OpenVPN with 2-factor authentication

Hi all.
In my company, I have implemented a Vyatta-based VPN access server and use TLS for endpoint authorization. It worked like a charm until the day I heard about 2-factor authentication. Yes, there is a risk with my setting: for any reason, a lost laptop/tablet can be used by an unauthorized guy to connect to our system! Therefore, the need for 2-factor authentication came to my mind. After 2 days of working on it, I succeeded in configuring 2-factor authentication on our Vyatta VPN access server. The 1st factor, of course, is our signed certificates that were distributed to the laptops/tablets/smartphones of our executive board. The 2nd factor is an account in our Active Directory. Now, in case our users lose their device, unauthorized people cannot connect to our system due to AD account protection.
My worklog is below:

  1. Install the package openvpn-auth-ldap:
    1.1 Add the repository:
        root@VPN-RAS# show system package
        auto-sync 1
        repository squeeze {
            components main
            distribution squeeze
            password ""
            url http://ftp.de.debian.org/debian
            username ""
        }
    1.2 Update the repository:
        root@VPN-RAS:/config/auth# apt-get update
        Hit http://ftp.de.debian.org squeeze Release.gpg
        Ign http://ftp.de.debian.org/debian/ squeeze/main Translation-en
        Hit http://ftp.de.debian.org squeeze Release
        Hit http://ftp.de.debian.org squeeze/main i386 Packages
        Reading package lists... Done
        root@VPN-RAS:/config/auth#
    1.3 Install the openvpn-auth-ldap package:
        root@VPN-RAS:/config/auth# apt-get install openvpn-auth-ldap
        Reading package lists... Done
        Building dependency tree
        Reading state information... Done
        openvpn-auth-ldap is already the newest version.
        0 upgraded, 0 newly installed, 0 to remove and 30 not upgraded.
        root@VPN-RAS:/config/auth#
    (In my case this package was already installed)
    1.4 Copy the openvpn-auth-ldap binary and configuration files into /config/auth. This just makes it more convenient for you to specify the path to these files when configuring OpenVPN:
    	root@VPN-RAS:/usr# cp /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/
    	root@VPN-RAS:~# cp /usr/share/doc/openvpn-auth-ldap/examples/auth-ldap.conf /config/auth/
  2. Prepare the PKI:
    2.1 copy all files in the directory /usr/share/doc/openvpn/examples/easy-rsa/2.0 into /config/auth
    	root@VPN-RAS:/usr/share/doc/openvpn/examples/easy-rsa/2.0# cp * /config/auth/
    2.2 change the file /config/auth/vars according to your company’s information
    2.3 change to directory /config/auth/ then: source ./vars
    2.4 ./build-ca
    2.5 ./build-dh
    2.6 ./build-key-server
    2.7 ./build-key
    2.8 Now all generated CA files are in /config/auth/keys:
        root@VPN-RAS:/config/auth/keys# ls
        01.pem       VPN-RAS.key         an-personal-lt.crt  index.txt.old
        02.pem       Toll-PCadmin.crt    an-personal-lt.csr  revoke-test.pem
        03.pem       Toll-PCadmin.csr    an-personal-lt.key  serial
        04.pem       Toll-PCadmin.key    an-private-lt.crt   serial.old
        05.pem       Toll-PCinvoice.crt  an-private-lt.csr   vang-laptop.crt
        06.pem       Toll-PCinvoice.csr  an-private-lt.key   vang-laptop.csr
        07.pem       Toll-PCinvoice.key  ca.crt              vang-laptop.key
        08.pem       an-laptop-ras.crt   ca.key              vndai-laptop.crt
        09.pem       an-laptop-ras.csr   crl.pem             vndai-laptop.csr
        0A.pem       an-laptop-ras.key   dh2048.pem          vndai-laptop.key
        0B.pem       an-note-101.crt     index.txt           vndai-pc.crt
        VPN-RAS.crt  an-note-101.csr     index.txt.attr      vndai-pc.csr
        VPN-RAS.csr  an-note-101.key     index.txt.attr.old  vndai-pc.key
  3. Configuration on server side
    3.1 Configure the OpenVPN in VyOS:
        root@VPN-RAS# show interfaces openvpn vtun0
         description "VPN – Remote Access Server"
         mode server
         openvpn-option "--push route a.b.0.0 c.d.0.0"
         openvpn-option "--push dhcp-option DNS a.b.c.d"
         openvpn-option "--script-security 2 system"
         openvpn-option duplicate-cn
         openvpn-option "plugin /config/auth/openvpn-auth-ldap.so /config/auth/auth-ldap.conf"
         openvpn-option "log-append /var/log/openvpn.log"
         protocol udp
         subnet 192.168.215.0/24
         tls {
             ca-cert-file /config/auth/keys/ca.crt
             cert-file /config/auth/keys/VPN-RAS.crt
             dh-file /config/auth/keys/dh2048.pem
             key-file /config/auth/keys/VPN-RAS.key
         }

    3.2 Configure the connection from the VyOS to your Active Directory in the file /config/auth/auth-ldap.conf:

root@VPN-RAS:/config/auth# cat auth-ldap.conf
<LDAP>
        # LDAP server URL
        URL             ldap://a.b.c.d  # your Domain controller

        # Bind DN (If your LDAP server doesn't support anonymous binds)
         BindDN         "cn=ADBinder,OU=All Users,DC=abc,DC=com"

        # Bind Password
         Password       "xxxxxxxxxx"

        # Network timeout (in seconds)
        Timeout         15

        
        
</LDAP>

<Authorization>
        # Base DN
        BaseDN          "DC=abc,DC=com"

        # User Search Filter
        SearchFilter    "(sAMAccountName=%u)"

        # Require Group Membership
        RequireGroup    false	# “false” to ignore group searching, otherwise you have to specify the group as below 


        #<Group>
        #       BaseDN          "DC=dairy-farm,DC=com,DC=vn"
        #       SearchFilter    "((cn=DFVN-VPN-Users))"
        #</Group>
</Authorization>
  4. Configure at client side:
    4.1 Download 3 files ca.crt, .crt and .key from /config/auth/keys/ to the local folder in your PC. In my case, I put them in c:\CA
    4.2 Create an OpenVPN configuration file similar to the example below:

client
dev tun
proto udp
remote a.b.c.d 1194
ca "C:\\CA\\ca.crt"
cert "C:\\ca\\mobile-user-01.crt"
key "C:\\ca\\mobile-user-01.key"
auth-user-pass
auth-nocache
mute-replay-warnings

On the tablet, the configuration file should be like

client
dev tun
proto udp
remote a.b.c.d 1194

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
</key>

auth-user-pass
auth-nocache
mute-replay-warnings
  5. Test the connection.

Voila, you have connected to your company network via 2-factors VPN.

Have fun with it.

Annduy

1 Like
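
An added example, not part of the original posts or of openvpn-auth-ldap itself: a small Python check that parses the auth-ldap.conf from the first post and flags two settings that weaken the AD factor, plain ldap:// without TLSEnable and RequireGroup false. The sample text is constructed from the post's placeholders and trimmed to the lines the check reads; TLSEnable, TLSCACertFile and TLSCACertDir are the plugin's StartTLS options, and the accepted boolean spellings are an assumption.

```python
import re

# Constructed input: the auth-ldap.conf from the first post, placeholders as posted.
POSTED_CONF = """
<LDAP>
    URL          ldap://a.b.c.d  # your Domain controller
    BindDN       "cn=ADBinder,OU=All Users,DC=abc,DC=com"
    Password     "xxxxxxxxxx"
</LDAP>
<Authorization>
    BaseDN       "DC=abc,DC=com"
    SearchFilter "(sAMAccountName=%u)"
    RequireGroup false
</Authorization>
"""
TRUE = {"yes", "true", "1"}  # assumed boolean spellings, not taken from the page

def parse_auth_ldap(text):
    """Parse auth-ldap.conf text into {"LDAP": {...}, "Authorization/Group": {...}}."""
    conf, stack = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        tag = re.fullmatch(r"<(/?)(\w+)>", line)
        if tag and tag.group(1):
            del stack[-1:]  # closing tag: leave the innermost section
        elif tag:
            stack.append(tag.group(2))
            conf.setdefault("/".join(stack), {})
        elif line and not line.startswith("#"):
            kv = re.match(r'(\w+)\s+(?:"([^"]*)"|([^\s#]+))', line)
            if kv:  # quoted value, or bare token up to a trailing comment
                value = kv.group(2) if kv.group(2) is not None else kv.group(3)
                conf.setdefault("/".join(stack), {})[kv.group(1)] = value
    return conf

def audit(conf):
    """Return (id, message) findings for settings that weaken the AD factor."""
    ldap, authz = conf.get("LDAP", {}), conf.get("Authorization", {})
    findings = []
    tls = ldap.get("TLSEnable", "no").lower() in TRUE
    if not tls and not ldap.get("URL", "").lower().startswith("ldaps://"):
        findings.append(("cleartext-ldap", "bind and user passwords reach the DC unencrypted"))
    elif not ldap.keys() & {"TLSCACertFile", "TLSCACertDir"}:
        findings.append(("no-ca", "TLS is on but the file names no CA to verify the DC"))
    if authz.get("RequireGroup", "false").lower() not in TRUE:
        findings.append(("any-account", "every AD account matching SearchFilter can log in"))
    elif "Authorization/Group" not in conf:
        findings.append(("group-missing", "RequireGroup is on but there is no <Group> block"))
    return findings

if __name__ == "__main__": print(audit(parse_auth_ldap(POSTED_CONF)))
```

Run it against the real file with `audit(parse_auth_ldap(open("/config/auth/auth-ldap.conf").read()))`; an empty list means neither weakness is present.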

Hi,
I'm having issues installing the openvpn-auth-ldap plugin.

----- my VyOS configuration --------------

admin@TEMP-2# show system package
auto-sync 1
repository squeeze {
    components main
    distribution squeeze
    password ""
    url http://ftp.de.debian.org/debian
    username ""
}
[edit]

------------ end of configuration -------------------

---------------- output I'm getting for apt-get ----------------------------
root@TEMP-2:/home/admin# sudo apt-get update
Ign http://ftp.de.debian.org squeeze Release.gpg
Ign http://ftp.de.debian.org/debian/ squeeze/main Translation-en
Ign http://ftp.de.debian.org squeeze Release
Err http://ftp.de.debian.org squeeze/main amd64 Packages
404 Not Found
W: Failed to fetch http://ftp.de.debian.org/debian/dists/squeeze/main/binary-amd64/Packages.gz 404 Not Found

E: Some index files failed to download, they have been ignored, or old ones used instead.
root@TEMP-2:/home/admin# sudo apt-get install openvpn-auth-ldap
Reading package lists… Done
Building dependency tree
Reading state information… Done
E: Unable to locate package openvpn-auth-ldap

------------------ end of output ----------------------------------------------

Can you suggest what I'm doing wrong?
Thank you.

Hi,
In fact, Debian Squeeze stopped receiving updates on 2016-02-29.

However, no worries, we can use the archive repository:

 vyos@vyos# show system package
 repository squeeze {
     components main
     distribution squeeze
     url http://archive.debian.org/debian
 }

Then it should work

root@vyos:~# apt-get update
Get:1 http://archive.debian.org squeeze Release.gpg [1655 B]
Ign http://archive.debian.org/debian/ squeeze/main Translation-en
Get:2 http://archive.debian.org squeeze Release [96.0 kB]
Get:3 http://archive.debian.org squeeze/main amd64 Packages [8370 kB]
Fetched 8468 kB in 17s (498 kB/s)
Reading package lists... Done
root@vyos:~#  apt-get install openvpn-auth-ldap
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libobjc2
The following NEW packages will be installed:
  libobjc2 openvpn-auth-ldap
0 upgraded, 2 newly installed, 0 to remove and 1 not upgraded.
Need to get 206 kB of archives.
After this operation, 598 kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://archive.debian.org/debian/ squeeze/main libobjc2 amd64 4.4.5-8 [161 kB]
Get:2 http://archive.debian.org/debian/ squeeze/main openvpn-auth-ldap amd64 2.0.3-1 [45.8 kB]
Fetched 206 kB in 1s (114 kB/s)
Selecting previously deselected package libobjc2.
(Reading database ... 38737 files and directories currently installed.)
Unpacking libobjc2 (from .../libobjc2_4.4.5-8_amd64.deb) ...
Selecting previously deselected package openvpn-auth-ldap.
Unpacking openvpn-auth-ldap (from .../openvpn-auth-ldap_2.0.3-1_amd64.deb) ...
Setting up libobjc2 (4.4.5-8) ...
Setting up openvpn-auth-ldap (2.0.3-1) ...

Good luck.

Hi Sir, I've followed your instructions but could not connect my users. I'm receiving this error on my client PC: AUTH: Received control message: AUTH_FAILED

Hi Woodie03.
I'm so happy that there is someone still interested in a 4-year-old post :) Personally, given the error message you mentioned, I believe the content of the configuration file auth-ldap.conf is probably still not correct. Unfortunately, I have upgraded our VPN server to time-based one-time passwords (TOTP), therefore I cannot share with you the configuration that I created a long time ago. Anyway, let me try to rebuild the lab this weekend, then I will come back to you next week.

Cheers,

An

Hi An,

Just read this reply from you, hope you're doing well. We're still in the process of doing this but, sad to say, we couldn't do it successfully. But we're still trying to make it work.

Thanks!