====== OpenVpn ======

==== Joining OpenVpn to a Microsoft Active Directory ====

To domain join the OpenVpn server do the following:


Configure the Server to use LDAP. Requiring the Following Active Directory Structure.

  * basic.local
    * basic
      * Users -> Admin
      * Groups -> OpenVpnUsers




|Bind DN: |CN=Admin, OU=Users, OU=basic,  DC=basic, DC=local|
|Password:|<YOURPASSWOD>|
|Base DN for User Entities:|OU=Users, OU=basic,  DC=basic, DC=local|
|Username Attribute:|sAMAccountName|

Login to the CLient using, without having the domain as prefix:
ACHTUNG: having special characters like "." makes OpenVPN escape them, so that they are not accepted. Check **sAMAccountName=first\\2euser** below
<code>
2018-02-12 16:17:42+0000 [-] LDAP invalid credentials on ldap://21.1.2.39/: {'info': '80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'} (facility='user_bind on u'CN=first.user,OU=Users,OU=basic,DC=basic,DC=local' via search (u'OU=Users, OU=basic,  DC=basic, DC=local', 2, '(sAMAccountName=first\\2euser)')') (user='first.user')
</code>

|Login:|Admin|
|Password:|<YOUTPASSWORD|

|Additional LDAP Requirement: (Advanced)|memberOf=CN=OpenVpnUsers, OU=Groups, OU=basic, DC=basic, DC=local|



== Debug ==
To Debug check the logs: **cat /var/log/openvpnas.log**


Means the LDAP bind user credentials ae wrong. Here basic.local\Admin:
<code>
2018-02-12 16:15:53+0000 [-] LDAP invalid credentials on ldap://21.1.2.39/: {'info': '80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'} (facility='admin_bind to [basic.local\Admin]') (user='first.user')
</code>

Means the user credentials are wrong. Here s000001
<code>
LDAP invalid credentials on ldap://21.1.2.39/: {'info': '80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'} (facility='user_bind on u'CN=s000001,OU=Users,OU=basic,DC=basic,DC=local' via search (u'OU=Users, OU=basic,  DC=basic, DC=local', 2, '(sAMAccountName=s000001)')') (user='s000001')
</code>


==== Configs ====
The key "vpn.server.routing.private_network.0" is important to define which CIDR block will be routed through the VPN server.

<code>
$ cat /usr/local/openvpn_as/etc/config.json
{
  "Default": {
 "admin_ui.https.ip_address": "eth0",
  "admin_ui.https.port": "943",
  "aui.eula_version": "2",
  "auth.ldap.0.add_req": "memberOf=CN=OpenVpnUsers, OU=Groups, OU=basic, DC=basic, DC=local",
  "auth.ldap.0.bind_dn": "CN=s000001, OU=Users, OU=basic, DC=basic, DC=local",
  "auth.ldap.0.bind_pw": "komumisa76!",
  "auth.ldap.0.name": "My LDAP servers",
  "auth.ldap.0.server.0.host": "21.1.3.174",
  "auth.ldap.0.server.1.host": "21.1.2.35",
  "auth.ldap.0.ssl_verify": "never",
  "auth.ldap.0.timeout": "4",
  "auth.ldap.0.uname_attr": "sAMAccountName",
  "auth.ldap.0.use_ssl": "never",
  "auth.ldap.0.users_base_dn": "OU=Users, OU=basic, DC=basic, DC=local",
  "auth.module.type": "ldap",
  "auth.pam.0.service": "openvpnas",
  "auth.radius.0.acct_enable": "false",
  "auth.radius.0.name": "My Radius servers",
  "cs.cws_proto_v2": "true",
  "cs.https.ip_address": "eth0",
  "cs.https.port": "943",
  "cs.prof_sign_web": "true",
  "host.name": "34.245.33.33",
  "sa.initial_run_groups.0": "web_group",
  "sa.initial_run_groups.1": "openvpn_group",
  "vpn.client.basic": "false",
  "vpn.client.config_text": "cipher AES-128-CBC",
  "vpn.client.routing.inter_client": "false",
  "vpn.client.routing.reroute_dns": "false",
  "vpn.client.routing.reroute_gw": "false",
  "vpn.daemon.0.client.netmask_bits": "20",
  "vpn.daemon.0.client.network": "172.27.224.0",
  "vpn.daemon.0.listen.ip_address": "eth0",
  "vpn.daemon.0.listen.port": "443",
  "vpn.daemon.0.listen.protocol": "tcp",
  "vpn.daemon.0.server.ip_address": "eth0",
  "vpn.server.config_text": "cipher AES-128-CBC",
  "vpn.server.daemon.enable": "true",
  "vpn.server.daemon.tcp.n_daemons": "1",
  "vpn.server.daemon.tcp.port": "443",
  "vpn.server.daemon.udp.n_daemons": "1",
  "vpn.server.daemon.udp.port": "1194",
  "vpn.server.group_pool.0": "172.27.240.0/20",
  "vpn.server.nat.masquerade": "true",
  "vpn.server.port_share.enable": "true",
  "vpn.server.port_share.ip_address": "1.2.3.4",
  "vpn.server.port_share.port": "1234",
  "vpn.server.port_share.service": "admin+client",
  "vpn.server.routing.private_access": "nat",
  "vpn.tls_refresh.do_reauth": "true",
  "vpn.tls_refresh.interval": "360",
  "vpn.server.routing.private_network.0": "21.1.0.0/16"
  },
  "_INTERNAL": {
    "run_api.active_profile": "Default",
    "webui.edit_profile": "Default"
  }
}

</code>

Alternative via API
<code>
/usr/local/openvpn_as/scripts/bash sacli ConfigQuery
</code>


==== API =====
Configure via Command line:

<code>
cd /usr/local/openvpn_as/scripts/  
bash sacli --user __DEFAULT__ --key "vpn.daemon.0.server.ip_address" --value "all" ConfigPut  
bash sacli --user __DEFAULT__ --key "vpn.daemon.0.listen.ip_address" --value "all" ConfigPut 
bash sacli --user __DEFAULT__ --key "vpn.server.daemon.udp.port" --value "1194" ConfigPut 
bash sacli --user __DEFAULT__ --key "vpn.server.daemon.tcp.port" --value "443" ConfigPut 
  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.add_req" --value "memberOf=CN=OpenVpnUsers, OU=Groups, OU=basic, DC=basic, DC=local" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.bind_dn" --value "CN=",{ "Ref" : "ADBindUser" },", OU=Users, OU=basic, DC=basic, DC=local" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.bind_pw" --value "",{ "Ref" : "ADBindUserPassword" },"" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.name" --value "My LDAP servers" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.server.0.host" --value "",{ "Ref" : "ADServerOne" },"" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.server.1.host" --value "",{ "Ref" : "ADServerTwo" },"" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.ssl_verify" --value "never" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.timeout" --value "4" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.uname_attr" --value "sAMAccountName" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.use_ssl" --value "never" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.users_base_dn" --value "OU=Users, OU=basic, DC=basic, DC=local" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.module.type" --value "ldap" ConfigPut  
bash sacli --user __DEFAULT__ --key "vpn.server.routing.private_network.0" --value "21.1.0.0/16" ConfigPut

# apply the configs to the server
bash sacli --user __DEFAULT__ start

# echo configs
bash sacli ConfigQuery  
</code>


==== Deploying via Cloudformation ====
Use that template. 
The given AMI is suitable for the region us-east-1, Virginia.
Depending on the region you will have to adopt the AMI.

  * https://www.mikeapted.com/aws/2017/04/05/personal-vpn-aws/
  * https://gist.github.com/skipidar/81e17478d55f014cc45cfc785ef9730b


==== Configuring Acer Router ====
{{https://lh3.googleusercontent.com/-N08V2NIa8uE/WxMIgRysspI/AAAAAAAAAKU/CHdbMvVRgf0Fz9J1-zd02y1JVR89xsoggCHMYCw/s0/2018-06-02_23-13-39.png}}

  * Check the right protocol, here UDP. It must be open among on the server side

Here we can see, that the router is using the UDP port and protocol, as configured on the server side:

{{https://lh3.googleusercontent.com/-K33EMTIPEy4/WxMJEicisyI/AAAAAAAAAKc/z_ck0YQIiV43y5fZiGdxLzidfGu59eNGQCHMYCw/s0/2018-06-02_23-16-05.png}}