OpenVPN + Auth from eDir (LDAP)
In this article I will show an example integration of OpenVPN with eDir.
After carrying out the steps described in this article:
- To connect to the VPN, users enter the same login and password they use to log in to the enterprise network.
- All users connected to the VPN have identical access rights inside the network (the same list of IP addresses, ports and protocols).
- Which users are allowed to connect to the VPN is decided by membership in an eDir group, which you manage from ConsoleOne (C1) or iManager.
(In another article I will describe how to give each VPN user individual access rights in the network, and how to manage them from C1 and iManager.)
Restrictions:
- VPN users must enter their login in lowercase letters ONLY (if the login contains uppercase letters, access is denied).
- User names in eDir must be unique across the whole directory, even in different containers: the script looks users up by cn alone under one base DN, so two users such as
user1.office1.df
user1.office2.df
cannot be told apart and neither of them will be able to connect.
I assume that you are able to:
- Install the OpenVPN server and configure it to operate WITHOUT per-user KEYS and WITH EXTERNAL AUTHENTICATION.
- Write simple iptables rules.
So:
This is your SLES11SP1 server:
ISP --[eth1](SERVER)[eth0]-- LOCALLAN
eth0 = 172.17.17.10
eth1 = public IP
tun0 = the virtual interface OpenVPN will create (10.0.2.0/24)
DNS = 172.17.17.254
DNS = 172.17.17.151
- All your VPN users (10.0.2.0/24) should have full access to these two hosts: 172.17.17.200 and 172.17.17.201.
- Create the file /etc/openvpn/ldap/iptsave (iptables-save format; lines starting with # are ignored by iptables-restore):
# Generated by iptables-save v1.3.5 on Thu Jan 26 13:46:24 2012
*filter
:INPUT ACCEPT [493:38960]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [296:81728]
# VPN clients may not reach the server's own TCP ports 22-1024 (ssh etc.)
-A INPUT -i tun0 -p tcp -m tcp --dport 22:1024 -j DROP
# FORWARD policy is DROP: only LAN-sourced traffic and tun0 -> LAN traffic is forwarded
-A FORWARD -s 172.17.17.0/24 -j ACCEPT
-A FORWARD -i tun0 -d 172.17.17.0/24 -j ACCEPT
COMMIT
# Completed on Thu Jan 26 13:46:24 2012
Note that the last FORWARD rule lets VPN clients reach the whole 172.17.17.0/24, not only 172.17.17.200 and 172.17.17.201; it is needed at least for the two DNS servers that server.conf pushes to the clients. To tighten it, replace that rule with one "-A FORWARD -i tun0 -d <host> -j ACCEPT" line per host you want to expose (the two servers and the two DNS servers).
- Create the file /etc/openvpn/ldap/scrptup.sh:
#!/bin/bash
# Executed by OpenVPN after the TCP/UDP socket is bound and the TUN/TAP device is open
# (the "up" directive in server.conf). Loads the firewall rules for tun0.
/usr/sbin/iptables-restore < /etc/openvpn/ldap/iptsave
and chmod 0755 this file (iptables-restore needs root; OpenVPN runs as root here because server.conf has no user/group directive).
- /etc/openvpn/server.conf
(for example)
port 1197
proto udp
dev tun
ca   /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/nod1firma.ua.crt
key  /etc/openvpn/easy-rsa/keys/nod1firma.ua.key  # This file should be kept secret
# dh1024 is weak by today's standards; generate at least 2048-bit parameters if you can
dh   /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.0.2.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
tls-server
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
tls-timeout 120
# auth MD5 and cipher BF-CBC are the legacy choices of the original setup;
# prefer "auth SHA256" and "cipher AES-256-CBC", which OpenVPN 2.1 on SLES11 also supports
auth MD5
cipher BF-CBC
max-clients 100
# ! ! ! start
# This script is used for authentication against LDAP (eDir).
# via-file: OpenVPN writes the username (line 1) and password (line 2) to a temporary
# file in tmp-dir and passes its path to the script as the first argument.
auth-user-pass-verify /etc/openvpn/ldap/ldapauth.pl via-file
# Better: a dedicated directory owned by root with mode 0700 instead of the shared /tmp
tmp-dir /tmp
# ! ! ! end
# No client certificates: the user is identified by login/password only (plus tls-auth).
# On OpenVPN 2.4 and later this directive is spelled "verify-client-cert none".
client-cert-not-required
# Level 2 is enough for via-file; level 3 is only needed for via-env, which would
# expose the password in the script's environment. The "system" method (system()
# instead of execve()) is not needed either.
script-security 2
username-as-common-name
# ! ! ! start
# This script is run after /etc/init.d/openvpn starts up
up /etc/openvpn/ldap/scrptup.sh
# ! ! ! end
tun-mtu 1500
fragment 576
mssfix
# After connecting to OpenVPN, this route is added to the user's routing table
push "route 172.17.17.0 255.255.255.0"
# After connecting to OpenVPN, these DNS servers are pushed to the user's station
push "dhcp-option DNS 172.17.17.254"
push "dhcp-option DNS 172.17.17.151"
- Download the ldapauth.pl archive, unpack it, and copy the script to /etc/openvpn/ldap/ldapauth.pl
and chmod 0755 this file.
- Create a group in your eDir; only members of this group will be allowed to connect.
Example: cn=openvpngrp.ou=vpnou.ou=firmaua.o=uaa
- Edit these variables in /etc/openvpn/ldap/ldapauth.pl:
my $ldap_server   = "A.B.C.D";
my $base_dn_user  = "o=uaa";
my $base_dn_group = "o=uaa";
my $allow_group   = "openvpngrp";
A.B.C.D is the IP address of your LDAP (eDir) server; it must hold a master or read/write replica. Anonymous LDAP access must be allowed so that the script can look up user names. $base_dn_user and $base_dn_group are the containers under which users and the group are searched, and $allow_group is the cn of the group whose members may connect. Because the script verifies the password by binding to eDir as the user, the link between the VPN server and eDir carries user passwords: use LDAPS (port 636, Net::LDAPS) rather than plain LDAP on port 389 unless both hosts share a trusted network segment.
- Create the directory /var/log/openvpn (server.conf writes its status and log files there).
- Check that Perl is installed on your SLES11SP1 system.
- Check that the Perl modules Net::LDAP and Net::LDAPS are installed (both ship in the perl-ldap distribution). If they are missing, install them from YaST or as shown below:
# cpan
cpan> install Net::LDAP
....
cpan> install Net::LDAPS
....
cpan> quit
#
That's all!
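The checks the ldapauth.pl settings above imply, as an added example in Python (this is not the article's ldapauth.pl, which is not reproduced on this page): the script reads the via-file credentials, enforces the lowercase and uniqueness restrictions from the start of the article, rejects logins that could alter the LDAP search filter, requires membership in $allow_group, and only then proves the password with a bind. The in-memory directory and its accounts are constructed test data; the object classes inetOrgPerson/groupOfNames, the member attribute, and the ldap3-based live backend are my assumptions about the eDir tree and the client library, not taken from the article.

```python
#!/usr/bin/env python3
"""Added example for this article, not its ldapauth.pl: an OpenVPN
auth-user-pass-verify script (via-file mode) for eDir/LDAP in Python. The
directory sits behind three methods so the checks run offline on a constructed
tree; Ldap3Directory is an assumed live backend (needs python-ldap3)."""
import re
import sys

LDAP_SERVER = "A.B.C.D"        # eDir server with a master or R/W replica
BASE_DN_USER = "o=uaa"
BASE_DN_GROUP = "o=uaa"
ALLOW_GROUP = "openvpngrp"
# Article's lowercase-only rule plus a tight charset: a login can't alter the LDAP filter
USERNAME_RE = re.compile(r"^[a-z0-9._-]{1,64}$")

def deny(msg):
    print("ldapauth: " + msg, file=sys.stderr)   # ends up in the OpenVPN log
    return False

def ldap_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))

def parse_credentials(text):
    """via-file layout: username on line 1, password on line 2."""
    lines = text.split("\n")
    if len(lines) < 2:
        raise ValueError("credential file must contain two lines")
    return lines[0], lines[1]

def authenticate(username, password, directory):
    """True only if every check passes; the password is tested last, by binding."""
    if not USERNAME_RE.match(username):
        return deny("login %r rejected: must match [a-z0-9._-]" % username)
    if not password:   # an empty password would turn the bind into an anonymous one
        return deny("login %r rejected: empty password" % username)
    users = directory.find(BASE_DN_USER, "inetOrgPerson", username)
    if len(users) != 1:   # the article's uniqueness rule: cn is searched under the whole base
        return deny("login %r matched %d entries, need exactly 1" % (username, len(users)))
    groups = directory.find(BASE_DN_GROUP, "groupOfNames", ALLOW_GROUP)
    if len(groups) != 1:
        return deny("group %r matched %d entries, need exactly 1" % (ALLOW_GROUP, len(groups)))
    if users[0].lower() not in [dn.lower() for dn in directory.group_members(groups[0])]:
        return deny("%s is not a member of %s" % (users[0], groups[0]))
    if not directory.bind(users[0], password):
        return deny("bind failed for %s" % users[0])
    return True

class InMemoryDirectory:
    """Constructed stand-in for eDir (test data, not real accounts)."""
    def __init__(self, entries):
        self.entries = entries            # dn -> attribute dict
    def find(self, base, object_class, cn):   # subtree search, case-insensitive like LDAP
        return [dn for dn, e in self.entries.items()
                if dn.lower().endswith(base.lower()) and object_class in e["objectClass"]
                and e.get("cn", "").lower() == cn.lower()]
    def group_members(self, group_dn):
        return list(self.entries[group_dn].get("member", []))
    def bind(self, dn, password):
        e = self.entries.get(dn)
        return e is not None and e.get("userPassword") == password

class Ldap3Directory:
    """Assumed live backend on python-ldap3; LDAPS, since the bind carries the password."""
    def __init__(self, host):
        import ldap3                      # deferred so the module imports without it
        self._ldap3, self._server = ldap3, ldap3.Server(host, use_ssl=True)
        self._conn = ldap3.Connection(self._server, auto_bind=True)   # anonymous, for lookups
    def find(self, base, object_class, cn):
        filt = "(&(objectClass=%s)(cn=%s))" % (ldap_escape(object_class), ldap_escape(cn))
        self._conn.search(base, filt, attributes=["cn"])
        return [e.entry_dn for e in self._conn.entries]
    def group_members(self, group_dn):
        self._conn.search(group_dn, "(objectClass=*)", search_scope=self._ldap3.BASE, attributes=["member"])
        return list(self._conn.entries[0].member.values) if self._conn.entries else []
    def bind(self, dn, password):
        try:
            self._ldap3.Connection(self._server, user=dn, password=password, auto_bind=True)
            return True
        except self._ldap3.core.exceptions.LDAPException:
            return False

def person(cn, password):
    return {"objectClass": ["inetOrgPerson"], "cn": cn, "userPassword": password}
# Constructed sample tree: alice is in the VPN group, bob is not, user1 exists twice.
SAMPLE_DIRECTORY = InMemoryDirectory({
    "cn=alice,ou=vpnou,ou=firmaua,o=uaa": person("alice", "s3cret"),
    "cn=bob,ou=vpnou,ou=firmaua,o=uaa": person("bob", "bobpw"),
    "cn=user1,ou=office1,o=uaa": person("user1", "p1"),
    "cn=user1,ou=office2,o=uaa": person("user1", "p2"),
    "cn=openvpngrp,ou=vpnou,ou=firmaua,o=uaa": {"objectClass": ["groupOfNames"], "cn": "openvpngrp",
                                                "member": ["CN=alice,ou=vpnou,ou=firmaua,o=uaa"]},
})

if __name__ == "__main__":
    # OpenVPN passes the temporary credential file as argv[1]; exit 0 allows, 1 denies.
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        user, pw = parse_credentials(fh.read())
    sys.exit(0 if authenticate(user, pw, Ldap3Directory(LDAP_SERVER)) else 1)
```

Installed as /etc/openvpn/ldap/ldapauth.py and named in auth-user-pass-verify, the exit status is all OpenVPN acts on; the reason for a denial goes to stderr and therefore into openvpn.log. The empty-password check is not cosmetic: an LDAP simple bind with a DN and an empty password is an anonymous bind, which many servers report as successful, so a script that skipped straight to the bind would let anyone in with a known login.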