Configure OpenVPN authentication using Active Directory


AllCloud Blog:
Cloud Insights and Innovation

The following steps are for configuring openvpn to use active directory as authentication server:

  • Install openvpn and openvpn-auth-ldap using yum
  • Install openvpn-auth-ldap using yum
  • Use the following example of server configuration file /etc/openvpn/roadwarrior-ac.conf. Change IP addresses, port and pools for the new system need
port 1195
dev tun
mode server
tls-server
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
ifconfig 10.9.0.1 10.9.0.2
ifconfig-pool 10.9.0.4 10.9.0.255
push "route 10.9.0.1 255.255.255.255"
push "route 10.16.16.0 255.255.255.0"
keepalive 10 60
inactive 600
route 10.9.0.0 255.255.255.0
user openvpn
group openvpn
persist-tun
persist-key
verb 4
plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
client-cert-not-required
  • Use the following example of open-auth-ldap configuration file /etc/openvpn/auth/ldap.conf
<LDAP>
# LDAP server URL
URL ldap://dc-test-1.test.com:389
# Bind DN (If your LDAP server doesn't support anonymous binds)
#BindDN uid=admin,ou=Users,dc=test,dc=com
BindDN admin@test.com

# Bind Password
Password humus

# Network timeout (in seconds)
Timeout 15

# Enable Start TLS
TLSEnable no

# Follow LDAP Referrals (anonymously)
FollowReferrals yes

# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/ca.pem

# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs

# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem

# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
# Base DN
#BaseDN "CN=Users,DC=test,DC=com"
BaseDN "CN=Users,DC=test,DC=com"

# User Search Filter
#SearchFilter "(&(uid=%u)(accountStatus=active))"
#SearchFilter "(&(sAMAccountName=%u)(msNPAllowDialin=TRUE))"
SearchFilter "(&(sAMAccountName=%u))"

# Require Group Membership
RequireGroup true

# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users

<Group>
BaseDN "CN=Users,DC=test,DC=com"
SearchFilter "(cn=vpn-users)"
MemberAttribute "member"
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>
  • Start openvpn
service openvpn start
  • On the client use the following example of configuration file “C:Program FilesOpenVPNconfigvpc.ovpn
float
port 1195
dev tun
remote 127.43.22.12
ping 10
persist-tun
persist-key
ca ca.crt
auth-user-pass
client
verb 4
  • connect the client using the new configuration file

Lahav Savir

Founder and CTO, Cloud Platforms

Read more posts by Lahav Savir