OpenVPN authentication with Active Directory
Posted: Sun Jan 03, 2010 4:33 am
by adamincanada
This Perl script can be used for authentication with Active Directory and for connection tracking.
Add the following lines to your server configuration file:
auth-user-pass-verify /path-to/openvpn-super.pl via-env
client-connect /path-to/openvpn-super.pl
client-disconnect /path-to/openvpn-super.pl
/etc/openvpn-super.conf
# The Windows domain to use for Kerberos authentication
domain = example.ca
# The domain controllers to use, in order of preference
dc = dc1.example.ca
dc = dc2.example.ca
# The Active Directory group that the user must be in
group = cn=VPN Users,ou=SomeOU,dc=example,dc=ca
# The mail server to use for sending notifications
mailserver = mail.example.ca
# The recipients for notification messages
mailto = john.smith\@example.ca
mailto = mike\@example.ca
# The log file to use
logfile = /var/log/openvpn.log
openvpn-super.pl: see below.
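The thread refers to openvpn-super.pl but never reproduces it, so here is an added skeleton of what a script wired up this way has to do. It is an illustration written for this page, not adamincanada's script. It assumes the config format shown above, read from the hypothetical path /etc/openvpn-super.conf, and uses the two CPAN modules the thread later identifies as dependencies (Authen::Krb5::Simple for the password check, Net::LDAP for the group check). The three server directives all point at one file, and OpenVPN tells the script which hook it is running through the script_type environment variable; with via-env the username and password arrive in the username and password variables, and the only thing OpenVPN looks at afterwards is the exit status.

```perl
#!/usr/bin/perl
# Added illustration of the hook contract, not the thread's openvpn-super.pl.
# Assumptions: config format from the first post at /etc/openvpn-super.conf
# (hypothetical path), and the three server directives pointing at this file.
use strict;
use warnings;

# OpenVPN only looks at the exit status: 0 accepts the user, anything else rejects.
use constant { ACCEPT => 0, REJECT => 1 };

# "key = value" lines; dc and mailto may repeat and become lists; "\@" -> "@".
sub parse_config {
    my ($text) = @_;
    my %cfg = (dc => [], mailto => []);
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(?:#|$)/;
        my ($k, $v) = $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/ or next;
        $v =~ s/\\\@/\@/g;
        if (ref $cfg{$k}) { push @{ $cfg{$k} }, $v } else { $cfg{$k} = $v }
    }
    return \%cfg;
}

# The username becomes the common name (username-as-common-name) and is put
# into an LDAP filter, so accept only what a plain AD logon name needs.
sub valid_username {
    my ($u) = @_;
    return defined $u && $u =~ /^[A-Za-z0-9._-]{1,64}$/;
}

sub logmsg {
    my ($cfg, $msg) = @_;
    my @t = localtime;
    my $stamp = sprintf '%04d-%02d-%02d %02d:%02d:%02d',
        $t[5] + 1900, $t[4] + 1, @t[3, 2, 1, 0];
    my $fh;
    if (defined $cfg->{logfile} && open $fh, '>>', $cfg->{logfile}) {
        print $fh "$stamp $msg\n";
        close $fh;
    } else {
        print STDERR "$stamp $msg\n";
    }
}

# Kerberos password check against the AD realm, then an LDAP group check.
# Modules are loaded lazily so the parser and dispatcher run without them.
sub authenticate {
    my ($cfg, $user, $pass) = @_;
    require Authen::Krb5::Simple;
    require Net::LDAP;
    require Net::LDAP::Util;

    my $krb = Authen::Krb5::Simple->new();
    $krb->realm(uc $cfg->{domain});   # realms are case-sensitive; AD uses the upper-case DNS name
    unless ($krb->authenticate($user, $pass)) {
        logmsg($cfg, "kerberos: $user: " . $krb->errstr);
        return 0;
    }

    my $base   = join ',', map { "dc=$_" } split /\./, $cfg->{domain};
    my $filter = sprintf '(&(sAMAccountName=%s)(memberOf=%s))',
        Net::LDAP::Util::escape_filter_value($user),
        Net::LDAP::Util::escape_filter_value($cfg->{group});
    for my $dc (@{ $cfg->{dc} }) {    # in order of preference
        my $ldap = Net::LDAP->new($dc, timeout => 5) or next;
        next if $ldap->bind("$user\@$cfg->{domain}", password => $pass)->code;
        my $res = $ldap->search(base => $base, scope => 'sub',
                                filter => $filter, attrs => ['dn']);
        $ldap->unbind;
        next if $res->code;           # LDAP error: try the next DC
        return 1 if $res->count == 1;
        logmsg($cfg, "ldap: $user is not a member of $cfg->{group}");
        return 0;
    }
    logmsg($cfg, "ldap: no domain controller answered for $user");
    return 0;
}

sub dispatch {
    my ($env, $cfg) = @_;
    my $type = defined $env->{script_type} ? $env->{script_type} : '';
    if ($type eq 'auth-user-pass-verify') {
        my ($user, $pass) = ($env->{username}, $env->{password});   # via-env
        unless (valid_username($user) && defined $pass && length $pass) {
            logmsg($cfg, 'auth: rejected malformed username or empty password');
            return REJECT;
        }
        return authenticate($cfg, $user, $pass) ? ACCEPT : REJECT;
    }
    if ($type eq 'client-connect' || $type eq 'client-disconnect') {
        logmsg($cfg, sprintf '%s %s from %s:%s', $type,
            map { defined $env->{$_} ? $env->{$_} : '?' } qw(common_name trusted_ip trusted_port));
        return ACCEPT;    # never block a connect or disconnect on a logging problem
    }
    die qq{Invalid script_type: "$type" (expected client-connect, client-disconnect, or auth-user-pass-verify)\n};
}

unless (caller) {
    my $path = '/etc/openvpn-super.conf';
    open my $fh, '<', $path or die "cannot read $path: $!\n";
    my $cfg = parse_config(do { local $/; <$fh> });
    close $fh;
    my $rc = eval { dispatch(\%ENV, $cfg) };
    if ($@) { logmsg($cfg, $@); $rc = REJECT }
    exit $rc;
}
1;
```

Running it by hand from a shell with no script_type set produces the same "Invalid script_type" rejection that appears later in this thread, which is the expected result, not a bug: the script only does useful work when OpenVPN sets that variable. Note that the memberOf filter matches direct membership only; nested groups need a recursive query or a different attribute.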
Re: OpenVPN authentication with Active Directory
Posted: Mon Jan 04, 2010 2:26 pm
by ecrist
Here is the perl script.
Re: OpenVPN authentication with Active Directory
Posted: Mon Feb 07, 2011 6:14 pm
by rooneymu
What should I configure in client.ovpn?
Re: OpenVPN authentication with Active Directory
Posted: Tue Feb 08, 2011 1:36 am
by adamincanada
I use the following lines:
# Authentication setup
client-cert-not-required
username-as-common-name
auth-user-pass-verify /bin/scripts/openvpn-super.pl via-env
# Notification and logging setup
client-connect /bin/scripts/openvpn-super.pl
client-disconnect /bin/scripts/openvpn-super.pl
Hope it works!
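The lines above are all server-side. As an added example (not from the thread), here is the matching pair of fragments with the one directive the server side needs in addition: OpenVPN 2.1 and later refuse to run user scripts unless script-security is set, and level 3, not 2, is required before the password may be passed to the script through the environment (via-env). The hostname in the client fragment is assumed.

```conf
# server.conf (added example; script paths as used in this thread)
script-security 3          # 2 allows scripts; 3 additionally lets the password reach the environment (via-env)
auth-user-pass-verify /bin/scripts/openvpn-super.pl via-env
client-connect /bin/scripts/openvpn-super.pl
client-disconnect /bin/scripts/openvpn-super.pl
username-as-common-name
client-cert-not-required   # no client certificate at all: an AD password alone opens the tunnel

# client.ovpn (added example; vpn.example.ca is an assumed hostname)
client
dev tun
proto udp
remote vpn.example.ca 1194
ca ca.crt
auth-user-pass             # prompt for the AD username and password
# no cert/key lines, because the server has client-cert-not-required
```

Two caveats. via-file needs only script-security 2 and keeps the password out of the process environment, so it is the mode to prefer when the script can read a file. And client-cert-not-required turns the VPN into password-only access; keeping per-client certificates alongside the AD check costs little and gives a second factor. In OpenVPN 2.4 and later the directive is spelled verify-client-cert none.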
Re: OpenVPN authentication with Active Directory
Posted: Tue Aug 02, 2011 7:08 pm
by tombodet
Anyone try this on 64-bit?
I'm getting the following when I run directly from the command line as a test:
Can't locate Authen/Krb5/Simple.pm in @INC (@INC contains: /usr/lib/perl5/5.8.8/Filter/ /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/5.8.8 .) at auth_ad_super.pl line 581.
BEGIN failed--compilation aborted at auth_ad_super.pl line 581.
Funny thing is, Simple.pm is in fact in the first @INC directory:
find / -name Simple.pm
/usr/lib/perl5/5.8.8/Filter/Simple.pm
/usr/lib/perl5/5.8.8/Test/Simple.pm
This is Centos 5.6 with perl installed from yum:
perl.x86_64 4:5.8.8-32.el5_5.2 installed
perl-Authen-Krb5.x86_64 1.9-1.el5 installed
perl-String-CRC32.x86_64 1.4-2.fc6 installed
Am I missing another package or do I need to set something else since it's 64 bit?
Re: OpenVPN authentication with Active Directory
Posted: Wed Aug 03, 2011 10:58 am
by janjust
try
yum install perl-Authen-Krb5-Simple
Re: OpenVPN authentication with Active Directory
Posted: Wed Aug 03, 2011 12:45 pm
by tombodet
janjust wrote:try
yum install perl-Authen-Krb5-Simple
Doesn't exist. Besides the base repo I have EPEL installed as well.
edit:
Hold the phone, found an rpm for it. That got me past the line then it wanted perl-LDAP. That got me what I believe is a running script:
./auth_ad_super.pl
2011-08-03 08:55:12 Invalid script_type: "" (expected client-connect, client-disconnect, or auth-user-pass-verify)
If it's giving me that output I believe it's compiling, I now need to fix the config?
Re: OpenVPN authentication with Active Directory
Posted: Wed Aug 03, 2011 12:53 pm
by janjust
hmmm I use CentOS 5 as well; on my box it's in the rpmforge repo:
[rpmforge]
name = RHEL $releasever - RPMforge.net - dag
baseurl = http://apt.sw.be/redhat/el5/en/$basearch/rpmforge
mirrorlist = http://apt.sw.be/redhat/el5/en/mirrors-rpmforge
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
enabled = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1
Re: OpenVPN authentication with Active Directory
Posted: Wed Aug 03, 2011 1:00 pm
by tombodet
Sorry jan I didn't refresh and updated my previous post.
I didn't realize rpmforge had a repo, that's actually where I got the rpm directly from.
Re: OpenVPN authentication with Active Directory
Posted: Wed Aug 03, 2011 1:13 pm
by janjust
yes, now fix the config and add the lines to the server config as posted earlier:
# Authentication setup
client-cert-not-required
username-as-common-name
auth-user-pass-verify /bin/scripts/openvpn-super.pl via-env
# Notification and logging setup
client-connect /bin/scripts/openvpn-super.pl
client-disconnect /bin/scripts/openvpn-super.pl
if your script is named 'auth_ad_super.pl' then adjust accordingly.
Re: OpenVPN authentication with Active Directory
Posted: Mon Aug 29, 2011 7:34 pm
by izghitu
Hi,
I tried to set this up but whenever I try to auth using a user/pass from the AD I get this in the openvpn logs:
WARNING: Failed running command (--auth-user-pass-verify): external program fork failed
TLS Auth Error: Auth Username/Password verification failed for peer
I get this when running it from command line:
[root@vpn openvpn]# ./openvpn-super.pl -c /etc/openvpn-super.conf -d
Configuration file parameters:
dc HASH(0x87a6d60)
-> 0 HOST
domain domain.com
group cn=Remote Desktop Users,ou=Domain Controllers,dc=domain,dc=com
logfile /var/log/openvpn.log
mailserver localhost
recipients HASH(0x8bc0db0)
-> email@gmail.com
2011-08-29 17:46:43 Invalid script_type: "" (expected client-connect, client-disconnect, or auth-user-pass-verify)
Am I doing something wrong?
Please help
Re: OpenVPN authentication with Active Directory
Posted: Mon Aug 29, 2011 7:48 pm
by izghitu
I've set the log file to /var/log/openvpn.log in both the config and in the script and set the debug to 1 but I get no output in /var/log/openvpn.log when authenticating via openvpn
Please help
Re: OpenVPN authentication with Active Directory
Posted: Tue Aug 30, 2011 10:14 am
by janjust
WARNING: Failed running command (--auth-user-pass-verify): external program fork failed
TLS Auth Error: Auth Username/Password verification failed for peer
this suggests that the script cannot be executed. Try adding
restart the server and try again.
Re: OpenVPN authentication with Active Directory
Posted: Tue Aug 30, 2011 7:39 pm
by izghitu
This is what I get:
WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
TLS Auth Error: Auth Username/Password verification failed for peer
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
[] Peer Connection Initiated with IP:49270
PUSH: Received control message: 'PUSH_REQUEST'
Delayed exit in 5 seconds
SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
IP:49270 SIGTERM[soft,delayed-exit] received, client-instance exiting
And I finally got an email. The email says:
Details: Cannot find KDC for requested realm (0x9a)
What's KDC? Please advise
Re: OpenVPN authentication with Active Directory
Posted: Tue Aug 30, 2011 8:56 pm
by janjust
KDC = Kerberos Domain Controller
In AD speak this is pretty much the same as the Active Directory server; it seems the AD authentication fails due to a realm mismatch; sorry, but I can't help you there, as I'm clueless as to how AD works.
Re: OpenVPN authentication with Active Directory
Posted: Wed Aug 31, 2011 4:53 am
by izghitu
Thanks for your help so far. One last question if you don't mind.
So the KDC is the IP or hostname of the AD server right? Then what's realm?
Re: OpenVPN authentication with Active Directory
Posted: Wed Aug 31, 2011 7:46 am
by janjust
this is getting off-topic for the openvpn forum... troubleshoot your connection to the AD server first, e.g. by reading up on
http://www.linuxmail.info/troubleshooti ... -centos-5/
it looks like you either use the wrong IP address of the AD server or you misspelled the Active Directory Realm, which is case-sensitive.
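For the realm question left open above, an added note and example, not part of the thread: KDC stands for Key Distribution Center, the Kerberos service that issues tickets; in Active Directory every domain controller runs one. "Cannot find KDC for requested realm" means the Kerberos library could not map the realm name it was given to any KDC, either through DNS (the _kerberos._tcp SRV record of the domain) or through a [realms] entry in krb5.conf. Realm names are case-sensitive, and an AD realm is the DNS domain name in upper case, so a script that passes the domain as written in its config (example.ca) asks for a realm that does not exist. The fragment below pins the realm to the two domain controllers from the first post; the hostnames and realm are that post's, the file is an assumed example.

```ini
# /etc/krb5.conf (added example; realm and KDC hosts follow the first post)
[libdefaults]
    default_realm = EXAMPLE.CA        # upper case: realm names are case-sensitive
    dns_lookup_kdc = true             # also allow SRV-record discovery of the KDCs

[realms]
    EXAMPLE.CA = {
        kdc = dc1.example.ca
        kdc = dc2.example.ca
    }

[domain_realm]
    .example.ca = EXAMPLE.CA
    example.ca = EXAMPLE.CA
```

Before touching OpenVPN, test the realm from the VPN host on its own: kinit someuser@EXAMPLE.CA must obtain a ticket, and dig SRV _kerberos._tcp.example.ca must return the domain controllers if DNS discovery is relied upon. If kinit fails with the same message, the problem is in the realm mapping or network reachability of the KDC, and no change to the OpenVPN script will fix it.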