LAB Linux in Heterogeneous Networks: OpenVPN with LDAP User Authentication
Revision as of 6 October 2024, 14:20 by Thomas.will (section: On the domain controller)
Installation on the firewall
- sudo apt install openvpn openvpn-auth-ldap
On the domain controller
- Create the group vpnuser (the auth-ldap.conf further down filters on a group named homeoffice; pick one name and use it in both places)
- Add the users who are allowed to use the VPN to that group
- Create the service account vpnservice that OpenVPN binds with (auth-ldap.conf further down binds as CN=openvpn; again the names must match). A plain domain user is sufficient: it only has to read user objects and their group membership and needs no admin rights.
Server
Create DH parameters
- cd /etc/openvpn
- openssl dhparam -out dh2048.pem 2048
- We need a ca.crt, an openvpn.crt and an openvpn.key (the server config below refers to them as openvpn-ca.crt, openvpn-linux.crt and openvpn-linux.key; the file names must match the ca/cert/key directives, whichever naming you choose).
- The CA can be created, for example, as follows. Note that this only produces the CA; the server certificate and key still have to be issued and signed by this CA.
- openssl genrsa -aes256 -out ca.key 4096
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
- openssl req -new -key ca.key -x509 -days 3650 -out ca.crt
Enter pass phrase for ca.key:
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:lab34-ca
Email Address []:.
A single dot leaves a field empty, so only the Common Name lab34-ca is set. The passphrase-protected ca.key is needed only when signing certificates; keep it, and the passphrase, off the firewall if you can, because anyone holding it can issue a certificate that clients will accept as the VPN server.
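The page stops after creating the CA. The script below is an added example, not part of the wiki page, that carries the procedure through: it creates the encrypted CA key and certificate, a server key and a server certificate signed by the CA with a serverAuth extended key usage, the DH parameters, and then verifies the chain. The server name neo.harirbo.net (the remote in the client config on this page) as certificate CN/SAN, the output directory, and the CA_PASS and RUN_PKI variables are assumptions; the file names follow the ca.crt/openvpn.crt/openvpn.key naming above, so either rename them or adjust the ca/cert/key lines of the server config.

```shell
#!/bin/sh
# Added example (not the wiki's own script): PKI bootstrap for the OpenVPN server.
# Assumptions not taken from the page: SERVER_CN, PKI_DIR, and that the CA
# passphrase is exported in CA_PASS so the script can run unattended.
set -eu

CA_CN="lab34-ca"                            # CA common name used on the page
SERVER_CN="${SERVER_CN:-neo.harirbo.net}"   # assumption: the VPN server's name
PKI_DIR="${PKI_DIR:-/etc/openvpn}"          # assumption: where the files go

# Encrypted CA key (mode 0600 via umask) and a self-signed CA certificate.
# 'req -x509' marks it CA:TRUE; the passphrase is read from $CA_PASS.
make_ca() {
    dir=$1; bits=${2:-4096}
    : "${CA_PASS:?export CA_PASS with the CA passphrase first}"
    ( umask 077; openssl genrsa -aes256 -passout env:CA_PASS -out "$dir/ca.key" "$bits" )
    openssl req -new -x509 -days 3650 -key "$dir/ca.key" -passin env:CA_PASS \
        -subj "/CN=$CA_CN" -out "$dir/ca.crt"
}

# Server key + CSR, signed by the CA. The serverAuth EKU is what lets clients
# enforce 'remote-cert-tls server', so a leaked client-side cert cannot pose
# as the server.
make_server_cert() {
    dir=$1; bits=${2:-2048}
    ( umask 077; openssl genrsa -out "$dir/openvpn.key" "$bits" )
    openssl req -new -key "$dir/openvpn.key" -subj "/CN=$SERVER_CN" -out "$dir/openvpn.csr"
    printf '%s\n' \
        'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        "subjectAltName=DNS:$SERVER_CN" > "$dir/server.ext"
    openssl x509 -req -days 825 -in "$dir/openvpn.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin env:CA_PASS -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/openvpn.crt"
}

# Same DH parameters as on the page (slow; run once).
make_dh() { openssl dhparam -out "$1/dh2048.pem" 2048; }

# Checks a practitioner runs before starting openvpn: does the server cert
# chain to the CA, and does it carry the serverAuth EKU?
verify_chain() { openssl verify -CAfile "$1/ca.crt" "$1/openvpn.crt" >/dev/null; }
has_server_eku() {
    openssl x509 -in "$1/openvpn.crt" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Usage: CA_PASS='...' RUN_PKI=1 sh mkpki.sh
if [ "${RUN_PKI:-0}" = 1 ]; then
    mkdir -p "$PKI_DIR"
    make_ca "$PKI_DIR"
    make_server_cert "$PKI_DIR"
    make_dh "$PKI_DIR"
    verify_chain "$PKI_DIR" && has_server_eku "$PKI_DIR" && echo "PKI ready in $PKI_DIR"
fi
```

The two check functions are the ones worth keeping around: a server certificate that verifies against ca.crt but lacks the serverAuth EKU will be rejected by every client that has `remote-cert-tls server` set, which is exactly the setting the client config below should carry.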
Server Config
- vi /etc/openvpn/homeoffice.conf
# /etc/openvpn/homeoffice.conf (started as openvpn@homeoffice under systemd)
dev tun
# 'server' below already implies mode server and tls-server; the two lines are redundant but harmless
mode server
tls-server
port 1194
topology subnet
server 172.31.2.0 255.255.255.0
push "route 172.26.52.0 255.255.252.0"
push "dhcp-option DOMAIN lab34.linuggs.de"
push "dhcp-option DNS 172.26.54.2"
# OpenVPN 2.5 and later negotiate the data-channel cipher via data-ciphers; 'cipher' only matters for older clients
cipher AES-256-CBC
link-mtu 1542
# better placed under /run/openvpn than in world-writable /tmp
status /tmp/cool-vpn.status
keepalive 10 30
client-to-client
max-clients 150
verb 3
dh /etc/openvpn/dh2048.pem
ca /etc/openvpn/openvpn-ca.crt
cert /etc/openvpn/openvpn-linux.crt
key /etc/openvpn/openvpn-linux.key
# clients authenticate with user name and password only, no client certificate;
# the original 'client-cert-not-required' is the deprecated spelling of this directive
verify-client-cert none
# compression inside the tunnel enables compression-oracle attacks (VORACLE); drop it on both sides if you can
compress
persist-key
persist-tun
# relative to /etc/openvpn, the working directory of the systemd unit
client-config-dir client
# the LDAP user name becomes the client's common name, so ccd files and the status file use it
username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf login
# not required for the plugin: script-security governs external scripts only, and level 3 passes
# passwords to such scripts through the environment, so use the lowest level that still works for you
script-security 3
auth-ldap.conf
<LDAP>
	# ldaps:// is implicit TLS on port 636; TLSEnable switches on STARTTLS for a plain ldap:// URL, so it stays off here
	URL ldaps://mero.vulkan.int
	# the bind account created on the domain controller (called vpnservice above; the names must match)
	BindDN "CN=openvpn,CN=Users,DC=vulkan,DC=int"
	# stored in clear text: the file must be owned by root with mode 0600
	Password "W!rkl1cHs3HrG3he!m"
	Timeout 15
	TLSEnable no
	# Follow LDAP Referrals (anonymously)
	FollowReferrals no
	# TLS CA Certificate File: must be the CA that issued the domain controller's LDAPS certificate,
	# which is normally not the OpenVPN CA referenced here; with the wrong CA the bind fails and nobody can log in
	TLSCACertFile /etc/openvpn/openvpn-ca.crt
</LDAP>
<Authorization>
	BaseDN "dc=vulkan,dc=int"
	# %u is replaced by the login name; memberOf matches direct membership only, not nested groups
	SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=homeoffice,CN=Users,DC=vulkan,DC=int))"
	# the group restriction is already part of the filter, so no separate <Group> block is required
	RequireGroup false
</Authorization>
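Before pointing OpenVPN at the directory it pays to test the LDAPS trust, the bind account and the search filter on their own, because a failure inside the plugin only shows up as a rejected login. The script below is an added example, not from the wiki page, that does this with the OpenLDAP client tools and openssl. It also shows the RFC 4515 escaping a login name needs before it is substituted into a filter, which is the one part that can be checked offline. The CA file for the domain controller's certificate (DC_CA) and the bind-password file (BIND_PW_FILE) are assumptions; URL, bind DN, base DN and group DN are the values from auth-ldap.conf above.

```shell
#!/bin/sh
# Added example (not part of the wiki page): exercise the settings from
# auth-ldap.conf with ldapsearch/openssl instead of through OpenVPN.
# Assumptions not taken from the page: DC_CA and BIND_PW_FILE.
set -eu

LDAP_URL="ldaps://mero.vulkan.int"
BIND_DN="CN=openvpn,CN=Users,DC=vulkan,DC=int"
BASE_DN="dc=vulkan,dc=int"
VPN_GROUP_DN="CN=homeoffice,CN=Users,DC=vulkan,DC=int"
DC_CA="${DC_CA:-/etc/openvpn/dc-ca.crt}"               # assumption: CA of the DC's LDAPS cert
BIND_PW_FILE="${BIND_PW_FILE:-/etc/openvpn/ldap.pw}"   # assumption: bind password, mode 0600

# RFC 4515 escaping for a value placed into a filter. Without it a "user name"
# such as '*)(objectClass=*' turns the sAMAccountName test into a wildcard.
# Backslash is escaped first so the later replacements are not double-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The SearchFilter from auth-ldap.conf with %u filled in, escaping applied here.
build_search_filter() {
    printf '(&(sAMAccountName=%s)(memberOf=%s))' "$(ldap_filter_escape "$1")" "$VPN_GROUP_DN"
}

# 1. Does the domain controller's LDAPS certificate chain to DC_CA? (needs network)
check_ldaps_trust() {
    host=${LDAP_URL#ldaps://}
    openssl s_client -connect "$host:636" -CAfile "$DC_CA" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# 2. Can the service account bind, and how many entries does the filter match
#    for the given login name? Exactly one means the login would succeed. (needs network)
check_vpn_user() {
    LDAPTLS_CACERT="$DC_CA" ldapsearch -LLL -o ldif-wrap=no -H "$LDAP_URL" \
        -D "$BIND_DN" -y "$BIND_PW_FILE" -b "$BASE_DN" "$(build_search_filter "$1")" dn \
        | grep -c '^dn: ' || true
}

# Usage: sh ldapcheck.sh <login name>
if [ "${1:-}" != "" ]; then
    check_ldaps_trust && echo "LDAPS trust OK"
    n=$(check_vpn_user "$1")
    echo "$1: $n matching entries"
fi
```

A count of zero for a user who is in the group usually means the group DN or the sAMAccountName is wrong; a bind error with a correct password usually means the CA file is wrong, which is the same mistake the TLSCACertFile comment above warns about.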
Client
Client Config
# the server above listens on 1194; the original 'port 5000' sets both local and remote port
# and only works if something forwards 5000 to 1194 on the way to the firewall
remote neo.harirbo.net 1194
dev tun0
tls-client
cipher AES-256-CBC
link-mtu 1542
mssfix 1450
pull
compress
verb 3
# prompt for the AD user name and password; they are sent inside the TLS channel
auth-user-pass
# with no client certificate, the CA check plus this serverAuth EKU check is all that stops a rogue server
remote-cert-tls server
# tells the client it has no certificate to present (pairs with verify-client-cert none on the server)
setenv CLIENT_CERT 0
<ca>
-----BEGIN CERTIFICATE-----
place your cacert here
-----END CERTIFICATE-----
</ca>