Preliminaries
- We should always use SSL/TLS only
- For that we must be able to resolve the DC by name.
- And we need its root certificate
The users come from AD DS
- Users either have the attribute
- A bind user and a group must be created in the domain
  - Bind user: ldapuser (OPNsense uses this account to connect to the DC)
  - Group: vpnuser (members of this group may log in)

| User | Domain | Group | Password |
| --- | --- | --- | --- |
| tick | sec-labs.de | vpnuser | 123Start$ |
| trick | sec-labs.de | vpnuser | 123Start$ |
| track | sec-labs.de | vpnuser | 123Start$ |

Create the server
| Field | Value |
| --- | --- |
| Descriptive name | openvpn-user |
| Type | LDAP |
| Hostname or IP address | win2022.sec-labs.de |
| Port value | 636 |
| Transport | SSL - Encrypted |
| Protocol version | 3 |
| Bind credentials | cn=ldapuser,ou=Service,dc=sec-labs,dc=de |
| Password | 123Start$ |
| Search scope | Entire Subtree |
| Base DN | dc=sec-labs,dc=de |
| Authentication containers | cn=users,dc=sec-labs,dc=de |
| Extended Query | memberOf=cn=vpnusers,cn=groups,dc=sec-labs,dc=de |
| User naming attribute | uid |
| Read properties | ☑ |
| Synchronize groups | ☑ |
| Constraint groups | ☐ |
| Limit groups | Nothing selected |
| Automatic user creation | ☐ |
| Match case insensitive | ☐ |
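Before the VPN is pointed at this server, the three preliminaries (name resolution, LDAPS, the DC's root certificate) and the bind user, authentication container and extended query from the table are worth checking from a shell. The script below is an added example, not part of the original page and not OPNsense's own code. The way it joins the user naming attribute and the extended query into one filter is assumed to mirror what OPNsense's LDAP authenticator does; `dc-root.pem` and `bindpw.txt` are placeholder file names. `ldap_escape_filter` applies the RFC 4515 escaping for filter values, so a username typed into the login form cannot change the meaning of the filter (LDAP filter injection), which is the check a practitioner wants to see before trusting user-supplied names in a search.

```shell
#!/bin/sh
# Pre-flight checks for an OPNsense LDAP(S) authentication server (added example).
# Values are taken from the table on this page; the two file names are placeholders.
DC_HOST="win2022.sec-labs.de"
DC_PORT="636"
CA_FILE="dc-root.pem"            # placeholder: root certificate exported from the DC
BIND_DN="cn=ldapuser,ou=Service,dc=sec-labs,dc=de"
BIND_PW_FILE="bindpw.txt"        # placeholder: bind password, kept out of the process list
AUTH_CONTAINER="cn=users,dc=sec-labs,dc=de"
EXT_QUERY="memberOf=cn=vpnusers,cn=groups,dc=sec-labs,dc=de"
USER_ATTR="uid"

# Escape the characters RFC 4515 treats specially inside a filter value.
# Backslash is escaped first, otherwise the escapes added afterwards would be doubled.
ldap_escape_filter() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the search filter: (attr=user), ANDed with the extended query when one is set.
# Assumed to mirror how OPNsense combines "User naming attribute" and "Extended Query".
build_user_filter() {
    attr=$1; user=$(ldap_escape_filter "$2"); ext=$3
    if [ -n "$ext" ]; then
        printf '(&(%s=%s)(%s))' "$attr" "$user" "$ext"
    else
        printf '(%s=%s)' "$attr" "$user"
    fi
}

# 1. The DC must resolve by name; LDAPS certificate validation is name based.
check_dns() { getent hosts "$1" >/dev/null; }

# 2. The LDAPS certificate chain must validate against the DC's root certificate.
check_ldaps() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# 3. The bind account must be able to search the container with the exact filter OPNsense will use.
check_bind_and_search() {
    user=$1
    LDAPTLS_CACERT="$CA_FILE" ldapsearch -LLL -H "ldaps://$DC_HOST:$DC_PORT" \
        -D "$BIND_DN" -y "$BIND_PW_FILE" -b "$AUTH_CONTAINER" -s sub \
        "$(build_user_filter "$USER_ATTR" "$user" "$EXT_QUERY")" dn memberOf
}

# The live checks run only when invoked as: sh preflight.sh run <username>
case "${1:-}" in
    run)
        check_dns "$DC_HOST" || { echo "cannot resolve $DC_HOST"; exit 1; }
        check_ldaps "$DC_HOST" "$DC_PORT" "$CA_FILE" || { echo "LDAPS chain does not validate"; exit 1; }
        check_bind_and_search "${2:?username required}"
        ;;
esac
```

If the third check returns no entry for a user who can log in to the domain, the filter is the first thing to compare against the directory: the attribute named in "User naming attribute" and the DN in "Extended Query" must both exist as written in AD.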
Create the CA

| Field | Value |
| --- | --- |
| Description | opnsense-xin-ca |
| Key type | RSA-2048 |
| Digest Algorithm | SHA256 |
| Issuer | self-signed |
| Lifetime (days) | 825 |
| Country Code | Germany |
| State or Province | |
| City | |
| Organization | |
| Organizational Unit | |
| Email Address | |
| Common Name | opnsense-xin-ca |
| OCSP uri | |
Create the certificate for the OpenVPN server

| Field | Value |
| --- | --- |
| Method | Create an internal Certificate |
| Description | openserver-cert |
| Type | Server Certificate |
| Private key location | Save on this firewall |
| Key type | RSA-2048 |
| Digest Algorithm | SHA256 |
| Issuer | opnsense-xin-ca |
| Lifetime (days) | 1825 |
| Country Code | Germany |
| State or Province | |
| City | |
| Organization | |
| Organizational Unit | |
| Email Address | |
| Common Name | opnsense-zw.tuxmen.de |
| OCSP uri | |
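What the two certificate tables produce can be rebuilt and checked with openssl, which makes it easy to confirm that the server certificate really is usable as a TLS server certificate. The script below is an added example and not OPNsense's own code: it creates a self-signed CA and a server certificate with the key type, digest, lifetimes and common names from the tables, then verifies the server certificate against the CA for the `sslserver` purpose, the same extended-key-usage check an OpenVPN client performs with `remote-cert-tls server`. The country code is assumed to be DE (the table says Germany), the private keys are written unencrypted only because they go into a throw-away directory, and the minimal openssl config is written by the script so the result does not depend on the system's openssl.cnf.

```shell
#!/bin/sh
# Added example: rebuild the CA and server certificate from the tables with openssl
# and verify that the result is usable as a TLS server certificate.
set -u

# Minimal openssl config so the CA extensions do not depend on the system openssl.cnf.
write_req_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed CA: RSA-2048, SHA256, lifetime and CN from the "Create the CA" table.
make_ca() {
    dir=$1; cn=$2; days=$3
    write_req_config "$dir/req.cnf"
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -sha256 -nodes -days "$days" \
        -subj "/C=DE/CN=$cn" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# Server certificate signed by the CA: RSA-2048, SHA256, EKU serverAuth, and the CN
# duplicated into a SAN because clients match the server name there.
make_server_cert() {
    dir=$1; cn=$2; days=$3
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -sha256 -nodes \
        -subj "/C=DE/CN=$cn" -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$cn" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days "$days" -sha256 -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1
}

# verify_cert_purpose CAFILE CERT PURPOSE  (PURPOSE: sslserver or sslclient); returns openssl's status.
verify_cert_purpose() {
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# Print the common name of a certificate; this is what "Validate server subject" compares against.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,utf8 | sed -n 's/^ *CN=//p'
}

# Build a throw-away PKI with the values from the tables and report whether the server
# certificate verifies for the TLS server purpose.
demo_pki() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir" opnsense-xin-ca 825 || return 1
    make_server_cert "$dir" opnsense-zw.tuxmen.de 1825 || return 1
    verify_cert_purpose "$dir/ca.crt" "$dir/server.crt" sslserver
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

The same `verify_cert_purpose` call with `sslclient` fails for this certificate, because its EKU only names serverAuth; that asymmetry is what stops a client certificate issued by the same CA from impersonating the server.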
Configuration
- Generate a static key

As the mode we choose crypt rather than auth

| Field | Value |
| --- | --- |
| Description | unser-key |
| Mode | crypt (Encrypt and authenticate) |
| Static Key | # 2048 bit OpenVPN static key … (BEGIN/END OpenVPN Static key V1) |

- Configure the server

| Field | Value |
| --- | --- |
| Enforce local group | None |
| Strict User/CN Matching | ☐ |
| Renegotiate time | |
| Auth Token Lifetime | |
| Local Network | 10.81.0.0/16 |
| Remote Network | |
| Options | Nothing selected |
| Push Options | Nothing selected |
| Redirect gateway | Nothing selected |
| Register DNS | ☐ |
| DNS Default Domain | xinux.org |
| DNS Domain search list | |
| DNS Servers | 10.81.0.2 |
| NTP Servers | |
Firewall rules
- WAN

| Field | Value |
| --- | --- |
| Action | Pass |
| Disabled | ☐ |
| Quick | ☑ (Apply the action immediately on match) |
| Interface | WAN |
| Direction | in |
| TCP/IP Version | IPv4 |
| Protocol | UDP |
| Source Invert | ☐ |
| Source | any |
| Destination Invert | ☐ |
| Destination | WAN address |
| Destination port range | OpenVPN → OpenVPN |
| Log | ☐ |
| Category | |
| Description | |
| No XMLRPC Sync | |
| Schedule | none |
| Gateway | default |

- OpenVPN

| Field | Value |
| --- | --- |
| Action | Pass |
| Disabled | ☐ |
| Quick | ☑ (Apply the action immediately on match) |
| Interface | OpenVPN |
| Direction | in |
| TCP/IP Version | IPv4 |
| Protocol | any |
| Source Invert | ☐ |
| Source | OpenVPN net |
| Destination Invert | ☐ |
| Destination | any |
| Destination port range | any → any |
Export the client configuration

| Field | Value |
| --- | --- |
| Remote Access Server | Our server udp/1194 |
| Export type | File Only |
| Hostname | opensense.it2xx.xinmen.de |
| Port | 1194 |
| Use random local port | ☑ |
| Validate server subject | ☑ |
| Windows Certificate System Store | ☐ |
| Disable password save | ☐ |
| Custom config | |
| Certificate | opnsense-cert (selected) |
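The export above produces a client profile; rendering one from the same settings shows what each switch turns into on the client side: `nobind` for "Use random local port", `verify-x509-name … name` for "Validate server subject" (compared against the CN of the server certificate), `tls-crypt` because the static key in the configuration section was created in crypt mode (auth mode would give `tls-auth` instead), and `auth-user-pass` because the users are checked against AD. This is an added example, not the file OPNsense itself writes, and the exact directives OPNsense emits may differ. `gen_static_key` uses the `openvpn --genkey secret` form (OpenVPN 2.5 syntax) and is skipped when openvpn is not installed; `ca.crt`, `client.crt`, `client.key` and the key file name are placeholders for the material the export embeds.

```shell
#!/bin/sh
# Added example: render an OpenVPN client profile from the export settings on this page.
# Not the file OPNsense writes; the file names are placeholders for the exported material.

# Generate a 2048-bit static key for tls-crypt / tls-auth (OpenVPN 2.5+ syntax).
gen_static_key() {
    command -v openvpn >/dev/null 2>&1 || { echo "openvpn not installed, skipping" >&2; return 2; }
    openvpn --genkey secret "$1"
}

# Map the static-key "Mode" from the table to the client directive it implies.
static_key_directive() {
    case "$1" in
        crypt) printf 'tls-crypt %s' "$2" ;;      # control channel encrypted and authenticated
        auth)  printf 'tls-auth %s 1' "$2" ;;     # authenticated only; client uses key direction 1
        *)     return 1 ;;
    esac
}

# render_client_config HOST PORT SERVER_CN MODE KEYFILE
render_client_config() {
    host=$1; port=$2; server_cn=$3; mode=$4; keyfile=$5
    tls_line=$(static_key_directive "$mode" "$keyfile") || return 1
    cat <<EOF
client
dev tun
proto udp
remote $host $port
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name $server_cn name
auth-user-pass
ca ca.crt
cert client.crt
key client.key
$tls_line
verb 3
EOF
}

# Return 0 when a rendered profile contains the given directive as a whole line.
profile_has() {
    printf '%s\n' "$1" | grep -qx -- "$2"
}
```

`remote-cert-tls server` is the client-side counterpart of creating the server certificate with type "Server Certificate": a certificate from the same CA without the serverAuth extended key usage is rejected, so a stolen client certificate cannot be used to stand up a fake server.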