Openvpn + Auth from eDIr (LDAP)

In this article I will show an example integration of Openvpn + eDir.

After performance of the actions described in this article:

1. For connection to VPN, users will enter the login and password they use to login to the network of the enterprise.
2. All users who were connected on VPN, will have identical access rights inside the network (the general list of IP addresses, ports, protocols)
   
   (In another article, I will describe how to make it so each user VPN has access rights in a network. And how to control from C1 and iManager)
3. To specify the users that have rights to be connected on VPN. It is possible from C1 or iManager.

Restrictions:

1. VPN users should enter their login ONLY in lowercase letters. ( if there are uppercase letters in the login – access will be denied )
2. In the directory, eDir names of users should be unique.
   (For example:
   user1.office1.df
   user1.office2.df
   )

I assume that you are able to:

• Install the openvpn-server and configure it for operation in a mode WITHOUT KEYS of USERS and With EXTERNAL AUTHENTICATION.
• Create simple rules in iptables.

So:

This is your server SLES11SP1:

ISP——[eth1](SERVER)[eth0]—-LOCALLAN
eth0 = 172.17.17.10
eth1 = Piblic IP
tun0 – this is will be Virtual Interface ( 10.0.2.0/24 )
DNS=172.17.17.254
DNS=172.17.17.151

1. All your VPN-users(10.0.2.0/24) should have the full access to these 2 hosts: 172.17.17.200 and 172.17.17.201.
2. Create the file: /etc/openvpn/ldap/iptsave

   # Generated by iptables-save v1.3.5 on Thu Jan 26 13:46:24 2012
   *filter
   :INPUT ACCEPT [493:38960]
   :FORWARD DROP [0:0]
   :OUTPUT ACCEPT [296:81728]
   -A INPUT -i tun0 -p tcp -m tcp --dport 22:1024 -j DROP
   -A FORWARD -s 172.17.17.0/24 -j ACCEPT
   -A FORWARD -i tun0 -d 172.17.17.0/24 -j ACCEPT
   COMMIT
   # Completed on Thu Jan 26 13:46:24 2012
   

3. Create the file: /etc/openvpn/ldap/scrptup.sh

   #!/bin/bash
   # Executed after TCP/UDP socket bind and TUN/TAP open
   #
   /usr/sbin/iptables-restore < /etc/openvpn/ldap/iptsave
   

   and chmod to 100755 for this file

4. server.conf /etc/openvpn/server.conf

   (for example)

   port 1197
   proto udp
   
   dev tun
   
   ca /etc/openvpn/easy-rsa/keys/ca.crt
   cert /etc/openvpn/easy-rsa/keys/nod1firma.ua.crt
   key /etc/openvpn/easy-rsa/keys/nod1firma.ua.key # This file should be kept secret
   dh /etc/openvpn/easy-rsa/keys/dh1024.pem
   
   server 10.0.2.0 255.255.255.0
   
   ifconfig-pool-persist ipp.txt
   keepalive 10 120
   comp-lzo
   persist-key
   persist-tun
   status /var/log/openvpn/openvpn-status.log
   log-append /var/log/openvpn/openvpn.log
   verb 3
   tls-server
   tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
   tls-timeout 120
   auth MD5
   cipher BF-CBC
   keepalive 10 120
   comp-lzo
   max-clients 100
   # ! ! ! start
   # This is script will be used for Authentication in to the LDAP
   auth-user-pass-verify /etc/openvpn/ldap/ldapauth.pl via-file
   
   tmp-dir /tmp
   # ! ! ! end
   client-cert-not-required
   script-security 3 system
   username-as-common-name
   
   # ! ! ! start
   # This is script will be run after /etc/init.d/openvpn start
   up /etc/openvpn/ldap/scrptup.sh
   # ! ! ! end
   tun-mtu 1500
   fragment 576
   mssfix
   
   # After connection to openvpn at station of the user this record in a routing table will be added
   push "route 172.17.17.0 255.255.255.0"
   # After connection to openvpn at station of the user this records in the DNS table will be inserted
   push "dhcp-option DNS 172.17.17.254"
   push "dhcp-option DNS 172.17.17.151"
   

5. Download, unpack, and copy the file here: /etc/openvpn/ldap/ldapauth.pl

   and chmod to 100755 for this file.

6. Create in your eDir group:

   Example: cn=openvpngrp.ou=vpnou.ou=firmaua.o=uaa

7. Modify strings in the /etc/openvpn/ldap/ldapauth.pl

   my $ldap_server = “A.B.C.D”;

   A.B.C.D – ip address of your server with LDAP(eDir). This is the server with Master or R/W replyc. Allow anonymous access for check users name.

   my $base_dn_user = "o=uaa"
   my $base_dn_group = "o=uaa"
   my $allow_group = "openvpngrp"
   

8. Create the dir: /var/log/openvpn
9. Check – in your SLES11SP1 exist perl ?
10. If it does not exist, add the following perl modules:

    Net::LDAP
    Net::LDAPS

    You can install the modules from YaST or as shown below:

    # cpan
    cpan> install Net::LDAP
    ....
    cpan> install Net::LDAPS
    ....
    cpan>quit
    #
    

All!