Configure OpenVPN LDAP Based Authentication

In this guide, we are going to learn how to configure OpenVPN LDAP Based Authentication. Identification and authentication of users is usually the first step in implementing access control. OpenVPN server supports multiple authentication protocols and thus can be configured to obtain connecting client information from an LDAP server, and to use that information as a basis for authenticating the client in addition to the use of the Client certificates and keys.

Also, with OpenLDAP authentication, you no longer need to generate an individual OpenVPN client certificate for every connecting client.

Learn how to install and setup OpenLDAP server on CentOS 8 by following the link below;

Install and Setup OpenLDAP on CentOS 8

Configure OpenVPN LDAP Based Authentication

Install OpenVPN plugin for LDAP authentication

To configure OpenVPN LDAP based authentication, you need to install OpenVPN plugin for LDAP authentication. The plugin is called openvpn-auth-ldap and it implements username/password authentication via LDAP for OpenVPN.

On CentOS 7, you need EPEL repos to install the plugin;

yum install epel-release
yum install openvpn-auth-ldap

On Ubuntu systems;

apt install openvpn-auth-ldap

On CentOS 8, unfortunately, the EPEL repos don’t provide this package as of this writing.

In this demo, we are running an OpenVPN server on CentOS 7 system.

After the installation of the openvpn-auth-ldap package, the required plugin module should now be present under the /usr/lib64/openvpn directory.

The package also installs OpenVPN LDAP authentication configuration file, /etc/openvpn/auth/ldap.conf.

Configure OpenVPN server for LDAP Based Authentication

Once you have the necessary plugins in place, the next thing would be to configure OpenVPN server for LDAP based authentication.

Create a backup of the configuration, then open the OpenVPN LDAP based authentication configuration file and define your OpenLDAP server specifics;

cp /etc/openvpn/auth/ldap.conf{,.old}
vim /etc/openvpn/auth/ldap.conf

Below is our sample configuration (comment lines removed) matching our OpenLDAP server setup. Adjust it to your environment;

<LDAP>
	URL		ldap://ldapmaster.kifarunix-demo.com
	BindDN		cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
	Password	[email protected]
	Timeout		15
	TLSEnable	no
	FollowReferrals no
</LDAP>
<Authorization>
	BaseDN		"ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"
	SearchFilter	"(uid=%u)"
	RequireGroup	false
</Authorization>

Regarding group authentication: if you want more fine-grained OpenVPN access control, such that only specific users authenticating via OpenLDAP can connect to the OpenVPN server, you can use OpenLDAP group membership.

For example, in our OpenLDAP server, we have a VPN only group which contains only users that are allowed to connect to OpenVPN server;

ldapsearch -Y EXTERNAL -H ldapi:/// -b ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com -LLL -Q "(cn=vpnonly)"
dn: cn=vpnonly,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: groupOfNames
cn: vpnonly
member: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
member: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

See how to create OpenLDAP group membership by following the guide below;

How to Create OpenLDAP Member Groups

Therefore, to enable group membership authentication, set the value of the RequireGroup option to true and edit the group section so that your configuration looks like;

<LDAP>
	URL		ldap://ldapmaster.kifarunix-demo.com
	BindDN		cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
	Password	hacker
	Timeout		15
	TLSEnable	no
	FollowReferrals no
</LDAP>
<Authorization>
	BaseDN		"ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"
	SearchFilter	"(uid=%u)"
	RequireGroup	true
	<Group>
		BaseDN		"ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com"
		# The Group SearchFilter selects the group entry itself
		SearchFilter	"(cn=vpnonly)"
		# A groupOfNames (as the ldapsearch output shows) lists member DNs in 'member'
		MemberAttribute	member
	</Group>
</Authorization>

In this case, only the users koromicha and johndoe can connect to the OpenVPN server.
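To make the plugin's decision path concrete, here is an added example (not the plugin's or this guide's own code) that models in Python the checks openvpn-auth-ldap performs with the configuration above: the user lookup with (uid=%u), the bind as the found user, and the RequireGroup membership test. The directory entries are constructed from the users and the vpnonly group shown in this guide, with made-up passwords; escape_filter_value, search and authenticate are the example's own names.

```python
# Added example (not the plugin's own code): an in-memory model of the checks
# openvpn-auth-ldap performs with the ldap.conf above. Directory entries are
# constructed from the users and the vpnonly group shown in this guide;
# the passwords are made-up sample values.
PEOPLE_BASE = "ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"
GROUPS_BASE = "ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com"

DIRECTORY = {
    f"uid=koromicha,{PEOPLE_BASE}": {"uid": ["koromicha"], "userPassword": ["sample-pw-1"]},
    f"uid=johndoe,{PEOPLE_BASE}": {"uid": ["johndoe"], "userPassword": ["sample-pw-2"]},
    f"uid=janedoe,{PEOPLE_BASE}": {"uid": ["janedoe"], "userPassword": ["sample-pw-3"]},
    f"cn=vpnonly,{GROUPS_BASE}": {
        "objectClass": ["groupOfNames"], "cn": ["vpnonly"],
        # a groupOfNames stores member DNs in 'member', not 'uniqueMember'
        "member": [f"uid=koromicha,{PEOPLE_BASE}", f"uid=johndoe,{PEOPLE_BASE}"],
    },
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping applied to the %u substitution, so a username
    cannot change the meaning of SearchFilter "(uid=%u)"."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\0" else c for c in value)

def search(base_dn: str, attribute: str, value: str) -> list:
    """Stand-in for the plugin's LDAP search: DNs under base_dn whose
    attribute holds exactly value (an equality filter such as (uid=value))."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base_dn) and value in attrs.get(attribute, [])]

def authenticate(username: str, password: str, require_group: bool = True,
                 member_attribute: str = "member") -> bool:
    """Mirror the plugin's flow: locate the user with (uid=%u) under BaseDN,
    bind as that DN with the supplied password, then, if RequireGroup is
    true, confirm the user's DN is listed in the group's MemberAttribute."""
    if not password:               # an empty-password bind is anonymous in LDAP: never accept it
        return False
    matches = search(PEOPLE_BASE, "uid", escape_filter_value(username))
    if len(matches) != 1:          # unknown user, or an ambiguous result
        return False
    user_dn = matches[0]
    if password not in DIRECTORY[user_dn]["userPassword"]:   # simulated bind failure
        return False
    if not require_group:
        return True
    groups = search(GROUPS_BASE, "cn", "vpnonly")   # Group SearchFilter "(cn=vpnonly)"
    return any(user_dn in DIRECTORY[g].get(member_attribute, []) for g in groups)
```

Calling authenticate with member_attribute="uniqueMember" against this groupOfNames shows why that mismatch fails closed: no group lists the user, so every login is rejected once RequireGroup is true.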

Save and exit the configuration after making your appropriate changes.

Next, configure OpenVPN server to use OpenLDAP for authentication by adding the line below to the OpenVPN server configuration file.

vim /etc/openvpn/server/server.conf
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf

Save and exit the configuration file.

Enable Client Username/Password Authentication

Next, edit the client configuration file to include the auth-user-pass directive, which enables the username/password authentication method.

For example, this is our sample client configuration file based on our OpenVPN server setup.

client
tls-client
pull
dev tun
proto udp
remote 192.168.2.132 1194
resolv-retry infinite
nobind
#user nobody
#group nogroup
persist-key
persist-tun
key-direction 1
remote-cert-tls server
comp-lzo
verb 3
auth-nocache
dhcp-option DNS 8.8.8.8
dhcp-option DNS 10.8.0.1
auth SHA512
auth-user-pass
tls-auth /home/johndoe/ta-key
ca /home/johndoe/ca.crt
cert /home/johndoe/johndoe.crt
key /home/johndoe/johndoe.key

Restart OpenVPN Server service;

systemctl restart openvpn-server@server.service

Verify OpenVPN Client LDAP Authentication

Our configuration is now done. To verify that all is well, initiate OpenVPN connection on the client;

sudo openvpn johndoe.ovpn
Sat Apr 18 08:50:11 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019
Sat Apr 18 08:50:11 2020 library versions: OpenSSL 1.1.1 FIPS 11 Sep 2018, LZO 2.08
Enter Auth Username: johndoe
Enter Auth Password: *************
...
Sat Apr 18 08:50:26 2020 /sbin/ip addr add dev tun0 10.8.0.60/24 broadcast 10.8.0.255
Sat Apr 18 08:50:26 2020 /sbin/ip route add 192.168.2.132/32 via 10.0.2.2
Sat Apr 18 08:50:26 2020 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Sat Apr 18 08:50:26 2020 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Sat Apr 18 08:50:26 2020 Initialization Sequence Completed

If the authentication fails;

...
Sat Apr 18 08:53:36 2020 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Apr 18 08:53:36 2020 AUTH: Received control message: AUTH_FAILED
Sat Apr 18 08:53:36 2020 SIGTERM[soft,auth-failure] received, process exiting

On the OpenVPN server, a successful connection produces lines like these in the logs;

tail -f /var/log/openvpn/openvpn.log
...
192.168.56.1:53489 [johndoe] Peer Connection Initiated with [AF_INET]192.168.56.1:53489
johndoe/192.168.56.1:53489 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/johndoe
johndoe/192.168.56.1:53489 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=0
johndoe/192.168.56.1:53489 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_565148162b7cd88618c8c5e6efba7007.tmp
johndoe/192.168.56.1:53489 MULTI: Learn: 10.8.0.60 -> johndoe/192.168.56.1:53489
johndoe/192.168.56.1:53489 MULTI: primary virtual IP for johndoe/192.168.56.1:53489: 10.8.0.60
johndoe/192.168.56.1:53489 PUSH: Received control message: 'PUSH_REQUEST'

Now try to connect to the OpenVPN server as janedoe, who is not in the allowed vpnonly group. This connection fails, since group membership is required.

sudo openvpn janedoe.ovpn
Sat Apr 18 10:00:05 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019
Sat Apr 18 10:00:05 2020 library versions: OpenSSL 1.1.1 FIPS 11 Sep 2018, LZO 2.08
Enter Auth Username: janedoe
Enter Auth Password: **************
...
Sat Apr 18 10:00:19 2020 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Apr 18 10:00:19 2020 AUTH: Received control message: AUTH_FAILED
Sat Apr 18 10:00:19 2020 SIGTERM[soft,auth-failure] received, process exiting

Great. You have successfully configured your OpenVPN clients to authenticate via OpenLDAP server.

That marks the end of our guide on how to configure OpenVPN LDAP Based Authentication. Enjoy.