
****+
{| class="wikitable"
! Field !! Value
|-
| Method || Create an internal Certificate
|-
| Description || openserver-cert
|-
| Type || Server Certificate
|-
| Private key location || Save on this firewall
|-
| Key type || RSA-2048
|-
| Digest Algorithm || SHA256
|-
| Issuer || opnsense-xin-ca
|-
| Lifetime (days) || 1825
|-
| Country Code || Germany
|-
| State or Province ||
|-
| City ||
|-
| Organization ||
|-
| Organizational Unit ||
|-
| Email Address ||
|-
| Common Name || opnsense-zw.tuxmen.de
|-
| OCSP uri ||
|}

=Configuration=
;Generate a static key
*VPN
**OpenVPN
***Instances
****Static Keys
*****+
We choose crypt as the auth mode
*Click the gear icon to generate the key
{| class="wikitable"
! Field !! Value
|-
| Description || unser-key
|-
| Mode || crypt (Encrypt and authenticate)
|-
| Static Key || # 2048 bit OpenVPN static key … (BEGIN/END OpenVPN Static key V1)
|}
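The key in the Static Key field has a fixed layout, and a key that was truncated or re-wrapped while being pasted fails tls-crypt on one side only, which is hard to diagnose from the GUI. The script below is an added example, not from the wiki page or from the OpenVPN project: it produces a 2048-bit key in the "OpenVPN Static key V1" layout and validates such a file before it is pasted or copied to a client. OPNsense generates the key itself behind the gear icon; the generator here only exists so that the validator has realistic input and so that a key file taken from another server can be checked. It assumes POSIX dd, od, tr, fold and awk and a /dev/urandom device.

```shell
#!/bin/sh
# Added example, not from the Xinux wiki page or the OpenVPN project:
# generate a key in the "OpenVPN Static key V1" layout and validate one.
# Assumed: POSIX dd, od, tr, fold, awk and /dev/urandom.

KEY_BITS=2048
HEX_LINES=16            # 2048 bits = 256 bytes = 512 hex digits = 16 lines of 32
BEGIN='-----BEGIN OpenVPN Static key V1-----'
END='-----END OpenVPN Static key V1-----'

# Same layout as `openvpn --genkey secret`: three comment lines, BEGIN marker,
# 16 lines of 32 lowercase hex digits, END marker. Bytes come from the kernel
# CSPRNG; awk guarantees that every hex line is newline-terminated.
genkey_static_v1() {
  echo '#'
  echo "# $KEY_BITS bit OpenVPN static key"
  echo '#'
  echo "$BEGIN"
  dd if=/dev/urandom bs=$((KEY_BITS / 8)) count=1 2>/dev/null |
    od -An -v -tx1 | tr -d ' \n' | fold -w 32 | awk '{ print }'
  echo "$END"
}

# 0 when the file is a well-formed V1 key: both markers present and exactly
# $HEX_LINES lines of 32 hex digits between them, nothing else.
validate_static_v1() {
  file=$1
  grep -q "^$BEGIN\$" "$file" || return 1
  grep -q "^$END\$" "$file" || return 1
  body=$(sed -n "/^$BEGIN\$/,/^$END\$/p" "$file" | sed '1d;$d')
  lines=$(printf '%s\n' "$body" | wc -l | tr -d ' ')
  [ "$lines" -eq "$HEX_LINES" ] || return 1
  bad=$(printf '%s\n' "$body" | grep -vc '^[0-9a-fA-F]\{32\}$' || true)
  [ "$bad" -eq 0 ]
}

KEYFILE=$(mktemp)
genkey_static_v1 > "$KEYFILE"
chmod 600 "$KEYFILE"    # shared secret for tls-crypt: readable by its owner only
if validate_static_v1 "$KEYFILE"; then
  echo "$KEYFILE: well-formed $KEY_BITS-bit OpenVPN Static key V1"
else
  echo "$KEYFILE: not a valid static key" >&2
fi
```

Run the validator against the key as it appears in the server instance and in the exported client profile; both copies must pass and be byte-identical, because in crypt mode the same key both encrypts and authenticates the control channel on both ends.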

;Configure the server
*VPN
**OpenVPN
***Instances
****Instances
*****+
{| class="wikitable"
! Field !! Value
|-
| Enforce local group || None
|-
| Strict User/CN Matching || ☐
|-
| Renegotiate time ||
|-
| Auth Token Lifetime ||
|-
| Local Network || 10.81.0.0/16
|-
| Remote Network ||
|-
| Options || Nothing selected
|-
| Push Options || Nothing selected
|-
| Redirect gateway || Nothing selected
|-
| Register DNS || ☐
|-
| DNS Default Domain || xinux.org
|-
| DNS Domain search list ||
|-
| DNS Servers || 10.81.0.2
|-
| NTP Servers ||
|}

=Firewall rules=
;WAN
*Firewall
**Rules
***WAN
****+
{| class="wikitable"
! Field !! Value
|-
| Action || Pass
|-
| Disabled || ☐
|-
| Quick || ☑ (Apply the action immediately on match)
|-
| Interface || WAN
|-
| Direction || in
|-
| TCP/IP Version || IPv4
|-
| Protocol || UDP
|-
| Source Invert || ☐
|-
| Source || any
|-
| Destination Invert || ☐
|-
| Destination || WAN address
|-
| Destination port range || OpenVPN → OpenVPN
|-
| Log || ☐
|-
| Category ||
|-
| Description ||
|-
| No XMLRPC Sync ||
|-
| Schedule || none
|-
| Gateway || default
|}

;OpenVPN
*Firewall
**Rules
***OpenVPN
****+
[[Datei:Opnsense-openvpn-1.png]]
{| class="wikitable"
! Field !! Value
|-
| Action || Pass
|-
| Disabled || ☐
|-
| Quick || ☑ (Apply the action immediately on match)
|-
| Interface || OpenVPN
|-
| Direction || in
|-
| TCP/IP Version || IPv4
|-
| Protocol || any
|-
| Source Invert || ☐
|-
| Source || OpenVPN net
|-
| Destination Invert || ☐
|-
| Destination || any
|-
| Destination port range || any → any
|}

=Export the client configuration=
*VPN
**OpenVPN
***Client Export
{| class="wikitable"
! Field !! Value
|-
| Remote Access Server || Our server udp/1194
|-
| Export type || File Only
|-
| Hostname || opensense.it2xx.xinmen.de
|-
| Port || 1194
|-
| Use random local port || ☑
|-
| Validate server subject || ☑
|-
| Windows Certificate System Store || ☐
|-
| Disable password save || ☐
|-
| Custom config ||
|-
| Certificate || opnsense-cert (selected)
|}

*https://docs.opnsense.org/manual/how-tos/user-ldap.html

Current version as of 14 February 2026, 09:42
