Openvpn + Auth from eDir (LDAP)


In this article I will show an example integration of Openvpn + eDir.

After completing the steps described in this article:

  1. To connect to the VPN, users will enter the same login and password they use to log in to the enterprise network.
  2. All users connected to the VPN will have identical access rights inside the network (the same list of IP addresses, ports and protocols).

    (In another article I will describe how to give each VPN user individual access rights in the network, and how to manage this from C1 and iManager.)
  3. The users that have the right to connect to the VPN can be specified from C1 or iManager.


  1. VPN users must enter their login ONLY in lowercase letters (if the login contains uppercase letters, access will be denied).
  2. User names in the eDir directory must be unique.
    (For example:

I assume that you are able to:

  • Install openvpn-server and configure it to run WITHOUT per-user KEYS and WITH EXTERNAL AUTHENTICATION.
  • Create simple rules in iptables.


This is your server SLES11SP1:

eth0 =
eth1 = Public IP
tun0 – this will be the virtual interface ( )

  1. All your VPN users ( should have full access to these 2 hosts: and
  2. Create the file: /etc/openvpn/ldap/iptsave
    # Generated by iptables-save v1.3.5 on Thu Jan 26 13:46:24 2012
    # iptables-restore needs the table header and a closing COMMIT
    *filter
    :INPUT ACCEPT [493:38960]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [296:81728]
    # VPN clients may not reach low TCP ports on the server itself
    -A INPUT -i tun0 -p tcp -m tcp --dport 22:1024 -j DROP
    # Traffic from VPN clients is forwarded only to the permitted hosts
    -A FORWARD -i tun0 -d -j ACCEPT
    COMMIT
    # Completed on Thu Jan 26 13:46:24 2012
  3. Create the file: /etc/openvpn/ldap/
    #!/bin/sh
    # Executed by OpenVPN after the TCP/UDP socket is bound and the TUN/TAP device is open
    /usr/sbin/iptables-restore < /etc/openvpn/ldap/iptsave

    and chmod this file to 100755

  4. server.conf /etc/openvpn/server.conf

    (for example)

    port 1197
    proto udp
    dev tun
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/
    key /etc/openvpn/easy-rsa/keys/ # This file should be kept secret
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem
    ifconfig-pool-persist ipp.txt
    keepalive 10 120
    status /var/log/openvpn/openvpn-status.log
    log-append /var/log/openvpn/openvpn.log
    verb 3
    tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
    tls-timeout 120
    # Note: MD5 and Blowfish-CBC are legacy choices; newer OpenVPN versions support stronger algorithms
    auth MD5
    cipher BF-CBC
    keepalive 10 120
    max-clients 100
    # ! ! ! start
    # This script performs authentication against LDAP (eDir)
    auth-user-pass-verify /etc/openvpn/ldap/ via-file
    tmp-dir /tmp
    # ! ! ! end
    script-security 3 system
    # ! ! ! start
    # This script is run after /etc/init.d/openvpn start
    up /etc/openvpn/ldap/
    # ! ! ! end
    tun-mtu 1500
    fragment 576
    # After connecting to OpenVPN, this route is added to the routing table of the user's workstation
    push "route"
    # After connecting to OpenVPN, these DNS servers are inserted into the user's DNS settings
    push "dhcp-option DNS"
    push "dhcp-option DNS"
  5. Download, unpack, and copy the file here: /etc/openvpn/ldap/

    and chmod this file to 100755.

  6. Create a group in your eDir:

    Example: cn=openvpngrp.ou=vpnou.ou=firmaua.o=uaa

  7. Modify these lines in /etc/openvpn/ldap/

    my $ldap_server = "A.B.C.D";

    A.B.C.D – the IP address of your LDAP (eDir) server. This must be the server holding the Master or a R/W replica. Anonymous access must be allowed so that the script can look up user names.

    my $base_dn_user = "o=uaa";
    my $base_dn_group = "o=uaa";
    my $allow_group = "openvpngrp";
  8. Create the dir: /var/log/openvpn
  9. Check whether perl is present on your SLES11SP1.
  10. If it is not, install it; then add the following perl modules:

    You can install the modules from YaST or as shown below:

    # cpan
    cpan> install Net::LDAP
    cpan> install Net::LDAPS
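The following is an added example of what an auth-user-pass-verify script in "via-file" mode can look like with the variables from step 7 and the two restrictions listed at the top (lowercase logins, unique user names). It is not the script the article links to; the Net::LDAP calls, the inetOrgPerson object class and the "member" attribute on the group are assumptions about your eDir schema.

```perl
#!/usr/bin/perl
# Added example, not the article's script. Exit 0 = allow, 1 = deny.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $ldap_server   = "A.B.C.D";   # placeholder: eDir server with Master or R/W replica
my $base_dn_user  = "o=uaa";
my $base_dn_group = "o=uaa";
my $allow_group   = "openvpngrp";

# OpenVPN hands us a temporary file: line 1 = username, line 2 = password.
my $file = $ARGV[0] or exit 1;
open(my $fh, '<', $file) or exit 1;
chomp(my $user = <$fh> // '');
chomp(my $pass = <$fh> // '');
close $fh;

# Article restriction: only lowercase logins. The character class also
# keeps LDAP filter metacharacters out of the search filter below.
exit 1 unless $user =~ /^[a-z0-9._-]+$/;
exit 1 if $pass eq '';

my $ldap = Net::LDAP->new($ldap_server, timeout => 10) or exit 1;
exit 1 if $ldap->bind->code;   # anonymous bind for the name lookup

# Article requirement: the name must resolve to exactly one user object
# (assumed object class: inetOrgPerson; adjust to your schema).
my $res = $ldap->search(
    base   => $base_dn_user,
    scope  => 'sub',
    filter => "(&(objectClass=inetOrgPerson)(cn=$user))",
    attrs  => ['1.1'],
);
exit 1 if $res->code || $res->count != 1;
my $user_dn = $res->entry(0)->dn;

# Only members of the allow group may connect (assumed "member" attribute).
my $grp = $ldap->search(
    base   => $base_dn_group,
    scope  => 'sub',
    filter => "(&(cn=$allow_group)(member=" . escape_filter_value($user_dn) . "))",
    attrs  => ['1.1'],
);
exit 1 if $grp->code || $grp->count < 1;

# Prove the password by binding as the resolved user DN.
my $auth = $ldap->bind($user_dn, password => $pass);
$ldap->unbind;
exit($auth->code ? 1 : 0);
```

With tmp-dir set to /tmp as in server.conf, the credential file is world-visible for the lifetime of the script, so a dedicated directory with restrictive permissions is the safer choice for tmp-dir.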


