OpenVPN
This document assumes OpenVPN Server is already installed and configured (minimum two) If not Follow the given link - https://help.ubuntu.com/lts/serverguide/openvpn.html
Step 1: Set Up CA in Windows AD
Follow the given doc - Setting Up a Certification Authority.docx
Step 2: Create new Certificate template for VPN connection
Follow the given doc - Creating a new certificate template for User certificates.docx
Step 3: Configure User certificate Auto-Enrollment
Follow the given doc - Auto-Enrollment.docx
Step 4: Export CA certificate
Follow the given doc - Export CA Certificate.docx
Step 5: Export User certificate
Follow the given doc - Export AD cert _ key.docx
Step 6: Modify OpenVpn to use AD CA certificates.
Copy windows AD ca certificate which we exported in step 5 in /etc/openvpn directory. Export administrator or any other user certificate and key, by following step 6 and then copy the same in /etc/openvpn directory. Edit /etc/openvpn/server.conf file to change following -
ca RootCA.crt #Windows AD CA certificate
cert administrator.crt #Windows AD administrator certificate
key administrator.key #Windows AD administrator key
Step 7: User authentication and certification validation.
Username and Password authentication
/etc/openvpn/server.conf
username-as-common-name
script-security 3
auth-user-pass-verify /etc/openvpn/scripts/auth.sh via-env
Certificate verification (Script to ensure users using only his/her creds and cert to access openvpn and user creds validation)
/etc/openvpn/scripts/auth.sh
#!/bin/bash
dn="cn=users,dc=vpn,dc=local" #Change dc depends upon your AD domain
ad_host="10.136.60.58" #Windows AD IP
ad_domain="vpn.local" #Windows AD domain
if [ "${username,,}" != "${common_name,,}" ]; then
echo "$(date) | $username : DENIED username [$username] and cert [$common_name] does not matched" >> /etc/openvpn/access.log
exit 1
fi
user=`ldapsearch -x -h $ad_host -b $dn -D "$username@$ad_domain" -w $password -s sub \
-b $dn "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$username))" "dn" | grep 'numEntries:'`
if [ -z "$user" ]
then
echo "$(date) | $username : Invalid password " >> /etc/openvpn/access.log
exit 1
fi
echo "$(date) | $username : connected" >> /etc/openvpn/access.log
exit 0
Step 8: Setup OpenVpn server in HA (Active-Passive mode)
Assuming you have two OpenVpn servers already configured. Follow the given doc - HA Virtual IP (keepalived).docx
Change in /etc/openvpn/server.conf:-
local <your Virtual HA ip> #Change it with your HA Virtual IP
Restart OpenVpn Server:-
$ service openvpn@server restart
Step 9: Change client ovpn file
remote <your Virtual HA ip> 1194
Add auth-user-pass
#Use AD certificates
ca RootCA.crt #Windows AD CA certificate
cert administrator.crt #Windows AD User certificate
key administrator.key #Windows AD User key
Comment ns-cert-type server
#ns-cert-type server
Step 10: Ensure User will get same IP from both OpenVpn servers
Follow the given doc - How To Set Up and Configure NFS on Ubuntu 16.04.docx
Step 11: Restart the OpenVpn server
$ service openvpn@server restart