SUSE Conversations


OpenVPN + Auth from eDir (LDAP)



By: skoltogyan

February 15, 2012 5:24 pm


License:
Free

Download ldapauth01

In this article I will show an example integration of OpenVPN with eDir, so that VPN users are authenticated against the directory over LDAP.

After performing the actions described in this article:

  1. To connect to the VPN, users will enter the same login and password they use to log in to the enterprise network.
  2. All users connected to the VPN will have identical access rights inside the network (the same list of IP addresses, ports and protocols).

    (In another article I will describe how to give each VPN user individual access rights in the network, and how to control them from C1 and iManager.)
  3. Which users have the right to connect to the VPN is specified from C1 or iManager.

Restrictions:

  1. VPN users must enter their login ONLY in lowercase letters (if the login contains uppercase letters, access will be denied).
  2. User names in the eDir directory must be unique, because the user is looked up by name alone.
    (For example, these two users have the same name in different containers and would clash:
    user1.office1.df
    user1.office2.df
    )

I assume that you are able to:

  • Install the OpenVPN server and configure it to operate WITHOUT USER KEYS and WITH EXTERNAL AUTHENTICATION.
  • Create simple iptables rules.

So:

This is your SLES11SP1 server:

ISP ---- [eth1] (SERVER) [eth0] ---- LOCAL LAN
eth0 = 172.17.17.10
eth1 = public IP
tun0 = the virtual VPN interface that will be created (10.0.2.0/24)
DNS = 172.17.17.254
DNS = 172.17.17.151

  1. All your VPN users (10.0.2.0/24) should have full access to these two hosts: 172.17.17.200 and 172.17.17.201.
  2. Create the file /etc/openvpn/ldap/iptsave:
    # Generated by iptables-save v1.3.5 on Thu Jan 26 13:46:24 2012
    *filter
    :INPUT ACCEPT [493:38960]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [296:81728]
    # VPN clients may not reach TCP ports 22-1024 on the server itself
    -A INPUT -i tun0 -p tcp -m tcp --dport 22:1024 -j DROP
    # Forward traffic between the VPN and the LAN; everything else is dropped by the FORWARD policy
    -A FORWARD -s 172.17.17.0/24 -j ACCEPT
    -A FORWARD -i tun0 -d 172.17.17.0/24 -j ACCEPT
    # Note: as written, the FORWARD rules admit the whole 172.17.17.0/24 network;
    # use -d 172.17.17.200 and -d 172.17.17.201 instead if only those two hosts should be reachable
    COMMIT
    # Completed on Thu Jan 26 13:46:24 2012
    
  3. Create the file /etc/openvpn/ldap/scrptup.sh:
    #!/bin/bash
    # Executed by OpenVPN after the TCP/UDP socket is bound and the TUN/TAP device is opened
    # Loads the firewall rules from step 2
    /usr/sbin/iptables-restore < /etc/openvpn/ldap/iptsave
    

    and make it executable (chmod 755).

  4. Edit the server configuration file /etc/openvpn/server.conf

    (for example):

    port 1197
    proto udp
    
    dev tun
    
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/nod1firma.ua.crt
    key /etc/openvpn/easy-rsa/keys/nod1firma.ua.key # This file should be kept secret
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem
    
    server 10.0.2.0 255.255.255.0
    
    ifconfig-pool-persist ipp.txt
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status /var/log/openvpn/openvpn-status.log
    log-append /var/log/openvpn/openvpn.log
    verb 3
    tls-server
    tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
    tls-timeout 120
    # MD5 and Blowfish are the settings used in this article; both are weak by
    # today's standards, so prefer SHA256 and AES where your clients support them
    auth MD5
    cipher BF-CBC
    max-clients 100
    # ! ! ! start
    # This script performs the user authentication against LDAP (eDir).
    # In via-file mode OpenVPN writes the username and password to a temporary
    # file and passes its path to the script as the first argument
    auth-user-pass-verify /etc/openvpn/ldap/ldapauth.pl via-file
    
    # The temporary credential files are created in this directory
    tmp-dir /tmp
    # ! ! ! end
    client-cert-not-required
    script-security 3 system
    username-as-common-name
    
    # ! ! ! start
    # This script is run after /etc/init.d/openvpn start, once the TUN device is open
    up /etc/openvpn/ldap/scrptup.sh
    # ! ! ! end
    tun-mtu 1500
    fragment 576
    mssfix
    
    # After connecting, this route is added to the routing table of the user's station
    push "route 172.17.17.0 255.255.255.0"
    # After connecting, these DNS servers are added to the DNS settings of the user's station
    push "dhcp-option DNS 172.17.17.254"
    push "dhcp-option DNS 172.17.17.151"
    
    
  5. Download, unpack, and copy the file to /etc/openvpn/ldap/ldapauth.pl

    and make it executable (chmod 755).

  6. Create a group in your eDir:

    Example: cn=openvpngrp.ou=vpnou.ou=firmaua.o=uaa

  7. Modify the following lines in /etc/openvpn/ldap/ldapauth.pl:

    my $ldap_server = "A.B.C.D";

    A.B.C.D is the IP address of your LDAP (eDir) server. This must be a server holding a Master or Read/Write replica. Allow anonymous access on it so that the script can look up user names.

    my $base_dn_user = "o=uaa";
    my $base_dn_group = "o=uaa";
    my $allow_group = "openvpngrp";
    
    
  8. Create the directory /var/log/openvpn.
  9. Check that Perl is installed on your SLES11SP1 system.
  10. If they are missing, add the following Perl modules:
    Net::LDAP
    Net::LDAPS

    You can install the modules from YaST or from CPAN as shown below:

    # cpan
    cpan> install Net::LDAP
    ....
    cpan> install Net::LDAPS
    ....
    cpan> quit
    

That's all!

Categories: Free Tools, SUSE Linux Enterprise Server, Technical Solutions
