OpenVpn

OpenVpn

Joining OpenVpn to a Microsoft Active Directory

To domain join the OpenVpn server do the following:

Configure the Server to use LDAP. Requiring the Following Active Directory Structure.

basic.local
- basic
  - Users → Admin
  - Groups → OpenVpnUsers

Bind DN:	CN=Admin, OU=Users, OU=basic, DC=basic, DC=local
Password:	<YOURPASSWOD>
Base DN for User Entities:	OU=Users, OU=basic, DC=basic, DC=local
Username Attribute:	sAMAccountName

Login to the CLient using, without having the domain as prefix: ACHTUNG: having special characters like “.” makes OpenVPN escape them, so that they are not accepted. Check sAMAccountName=first\\2euser below

2018-02-12 16:17:42+0000 [-] LDAP invalid credentials on ldap://21.1.2.39/: {'info': '80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'} (facility='user_bind on u'CN=first.user,OU=Users,OU=basic,DC=basic,DC=local' via search (u'OU=Users, OU=basic,  DC=basic, DC=local', 2, '(sAMAccountName=first\\2euser)')') (user='first.user')

Login:	Admin
Password:	<YOUTPASSWORD

Additional LDAP Requirement: (Advanced)

memberOf=CN=OpenVpnUsers, OU=Groups, OU=basic, DC=basic, DC=local

Debug

To Debug check the logs: cat /var/log/openvpnas.log

Means the LDAP bind user credentials ae wrong. Here basic.local\Admin:

2018-02-12 16:15:53+0000 [-] LDAP invalid credentials on ldap://21.1.2.39/: {'info': '80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'} (facility='admin_bind to [basic.local\Admin]') (user='first.user')

Means the user credentials are wrong. Here s000001

LDAP invalid credentials on ldap://21.1.2.39/: {'info': '80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'} (facility='user_bind on u'CN=s000001,OU=Users,OU=basic,DC=basic,DC=local' via search (u'OU=Users, OU=basic,  DC=basic, DC=local', 2, '(sAMAccountName=s000001)')') (user='s000001')

Configs

The key “vpn.server.routing.private_network.0” is important to define which CIDR block will be routed through the VPN server.

$ cat /usr/local/openvpn_as/etc/config.json
{
  "Default": {
 "admin_ui.https.ip_address": "eth0",
  "admin_ui.https.port": "943",
  "aui.eula_version": "2",
  "auth.ldap.0.add_req": "memberOf=CN=OpenVpnUsers, OU=Groups, OU=basic, DC=basic, DC=local",
  "auth.ldap.0.bind_dn": "CN=s000001, OU=Users, OU=basic, DC=basic, DC=local",
  "auth.ldap.0.bind_pw": "komumisa76!",
  "auth.ldap.0.name": "My LDAP servers",
  "auth.ldap.0.server.0.host": "21.1.3.174",
  "auth.ldap.0.server.1.host": "21.1.2.35",
  "auth.ldap.0.ssl_verify": "never",
  "auth.ldap.0.timeout": "4",
  "auth.ldap.0.uname_attr": "sAMAccountName",
  "auth.ldap.0.use_ssl": "never",
  "auth.ldap.0.users_base_dn": "OU=Users, OU=basic, DC=basic, DC=local",
  "auth.module.type": "ldap",
  "auth.pam.0.service": "openvpnas",
  "auth.radius.0.acct_enable": "false",
  "auth.radius.0.name": "My Radius servers",
  "cs.cws_proto_v2": "true",
  "cs.https.ip_address": "eth0",
  "cs.https.port": "943",
  "cs.prof_sign_web": "true",
  "host.name": "34.245.33.33",
  "sa.initial_run_groups.0": "web_group",
  "sa.initial_run_groups.1": "openvpn_group",
  "vpn.client.basic": "false",
  "vpn.client.config_text": "cipher AES-128-CBC",
  "vpn.client.routing.inter_client": "false",
  "vpn.client.routing.reroute_dns": "false",
  "vpn.client.routing.reroute_gw": "false",
  "vpn.daemon.0.client.netmask_bits": "20",
  "vpn.daemon.0.client.network": "172.27.224.0",
  "vpn.daemon.0.listen.ip_address": "eth0",
  "vpn.daemon.0.listen.port": "443",
  "vpn.daemon.0.listen.protocol": "tcp",
  "vpn.daemon.0.server.ip_address": "eth0",
  "vpn.server.config_text": "cipher AES-128-CBC",
  "vpn.server.daemon.enable": "true",
  "vpn.server.daemon.tcp.n_daemons": "1",
  "vpn.server.daemon.tcp.port": "443",
  "vpn.server.daemon.udp.n_daemons": "1",
  "vpn.server.daemon.udp.port": "1194",
  "vpn.server.group_pool.0": "172.27.240.0/20",
  "vpn.server.nat.masquerade": "true",
  "vpn.server.port_share.enable": "true",
  "vpn.server.port_share.ip_address": "1.2.3.4",
  "vpn.server.port_share.port": "1234",
  "vpn.server.port_share.service": "admin+client",
  "vpn.server.routing.private_access": "nat",
  "vpn.tls_refresh.do_reauth": "true",
  "vpn.tls_refresh.interval": "360",
  "vpn.server.routing.private_network.0": "21.1.0.0/16"
  },
  "_INTERNAL": {
    "run_api.active_profile": "Default",
    "webui.edit_profile": "Default"
  }
}

Alternative via API

/usr/local/openvpn_as/scripts/bash sacli ConfigQuery

API

Configure via Command line:

cd /usr/local/openvpn_as/scripts/  
bash sacli --user __DEFAULT__ --key "vpn.daemon.0.server.ip_address" --value "all" ConfigPut  
bash sacli --user __DEFAULT__ --key "vpn.daemon.0.listen.ip_address" --value "all" ConfigPut 
bash sacli --user __DEFAULT__ --key "vpn.server.daemon.udp.port" --value "1194" ConfigPut 
bash sacli --user __DEFAULT__ --key "vpn.server.daemon.tcp.port" --value "443" ConfigPut 
  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.add_req" --value "memberOf=CN=OpenVpnUsers, OU=Groups, OU=basic, DC=basic, DC=local" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.bind_dn" --value "CN=",{ "Ref" : "ADBindUser" },", OU=Users, OU=basic, DC=basic, DC=local" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.bind_pw" --value "",{ "Ref" : "ADBindUserPassword" },"" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.name" --value "My LDAP servers" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.server.0.host" --value "",{ "Ref" : "ADServerOne" },"" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.server.1.host" --value "",{ "Ref" : "ADServerTwo" },"" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.ssl_verify" --value "never" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.timeout" --value "4" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.uname_attr" --value "sAMAccountName" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.use_ssl" --value "never" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.ldap.0.users_base_dn" --value "OU=Users, OU=basic, DC=basic, DC=local" ConfigPut  
bash sacli --user __DEFAULT__ --key "auth.module.type" --value "ldap" ConfigPut  
bash sacli --user __DEFAULT__ --key "vpn.server.routing.private_network.0" --value "21.1.0.0/16" ConfigPut

# apply the configs to the server
bash sacli --user __DEFAULT__ start

# echo configs
bash sacli ConfigQuery

Deploying via Cloudformation

Use that template. The given AMI is suitable for the region us-east-1, Virginia. Depending on the region you will have to adopt the AMI.

Configuring Acer Router

Check the right protocol, here UDP. It must be open among on the server side

Here we can see, that the router is using the UDP port and protocol, as configured on the server side:

Table of Contents