OpenVPN with LDAP User-Authentication: Difference between revisions
(Page created: „=Install= *sudo apt install openvpn openvpn-auth-ldap =Server= ==on ldap server== *samba-tool group add homeoffice *samba-tool user create openvpn W!rkl1cHs3Hr…“)
Current revision as of 19 March 2020, 13:42
Install
- sudo apt install openvpn openvpn-auth-ldap
Server
On the LDAP server
- samba-tool group add homeoffice
- samba-tool user create openvpn W!rkl1cHs3HrG3he!m
Create users and add them to the group
- samba-tool user create hw1 s3HrG3he!m
- samba-tool group addmembers homeoffice hw1
Create DH Key
- cd /etc/openvpn
- openssl dhparam -out dh2048.pem 2048
Also place openvpn-ca.crt, openvpn-linux.crt and openvpn-linux.key in this directory.
Server Config
- vi /etc/openvpn/homeoffice.conf
    dev tun
    mode server
    tls-server
    port 5000
    topology subnet
    server 172.31.2.0 255.255.255.0
    push "route 192.168.95.0 255.255.255.0"
    push "dhcp-option DOMAIN vulkan.int"
    push "dhcp-option DNS 192.168.95.10"
    cipher AES-256-CBC
    link-mtu 1542
    status /tmp/cool-vpn.status
    keepalive 10 30
    client-to-client
    max-clients 150
    verb 3
    dh /etc/openvpn/dh2048.pem
    ca /etc/openvpn/openvpn-ca.crt
    cert /etc/openvpn/openvpn-linux.crt
    key /etc/openvpn/openvpn-linux.key
    client-cert-not-required
    compress
    persist-key
    persist-tun
    client-config-dir client
    username-as-common-name
    plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf login
    script-security 3
auth-ldap.conf
    <LDAP>
        URL ldaps://mero.vulkan.int
        BindDN "CN=openvpn,CN=Users,DC=vulkan,DC=int"
        Password "W!rkl1cHs3HrG3he!m"
        Timeout 15
        TLSEnable no
        # Follow LDAP Referrals (anonymously)
        FollowReferrals no
        # TLS CA Certificate File
        TLSCACertFile /etc/openvpn/openvpn-ca.crt
    </LDAP>
    <Authorization>
        BaseDN "dc=vulkan,dc=int"
        SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=homeoffice,CN=Users,DC=vulkan,DC=int))"
        RequireGroup false
    </Authorization>
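As an added example (not from this wiki page, and not the plugin's own parser), a small Python linter that reads the auth-ldap.conf block format and the server directives above and flags the settings under which the LDAP password is the only factor protecting the VPN, or under which that password travels unprotected. The host, DN and bind password in the embedded samples are constructed placeholders.

```python
import re

def parse_auth_ldap(text):
    """<Section> ... </Section> blocks of 'Key value' lines -> {section: {key: value}}.
    Lines starting with '#' are comments; quotes around values are stripped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.fullmatch(r"<(/?)(\w+)>", line)
        if tag:                       # opening tag sets the section, closing tag clears it
            section = None if tag.group(1) else tag.group(2)
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        conf.setdefault(section, {})[key] = value.strip().strip('"')
    return conf

def lint(auth_ldap_text, server_conf_text):
    """Return findings that weaken an LDAP-backed OpenVPN login."""
    conf = parse_auth_ldap(auth_ldap_text)
    ldap, authz = conf.get("LDAP", {}), conf.get("Authorization", {})
    url, starttls = ldap.get("URL", "").lower(), ldap.get("TLSEnable", "no").lower() == "yes"
    findings = []
    if url.startswith("ldap://") and not starttls:   # plain ldap:// without STARTTLS
        findings.append("cleartext LDAP: bind and user passwords cross the network unencrypted")
    elif not ldap.get("TLSCACertFile"):               # TLS in use but no CA to verify against
        findings.append("no TLSCACertFile: nothing to verify the LDAP server certificate against")
    if authz.get("RequireGroup", "false").lower() != "true" \
            and "memberof" not in authz.get("SearchFilter", "").lower():
        findings.append("no group restriction: any account that can bind may connect")
    server = [l.strip() for l in server_conf_text.splitlines()]
    if "client-cert-not-required" in server or "verify-client-cert none" in server:
        findings.append("no client certificate: the LDAP password is the only factor")
    if "script-security 3" in server:
        findings.append("script-security 3: passwords are exported to called scripts' environment")
    return findings

# Constructed samples (placeholder host, DNs and bind password, not the wiki's values).
GOOD_LDAP = """<LDAP>
    URL ldaps://ldap.example.int
    BindDN "CN=openvpn,CN=Users,DC=example,DC=int"
    Password "example-bind-password"
    TLSEnable no
    TLSCACertFile /etc/openvpn/openvpn-ca.crt
</LDAP>
<Authorization>
    BaseDN "dc=example,dc=int"
    SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=homeoffice,CN=Users,DC=example,DC=int))"
    RequireGroup false
</Authorization>"""
WEAK_LDAP = GOOD_LDAP.replace("ldaps://", "ldap://").replace("(memberOf=CN=homeoffice,CN=Users,DC=example,DC=int)", "")
SERVER = "dev tun\nclient-cert-not-required\nusername-as-common-name\nscript-security 3"
```

Run `lint(GOOD_LDAP, SERVER)` to see the two findings that also apply to the server config on this page; `lint(WEAK_LDAP, SERVER)` adds the cleartext-bind and missing-group findings.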
Client
Client Config
    port 5000
    dev tun0
    remote neo.harirbo.net
    tls-client
    cipher AES-256-CBC
    link-mtu 1542
    mssfix 1450
    pull
    compress
    verb 3
    auth-user-pass
    setenv CLIENT_CERT 0
    <ca>
    -----BEGIN CERTIFICATE-----
    place your cacert here
    -----END CERTIFICATE-----
    </ca>