OpenVPN + AD + Group + cert

Hi,

Maybe this solution isn't problematic for most people, but when I configured VyOS OpenVPN with Active Directory group authorization and a certificate per person, I had a little trouble putting all the parts together.

To-do list:

  1. Generate certificates for the server side - VyOS
  2. Install the openvpn-auth-ldap plugin for OpenVPN
  3. Configure ldap-auth
  4. Configure OpenVPN on VyOS
  5. Client configuration
  6. Configure static routes

1. Generate certificates for the server side - VyOS

1.1 - Copy the easy-rsa scripts to /etc/openvpn

vyatta@vyatta01# sudo su -
root@vyatta01:~# cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/

1.2 - Edit the "vars" parameters

root@vyatta01:/etc/openvpn# nano vars
export KEY_COUNTRY="US"
export KEY_PROVINCE="US"
export KEY_CITY="US"
export KEY_ORG="vyosCA"
export KEY_EMAIL="admin@us.us"

1.3 - Source "vars" and run "clean-all"

root@vyatta01:/etc/openvpn# source ./vars
root@vyatta01:/etc/openvpn# ./clean-all

1.4 - Create the CA, the server certificate + private key for VyOS, and the DH parameters

root@vyatta01:/etc/openvpn# ./build-ca
root@vyatta01:/etc/openvpn# ./build-key-server vyosserver
root@vyatta01:/etc/openvpn# ./build-dh

1.5 - Copy the keys to the config folder

root@vyatta-test-1:~# mkdir /config/auth/keys
root@vyatta-test-1:~# cp -R /etc/openvpn/keys/* /config/auth/keys/

1.6 - Create client keys

root@vyatta01:/etc/openvpn# ./build-key client

1.7 - Create the revocation list (crl.pem format)

First, we must revoke a key ("revokekey"):

Generate the revocation list:

The crl.pem file now appears in /etc/openvpn/keys; we must copy this list to /config/auth/keys.

2. Plugin installation

2.1 - Change the repository (as of 20.05.2016 the current release is 1.2.x, based on "jessie") + install the plugin

[code]$ configure
$ set system package repository squeeze components 'main contrib non-free'
$ set system package repository squeeze distribution 'jessie'
$ set system package repository squeeze url 'http://httpredir.debian.org/debian'
$ commit
$ exit

sudo apt-get update
sudo apt-get install openvpn-auth-ldap[/code]

3. Plugin configuration

[code]<LDAP>
    # LDAP server URL
    URL             ldap://192.168.1.126:389

    # Bind DN (read-only service account used for the user and group lookups)
    #BindDN         uid=admin,ou=Users,dc=test,dc=com
    BindDN          "CN=User_Read,OU=ADMIN,DC=US,DC=local"

    # Bind Password
    Password        "pass_user_read"

    # Network timeout (in seconds)
    Timeout         15

    # Enable Start TLS
    TLSEnable       no

    # Follow LDAP Referrals (anonymously)
    FollowReferrals yes

    # The TLS settings below are only used when TLSEnable is yes
    # TLS CA Certificate File
    TLSCACertFile   /config/auth/keys/ca.crt

    # TLS CA Certificate Directory
    TLSCACertDir    /config/auth/keys/

    # Client Certificate and key
    # If TLS client authentication is required
    #TLSCertFile    /config/auth/keys/
    #TLSKeyFile     /config/auth/keys/

    # Cipher Suite
    # The defaults are usually fine here
    # TLSCipherSuite        ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
    # Base DN - where the AD users allowed to use OpenVPN are searched for
    #BaseDN         "OU=ADMIN,DC=US,DC=local"
    BaseDN          "DC=US,DC=local"

    #UserAttribute  "DN"

    # User Search Filter
    #SearchFilter   "(&(uid=%u)(accountStatus=active))"
    #SearchFilter   "(&(sAMAccountName=%u)(msNPAllowDialin=TRUE))"
    SearchFilter    "(&(sAMAccountName=%u))"

    # Require Group Membership
    RequireGroup    true

    # Add non-group members to a PF table (disabled)
    #PFTable        ips_vpn_users

    <Group>
        # The AD group whose "member" attribute must contain the user's DN
        BaseDN          "OU=ADMIN,DC=US,DC=local"
        SearchFilter    "(cn=ADMIN)"
        MemberAttribute "member"

        # Add group members to a PF table (disabled)
        #PFTable        ips_vpn_eng
    </Group>
</Authorization>[/code]

4. Configure OpenVPN in VyOS:

[code]### global parameters
set interfaces openvpn vtun0
edit interfaces openvpn vtun0
set local-port 1194
set protocol udp
set mode server

### route option to the LAN network
set server push-route 192.168.0.0/24
set server subnet 192.168.99.0/24

### certificate config (files copied from /etc/openvpn/keys in step 1.5)
set tls ca-cert-file /config/auth/keys/ca.crt
set tls cert-file /config/auth/keys/vyosserver.crt
set tls crl-file /config/auth/keys/crl.pem
set tls dh-file /config/auth/keys/dh1024.pem
set tls key-file /config/auth/keys/vyosserver.key

### plugin config
set openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config"
set openvpn-option "--script-security 2"

commit
save
exit[/code]

5. Example client configuration:

[code]client
dev tun
proto udp
remote x.x.x.x
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
auth-user-pass
auth-nocache
ca "C:\\Program Files (x86)\\OpenVPN\\keys\\ca.crt"
cert "C:\\Program Files (x86)\\OpenVPN\\keys\\user.crt"
key "C:\\Program Files (x86)\\OpenVPN\\keys\\user.key"
ns-cert-type server
verb 3[/code]

6. Configure static routes on the routers:

On the router with the OpenVPN configuration we must configure routing to the OpenVPN virtual network:

And on the other router we must configure a static route:

UPDATE:

  • Added the revocation list configuration,
  • Added the static route,
  • Changed the repository to 1.2.x "jessie"
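The easy-rsa 2.0 scripts used in section 1 are thin wrappers around openssl(1). The script below is an added example, not part of the original post: it builds the same PKI with openssl directly, adds the revocation step the post leaves blank, and checks the result the way OpenVPN will (chain to the CA, not listed in crl.pem, serverAuth and nsCertType only on the server certificate, so a client certificate can never pass the client's "ns-cert-type server" or "remote-cert-tls server" check). The CA name vyosCA, the server name vyosserver, the client name client and the section names in the generated openssl.cnf are assumptions chosen to match the post. It needs only openssl and works in a scratch directory; on the VyOS box the resulting files go to /config/auth/keys as in step 1.5.

```sh
#!/bin/sh
# Added example, not from the post: the section-1 PKI built with openssl(1)
# directly instead of the easy-rsa 2.0 wrappers, plus revocation and checks.
# Names (vyosCA, vyosserver, client, the openssl.cnf section names) are assumed.
set -eu

# Create a CA directory: openssl.cnf, index/serial files, self-signed CA and an
# initially empty crl.pem.  Paths are relative, so each step runs in a subshell.
pki_init() {
  mkdir -p "$1/newcerts"
  ( cd "$1" || exit 1
    : > index.txt; echo 01 > serial; echo 01 > crlnumber
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca       = vyos_ca
[ vyos_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 3650
default_crl_days = 30
policy           = vyos_policy
[ vyos_policy ]
commonName       = supplied
[ req ]
default_md         = sha256
prompt             = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
# nsCertType is what the client's "ns-cert-type server" checks, extendedKeyUsage
# what "remote-cert-tls server" checks; clients get clientAuth only.
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType       = server
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
      -days 3650 -subj "/CN=vyosCA" -config openssl.cnf -extensions ca_ext
    chmod 600 ca.key
    openssl ca -batch -config openssl.cnf -gencrl -out crl.pem )
}

# Issue NAME.key / NAME.csr / NAME.crt: $1 = pki dir, $2 = name (the CN),
# $3 = server_ext or client_ext.
pki_sign() {
  ( cd "$1" || exit 1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
      -subj "/CN=$2" -config openssl.cnf
    chmod 600 "$2.key"
    openssl ca -batch -notext -config openssl.cnf -extensions "$3" \
      -in "$2.csr" -out "$2.crt" )
}

# True if NAME.crt carries the serverAuth EKU (what "remote-cert-tls server" wants).
pki_has_server_eku() {
  openssl x509 -in "$1/$2.crt" -noout -text | grep -q 'TLS Web Server Authentication'
}
# True if NAME.crt chains to ca.crt and is not listed in crl.pem.
pki_verify() {
  openssl verify -CAfile "$1/ca.crt" -crl_check -CRLfile "$1/crl.pem" "$1/$2.crt" \
    >/dev/null 2>&1
}

# The step the post leaves blank: revoke NAME.crt and regenerate crl.pem.  The CRL
# expires after default_crl_days, so regenerate and recopy it before that.
pki_revoke() {
  ( cd "$1" || exit 1
    openssl ca -config openssl.cnf -revoke "$2.crt"
    openssl ca -config openssl.cnf -gencrl -out crl.pem )
}
# DH parameters for "tls dh-file": 2048 bits (easy-rsa 2.0 defaults to 1024,
# which is too weak today).  Slow, so it is not part of the demo below.
pki_dhparam() { openssl dhparam -out "$1/dh2048.pem" 2048; }

# Stand-alone demo in a scratch directory.  On VyOS copy ca.crt, vyosserver.crt,
# vyosserver.key, crl.pem and the dh file to /config/auth/keys (step 1.5).
DEMO=$(mktemp -d)
pki_init "$DEMO"
pki_sign "$DEMO" vyosserver server_ext
pki_sign "$DEMO" client client_ext
pki_has_server_eku "$DEMO" vyosserver && echo "vyosserver.crt: serverAuth present"
pki_verify "$DEMO" client && echo "client.crt: valid"
pki_revoke "$DEMO" client
pki_verify "$DEMO" client || echo "client.crt: rejected after revocation (expected)"
```

The VyOS config in section 4 points at dh1024.pem, which is what easy-rsa 2.0's default KEY_SIZE produces; pki_dhparam above generates 2048 bits instead. Whenever a person leaves, run pki_revoke for their certificate and recopy crl.pem to /config/auth/keys: the tls crl-file setting is only as current as the file on disk, and a stale or expired CRL will eventually break verification for everyone rather than just the revoked user.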

Hi, a question with regard to installing the openvpn-auth-ldap plugin.
I'm following your procedure precisely and getting an issue with the openvpn-auth-ldap plugin:
-------------- my configs -----------
admin@TEMP-2# show system package repository
repository community {
components main
distribution helium
password ""
url http://packages.vyos.net/vyos
username ""
}
repository squeeze {
components "main contrib non-free"
distribution squeeze
url http://mirrors.kernel.org/debian/
}

Firstly, I get multiple errors about outdated indexes while executing apt-get update (after adding squeeze):
--------------- output after running update ---------------
root@TEMP-2:/home/admin# sudo apt-get update
Ign http://mirrors.kernel.org squeeze Release.gpg
Ign http://mirrors.kernel.org/debian/ squeeze/contrib Translation-en
Ign http://mirrors.kernel.org/debian/ squeeze/main Translation-en
Ign http://mirrors.kernel.org/debian/ squeeze/non-free Translation-en
Ign http://mirrors.kernel.org squeeze Release
Ign http://packages.vyos.net helium Release.gpg
Ign http://packages.vyos.net/vyos/ helium/main Translation-en
Err http://mirrors.kernel.org squeeze/main amd64 Packages
404 Not Found [IP: 149.20.37.36 80]
Ign http://packages.vyos.net helium Release
Err http://mirrors.kernel.org squeeze/contrib amd64 Packages
404 Not Found [IP: 149.20.37.36 80]
Err http://mirrors.kernel.org squeeze/non-free amd64 Packages
404 Not Found [IP: 149.20.37.36 80]
Err http://packages.vyos.net helium/main amd64 Packages
404 Not Found
W: Failed to fetch http://mirrors.kernel.org/debian/dists/squeeze/main/binary-amd64/Packages.gz 404 Not Found [IP: 149.20.37.36 80]

W: Failed to fetch http://mirrors.kernel.org/debian/dists/squeeze/contrib/binary-amd64/Packages.gz 404 Not Found [IP: 149.20.37.36 80]

W: Failed to fetch http://mirrors.kernel.org/debian/dists/squeeze/non-free/binary-amd64/Packages.gz 404 Not Found [IP: 149.20.37.36 80]

W: Failed to fetch http://packages.vyos.net/vyos/dists/helium/main/binary-amd64/Packages.gz 404 Not Found

E: Some index files failed to download, they have been ignored, or old ones used instead.

------------------end of output --------------------------------------------

Secondly, while executing apt-get install openvpn-auth-ldap I get the error "Unable to locate package":

----------- output after an attempt to install -----------------
root@TEMP-2:/home/admin# sudo apt-get install openvpn-auth-ldap
Reading package lists… Done
Building dependency tree
Reading state information… Done
E: Unable to locate package openvpn-auth-ldap
------------------- end of output.

Any suggestions? Thanks.

Hi, I've followed the steps of your LDAP configuration, however I could not connect to my server. I keep receiving an error message that it was unable to bind from cn=xxx,ou=xxx,dc=xxx,dc=xxx
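When the plugin reports that it cannot bind, the quickest way to find out whether the section-3 config or the directory is at fault is to repeat the plugin's three LDAP operations from the command line, outside OpenVPN: bind as the BindDN, resolve the user's DN with the SearchFilter, and check that this DN is a value of the group's member attribute. The script below is an added example and not from this thread. Its server URL, BindDN, password, base DNs and group filter are copied from the posted config and are assumptions; the live queries use ldapsearch from ldap-utils and only run with LDAP_LIVE=1 against a reachable domain controller, while the LDIF handling is exercised on a constructed sample so the script runs offline. The filter-escape function is there because the value substituted for %u comes from the VPN client; the example escapes it for its own query, and makes no claim about what the plugin does internally.

```sh
#!/bin/sh
# Added example, not from the thread: reproduce the bind / user lookup / group
# membership checks of openvpn-auth-ldap with ldapsearch(1).  Connection values
# are copied from the posted config and are assumptions.
set -eu

LDAP_URL="ldap://192.168.1.126:389"
BIND_DN="CN=User_Read,OU=ADMIN,DC=US,DC=local"
BIND_PW="pass_user_read"
USER_BASE="DC=US,DC=local"
GROUP_BASE="OU=ADMIN,DC=US,DC=local"
GROUP_FILTER="(cn=ADMIN)"
MEMBER_ATTR="member"

# Escape a value before it goes into a search filter (RFC 4515): "\", "*", "("
# and ")" become \5c \2a \28 \29.  Without this a login name of "*" turns
# "(sAMAccountName=%u)" into a filter matching every account with that attribute.
ldap_filter_escape() {
  printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# ldapsearch folds long LDIF lines at 76 columns; a continuation line starts with
# one space.  Join them back before matching anything.
ldif_unfold() {
  awk '/^ / { printf "%s", substr($0, 2); next }
       { if (NR > 1) printf "\n"; printf "%s", $0 }
       END { if (NR > 0) printf "\n" }'
}
# First "dn:" value in the LDIF on stdin (the DN the plugin would bind as).
ldif_dn() { ldif_unfold | awk '/^dn: / { print substr($0, 5); exit }'; }
# True if attribute $2 in the LDIF on stdin has the value $1.  DNs compare
# case-insensitively as in AD.  Base64 values ("attr:: ...", which ldapsearch
# emits for non-ASCII DNs) are not decoded here.
ldif_has_value() { ldif_unfold | grep -qixF "$2: $1"; }

# 1. The "unable to bind" failure: can the service account bind at all?
ldap_bind_check() {
  ldapsearch -x -LLL -H "$LDAP_URL" -D "$BIND_DN" -w "$BIND_PW" -b "$USER_BASE" -s base dn
}
# 2. Which DN does "(&(sAMAccountName=%u))" resolve to for a login name?
ldap_user_dn() {
  ldapsearch -x -LLL -H "$LDAP_URL" -D "$BIND_DN" -w "$BIND_PW" -b "$USER_BASE" \
    "(&(sAMAccountName=$(ldap_filter_escape "$1")))" dn | ldif_dn
}
# 3. Is that DN listed in the group's member attribute (what RequireGroup true needs)?
ldap_group_check() {
  ldapsearch -x -LLL -H "$LDAP_URL" -D "$BIND_DN" -w "$BIND_PW" -b "$GROUP_BASE" \
    "$GROUP_FILTER" "$MEMBER_ATTR" | ldif_has_value "$1" "$MEMBER_ATTR"
}

# Constructed sample of what step 3 returns for the group (not real data);
# the last value is folded the way ldapsearch folds it.
SAMPLE_GROUP_LDIF='dn: CN=ADMIN,OU=ADMIN,DC=US,DC=local
member: CN=Jan Kowalski,OU=Users,DC=US,DC=local
member: CN=Long Name That Makes ldapsearch Fold The Line,OU=Users,DC=US,DC=lo
 cal
'

# Offline demo.  With LDAP_LIVE=1 the real queries run: ldap_bind_check,
# ldap_user_dn LOGIN and ldap_group_check "DN" (login name from $1).
echo "escaped filter value: $(ldap_filter_escape 'j.kowalski*(test)')"
printf '%s' "$SAMPLE_GROUP_LDIF" | ldif_has_value "cn=jan kowalski,ou=users,dc=us,dc=local" member \
  && echo "Jan Kowalski: member of ADMIN"
printf '%s' "$SAMPLE_GROUP_LDIF" | ldif_has_value "CN=Nobody,OU=Users,DC=US,DC=local" member \
  || echo "Nobody: not a member, RequireGroup true would refuse the login"
if [ "${LDAP_LIVE:-0}" = 1 ]; then
  ldap_bind_check && echo "bind as $BIND_DN: OK"
  u=$(ldap_user_dn "${1:-testuser}")
  echo "user DN: $u"
  ldap_group_check "$u" && echo "in group" || echo "NOT in group"
fi
```

If ldap_bind_check already fails, the BindDN or password is wrong, or the directory only accepts the account in a different form (AD also accepts user@domain as the bind name), and nothing in the OpenVPN config will help. If the bind works but ldap_group_check fails for a user who is in the group, compare the DN the search returned with the values in the member attribute character by character: the plugin matches the exact DN, not the sAMAccountName.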