Let me share this quick and dirty howto with you. This setup authenticates users against the AD and only lets in members of a group called "OpenVPN Users".
What you need to have:
- Active Directory or another LDAP solution (OpenLDAP)
- The openvpn-auth-ldap package (the plugin .so)
- An AD group (here "OpenVPN Users")
[ec2-user@naboo ~]$ yum search openvpn | grep ldap
openvpn-auth-ldap.x86_64 : OpenVPN plugin for LDAP authentication
openvpn-auth-ldap-debuginfo.x86_64 : Debug information for package
gorkhaan@kamino:~$ apt-cache search openvpn | grep ldap
openvpn-auth-ldap - OpenVPN LDAP authentication module
Install the server and the plugin:
- yum install openvpn openvpn-auth-ldap.x86_64
- apt-get install openvpn openvpn-auth-ldap
Files
- Copy "vpnserver-ldap-auth.conf" to "/etc/openvpn/vpnserver-ldap-auth.conf"
mode server
tls-server
port 443
#local x.x.x.x
proto tcp
dev tun
topology subnet
ca ca.crt
cert vpnserver.crt
key vpnserver.key
dh dh2048.pem
script-security 2
username-as-common-name

### PAM AUTH ###
#auth-user-pass-verify "auth-pam.pl" via-file
################

### LDAP AUTH ###
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "ldap-auth.config"
#################

#tmp-dir "/tmp"
#up "/etc/openvpn/skyvpnserver/tuzfal_all"

server 192.168.222.0 255.255.255.0
push "route 10.0.0.0 255.255.0.0"
# push "dhcp-option DNS 192.168.222.1"
#push "redirect-gateway def1"
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DOMAIN darkhole.hu"
#push "shaper 1310720"
#shaper 1310720
#port-share x.x.x.x 3128

inactive 600
tcp-nodelay
#fast-io
keepalive 10 120
comp-lzo
persist-key
persist-tun
status onlineusers.log 5
status-version 1
ifconfig-pool-persist fixip.txt 0
#management 127.0.0.1 1195 telnet.passwd
verb 3
mute 10
reneg-sec 1800
- Copy "ldap-auth.config" to "/etc/openvpn/ldap-auth.config"
<LDAP>
	# LDAP server URL
	URL ldap://subdomain.domain.ltd:389

	# Bind DN (If your LDAP server doesn't support anonymous binds)
	#BindDN uid=admin,ou=Users,dc=test,dc=com
	BindDN "CN=MyReadOnlyUser,OU=Service Accounts,DC=subdomain,DC=domain,DC=ltd"

	# Bind Password
	Password "MyReadOnlyUserPassword"

	# Network timeout (in seconds)
	Timeout 15

	# Enable Start TLS
	TLSEnable no

	# Follow LDAP Referrals (anonymously)
	FollowReferrals no

	# TLS CA Certificate File
	TLSCACertFile /usr/local/etc/ssl/ca.pem

	# TLS CA Certificate Directory
	TLSCACertDir /etc/ssl/certs

	# Client Certificate and key
	# If TLS client authentication is required
	TLSCertFile /usr/local/etc/ssl/client-cert.pem
	TLSKeyFile /usr/local/etc/ssl/client-key.pem

	# Cipher Suite
	# The defaults are usually fine here
	# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
	# Base DN
	#BaseDN "CN=Users,DC=test,DC=com"
	BaseDN "DC=subdomain,DC=domain,DC=ltd"

	# User Search Filter
	#SearchFilter "(&(uid=%u)(accountStatus=active))"
	#SearchFilter "(&(sAMAccountName=%u)(msNPAllowDialin=TRUE))"
	SearchFilter "(&(sAMAccountName=%u))"

	# Require Group Membership
	RequireGroup true

	# Add non-group members to a PF table (disabled)
	#PFTable ips_vpn_users

	<Group>
		BaseDN "DC=subdomain,DC=domain,DC=ltd"
		SearchFilter "(cn=OpenVPN Users)"
		MemberAttribute "member"

		# Add group members to a PF table (disabled)
		#PFTable ips_vpn_eng
	</Group>
</Authorization>
- Use these files as templates: go through every line and adjust it to your environment (the plugin path, the LDAP URL, the BindDN and its password, and the group name in particular).
- Set up iptables masquerading, etc.
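Because the two files above decide who gets onto the VPN, it is worth checking them before restarting OpenVPN. The following script is an added example (not part of the openvpn-auth-ldap project or of the howto): it parses the `<LDAP>` / `<Authorization>` / `<Group>` block syntax of ldap-auth.config and reports settings that weaken the setup, such as a plain `ldap://` URL with `TLSEnable no` (the bind password and every VPN user's password then travel unencrypted), a `SearchFilter` without `%u`, or `RequireGroup true` without a `<Group>` block. The embedded sample config is a trimmed, constructed copy of the template above; the check names and messages are the script's own.

```python
"""Lint an openvpn-auth-ldap "ldap-auth.config" for settings that weaken
authentication. Added example; not code from the openvpn-auth-ldap project."""
import re
from typing import List

# Constructed sample: the <LDAP>/<Authorization> layout from the howto, trimmed.
SAMPLE_CONFIG = """\
<LDAP>
    URL ldap://subdomain.domain.ltd:389
    BindDN "CN=MyReadOnlyUser,OU=Service Accounts,DC=subdomain,DC=domain,DC=ltd"
    Password "MyReadOnlyUserPassword"
    Timeout 15
    TLSEnable no
    FollowReferrals no
</LDAP>
<Authorization>
    BaseDN "DC=subdomain,DC=domain,DC=ltd"
    SearchFilter "(&(sAMAccountName=%u))"
    RequireGroup true
    <Group>
        BaseDN "DC=subdomain,DC=domain,DC=ltd"
        SearchFilter "(cn=OpenVPN Users)"
        MemberAttribute "member"
    </Group>
</Authorization>
"""


def parse_config(text: str) -> dict:
    """Parse the Apache-style block syntax into nested dicts.

    Section and key names are lower-cased; surrounding quotes on values are
    stripped. Lines whose first non-blank character is '#' are comments."""
    root: dict = {}
    stack: List[dict] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"<(\w+)>", line)
        if m:  # section open: nest a dict under the current one
            section = stack[-1].setdefault(m.group(1).lower(), {})
            stack.append(section)
            continue
        m = re.fullmatch(r"</(\w+)>", line)
        if m:  # section close: must match the innermost open section
            name = m.group(1).lower()
            if len(stack) == 1 or stack[-1] is not stack[-2].get(name):
                raise ValueError(f"unbalanced close tag: {line}")
            stack.pop()
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        stack[-1][parts[0].lower()] = value
    if len(stack) != 1:
        raise ValueError("unterminated section")
    return root


def audit(cfg: dict) -> List[str]:
    """Return findings that weaken the group-restricted authentication."""
    findings: List[str] = []
    ldap = cfg.get("ldap", {})
    authz = cfg.get("authorization", {})
    url = ldap.get("url", "")
    starttls = ldap.get("tlsenable", "no").lower() == "yes"
    if url.startswith("ldap://") and not starttls:
        findings.append("cleartext LDAP: the BindDN password and every VPN user's "
                        "password cross the network unencrypted "
                        "(use an ldaps:// URL or TLSEnable yes)")
    if "password" in ldap:
        findings.append("BindDN password is stored in the config file; keep the "
                        "file readable only by the OpenVPN service (mode 0600)")
    if "%u" not in authz.get("searchfilter", ""):
        findings.append("SearchFilter has no %u, so the user lookup is not tied "
                        "to the username the client supplied")
    require_group = authz.get("requiregroup", "false").lower() == "true"
    group = authz.get("group")
    if not require_group:
        findings.append("RequireGroup is not true: any account matching "
                        "SearchFilter with a valid password can connect, not "
                        "only members of the VPN group")
    elif not group:
        findings.append("RequireGroup true but no <Group> block defines the group")
    elif "memberattribute" not in group:
        findings.append("<Group> lacks MemberAttribute (the howto uses 'member')")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("-", finding)
```

Run it against your own file with `audit(parse_config(open("/etc/openvpn/ldap-auth.config").read()))`; for the template as written it reports the cleartext bind and the stored password, and switching the URL to `ldaps://` (or setting `TLSEnable yes` with a valid `TLSCACertFile`) clears the first of these.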