openvpn [2018/02/13 15:01] skipidar
openvpn [2020/12/27 20:35] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== OpenVpn ====== ====== OpenVpn ======
  
-=== Joining OpenVpn to a Microsoft Active Directory ===+==== Joining OpenVpn to a Microsoft Active Directory ====
  
 To domain join the OpenVpn server do the following: To domain join the OpenVpn server do the following:
Line 49: Line 49:
  
  
-=== Configs ===+==== Configs ===
 +The key "vpn.server.routing.private_network.0" is important to define which CIDR block will be routed through the VPN server.
  
 <code> <code>
Line 55: Line 56:
 { {
   "Default": {   "Default": {
-    "admin_ui.https.ip_address": "all", + "admin_ui.https.ip_address": "eth0", 
-    "admin_ui.https.port": "943", +  "admin_ui.https.port": "943", 
-    "auth.ldap.0.name": "My LDAP servers", +  "aui.eula_version": "2", 
-    "auth.ldap.0.ssl_verify": "never", +  "auth.ldap.0.add_req": "memberOf=CN=OpenVpnUsers, OU=Groups, OU=basic, DC=basic, DC=local", 
-    "auth.ldap.0.timeout": "4", +  "auth.ldap.0.bind_dn": "CN=s000001, OU=Users, OU=basic, DC=basic, DC=local", 
-    "auth.ldap.0.use_ssl": "never", +  "auth.ldap.0.bind_pw": "komumisa76!", 
-    "auth.module.type": "local", +  "auth.ldap.0.name": "My LDAP servers", 
-    "auth.pam.0.service": "openvpnas", +  "auth.ldap.0.server.0.host": "21.1.3.174", 
-    "auth.radius.0.acct_enable": "false", +  "auth.ldap.0.server.1.host": "21.1.2.35", 
-    "auth.radius.0.name": "My Radius servers", +  "auth.ldap.0.ssl_verify": "never", 
-    "cs.cws_proto_v2": "true", +  "auth.ldap.0.timeout": "4", 
-    "cs.https.ip_address": "all", +  "auth.ldap.0.uname_attr": "sAMAccountName", 
-    "cs.https.port": "943", +  "auth.ldap.0.use_ssl": "never", 
-    "cs.prof_sign_web": "true", +  "auth.ldap.0.users_base_dn": "OU=Users, OU=basic, DC=basic, DC=local", 
-    "host.name": "34.244.71.201", +  "auth.module.type": "ldap", 
-    "sa.initial_run_groups.0": "web_group", +  "auth.pam.0.service": "openvpnas", 
-    "sa.initial_run_groups.1": "openvpn_group", +  "auth.radius.0.acct_enable": "false", 
-    "vpn.client.basic": "false", +  "auth.radius.0.name": "My Radius servers", 
-    "vpn.client.config_text": "cipher AES-128-CBC", +  "cs.cws_proto_v2": "true", 
-    "vpn.client.routing.inter_client": "false", +  "cs.https.ip_address": "eth0", 
-    "vpn.client.routing.reroute_dns": "false", +  "cs.https.port": "943", 
-    "vpn.client.routing.reroute_gw": "false", +  "cs.prof_sign_web": "true", 
-    "vpn.daemon.0.client.netmask_bits": "20", +  "host.name": "34.245.33.33", 
-    "vpn.daemon.0.client.network": "172.27.224.0", +  "sa.initial_run_groups.0": "web_group", 
-    "vpn.daemon.0.listen.ip_address": "all", +  "sa.initial_run_groups.1": "openvpn_group", 
-    "vpn.daemon.0.listen.port": "443", +  "vpn.client.basic": "false", 
-    "vpn.daemon.0.listen.protocol": "tcp", +  "vpn.client.config_text": "cipher AES-128-CBC", 
-    "vpn.daemon.0.server.ip_address": "all", +  "vpn.client.routing.inter_client": "false", 
-    "vpn.server.config_text": "cipher AES-128-CBC", +  "vpn.client.routing.reroute_dns": "false", 
-    "vpn.server.daemon.enable": "true", +  "vpn.client.routing.reroute_gw": "false", 
-    "vpn.server.daemon.tcp.n_daemons": 1, +  "vpn.daemon.0.client.netmask_bits": "20", 
-    "vpn.server.daemon.tcp.port": "443", +  "vpn.daemon.0.client.network": "172.27.224.0", 
-    "vpn.server.daemon.udp.n_daemons": 1, +  "vpn.daemon.0.listen.ip_address": "eth0", 
-    "vpn.server.daemon.udp.port": "1194", +  "vpn.daemon.0.listen.port": "443", 
-    "vpn.server.group_pool.0": "172.27.240.0/20", +  "vpn.daemon.0.listen.protocol": "tcp", 
-    "vpn.server.nat.masquerade": "true", +  "vpn.daemon.0.server.ip_address": "eth0", 
-    "vpn.server.port_share.enable": "true", +  "vpn.server.config_text": "cipher AES-128-CBC", 
-    "vpn.server.port_share.ip_address": "1.2.3.4", +  "vpn.server.daemon.enable": "true", 
-    "vpn.server.port_share.port": "1234", +  "vpn.server.daemon.tcp.n_daemons": "1"
-    "vpn.server.port_share.service": "admin+client", +  "vpn.server.daemon.tcp.port": "443", 
-    "vpn.server.routing.private_access": "nat", +  "vpn.server.daemon.udp.n_daemons": "1"
-    "vpn.tls_refresh.do_reauth": "true", +  "vpn.server.daemon.udp.port": "1194", 
-    "vpn.tls_refresh.interval": "360"+  "vpn.server.group_pool.0": "172.27.240.0/20", 
 +  "vpn.server.nat.masquerade": "true", 
 +  "vpn.server.port_share.enable": "true", 
 +  "vpn.server.port_share.ip_address": "1.2.3.4", 
 +  "vpn.server.port_share.port": "1234", 
 +  "vpn.server.port_share.service": "admin+client", 
 +  "vpn.server.routing.private_access": "nat", 
 +  "vpn.tls_refresh.do_reauth": "true", 
 +  "vpn.tls_refresh.interval": "360", 
 +  "vpn.server.routing.private_network.0": "21.1.0.0/16"
   },   },
   "_INTERNAL": {   "_INTERNAL": {
Line 106: Line 116:
  
 </code> </code>
 +
 +Alternative via API
 +<code>
 +/usr/local/openvpn_as/scripts/bash sacli ConfigQuery
 +</code>
 +
 +
 +==== API =====
 +Configure via Command line:
 +
 +<code>
 +cd /usr/local/openvpn_as/scripts/  
 +bash sacli --user __DEFAULT__ --key "vpn.daemon.0.server.ip_address" --value "all" ConfigPut  
 +bash sacli --user __DEFAULT__ --key "vpn.daemon.0.listen.ip_address" --value "all" ConfigPut 
 +bash sacli --user __DEFAULT__ --key "vpn.server.daemon.udp.port" --value "1194" ConfigPut 
 +bash sacli --user __DEFAULT__ --key "vpn.server.daemon.tcp.port" --value "443" ConfigPut 
 +  
 +bash sacli --user __DEFAULT__ --key "auth.ldap.0.add_req" --value "memberOf=CN=OpenVpnUsers, OU=Groups, OU=basic, DC=basic, DC=local" ConfigPut  
 +bash sacli --user __DEFAULT__ --key "auth.ldap.0.bind_dn" --value "CN=",{ "Ref" : "ADBindUser" },", OU=Users, OU=basic, DC=basic, DC=local" ConfigPut  
 +bash sacli --user __DEFAULT__ --key "auth.ldap.0.bind_pw" --value "",{ "Ref" : "ADBindUserPassword" },"" ConfigPut  
 +bash sacli --user __DEFAULT__ --key "auth.ldap.0.name" --value "My LDAP servers" ConfigPut  
 +bash sacli --user __DEFAULT__ --key "auth.ldap.0.server.0.host" --value "",{ "Ref" : "ADServerOne" },"" ConfigPut  
 +bash sacli --user __DEFAULT__ --key "auth.ldap.0.server.1.host" --value "",{ "Ref" : "ADServerTwo" },"" ConfigPut  
 +bash sacli --user __DEFAULT__ --key "auth.ldap.0.ssl_verify" --value "never" ConfigPut  
 +bash sacli --user __DEFAULT__ --key "auth.ldap.0.timeout" --value "4" ConfigPut  
 +bash sacli --user __DEFAULT__ --key "auth.ldap.0.uname_attr" --value "sAMAccountName" ConfigPut  
 +bash sacli --user __DEFAULT__ --key "auth.ldap.0.use_ssl" --value "never" ConfigPut  
 +bash sacli --user __DEFAULT__ --key "auth.ldap.0.users_base_dn" --value "OU=Users, OU=basic, DC=basic, DC=local" ConfigPut  
 +bash sacli --user __DEFAULT__ --key "auth.module.type" --value "ldap" ConfigPut  
 +bash sacli --user __DEFAULT__ --key "vpn.server.routing.private_network.0" --value "21.1.0.0/16" ConfigPut
 +
 +# apply the configs to the server
 +bash sacli --user __DEFAULT__ start
 +
 +# echo configs
 +bash sacli ConfigQuery  
 +</code>
 +
 +
 +==== Deploying via Cloudformation ====
 +Use that template. 
 +The given AMI is suitable for the region us-east-1, Virginia.
 +Depending on the region you will have to adopt the AMI.
 +
 +  * https://www.mikeapted.com/aws/2017/04/05/personal-vpn-aws/
 +  * https://gist.github.com/skipidar/81e17478d55f014cc45cfc785ef9730b
 +
 +
 +==== Configuring Acer Router ====
 +{{https://lh3.googleusercontent.com/-N08V2NIa8uE/WxMIgRysspI/AAAAAAAAAKU/CHdbMvVRgf0Fz9J1-zd02y1JVR89xsoggCHMYCw/s0/2018-06-02_23-13-39.png}}
 +
 +  * Check the right protocol, here UDP. It must be open among on the server side
 +
 +Here we can see, that the router is using the UDP port and protocol, as configured on the server side:
 +
 +{{https://lh3.googleusercontent.com/-K33EMTIPEy4/WxMJEicisyI/AAAAAAAAAKc/z_ck0YQIiV43y5fZiGdxLzidfGu59eNGQCHMYCw/s0/2018-06-02_23-16-05.png}}
  
  
  
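Review bot: The new config block in the "Line 55: Line 56:" hunk publishes a literal LDAP bind password on the `auth.ldap.0.bind_pw` line, next to the bind DN and the two directory server addresses, while the `sacli` section further down already parameterizes the same value as `{ "Ref" : "ADBindUserPassword" }`; the JSON example should use a placeholder too, e.g. `"auth.ldap.0.bind_pw": "<AD_BIND_PASSWORD>"`, and a credential that has been published this way should be treated as exposed and rotated. The same block keeps `auth.ldap.0.use_ssl` and `auth.ldap.0.ssl_verify` at `never` now that `auth.module.type` is switched to `ldap`, so that bind credential would be sent in clear text to the listed hosts; the older revision had the same two values, but they only take effect once LDAP binds are actually performed, which is what this revision enables. Separately, the new JSON is not valid as shown: the `vpn.server.daemon.tcp.n_daemons` and `vpn.server.daemon.udp.n_daemons` lines are missing their trailing commas (`"1"` where `"1",` is needed). In the "API" section, the `"",{ "Ref" : ... },""` fragments on the bind_dn, bind_pw and server host lines look like a CloudFormation `Fn::Join` array copied verbatim into shell commands and will not run as written; if the section is meant as standalone shell, substitute plain values or shell variables such as `--value "$AD_BIND_USER"`.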