OpenVPN install auth against OpenLDAP
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Jul 09, 2015 11:19 am
OpenVPN install auth against OpenLDAP
Hello all,
I have been using pptpd for years. I use pptp as the VPN server and delegate auth to freeradius.
I wanted to use OpenVPN auth against our OpenLDAP. For users, I want them to use their username and password to connect to the VPN. Can you guys point me to the right user guide?
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
Re: OpenVPN install auth against OpenLDAP
You have 2 ways:
1) configure your system PAM stack to use LDAP, or
2) use OpenVPN's LDAP module.
Michael.
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Jul 09, 2015 11:19 am
Re: OpenVPN install auth against OpenLDAP
Thanks,
I see there is an LDAP module for OpenVPN; I will try using that.
Another question: will a VPN client always have to have a certificate, or will I have to generate a certificate for each VPN client?
K
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
Re: OpenVPN install auth against OpenLDAP
You can use user/pass auth only.
Michael.
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Jul 09, 2015 11:19 am
Re: OpenVPN install auth against OpenLDAP
Okay, thanks.
For the testing environment, I have three IP addresses:
server 192.168.1.1 (this is where it listens, etc.)
client1 192.168.1.2
client2 192.168.1.3
client3 192.168.1.4
and I wanted to do dev tun. Where shall I tell the OpenVPN server to use these three addresses for the clients?
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
Re: OpenVPN install auth against OpenLDAP
You can't have the same IP range on both the LAN and the VPN interface;
you can assign static IPs to your clients by using ccd files.
Michael.
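The ccd mechanism Michael points to, as an added example that is not from this thread or from the OpenVPN project: a small POSIX shell helper that writes a client-config-dir entry pinning one user to one VPN address. The server directives it assumes (topology subnet, a 10.8.0.0/24 pool, client-config-dir /etc/openvpn/ccd, username-as-common-name) and the paths are assumptions for the example, not settings from the posts. With username-as-common-name the ccd file is named after the LDAP username, so the helper refuses names that could escape the directory, and it covers the legacy net30 topology, where OpenVPN only accepts /30 endpoint pairs (client 4n+2, server 4n+1).

```shell
#!/bin/sh
# Added example (not from the thread): give a user a fixed VPN address through a
# client-config-dir (ccd) file. Assumed server.conf lines (hypothetical):
#   topology subnet
#   server 10.8.0.0 255.255.255.0
#   client-config-dir /etc/openvpn/ccd
#   username-as-common-name     # so the ccd file is named after the LDAP username
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"
VPN_MASK="${VPN_MASK:-255.255.255.0}"

# Render the ccd line. In "subnet" topology it is address + netmask; in the legacy
# "net30" topology each client needs a /30 pair and OpenVPN only accepts the
# client/server endpoints 4n+2 / 4n+1 (e.g. 10.8.0.6 10.8.0.5).
ccd_body() {  # $1 = topology, $2 = client address
    case "$1" in
        subnet) printf 'ifconfig-push %s %s\n' "$2" "$VPN_MASK" ;;
        net30)
            last=${2##*.}
            base=${2%.*}
            [ $(( last % 4 )) -eq 2 ] || return 1
            printf 'ifconfig-push %s %s.%s\n' "$2" "$base" "$(( last - 1 ))" ;;
        *) return 1 ;;
    esac
}

# The username becomes a file name under CCD_DIR, so refuse anything that could
# escape the directory ('../x', '..') or that OpenVPN would not match as a CN anyway.
write_ccd() {  # $1 = username, $2 = topology, $3 = client address
    case "$1" in
        ''|*[!a-zA-Z0-9._-]*|..|.) return 1 ;;
    esac
    body=$(ccd_body "$2" "$3") || return 1
    mkdir -p "$CCD_DIR" && printf '%s\n' "$body" > "$CCD_DIR/$1"
}

# Usage: write_ccd alice subnet 10.8.0.50
# No restart needed: OpenVPN reads the ccd file each time that client connects.
```

OpenVPN reads the ccd file at every connect, so entries take effect without a restart; the address handed out must sit inside the pool given to the server directive, and in net30 mode the helper rejects anything that is not the client half of a /30 pair.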
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Jul 09, 2015 11:19 am
Re: OpenVPN install auth against OpenLDAP
Hmm, why can't I? At present I have one whole subnet for the VPN server, where the 1st IP is for the VPN server interface and the rest is for the VPN clients.
All I am trying to do is test here and there to move from pptpd to OpenVPN.
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
Re: OpenVPN install auth against OpenLDAP
maikcat wrote: you cant have the same ip range in both lan & vpn interface,
Meaning that you CAN'T have LAN IP 192.168.110 and VPN IP 192.168.1.1 when you use OpenVPN in tun mode.
khapare wrote: At present I have one whole subnet for the VPN server, where 1st IPs is for VPN server interface rest is for the VPN clients.
I think you didn't understand what I said...
Michael.
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Jul 09, 2015 11:19 am
Re: OpenVPN install auth against OpenLDAP
Ah, now I understand.
My server is up and running now!!!
Where can I download an OpenVPN client for Mac and Windows? It seems the OpenVPN client from OpenVPN is licensed?
K
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
Re: OpenVPN install auth against OpenLDAP
The OpenVPN open source edition is the SAME binary, acting as server or client depending on its config file.
The AS version is NOT free...
Michael.
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Jul 09, 2015 11:19 am
Re: OpenVPN install auth against OpenLDAP
Hi again,
I am having trouble with OpenVPN client authentication.
I now have physical hardware with two physical interfaces, eth0 and eth1.
I have been given a small subnet by the network administrator which I wanted to use for OpenVPN via eth1. Here are my server.conf and client.conf. When I try to connect from the client I get the following message on the server. I used a self-signed certificate.
server.conf:
# listen only on the eth1 address
local 130.208.143.88
proto udp
dev tun
# server certificate chain; clients only need ca.crt
ca ca.crt
cert jord.crt
key jord.key
dh dh2048.pem
# VPN address pool (must not overlap the LAN subnet)
server 130.208.72.64 255.255.255.240
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
# drop privileges after start-up
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 5
# username/password checked by the openvpn-auth-ldap plugin using ldap.conf
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
# no per-client certificate; replaced by "verify-client-cert none" from OpenVPN 2.4 on
client-cert-not-required
# the LDAP username takes the place of the certificate CN (ccd file name, status log)
username-as-common-name
client.conf:
client
proto udp
dev tun
remote 130.208.143.88
# CA that signed the server certificate
ca ca.crt
comp-lzo
# prompt for the LDAP username and password
auth-user-pass
verb 5
Server log:
Mon Sep 21 11:16:25 2015 us=979107 MULTI: multi_create_instance called
Mon Sep 21 11:16:25 2015 us=979211 130.208.144.79:1194 Re-using SSL/TLS context
Mon Sep 21 11:16:25 2015 us=979265 130.208.144.79:1194 LZO compression initialized
Mon Sep 21 11:16:25 2015 us=979450 130.208.144.79:1194 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:3 ]
Mon Sep 21 11:16:25 2015 us=979472 130.208.144.79:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Mon Sep 21 11:16:25 2015 us=979648 130.208.144.79:1194 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Mon Sep 21 11:16:25 2015 us=979683 130.208.144.79:1194 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Mon Sep 21 11:16:25 2015 us=979716 130.208.144.79:1194 Local Options hash (VER=V4): '530fdded'
Mon Sep 21 11:16:25 2015 us=979741 130.208.144.79:1194 Expected Remote Options hash (VER=V4): '41690919'
RMon Sep 21 11:16:25 2015 us=979815 130.208.144.79:1194 TLS: Initial packet from [AF_INET]130.208.144.79:1194, sid=4dff416d d16921f6
WRRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRMon Sep 21 11:16:28 2015 us=13015 130.208.144.79:1194 TLS: new session incoming connection from [AF_INET]130.208.144.79:1194
WWRWWWWWWWWWWWWWWWMon Sep 21 11:17:25 2015 us=218778 130.208.144.79:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Sep 21 11:17:25 2015 us=218818 130.208.144.79:1194 TLS Error: TLS handshake failed
Mon Sep 21 11:17:25 2015 us=218961 130.208.144.79:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
Any guidance would be great
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: OpenVPN install auth against OpenLDAP
khapare wrote: plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
You need a script to drive that; see --auth-user-pass-verify in The Manual v23x.
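One way to implement the script Traffic refers to, as an added example that is not from this thread or from the OpenVPN project: an --auth-user-pass-verify script in via-file mode that performs a simple bind against OpenLDAP with the credentials the client typed. The LDAP URI, the user base DN, the script path and the use of ldapwhoami (from the OpenLDAP client tools, packaged as ldap-utils or openldap-clients) are assumptions. It is the alternative to the openvpn-auth-ldap plugin in the server.conf above, which does its own bind; the two are not meant to be combined for the same purpose. Two checks matter more than the bind itself: the username is client-supplied and is spliced into a DN, so only a conservative character set is accepted, and an empty password is refused before it reaches the directory, because a simple bind with an empty password is treated as an unauthenticated bind by many LDAP servers and comes back as success.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN --auth-user-pass-verify script, via-file mode.
# Assumed server.conf lines (hypothetical paths):
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/auth/ldap-verify.sh via-file
# Needs ldapwhoami from the OpenLDAP client tools (ldap-utils / openldap-clients).
# LDAP server, base DN and the StartTLS requirement below are assumptions for the example.

LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"
USER_BASE_DN="${USER_BASE_DN:-ou=People,dc=example,dc=com}"

# Only accept a conservative username charset: the value comes straight from the
# client and is spliced into a DN below, so anything else (spaces, '(', ')', '*',
# ',', '=') is refused rather than escaped.
valid_username() {
    case "$1" in
        ''|*[!a-zA-Z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# via-file: OpenVPN writes the username on line 1 and the password on line 2.
read_credentials() {
    CRED_USER=$(sed -n '1p' "$1")
    CRED_PASS=$(sed -n '2p' "$1")
}

# Simple bind as the user. The password goes through a 0600 temp file (-y) rather
# than the command line, so it does not show up in `ps`. -ZZ insists on StartTLS.
ldap_bind_check() {
    pwfile=$(mktemp) || return 1
    printf '%s' "$2" > "$pwfile"
    if ldapwhoami -x -ZZ -H "$LDAP_URI" -D "uid=$1,$USER_BASE_DN" -y "$pwfile" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$pwfile"
    return $rc
}

# Exit status is what OpenVPN looks at: 0 = accept the client, anything else = reject.
verify_via_file() {
    read_credentials "$1"
    if ! valid_username "$CRED_USER"; then
        echo "ldap-verify: rejected malformed username" >&2
        return 1
    fi
    # An empty password must never reach the directory: a simple bind with an empty
    # password is an *unauthenticated* bind (RFC 4513) and many servers accept it.
    if [ -z "$CRED_PASS" ]; then
        echo "ldap-verify: rejected empty password for $CRED_USER" >&2
        return 1
    fi
    ldap_bind_check "$CRED_USER" "$CRED_PASS"
}

# OpenVPN passes the temp file path as $1; with no argument nothing runs.
if [ -n "${1:-}" ]; then
    verify_via_file "$1"
    exit $?
fi
```

Because the server.conf above drops privileges with user nobody / group nobody, the script has to be readable and executable by that account, and the temp file mktemp creates belongs to it as well. If the directory rejects the bind the client sees AUTH_FAILED; if ldapwhoami is missing or the server is unreachable the script also returns non-zero, so an outage fails closed rather than open.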
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Jul 09, 2015 11:19 am
Re: OpenVPN install auth against OpenLDAP
Isn't this plugin supposed to handle the OpenLDAP auth?
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
ldap.conf has the information on where to get the users from.
What script needs to be kicked on?