LAB Linux in heterogeneous networks: OpenVPN with LDAP user authentication

From Xinux Wiki

Installation on the firewall

  • sudo apt install openvpn openvpn-auth-ldap

For testing

  • sudo apt install ldap-utils

On the domain controller

  • Create the group vpnuser
  • Add the users who should be allowed to use the VPN
  • Create the user vpnservice

Server

Create DH key

  • cd /etc/openvpn
  • openssl dhparam -out dh2048.pem 2048

Certificates

  • We need a ca.crt, a firewall.lab34.linuggs.de.crt and a firewall.lab34.linuggs.de.key
  • This can be done, for example, like this:

Certificates for openvpn

Server config

  • vi /etc/openvpn/homeoffice.conf
dev tun
mode server
tls-server
port 1194
topology subnet
server 172.31.2.0 255.255.255.0
push "route 172.26.52.0 255.255.252.0"
push "dhcp-option DOMAIN lab34.linuggs.de"
push "dhcp-option DNS  172.26.54.2"
cipher AES-256-CBC
link-mtu 1542
status /tmp/cool-vpn.status
keepalive 10 30
client-to-client
max-clients 150
verb 3
dh /etc/openvpn/dh2048.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/firewall.lab34.linuggs.de.crt
key /etc/openvpn/firewall.lab34.linuggs.de.key
verify-client-cert none
compress
persist-key
persist-tun
client-config-dir client
username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf login
script-security 3

We need the CA certificate of the Active Directory

Obtain it somehow
  • cp /home/kit/lab34-ca.cer /etc/openvpn/lab34-ca.crt
  • cp /home/kit/lab34-ca.cer /etc/ldap/lab34-ca.crt

Minor adjustments

We must be able to resolve the domain controller
  • cat /etc/resolv.conf
nameserver 172.26.54.2
nameserver 2a02:24d8:71:3036::2
search lab34.linuggs.de
For testing the LDAP connection
  • cat /etc/ldap/ldap.conf
BASE    dc=lab34,dc=linuggs,dc=de
URI     ldaps://win2022.lab34.linuggs.de
LDAPDEBUG 1
TLS_CACERT    /etc/ldap/lab34-ca.crt

Which groups is Rudi in?

  • ldapsearch -LLL -x -D cn=vpnservice,cn=Users,dc=lab34,dc=linuggs,dc=de -w 12345-Xinux -b dc=lab34,dc=linuggs,dc=de "(cn=rudi)" memberOf
dn: CN=rudi,CN=Users,DC=lab34,DC=linuggs,DC=de
memberOf: CN=vpnuser,CN=Users,DC=lab34,DC=linuggs,DC=de
memberOf: CN=mailuser,CN=Users,DC=lab34,DC=linuggs,DC=de
memberOf: CN=gg_wiki,CN=Users,DC=lab34,DC=linuggs,DC=de

auth-ldap.conf

<LDAP>
        URL             ldaps://win2022.lab34.linuggs.de
        BindDN          "cn=vpnservice,cn=Users,dc=lab34,dc=linuggs,dc=de"
        Password        "12345-Xinux"
        Timeout         15
        TLSEnable       no
        FollowReferrals no
        TLSCACertFile   /etc/openvpn/lab34-ca.crt
</LDAP>

<Authorization>
        BaseDN          "dc=lab34,dc=linuggs,dc=de"
        SearchFilter   "(&(sAMAccountName=%u)(memberOf=CN=vpnuser,CN=Users,DC=lab34,DC=linuggs,DC=de))"
        RequireGroup    false
</Authorization>
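The SearchFilter above authorises a login only if the user's entry carries a memberOf value for the vpnuser group, which is what the ldapsearch test above inspects by hand. The following shell snippet is an added example, not part of the wiki page, that performs the same direct-membership decision on ldapsearch -LLL output so the check can be scripted before auth-ldap.conf is changed. It unfolds LDIF continuation lines (ldapsearch wraps long attribute values onto a following line that starts with a space, which a plain grep for the DN misses) and compares DNs case-insensitively, as Active Directory does. The LDIF text and the long group name are constructed sample data. Note that memberOf= in the filter, like this check, matches direct membership only; a user who is in vpnuser only through a nested group is rejected.

```shell
#!/bin/sh
# Constructed ldapsearch -LLL output (sample data, not captured from the page's
# domain controller). The last memberOf value is deliberately longer than 76
# characters, so LDIF folds it: the continuation line starts with one space.
LDIF='dn: CN=rudi,CN=Users,DC=lab34,DC=linuggs,DC=de
memberOf: CN=vpnuser,CN=Users,DC=lab34,DC=linuggs,DC=de
memberOf: CN=mailuser,CN=Users,DC=lab34,DC=linuggs,DC=de
memberOf: CN=some-long-group-name-for-the-example,CN=Users,DC=lab34,DC=linugg
 s,DC=de
'

# unfold_ldif: join LDIF continuation lines (leading space) onto the preceding line.
unfold_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    '
}

# norm_dn DN: lower-case the DN and drop blanks around commas, so
# "CN=vpnuser, CN=Users, ..." and "cn=VPNUSER,cn=users,..." compare equal
# (Active Directory treats DNs and attribute types case-insensitively).
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[[:space:]]*,[[:space:]]*/,/g'
}

# user_in_group LDIF GROUP_DN: exit 0 if an unfolded memberOf value equals
# GROUP_DN, i.e. the user would pass the SearchFilter's memberOf= term
# (direct membership only, exactly like the filter itself).
user_in_group() {
    want=$(norm_dn "$2")
    printf '%s\n' "$1" | unfold_ldif | awk -v want="$want" '
        tolower($1) == "memberof:" {
            val = $0
            sub(/^[^:]*:[ \t]*/, "", val)        # strip "memberOf: "
            gsub(/[ \t]*,[ \t]*/, ",", val)      # normalise blanks around commas
            if (tolower(val) == want) { hit = 1; exit }
        }
        END { exit hit ? 0 : 1 }
    '
}

# Stand-alone usage. On the firewall, pipe the ldapsearch command from above
# into unfold_ldif instead of using the constructed $LDIF.
for g in vpnuser admins some-long-group-name-for-the-example; do
    dn="CN=$g,CN=Users,DC=lab34,DC=linuggs,DC=de"
    if user_in_group "$LDIF" "$dn"; then
        echo "rudi is a member of $g -> passes the SearchFilter"
    else
        echo "rudi is not a member of $g -> rejected"
    fi
done
```

The awk `exit` inside the rule jumps to the END block, so the first matching memberOf value decides the result; a missing attribute, a DN that differs in any component, or a group the user reaches only via nesting all yield exit status 1.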

Client

Client config

  • vi /etc/openvpn/client.ovpn
port 1194
dev tun0
remote 172.30.34.14
tls-client
cipher AES-256-CBC
link-mtu 1542
mssfix 1450
pull
compress
verb 3
auth-user-pass
setenv CLIENT_CERT 0
<ca>
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
</ca>
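Taken together, the server config, the client config and auth-ldap.conf above decide who can reach the VPN: verify-client-cert none moves all client authentication to the LDAP plugin, the client config has no remote-cert-tls server line (hence the warning OpenVPN prints in the first test below), compression is switched on, and auth-ldap.conf holds the bind password in clear text. The following shell script is an added example, not from the wiki, that lints those three files for exactly these points. It writes trimmed, constructed copies of the page's configs to a temporary directory so it runs offline; the bind password in the copy is a placeholder, and on the firewall you would point lint_ovpn at the real files under /etc/openvpn instead.

```shell
#!/bin/sh
# Constructed sample files (not the wiki's own): trimmed copies of the server
# config, the client config and auth-ldap.conf from this page, written to a
# temp dir so the lint runs offline.
tmp=$(mktemp -d)
cat > "$tmp/homeoffice.conf" <<'EOF'
dev tun
mode server
tls-server
port 1194
cipher AES-256-CBC
compress
verify-client-cert none
username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf login
EOF
cat > "$tmp/client.ovpn" <<'EOF'
port 1194
dev tun0
remote 172.30.34.14
tls-client
cipher AES-256-CBC
compress
auth-user-pass
EOF
cat > "$tmp/auth-ldap.conf" <<'EOF'
<LDAP>
        BindDN          "cn=vpnservice,cn=Users,dc=lab34,dc=linuggs,dc=de"
        Password        "placeholder-bind-password"
</LDAP>
EOF
chmod 644 "$tmp/auth-ldap.conf"   # deliberately world-readable to trigger the finding

# opt_val FILE DIRECTIVE: print the first argument of DIRECTIVE (empty if absent).
opt_val() {
    awk -v opt="$2" '$1 == opt { print $2; exit }' "$1"
}

# has_opt FILE DIRECTIVE: true if DIRECTIVE occurs as the first word of a line.
has_opt() {
    awk -v opt="$2" '$1 == opt { f = 1 } END { exit f ? 0 : 1 }' "$1"
}

# lint_ovpn FILE: print one finding per line for the settings that matter on this page.
lint_ovpn() {
    f=$1
    if has_opt "$f" tls-client && ! has_opt "$f" remote-cert-tls; then
        echo "WARN: no 'remote-cert-tls server': any certificate signed by the CA is accepted as the server (the MITM warning in the client log)"
    fi
    if [ "$(opt_val "$f" verify-client-cert)" = none ]; then
        if has_opt "$f" plugin; then
            echo "NOTE: 'verify-client-cert none': clients are identified only by the LDAP username/password"
        else
            echo "WARN: 'verify-client-cert none' without an auth plugin: anyone holding the CA cert could connect"
        fi
    fi
    if has_opt "$f" compress && [ "$(opt_val "$f" compress)" != migrate ]; then
        echo "WARN: compression framing enabled; prefer 'compress migrate' or no compression (OpenVPN 2.6 disables DCO because of it)"
    fi
    if has_opt "$f" cipher && ! has_opt "$f" data-ciphers; then
        echo "INFO: only 'cipher AES-256-CBC' set; add 'data-ciphers AES-256-GCM:AES-128-GCM' so 2.5+ peers negotiate an AEAD cipher"
    fi
    if has_opt "$f" Password && find "$f" -perm -004 | grep -q .; then
        echo "WARN: $f contains a bind password but is world-readable; chmod 600 it"
    fi
}

# lint_count FILE: number of findings, for scripting.
lint_count() {
    lint_ovpn "$1" | wc -l | tr -d ' '
}

# Stand-alone usage over the constructed copies.
for f in "$tmp/homeoffice.conf" "$tmp/client.ovpn" "$tmp/auth-ldap.conf"; do
    echo "== $f"
    lint_ovpn "$f"
done
```

The checks only look at the first word of each line, so directives inside `<ca>` blocks or comments are not confused with real settings; `remote-cert-tls` and `data-ciphers` are standard OpenVPN directives (the latter since 2.5).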

First test

firewall
  • openvpn --config /etc/openvpn/homeoffice.conf
2024-10-06 17:00:15 Note: '--allow-compression' is not set to 'no', disabling data channel offload.
2024-10-06 17:00:15 Consider using the '--compress migrate' option.
...
...
2024-10-06 17:01:37 IFCONFIG POOL IPv4: base=172.31.2.2 size=253
2024-10-06 17:01:37 Initialization Sequence Complete
client
  • sudo openvpn --config client.ovpn
2024-10-06 17:14:04 Note: '--allow-compression' is not set to 'no', disabling data channel offload.
2024-10-06 17:14:04 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2024-10-06 17:14:04 library versions: OpenSSL 3.0.14 4 Jun 2024, LZO 2.10
2024-10-06 17:14:04 DCO version: N/A
Enter Auth Username: rudi
Enter Auth Password: ***********
2024-10-06 17:14:10 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2024-10-06 17:14:10 TCP/UDP: Preserving recently used remote address: [AF_INET]172.30.34.14:1194
...
...
...
2024-10-06 17:14:10 Initialization Sequence Completed

Next steps

  • Install a graphical client on Windows or Linux and test it