Hi,
This may not be a problem for most people, but when I set up VyOS OpenVPN with Active Directory group authorization and one certificate per user, I had some trouble putting all the parts together. Here is the complete recipe.
Steps:
- Generate the server-side certificate (on VyOS)
- Install the openvpn-auth-ldap plugin
- Configure ldap-auth
- Configure OpenVPN on VyOS
- Client configuration
- Configure static routes
1. Generate the server-side certificate (on VyOS)
1.1 - Copy the easy-rsa scripts to /etc/openvpn
# Become root: easy-rsa keeps its CA database and keys under the directory it is run from.
vyatta@vyatta01# sudo su -
# Copy the bundled easy-rsa 2.0 scripts next to the OpenVPN config; from now on
# /etc/openvpn is the CA working directory and /etc/openvpn/keys holds every key it issues.
root@vyatta01:~# cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/
1.2 - Edit the “vars” parameters
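root@vyatta01:/etc/openvpn#nano vars
# Identity fields baked into every certificate this CA issues.
export KEY_COUNTRY="US"
export KEY_PROVINCE="US"
export KEY_CITY="US"
export KEY_ORG="vyosCA"
export KEY_EMAIL="[email protected]"
# Key length used for the CA, server and client keys and for the DH parameters.
# The rest of this post references dh1024.pem, i.e. the 1024-bit default; 1024-bit
# RSA/DH is no longer considered adequate, so raise it to 2048. build-dh then writes
# dh2048.pem and the "tls dh-file" option in step 4 must reference that name instead.
export KEY_SIZE=2048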
1.3 - Source “vars” and run “clean-all” (only for a brand-new CA — it deletes every existing key)
# Load the parameters from vars into this shell; all easy-rsa scripts read them from the environment.
root@vyatta01:/etc/openvpn#source ./vars
# clean-all deletes everything under the keys directory and starts an empty CA database.
# Run it once when creating a new CA, never again afterwards -- a second run destroys the CA
# and every certificate it has issued, and all clients stop working.
root@vyatta01:/etc/openvpn#./clean-all
1.4 - Create the CA, then the server certificate/key pair for VyOS and the DH parameters
# CA certificate and CA private key (ca.crt / ca.key). The CA key signs every client
# certificate, so anyone who obtains it can mint VPN identities -- keep it root-only and backed up.
root@vyatta01:/etc/openvpn#./build-ca
# Server certificate and key. The argument is the file name: this writes vyosserver.crt and
# vyosserver.key, so the "tls cert-file" / "key-file" options in step 4 must use exactly those names.
root@vyatta01:/etc/openvpn# ./build-key-server vyosserver
# Diffie-Hellman parameters; the size follows KEY_SIZE from vars and the file is named after it
# (dh1024.pem for the 1024-bit default, dh2048.pem for 2048). Prefer 2048 bits.
root@vyatta01:/etc/openvpn#./build-dh
1.5 - Copy the keys to the persistent config folder
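root@vyatta-test-1:~# mkdir -p /config/auth/keys
# /config is the part of a VyOS box that persists across image upgrades. This copy carries
# the whole easy-rsa key directory -- including ca.key, the CA private key -- not only the
# files OpenVPN needs (ca.crt, server cert/key, dh*.pem, crl.pem). Treat /config/auth/keys
# as CA material: keep it root-only and back it up; if you would rather not keep the CA
# on the gateway, copy only the files listed above and move the CA elsewhere.
root@vyatta-test-1:~# cp -R /etc/openvpn/keys/* /config/auth/keys/
# Private keys must never be readable by other accounts. OpenVPN opens them at start-up
# (as root), so mode 600 is sufficient.
root@vyatta-test-1:~# chmod 600 /config/auth/keys/*.key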
1.6 - Create the client certificates (one per user)
# One certificate per person: the argument is both the common name and the file name, so
# use the user's name instead of "client" (this example produces client.crt / client.key).
# The client config in step 5 must reference the same file names, and the .key file has to be
# handed to that user over a secure channel -- never sent by plain e-mail.
root@vyatta01:/etc/openvpn# ./build-key client
1.7 - Create the revocation list (crl.pem)
First, revoke the certificate of the user who should no longer have access (the command is missing from the post; easy-rsa 2.0 ships a “revoke-full” script that revokes a certificate and regenerates the CRL):
Then generate the revocation list (again, the command did not make it into the post):
easy-rsa writes the list to /etc/openvpn/keys/crl.pem; copy this file to /config/auth/keys, which is where the “tls crl-file” option in step 4 points. Repeat the revoke + copy after every revocation — until the new crl.pem is in place the revoked certificate is still accepted.
2. Plugin installation
2.1 Add a Debian repository (as of 20.05.2016 the current VyOS is 1.2.x, based on “jessie”) and install the plugin
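[code]$ configure
# "squeeze" is only the label of this repository entry in the VyOS config; the archive actually
# pulled is jessie. Use straight ASCII quotes -- the typographic quotes in the original post
# are not accepted by the CLI.
$ set system package repository squeeze components 'main contrib non-free'
$ set system package repository squeeze distribution 'jessie'
$ set system package repository squeeze url 'http://httpredir.debian.org/debian'
# The repository is not written to sources until the change is committed.
$ commit
$ save
# Packages installed with apt live outside the VyOS image; expect to repeat this step after an
# image upgrade. apt verifies the Debian archive signatures -- if it warns about unauthenticated
# packages, fix the keyring instead of forcing the install.
$ sudo apt-get update
$ sudo apt-get install openvpn-auth-ldap[/code]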
3. Plugin configuration
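[code]# /config/auth/ldap-auth.config -- openvpn-auth-ldap plugin configuration.
# The <LDAP>, <Authorization> and <Group> section tags are required by the plugin's parser;
# they appear to have been stripped from the original post.
# This file holds the AD bind password: keep it root-owned, mode 600.
<LDAP>
    # LDAP server URL
    URL ldap://192.168.1.126:389
    # Service account used to search the directory; read access is all it needs.
    #BindDN uid=admin,ou=Users,dc=test,dc=com
    BindDN "CN=User_Read,OU=ADMIN,DC=US,DC=local"
    # Bind Password
    Password "pass_user_read"
    # Network timeout (in seconds)
    Timeout 15
    # Enable Start TLS
    # CAUTION: with "no", the bind password and every VPN user's AD password cross the network
    # in cleartext on port 389. Set this to "yes" as soon as TLSCACertFile points at the CA that
    # issued the domain controller's certificate -- the OpenVPN CA referenced below only works
    # if that same CA issued the DC's LDAP certificate.
    TLSEnable no
    # Follow LDAP Referrals (anonymously). With a BaseDN at the domain root AD may return
    # referrals; chasing them anonymously can slow logins down -- set to "no" if that happens.
    FollowReferrals yes
    # TLS CA Certificate File
    TLSCACertFile /config/auth/keys/ca.crt
    # TLS CA Certificate Directory
    TLSCACertDir /config/auth/keys/
    # Client Certificate and key -- only if the DC requires TLS client authentication.
    # Left unset here: the original pointed both at a directory, which is not a certificate.
    #TLSCertFile /config/auth/keys/ldap-client.crt
    #TLSKeyFile /config/auth/keys/ldap-client.key
    # Cipher Suite
    # The defaults are usually fine here
    # TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
    # Base DN under which VPN users are searched. Only one BaseDN may be active; the original
    # listed two. The domain root is used so that group membership (below) decides who gets in,
    # not the OU an account happens to live in.
    #BaseDN "OU=ADMIN,DC=US,DC=local"
    BaseDN "DC=US,DC=local"
    # User Search Filter -- %u is the username typed into the OpenVPN client
    #SearchFilter "(&(uid=%u)(accountStatus=active))"
    #SearchFilter "(&(sAMAccountName=%u)(msNPAllowDialin=TRUE))"
    SearchFilter "(&(sAMAccountName=%u))"
    # Require Group Membership -- with "true" a correct password alone is not enough;
    # the account must also be listed in the <Group> below.
    RequireGroup true
    # Add non-group members to a PF table (disabled)
    #PFTable ips_vpn_users
    <Group>
        # The group whose "member" attribute lists the allowed users (AD stores full DNs there).
        # As far as I can see the plugin checks direct membership only -- nested groups are
        # not expanded, so put users straight into this group.
        BaseDN "OU=ADMIN,DC=US,DC=local"
        SearchFilter "(cn=ADMIN)"
        MemberAttribute "member"
        # Add group members to a PF table (disabled)
        #PFTable ips_vpn_eng
    </Group>
</Authorization>
[/code]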
4. Configure OpenVPN in VyOS:
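[code]### global parameters
set interfaces openvpn vtun0
edit interfaces openvpn vtun0
set local-port 1194
set protocol udp
set mode server
# Route pushed to the clients for the LAN behind VyOS, and the tunnel subnet handed out to them
set server push-route 192.168.0.0/24
set server subnet 192.168.99.0/24
#### Certificate config
# File names must match what easy-rsa produced in step 1.4: "./build-key-server vyosserver"
# writes vyosserver.crt / vyosserver.key (the original post referenced vyoskey.*, which does not exist).
set tls ca-cert-file /config/auth/keys/ca.crt
set tls cert-file /config/auth/keys/vyosserver.crt
# The CRL from step 1.7. OpenVPN consults the file at each client handshake, so re-copying
# crl.pem after a revocation should not need a restart.
set tls crl-file /config/auth/keys/crl.pem
# 1024-bit DH is weak by today's standards; build the parameters with KEY_SIZE=2048 in vars
# and reference dh2048.pem here instead.
set tls dh-file /config/auth/keys/dh1024.pem
set key-file /config/auth/keys/vyosserver.key
##### Plugin config
# Straight quotes and a double dash: the original post had typographic quotes and an en-dash,
# which the CLI does not accept. The config file holds the AD bind password -> root-owned, mode 600.
# Consider adding an HMAC key (tls-auth / tls-crypt) as well so unauthenticated packets are
# dropped before the TLS handshake; it is not part of this setup.
set openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config"
set openvpn-option "--script-security 2"
commit
save
##########[/code]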
5. Example client configuration:
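client
dev tun
# The username/password are checked against AD by the server-side LDAP plugin; the
# certificate below is checked first, so both are required to connect.
auth-user-pass
tls-client
# Do not cache the AD password in memory between reconnects.
auth-nocache
persist-tun
persist-key
proto udp
remote x.x.x.x
resolv-retry infinite
nobind
# (persist-key / persist-tun were listed twice in the original; once is enough.)
ca "C:\\Program Files (x86)\\OpenVPN\\keys\\ca.crt"
# user.crt / user.key are the files produced by "./build-key <name>" in step 1.6
# (client.crt / client.key for the example name). Restrict the .key file to this user:
# by default everything under Program Files is readable by every local account.
cert "C:\\Program Files (x86)\\OpenVPN\\keys\\user.crt"
key "C:\\Program Files (x86)\\OpenVPN\\keys\\user.key"
# ns-cert-type is deprecated. remote-cert-tls checks the serverAuth extended key usage that
# easy-rsa's build-key-server puts into the server certificate, so a stolen client
# certificate cannot be used to impersonate the server.
remote-cert-tls server
verb 3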
6. Configure static routes on the routers:
On the router running OpenVPN, the route to the OpenVPN virtual network (192.168.99.0/24 in this example) must be in place (the example command did not make it into the post):
And on every other router, a static route for that subnet pointing at the VyOS box is needed (example also missing):
UPDATE:
- Added the revocation-list configuration,
- Added the static routes,
- Changed the repository to 1.2.x “jessie”.