openvpn
This is an old revision of the document!
Table of Contents
OpenVpn
Joining OpenVpn to a Microsoft Active Directory
To domain join the OpenVpn server do the following:
Configure the Server to use LDAP. Requiring the Following Active Directory Structure.
- basic.local
- basic
- Users → Admin
- Groups → OpenVpnUsers
| Bind DN: | CN=Admin, OU=Users, OU=basic, DC=basic, DC=local |
| Password: | <YOURPASSWOD> |
| Base DN for User Entities: | OU=Users, OU=basic, DC=basic, DC=local |
| Username Attribute: | sAMAccountName |
Login to the CLient using, without having the domain as prefix: ACHTUNG: having special characters like “.” makes OpenVPN escape them, so that they are not accepted. Check sAMAccountName=first\\2euser below
2018-02-12 16:17:42+0000 [-] LDAP invalid credentials on ldap://21.1.2.39/: {'info': '80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'} (facility='user_bind on u'CN=first.user,OU=Users,OU=basic,DC=basic,DC=local' via search (u'OU=Users, OU=basic, DC=basic, DC=local', 2, '(sAMAccountName=first\\2euser)')') (user='first.user')
| Login: | Admin |
| Password: | <YOUTPASSWORD |
| Additional LDAP Requirement: (Advanced) | memberOf=CN=OpenVpnUsers, OU=Groups, OU=basic, DC=basic, DC=local |
Debug
To Debug check the logs: cat /var/log/openvpnas.log
Means the LDAP bind user credentials ae wrong. Here basic.local\Admin:
2018-02-12 16:15:53+0000 [-] LDAP invalid credentials on ldap://21.1.2.39/: {'info': '80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'} (facility='admin_bind to [basic.local\Admin]') (user='first.user')
Means the user credentials are wrong. Here s000001
LDAP invalid credentials on ldap://21.1.2.39/: {'info': '80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'} (facility='user_bind on u'CN=s000001,OU=Users,OU=basic,DC=basic,DC=local' via search (u'OU=Users, OU=basic, DC=basic, DC=local', 2, '(sAMAccountName=s000001)')') (user='s000001')
Configs
$ cat /usr/local/openvpn_as/etc/config.json
{
"Default": {
"admin_ui.https.ip_address": "all",
"admin_ui.https.port": "943",
"auth.ldap.0.name": "My LDAP servers",
"auth.ldap.0.ssl_verify": "never",
"auth.ldap.0.timeout": "4",
"auth.ldap.0.use_ssl": "never",
"auth.module.type": "local",
"auth.pam.0.service": "openvpnas",
"auth.radius.0.acct_enable": "false",
"auth.radius.0.name": "My Radius servers",
"cs.cws_proto_v2": "true",
"cs.https.ip_address": "all",
"cs.https.port": "943",
"cs.prof_sign_web": "true",
"host.name": "34.244.71.201",
"sa.initial_run_groups.0": "web_group",
"sa.initial_run_groups.1": "openvpn_group",
"vpn.client.basic": "false",
"vpn.client.config_text": "cipher AES-128-CBC",
"vpn.client.routing.inter_client": "false",
"vpn.client.routing.reroute_dns": "false",
"vpn.client.routing.reroute_gw": "false",
"vpn.daemon.0.client.netmask_bits": "20",
"vpn.daemon.0.client.network": "172.27.224.0",
"vpn.daemon.0.listen.ip_address": "all",
"vpn.daemon.0.listen.port": "443",
"vpn.daemon.0.listen.protocol": "tcp",
"vpn.daemon.0.server.ip_address": "all",
"vpn.server.config_text": "cipher AES-128-CBC",
"vpn.server.daemon.enable": "true",
"vpn.server.daemon.tcp.n_daemons": 1,
"vpn.server.daemon.tcp.port": "443",
"vpn.server.daemon.udp.n_daemons": 1,
"vpn.server.daemon.udp.port": "1194",
"vpn.server.group_pool.0": "172.27.240.0/20",
"vpn.server.nat.masquerade": "true",
"vpn.server.port_share.enable": "true",
"vpn.server.port_share.ip_address": "1.2.3.4",
"vpn.server.port_share.port": "1234",
"vpn.server.port_share.service": "admin+client",
"vpn.server.routing.private_access": "nat",
"vpn.tls_refresh.do_reauth": "true",
"vpn.tls_refresh.interval": "360"
},
"_INTERNAL": {
"run_api.active_profile": "Default",
"webui.edit_profile": "Default"
}
}
openvpn.1518534063.txt.gz · Last modified: (external edit)