
Configure openvpn for several access types and authentication methods in load balancing

Posted: Thu Nov 07, 2019 4:00 pm
by soprano
I installed and configured an OpenVPN server for my guests, for now with PAM authentication.

I have several questions about how, and if, it is possible to configure OpenVPN for my needs.

1a) I would like to know if it is possible to have mixed authentication, PAM + LDAP + RADIUS + certificates, or some of them, in the same configuration?

1b) In case it is not possible, is it possible to use LDAP authentication and have several kinds of access?

I mean, I have several VPN clients:

- guests, that would have access to some networks only

- admins, that would have access to all networks (but maybe not the internet through the VPN)

- internet users, that would have access to some networks and internet through the VPN too

I will use 3 different networks, one for each kind of access, suppose 172.16.1.0, 172.16.2.0 and 172.16.3.0 (just for example).

I know I will need iptables rules to divide access based on the network where a user will be translated; this is not a problem, I know how to set up a firewall.

I searched and found this document https://openvpn.net/community-resources/how-to/#scope

but while I understand the server network configuration, I don't understand where the common-name has to be used, whether in the client configuration or in some other way.

2) The ccd file will ifconfig-push a network IP for each kind of access in your example (admin or contractors), but is it not possible to use an entire network or subnet, like for the server statement, for example

ifconfig-push 172.16.1.1 172.16.1.254

for each of the networks I need?

3) If I have to use only LDAP authentication, how can I divide several kinds of access based on the same user?

I mean, sometimes a user called "soprano" needs only to have access like guests, sometimes like admins and sometimes like internet users; is it possible to do this with only a server configuration?

and how does the server choose which access to give that user? I suspect using the common-name, and here I go back to the question of where I have to put the common-name?

4) If I use LDAP, can I use some information stored in the LDAP for the common-name?

5) If I use more OpenVPN servers (2 or 3), will I have to use different networks for each kind of access?

I mean, for troubleshooting purposes it is preferable to have

openvpn1
172.16.1.0 guests
172.16.2.0 admins
172.16.3.0 internet users

openvpn2
172.16.21.0 guests
172.16.22.0 admins
172.16.23.0 internet users

openvpn3
172.16.31.0 guests
172.16.32.0 admins
172.16.33.0 internet users

so when I have some problems I will know directly on which server to search for information or logs.

6) I would like to know if it is better to have 1-2 servers with more CPUs or more servers with a single CPU? Can OpenVPN use more than one CPU simultaneously?

Thanks for now
soprano

Re: Configure openvpn for several access types and authentication methods in load balancing

Posted: Fri Nov 08, 2019 6:36 pm
by soprano
I configured LDAP authentication and it works very well;

now I would like to know if it is possible to authenticate against LDAP searching for the Common Name in the certificate.

I see in the ldap.conf file

part of the ldap config:

<Authorization>
# Base DN
BaseDN "ou=People,dc=example,dc=com"

# User Search Filter
SearchFilter "(&(uid=%u)(accountStatus=active))"

# Require Group Membership
RequireGroup false

# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users

#<Group>
# BaseDN "ou=Groups,dc=example,dc=com"
# SearchFilter "(|(cn=developers)(cn=artists))"
# MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
#</Group>
</Authorization>

I see a %u variable for the username; does a %cn variable exist for the common name, so I can match it with a field in the LDAP?

If this is not possible, which variables are passed to the LDAP module that I can use?

And which variables are passed instead to an auth-user-pass-verify script?

Is there a list of these variables in some guide/how-to?

My latest question is: is it possible to have different CAs for the server and the client certificates?

I ask this because for the server I already have a real certificate issued by a real Certification Authority, but now I need to create several client certificates with different Common Names (one for each type of access I need).

If possible, do I need to add the client CA in the server configuration, and how? Do I need to chain it to the ca.crt file? Or how?

Thanks for any answer
soprano
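
The two places where the client certificate's Common Name can drive the kind of access, as an added example that is not code from this thread or from the OpenVPN project: OpenVPN reads the file `<client-config-dir>/<CN>` after the TLS handshake, so the CN is the file name that selects the per-client `ifconfig-push` and `push "route ..."` lines (question 2 of the first post), and an `auth-user-pass-verify ... via-file` script receives one argument, a temporary file with the username on line 1 and the password on line 2, plus the CN exported in the `common_name` environment variable (the variables asked about in the second post). The CN naming scheme (`user-guest`, `user-admin`, `user-inet`), `topology subnet` with a tunnel network covering the 172.16.1.0 to 172.16.3.0 ranges from the thread, the 10.10.x.x internal networks, `script-security 2` on the server, and the `allowed_roles` table standing in for an LDAP lookup are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenVPN project): ties a client
# certificate's Common Name (CN) to one of the three access kinds.
#
# Part 1: OpenVPN reads <client-config-dir>/<CN> after the TLS handshake, so
# the CN is the key for per-client "ifconfig-push"/"push route" lines.
# Part 2: an "auth-user-pass-verify <script> via-file" hook. OpenVPN passes
# one argument, a temp file with the username on line 1 and the password on
# line 2, and exports the CN as $common_name. Exit 0 accepts, non-zero rejects.
#
# Assumptions: CN naming "user-guest" / "user-admin" / "user-inet";
# "topology subnet" with a tunnel network covering 172.16.1.0 to 172.16.3.0
# (the subnets from the thread); 10.10.x.x internal networks; "script-security 2"
# on the server; allowed_roles stands in for an LDAP lookup (constructed data).

# role_of_cn CN -> prints the access kind encoded in the CN suffix
role_of_cn() {
    case "$1" in
        *-guest) echo guests ;;
        *-admin) echo admins ;;
        *-inet)  echo internet ;;
        *)       return 1 ;;
    esac
}

# ccd_lines ROLE HOST -> prints the ccd body; HOST is the client's 4th octet
ccd_lines() {
    case "$1" in
        guests)
            echo "ifconfig-push 172.16.1.$2 255.255.255.0"
            echo 'push "route 10.10.1.0 255.255.255.0"'
            ;;
        admins)
            echo "ifconfig-push 172.16.2.$2 255.255.255.0"
            echo 'push "route 10.10.0.0 255.255.0.0"'
            ;;
        internet)
            echo "ifconfig-push 172.16.3.$2 255.255.255.0"
            echo 'push "route 10.10.1.0 255.255.255.0"'
            echo 'push "redirect-gateway def1"'
            ;;
        *) return 1 ;;
    esac
}

# write_ccd CCD_DIR CN HOST -> writes CCD_DIR/CN; fails on an unknown CN suffix
write_ccd() {
    role=$(role_of_cn "$2") || return 1
    mkdir -p "$1" && ccd_lines "$role" "$3" > "$1/$2"
}

# allowed_roles USERNAME -> roles the directory grants (constructed stand-in)
allowed_roles() {
    case "$1" in
        soprano) echo "guests admins internet" ;;
        alice)   echo "guests" ;;
        *)       echo "" ;;
    esac
}

# check_access USERNAME CN -> 0 only if the CN belongs to USERNAME
# (prefix before the last '-') and asks for a role USERNAME may use
check_access() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    [ "${2%-*}" = "$1" ] || return 1
    want=$(role_of_cn "$2") || return 1
    for r in $(allowed_roles "$1"); do
        if [ "$r" = "$want" ]; then return 0; fi
    done
    return 1
}

# Hook entry point, active only when OpenVPN passes the credentials file.
# The password (line 2) is verified by the LDAP bind the plugin already does;
# this hook only adds the CN-to-role check. OpenVPN rejects the client unless
# every configured user/password check succeeds (assumed from the manual).
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    user=$(sed -n 1p "$1")
    if check_access "$user" "${common_name:-}"; then
        exit 0
    fi
    echo "access denied: user=$user cn=${common_name:-}" >&2
    exit 1
fi
```

Run once as an administrator (`write_ccd /etc/openvpn/ccd soprano-admin 10`) to create the ccd files, and install the same file as the `auth-user-pass-verify` script so that a user whose certificate says `-admin` is only accepted when the directory grants that role; the pool address in `ifconfig-push` must lie inside the network given to the `server` directive, which is why the example assumes one tunnel network spanning the three ranges.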

Re: Configure openvpn for several access types and authentication methods in load balancing

Posted: Fri Nov 08, 2019 7:26 pm
by Pippin
> for the server I already have a real certificate issued by a real Certification Authority
That's not considered good practice.....
> my latest question is: is it possible to have different CAs for the server and the client certificates?
Yes, that is possible.
The client needs the CA that signed the server certificate.
The server needs the CA that signed the client(s) certificate(s).

Re: Configure openvpn for several access types and authentication methods in load balancing

Posted: Sat Nov 09, 2019 1:52 pm
by soprano
Thanks Pippin for the answer.

Do you know if it is possible in ldap.conf to have a %cn or %something that gives the client certificate's Common Name, to use with an ldapsearch to confirm the kind of access?

Thanks in advance for your help.
soprano