The following steps configure OpenVPN to use Active Directory as its authentication server, via the openvpn-auth-ldap plugin:
- Install openvpn and openvpn-auth-ldap using yum
- Use the following example as the server configuration file /etc/openvpn/roadwarrior-ac.conf. Change the IP addresses, port and address pool to suit the new system. The plugin line loads openvpn-auth-ldap with the LDAP configuration file from the next step; with client-cert-not-required the server does not ask clients for a certificate, so the username and password checked against Active Directory are the only client authentication.

port 1195
dev tun
mode server
tls-server
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
ifconfig 10.9.0.1 10.9.0.2
ifconfig-pool 10.9.0.4 10.9.0.255
push "route 10.9.0.1 255.255.255.255"
push "route 10.16.16.0 255.255.255.0"
keepalive 10 60
inactive 600
route 10.9.0.0 255.255.255.0
user openvpn
group openvpn
persist-tun
persist-key
verb 4
plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
client-cert-not-required
- Use the following example as the openvpn-auth-ldap configuration file /etc/openvpn/auth/ldap.conf. The BindDN and Password are the service account used for the initial directory bind; the SearchFilter finds the connecting user by sAMAccountName under BaseDN, and with RequireGroup true the user must also appear in the member attribute of the vpn-users group.

<LDAP>
    # LDAP server URL
    URL ldap://dc-test-1.test.com:389

    # Bind DN (If your LDAP server doesn't support anonymous binds)
    #BindDN uid=admin,ou=Users,dc=test,dc=com
    BindDN admin@test.com

    # Bind Password
    Password humus

    # Network timeout (in seconds)
    Timeout 15

    # Enable Start TLS
    TLSEnable no

    # Follow LDAP Referrals (anonymously)
    FollowReferrals yes

    # TLS CA Certificate File
    TLSCACertFile /usr/local/etc/ssl/ca.pem

    # TLS CA Certificate Directory
    TLSCACertDir /etc/ssl/certs

    # Client Certificate and key
    # If TLS client authentication is required
    TLSCertFile /usr/local/etc/ssl/client-cert.pem
    TLSKeyFile /usr/local/etc/ssl/client-key.pem

    # Cipher Suite
    # The defaults are usually fine here
    # TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
    # Base DN
    #BaseDN "CN=Users,DC=test,DC=com"
    BaseDN "CN=Users,DC=test,DC=com"

    # User Search Filter
    #SearchFilter "(&(uid=%u)(accountStatus=active))"
    #SearchFilter "(&(sAMAccountName=%u)(msNPAllowDialin=TRUE))"
    SearchFilter "(&(sAMAccountName=%u))"

    # Require Group Membership
    RequireGroup true

    # Add non-group members to a PF table (disabled)
    #PFTable ips_vpn_users

    <Group>
        BaseDN "CN=Users,DC=test,DC=com"
        SearchFilter "(cn=vpn-users)"
        MemberAttribute "member"

        # Add group members to a PF table (disabled)
        #PFTable ips_vpn_eng
    </Group>
</Authorization>
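The following pre-flight check is added here and is not part of the original page or of openvpn-auth-ldap itself; it reproduces the plugin's user search and RequireGroup decision from the ldap.conf above so the BaseDN, filters and group can be verified against a directory before OpenVPN is started. The DC name, DNs and the in-memory directory are constructed for illustration; replace `sample_search` with a callable that wraps a real LDAP client to run the same check against the live domain controller.

```python
"""Pre-flight check that mirrors the openvpn-auth-ldap settings above:
search for the user under BaseDN with SearchFilter (%u = login name), then
require the user's DN in the vpn-users group's member attribute (RequireGroup).
All names and the in-memory directory are constructed for illustration."""

BASE_DN = "CN=Users,DC=test,DC=com"
USER_FILTER = "(&(sAMAccountName=%u))"   # SearchFilter in ldap.conf above
GROUP_FILTER = "(cn=vpn-users)"          # <Group> SearchFilter
MEMBER_ATTR = "member"                   # <Group> MemberAttribute

# RFC 4515 escapes: a login name must never change the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def build_filter(template: str, username: str) -> str:
    """Substitute %u with the escaped login name."""
    return template.replace("%u", "".join(_ESCAPES.get(c, c) for c in username))

def check_user(search, username: str) -> tuple:
    """search(base_dn, ldap_filter, attrs) -> [(dn, {attr: [values]})].
    Returns (allowed, reason) using the plugin's search-then-group logic."""
    users = search(BASE_DN, build_filter(USER_FILTER, username), [])
    if len(users) != 1:                      # unknown or ambiguous user: deny
        return False, f"expected one user entry, got {len(users)}"
    user_dn = users[0][0]
    groups = search(BASE_DN, GROUP_FILTER, [MEMBER_ATTR])
    if not groups:
        return False, "group vpn-users not found under BaseDN"
    members = {m.lower() for m in groups[0][1].get(MEMBER_ATTR, [])}
    if user_dn.lower() not in members:
        return False, f"{user_dn} is not a member of vpn-users"
    return True, user_dn

# Constructed stand-in for dc-test-1.test.com; swap `sample_search` for a
# callable wrapping a real LDAP client to run this against the live DC.
SAMPLE_DIRECTORY = {
    "CN=Alice,CN=Users,DC=test,DC=com": {"sAMAccountName": ["alice"]},
    "CN=Bob,CN=Users,DC=test,DC=com": {"sAMAccountName": ["bob"]},
    "CN=vpn-users,CN=Users,DC=test,DC=com": {
        "cn": ["vpn-users"], "member": ["CN=Alice,CN=Users,DC=test,DC=com"]},
}

def sample_search(base_dn, ldap_filter, attrs):
    """Matches the single-equality filters used above, e.g. (&(sAMAccountName=alice))."""
    attr, _, value = ldap_filter.strip("(&)").partition("=")
    return [(dn, entry) for dn, entry in SAMPLE_DIRECTORY.items()
            if dn.endswith(base_dn)
            and value.lower() in [v.lower() for v in entry.get(attr, [])]]
```

A user outside vpn-users, or an unknown login, is denied even though the bind and search succeed, which is exactly the outcome RequireGroup true produces in the plugin.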
- Start openvpn
service openvpn start
- On the client, use the following example as the configuration file "C:\Program Files\OpenVPN\config\vpc.ovpn". auth-user-pass makes the client prompt for the Active Directory username and password; change remote to the server's address.

float
port 1195
dev tun
remote 127.43.22.12
ping 10
persist-tun
persist-key
ca ca.crt
auth-user-pass
client
verb 4
- Connect the client using the new configuration file.