OpenVPN authentication with Active Directory

Scripts which allow the use of special authentication methods (LDAP, AD, MySQL/PostgreSQL, etc).

adamincanada
OpenVpn Newbie
Posts: 2
Joined: Sun Jan 03, 2010 4:28 am

OpenVPN authentication with Active Directory

Post by adamincanada » Sun Jan 03, 2010 4:33 am

This Perl script can be used for authentication with Active Directory and for connection tracking.

Add the following lines to your server configuration file:
auth-user-pass-verify /path-to/openvpn-super.pl via-env
client-connect /path-to/openvpn-super.pl
client-disconnect /path-to/openvpn-super.pl

/etc/openvpn-super.conf

    # The Windows domain to use for Kerberos authentication
    domain = example.ca
    
    # The domain controllers to use, in order of preference
    dc = dc1.example.ca
    dc = dc2.example.ca

    # The Active Directory group that the user must be in
    group = cn=VPN Users,ou=SomeOU,dc=example,dc=ca
    
    # The mail server to use for sending notifications
    mailserver = mail.example.ca
    
    # The recipients for notification messages
    mailto = john.smith\@example.ca
    mailto = mike\@example.ca
    
    # The log file to use
    logfile = /var/log/openvpn.log

openvpn-super.pl: see below.
Last edited by adamincanada on Sun Jan 03, 2010 5:45 pm, edited 1 time in total.
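The three hooks and the config format described in this post, as an added Python skeleton (this is not the attached openvpn-super.pl): it parses the key = value file with repeated keys, dispatches on the script_type OpenVPN sets, and builds the Kerberos principal from the domain; the real Kerberos/LDAP check is a hypothetical authenticate callable so the example runs offline.

```python
import sys
from collections import defaultdict
HOOKS = ("client-connect", "client-disconnect", "auth-user-pass-verify")
# Constructed sample in the /etc/openvpn-super.conf format shown in the post.
SAMPLE_CONF = r"""
# The Windows domain to use for Kerberos authentication
domain = example.ca
dc = dc1.example.ca
dc = dc2.example.ca
group = cn=VPN Users,ou=SomeOU,dc=example,dc=ca
mailto = john.smith\@example.ca
mailto = mike\@example.ca
"""

def parse_conf(text):
    """key = value lines; repeated keys (dc, mailto) accumulate into lists,
    the Perl-style backslash before '@' is removed, comments are skipped."""
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")   # split on the first '=' only
        if not sep:
            raise ValueError("bad config line: %r" % line)
        conf[key.strip()].append(value.strip().replace("\\@", "@"))
    return dict(conf)

def principal(username, conf):
    # Kerberos realm = AD domain in upper case; realm names are case-sensitive.
    return "%s@%s" % (username, conf["domain"][0].upper())

def handle(env, conf, authenticate):
    """Dispatch on the script_type OpenVPN sets and return the exit status it
    expects (0 = accept, non-zero = reject). `authenticate(principal, pw)` is
    a hypothetical callable standing in for the Kerberos bind."""
    script_type = env.get("script_type", "")
    if script_type not in HOOKS:
        sys.stderr.write('Invalid script_type: "%s" (expected %s)\n'
                         % (script_type, ", ".join(HOOKS)))
        return 1
    if script_type == "auth-user-pass-verify":
        # via-env: username/password arrive in the environment (script-security 3)
        user, pw = env.get("username", ""), env.get("password", "")
        if not user or not pw:
            return 1
        return 0 if authenticate(principal(user, conf), pw) else 1
    return 0  # connect/disconnect hooks: log and notify only, never block here
```

In production the script would be invoked by OpenVPN with os.environ as env and the config read from /etc/openvpn-super.conf.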

ecrist
Forum Team
Posts: 237
Joined: Wed Nov 26, 2008 10:33 pm
Location: Northern Minnesota, USA

Re: OpenVPN authentication with Active Directory

Post by ecrist » Mon Jan 04, 2010 2:26 pm

Here is the Perl script.
OpenVPN Community Administrator
IRC: #openvpn, #openvpn-devel
Co-Author of Mastering OpenVPN
Author of Troubleshooting OpenVPN

rooneymu
OpenVpn Newbie
Posts: 1
Joined: Tue Jan 11, 2011 3:54 am

Re: OpenVPN authentication with Active Directory

Post by rooneymu » Mon Feb 07, 2011 6:14 pm

What should I configure in client.ovpn?

adamincanada
OpenVpn Newbie
Posts: 2
Joined: Sun Jan 03, 2010 4:28 am

Re: OpenVPN authentication with Active Directory

Post by adamincanada » Tue Feb 08, 2011 1:36 am

I use the following lines:

# Authentication setup
client-cert-not-required
username-as-common-name
auth-user-pass-verify /bin/scripts/openvpn-super.pl via-env

# Notification and logging setup
client-connect /bin/scripts/openvpn-super.pl
client-disconnect /bin/scripts/openvpn-super.pl


Hope it works!

tombodet
OpenVPN User
Posts: 22
Joined: Wed Jun 29, 2011 5:32 pm

Re: OpenVPN authentication with Active Directory

Post by tombodet » Tue Aug 02, 2011 7:08 pm

Anyone try this on 64bit?

I'm getting the following when I run directly from the command line as a test:

Can't locate Authen/Krb5/Simple.pm in @INC (@INC contains: /usr/lib/perl5/5.8.8/Filter/ /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/5.8.8 .) at auth_ad_super.pl line 581.
BEGIN failed--compilation aborted at auth_ad_super.pl line 581.

Funny thing is, Simple.pm is in fact in the first @INC directory:
find / -name Simple.pm
/usr/lib/perl5/5.8.8/Filter/Simple.pm
/usr/lib/perl5/5.8.8/Test/Simple.pm

This is Centos 5.6 with perl installed from yum:
perl.x86_64 4:5.8.8-32.el5_5.2 installed
perl-Authen-Krb5.x86_64 1.9-1.el5 installed
perl-String-CRC32.x86_64 1.4-2.fc6 installed

Am I missing another package or do I need to set something else since it's 64 bit?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OpenVPN authentication with Active Directory

Post by janjust » Wed Aug 03, 2011 10:58 am

Try

yum install perl-Authen-Krb5-Simple

tombodet
OpenVPN User
Posts: 22
Joined: Wed Jun 29, 2011 5:32 pm

Re: OpenVPN authentication with Active Directory

Post by tombodet » Wed Aug 03, 2011 12:45 pm

janjust wrote: try

yum install perl-Authen-Krb5-Simple

Doesn't exist. Besides the base repo I have EPEL installed as well.


edit:

Hold the phone, found an rpm for it. That got me past that line; then it wanted perl-LDAP. That got me what I believe is a running script:

./auth_ad_super.pl
2011-08-03 08:55:12 Invalid script_type: "" (expected client-connect, client-disconnect, or auth-user-pass-verify)

If it's giving me that output I believe it's compiling, I now need to fix the config?
Last edited by tombodet on Wed Aug 03, 2011 12:58 pm, edited 1 time in total.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OpenVPN authentication with Active Directory

Post by janjust » Wed Aug 03, 2011 12:53 pm

Hmmm, I use CentOS 5 as well; on my box it's in the rpmforge repo:

[rpmforge]
name = RHEL $releasever - RPMforge.net - dag
baseurl = http://apt.sw.be/redhat/el5/en/$basearch/rpmforge
mirrorlist = http://apt.sw.be/redhat/el5/en/mirrors-rpmforge
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
enabled = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1

tombodet
OpenVPN User
Posts: 22
Joined: Wed Jun 29, 2011 5:32 pm

Re: OpenVPN authentication with Active Directory

Post by tombodet » Wed Aug 03, 2011 1:00 pm

Sorry Jan, I didn't refresh and updated my previous post.

I didn't realize rpmforge had a repo; that's actually where I got the rpm from.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OpenVPN authentication with Active Directory

Post by janjust » Wed Aug 03, 2011 1:13 pm

Yes, now fix the config and add the lines to the server config as posted earlier:

# Authentication setup
client-cert-not-required
username-as-common-name
auth-user-pass-verify /bin/scripts/openvpn-super.pl via-env

# Notification and logging setup
client-connect /bin/scripts/openvpn-super.pl
client-disconnect /bin/scripts/openvpn-super.pl

If your script is named 'auth_ad_super.pl' then adjust accordingly.

izghitu
OpenVpn Newbie
Posts: 5
Joined: Mon Aug 29, 2011 6:51 pm

Re: OpenVPN authentication with Active Directory

Post by izghitu » Mon Aug 29, 2011 7:34 pm

Hi,

I tried to set this up, but whenever I try to authenticate using a user/pass from the AD I get this in the openvpn logs:

WARNING: Failed running command (--auth-user-pass-verify): external program fork failed
TLS Auth Error: Auth Username/Password verification failed for peer

I get this when running it from the command line:

[root@vpn openvpn]# ./openvpn-super.pl -c /etc/openvpn-super.conf -d
Configuration file parameters:
dc      HASH(0x87a6d60)
        ->      0       HOST
domain  domain.com
group   cn=Remote Desktop Users,ou=Domain Controllers,dc=domain,dc=com
logfile /var/log/openvpn.log
mailserver      localhost
recipients      HASH(0x8bc0db0)
        ->      email@gmail.com


2011-08-29 17:46:43     Invalid script_type: "" (expected client-connect, client-disconnect, or auth-user-pass-verify)

Am I doing something wrong?

Please help

izghitu
OpenVpn Newbie
Posts: 5
Joined: Mon Aug 29, 2011 6:51 pm

Re: OpenVPN authentication with Active Directory

Post by izghitu » Mon Aug 29, 2011 7:48 pm

I've set the log file to /var/log/openvpn.log in both the config and in the script and set the debug level to 1, but I get no output in /var/log/openvpn.log when authenticating via openvpn.

Please help

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OpenVPN authentication with Active Directory

Post by janjust » Tue Aug 30, 2011 10:14 am

WARNING: Failed running command (--auth-user-pass-verify): external program fork failed
TLS Auth Error: Auth Username/Password verification failed for peer

This suggests that the script cannot be executed. Try adding

script-security 3 system
verb 5

Restart the server and try again.

izghitu
OpenVpn Newbie
Posts: 5
Joined: Mon Aug 29, 2011 6:51 pm

Re: OpenVPN authentication with Active Directory

Post by izghitu » Tue Aug 30, 2011 7:39 pm

This is what I get:

WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
TLS Auth Error: Auth Username/Password verification failed for peer
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
[] Peer Connection Initiated with IP:49270
PUSH: Received control message: 'PUSH_REQUEST'
Delayed exit in 5 seconds
SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
IP:49270 SIGTERM[soft,delayed-exit] received, client-instance exiting

And I finally got an email. The email says:

Details:            Cannot find KDC for requested realm (0x9a)

What's KDC? Please advise.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OpenVPN authentication with Active Directory

Post by janjust » Tue Aug 30, 2011 8:56 pm

KDC = Kerberos Domain Controller

In AD speak this is pretty much the same as the Active Directory server; it seems the AD authentication fails due to a realm mismatch. Sorry, but I can't help you there, as I'm clueless as to how AD works.

izghitu
OpenVpn Newbie
Posts: 5
Joined: Mon Aug 29, 2011 6:51 pm

Re: OpenVPN authentication with Active Directory

Post by izghitu » Wed Aug 31, 2011 4:53 am

Thanks for your help so far. One last question if you don't mind.

So the KDC is the IP or hostname of the AD server right? Then what's realm?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OpenVPN authentication with Active Directory

Post by janjust » Wed Aug 31, 2011 7:46 am

This is getting off-topic for the openvpn forum... Troubleshoot your connection to the AD server first, e.g. by reading up on http://www.linuxmail.info/troubleshooti ... -centos-5/

It looks like you either use the wrong IP address of the AD server or you misspelled the Active Directory realm, which is case-sensitive.
