Configure OpenVPN LDAP Based Authentication


In this guide, we are going to learn how to configure OpenVPN LDAP based authentication. Identification and authentication of users is usually the first step in implementing access control. OpenVPN supports several authentication methods and can be configured to look up connecting users in an LDAP server and use the result, in addition to the client certificate and key, as the basis for admitting the client.

LDAP authentication also makes it possible to stop issuing an individual client certificate to every user. That only happens if the server is additionally configured not to require client certificates (verify-client-cert none in OpenVPN 2.4, formerly client-cert-not-required), at which point the LDAP password becomes the only credential protecting the VPN. In this guide the server keeps requiring client certificates, so the LDAP password acts as a second factor on top of them.

Learn how to install and setup OpenLDAP server on CentOS 8 by following the link below;

Install and Setup OpenLDAP on CentOS 8

Configure OpenVPN LDAP Based Authentication

Install OpenVPN plugin for LDAP authentication

To configure OpenVPN LDAP based authentication, you need to install OpenVPN plugin for LDAP authentication. The plugin is called openvpn-auth-ldap and it implements username/password authentication via LDAP for OpenVPN.

On CentOS 7, you need EPEL repos to install the plugin;

yum install epel-release
yum install openvpn-auth-ldap

On Ubuntu systems;

apt install openvpn-auth-ldap

On CentOS 8, unfortunately, the EPEL repos don’t provide this package as of this writing.

In this demo, we are running an OpenVPN server on CentOS 7 system.

After installing the openvpn-auth-ldap package on CentOS 7, the plugin module is installed under the /usr/lib64/openvpn directory, as /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so, together with a ready-to-edit configuration file, /etc/openvpn/auth/ldap.conf.

On Ubuntu systems, the module is installed as /usr/lib/openvpn/openvpn-auth-ldap.so, and only a sample configuration is shipped, under;

/usr/share/doc/openvpn-auth-ldap/examples/auth-ldap.conf

Configure OpenVPN server for LDAP Based Authentication

Once you have the necessary plugins in place, the next thing would be to configure OpenVPN server for LDAP based authentication.

Open the OpenVPN LDAP authentication configuration file and define your OpenLDAP server specifics. Since this file holds the password of the bind DN in cleartext, keep it owned by root with mode 0600.

Create a backup of the configuration first;

cp /etc/openvpn/auth/ldap.conf{,.old}

If the directory and file do not exist yet, as is the case on Ubuntu, create the directory;

mkdir -p /etc/openvpn/auth

Once that is done, copy the sample configuration file;

cp /usr/share/doc/openvpn-auth-ldap/examples/auth-ldap.conf /etc/openvpn/auth/ldap.conf

Next, open the configuration file for editing.

vim /etc/openvpn/auth/ldap.conf

Below is our sample configuration (with the commented lines removed) as per our OpenLDAP server setup. The bind DN password is shown as a placeholder; replace it with the real one. The plugin binds with these credentials to search for the connecting user, and then binds as the user's own DN with the password the VPN client supplied. Note that with TLSEnable set to no and a plain ldap:// URL, both the bind credentials and every user's VPN password travel to the LDAP server in cleartext; outside a loopback or otherwise trusted link, set TLSEnable to yes so that the plugin uses STARTTLS. Make your appropriate configurations;

<LDAP>
	URL		ldap://ldapmaster.kifarunix-demo.com
	BindDN		cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
	Password	<readonly-bind-password>
	Timeout		15
	TLSEnable	no
	FollowReferrals no
</LDAP>
<Authorization>
	BaseDN		"ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"
	SearchFilter	"(uid=%u)"
	RequireGroup	false
</Authorization>

In regards to group authentication, if you want to enforce a more fine grained OpenVPN access control such that only specific users authenticating via OpenLDAP can connect to OpenVPN server, you can utilize OpenLDAP group membership.

For example, in our OpenLDAP server, we have a VPN only group which contains only users that are allowed to connect to OpenVPN server;

ldapsearch -Y EXTERNAL -H ldapi:/// -b ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com -LLL -Q "(cn=vpnonly)"
dn: cn=vpnonly,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: groupOfNames
cn: vpnonly
member: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
member: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

See how to create OpenLDAP group membership by following the guide below;

How to Create OpenLDAP Member Groups

Therefore, to enable group membership authentication, set the value of the RequireGroup option to true and add a Group section. The Group SearchFilter selects the group entries to check under the group BaseDN, and MemberAttribute names the attribute of those entries that lists the members; for a groupOfNames like the one above, that attribute is member (uniqueMember is the attribute of groupOfUniqueNames, and using it against a groupOfNames would make every user fail the group check). Your configuration may then look like;

<LDAP>
	URL		ldap://ldapmaster.kifarunix-demo.com
	BindDN		cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
	Password	<readonly-bind-password>
	Timeout		15
	TLSEnable	no
	FollowReferrals no
</LDAP>
<Authorization>
	BaseDN		"ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"
	SearchFilter	"(uid=%u)"
	RequireGroup	true
	<Group>
		BaseDN		"ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com"
		SearchFilter	"(cn=vpnonly)"
		MemberAttribute	member
	</Group>
</Authorization>

In this case, only the users koromicha and johndoe, listed as members of cn=vpnonly, can connect to the OpenVPN server; any other LDAP user is rejected even with a correct password.
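To see what the two configurations above actually decide before touching a live server, the following is an added example (not the plugin's code and not part of the original tutorial) that models the plugin's flow offline: it parses the same <LDAP>/<Authorization>/<Group> configuration format, substitutes the username into SearchFilter with RFC 4515 escaping (the username arrives from the VPN client, so it is untrusted input; whether the plugin itself escapes it is not stated on this page, so the example does), and evaluates RequireGroup against an in-memory copy of the directory entries shown in the ldapsearch output. The directory (with janedoe added as a non-member), the bind password "placeholder" and the two lint rules are this example's own assumptions.

```python
# Offline model of the openvpn-auth-ldap decision flow. Added example: neither the
# plugin's nor the tutorial author's code. It parses the plugin's config format,
# escapes the client-supplied username per RFC 4515 before substituting %u, and
# evaluates RequireGroup against constructed directory entries mirroring the tutorial.
# The "placeholder" password, the DIRECTORY contents and the lint rules are assumptions.
import re

CONFIG = """<LDAP>
    URL        ldap://ldapmaster.kifarunix-demo.com
    BindDN     cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
    Password   placeholder
    TLSEnable  no
</LDAP>
<Authorization>
    BaseDN       "ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"
    SearchFilter "(uid=%u)"
    RequireGroup true
    <Group>
        BaseDN          "ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com"
        SearchFilter    "(cn=vpnonly)"
        MemberAttribute member
    </Group>
</Authorization>
"""
PEOPLE = "ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"
DIRECTORY = {  # constructed from the tutorial's ldapsearch output, plus non-member janedoe
    "cn=vpnonly,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["vpnonly"],
        "member": ["uid=koromicha," + PEOPLE, "uid=johndoe," + PEOPLE]},
    "uid=koromicha," + PEOPLE: {"uid": ["koromicha"]},
    "uid=johndoe," + PEOPLE: {"uid": ["johndoe"]},
    "uid=janedoe," + PEOPLE: {"uid": ["janedoe"]},
}

def parse_config(text):
    """Nested dicts from the plugin's config format; 'Group' nests under 'Authorization'."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # whole-line comments only: a Password may contain '#'
            continue
        if line.startswith("</"):
            cur = stack.pop()
        elif line.startswith("<"):
            stack.append(cur)
            cur = cur.setdefault(line[1:-1], {})
        else:
            key, value = (line.split(None, 1) + [""])[:2]
            cur[key] = value.strip().strip('"')
    return root

def escape_filter_value(value):
    """RFC 4515 escaping, so a client-chosen username cannot add or close filter components."""
    return "".join(ch if ch not in "*()\\\x00" and ord(ch) < 0x7F else
                   "".join("\\%02x" % b for b in ch.encode("utf-8")) for ch in value)

def user_filter(template, username):
    """Substitute %u safely; the tutorial does not say whether the plugin escapes it itself."""
    return template.replace("%u", escape_filter_value(username))

_EQ = re.compile(r"^\(?([A-Za-z][\w-]*)=([^()]*)\)?$")

def search(directory, base, filt):
    """Toy subtree search for one equality filter; values are compared in escaped form."""
    attr, want = (g.lower() for g in _EQ.match(filt).groups())  # e.g. (uid=johndoe), (cn=vpnonly)
    return [dn for dn, entry in directory.items() if dn.lower().endswith(base.lower())
            and want in [escape_filter_value(v).lower() for k, vs in entry.items()
                         if k.lower() == attr for v in vs]]

def authorize(config, directory, username):
    """Plugin order: exactly one user must match, then (if RequireGroup) a group must list its DN.
    The real plugin binds as that DN with the VPN password between the two steps."""
    authz = config["Authorization"]
    filt = user_filter(authz["SearchFilter"], username)
    users = search(directory, authz["BaseDN"], filt)
    if len(users) != 1:
        return False, "user search %s returned %d entries" % (filt, len(users))
    if authz.get("RequireGroup", "false").lower() != "true":
        return True, "user found; RequireGroup is off"
    group = authz["Group"]
    for gdn in search(directory, group["BaseDN"], group["SearchFilter"]):
        if users[0].lower() in [m.lower() for m in directory[gdn].get(group["MemberAttribute"], [])]:
            return True, "member of " + gdn
    return False, "no group matching %s lists the user in %s" % (group["SearchFilter"], group["MemberAttribute"])

def lint(config, directory):
    """Two mistakes that make this setup silently weak or silently reject everyone."""
    warnings, ldap, group = [], config["LDAP"], config["Authorization"].get("Group")
    if ldap["URL"].startswith("ldap://") and ldap.get("TLSEnable", "no").lower() != "yes":
        warnings.append("TLSEnable no with ldap://: bind and user passwords cross the network in cleartext")
    for gdn in (search(directory, group["BaseDN"], group["SearchFilter"]) if group else []):
        classes = [c.lower() for c in directory[gdn].get("objectClass", [])]
        want = "uniquemember" if "groupofuniquenames" in classes else "member"
        if group["MemberAttribute"].lower() != want:
            warnings.append("%s is %s but MemberAttribute is %s" % (gdn, ",".join(classes), group["MemberAttribute"]))
    return warnings

if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    print("\n".join("WARN: " + w for w in lint(cfg, DIRECTORY)))
    for user in ("johndoe", "janedoe", "*)(uid=*"):
        print(user, "->", authorize(cfg, DIRECTORY, user))
```

Running it reports the cleartext-LDAP warning for this configuration, admits johndoe, rejects janedoe for not being listed in the group's member attribute, and turns the injection-shaped username into a filter that matches nobody. Swapping MemberAttribute to uniqueMember in CONFIG makes lint flag the mismatch with the groupOfNames object class and makes johndoe fail too, which is the symptom to look for when a correctly configured group rejects every user.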

Save and exit the configuration after making your appropriate changes.

Next, configure OpenVPN server to use OpenLDAP for authentication by adding the line below to the OpenVPN server configuration file.

plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf

You can simply add this line to the OpenVPN server configuration file as follows;

echo "plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf" >> /etc/openvpn/server/server.conf

Be sure to set the correct path to the module. For example, on Ubuntu 18.04/20.04, the path is /usr/lib/openvpn/openvpn-auth-ldap.so.

Hence, the line would look like;

plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf

Enable Client Username/Password Authentication

Next, edit the client configuration file to include the auth-user-pass directive to enable username/password authentication method.

For example, this is our sample client configuration file based on our OpenVPN server setup. The tls-auth, auth and comp-lzo settings must match the server; comp-lzo is kept here only because this server uses it, as OpenVPN has deprecated compression for security reasons since 2.4.

client
tls-client
pull
dev tun
proto udp
remote 192.168.2.132 1194
resolv-retry infinite
nobind
#user nobody
#group nogroup
persist-key
persist-tun
key-direction 1
remote-cert-tls server
comp-lzo
verb 3
auth-nocache
dhcp-option DNS 8.8.8.8
dhcp-option DNS 10.8.0.1
auth SHA512
auth-user-pass
tls-auth /home/johndoe/ta-key
ca /home/johndoe/ca.crt
cert /home/johndoe/johndoe.crt
key /home/johndoe/johndoe.key

Restart the OpenVPN server service so that it loads the plugin;

systemctl restart openvpn-server@server

Verify OpenVPN Client LDAP Authentication

Our configuration is now done. To verify that all is well, initiate OpenVPN connection on the client;

sudo openvpn johndoe.ovpn
Sat Apr 18 08:50:11 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019
Sat Apr 18 08:50:11 2020 library versions: OpenSSL 1.1.1 FIPS 11 Sep 2018, LZO 2.08
Enter Auth Username: johndoe
Enter Auth Password: *************
...
Sat Apr 18 08:50:26 2020 /sbin/ip addr add dev tun0 10.8.0.60/24 broadcast 10.8.0.255
Sat Apr 18 08:50:26 2020 /sbin/ip route add 192.168.2.132/32 via 10.0.2.2
Sat Apr 18 08:50:26 2020 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Sat Apr 18 08:50:26 2020 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Sat Apr 18 08:50:26 2020 Initialization Sequence Completed

If LDAP authentication fails (wrong password, no matching user, or, with RequireGroup enabled, a user outside the group), the client logs AUTH_FAILED and exits;

...
Sat Apr 18 08:53:36 2020 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Apr 18 08:53:36 2020 AUTH: Received control message: AUTH_FAILED
Sat Apr 18 08:53:36 2020 SIGTERM[soft,auth-failure] received, process exiting

On the OpenVPN server, a successful connection shows the plugin being invoked for the user; for johndoe the log looks like;

tail -f /var/log/openvpn/openvpn.log
...
192.168.56.1:53489 [johndoe] Peer Connection Initiated with [AF_INET]192.168.56.1:53489
johndoe/192.168.56.1:53489 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/johndoe
johndoe/192.168.56.1:53489 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=0
johndoe/192.168.56.1:53489 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_565148162b7cd88618c8c5e6efba7007.tmp
johndoe/192.168.56.1:53489 MULTI: Learn: 10.8.0.60 -> johndoe/192.168.56.1:53489
johndoe/192.168.56.1:53489 MULTI: primary virtual IP for johndoe/192.168.56.1:53489: 10.8.0.60
johndoe/192.168.56.1:53489 PUSH: Received control message: 'PUSH_REQUEST'

Next, try to connect to the OpenVPN server as janedoe, a valid LDAP user who is not a member of the vpnonly group. Even with a valid client certificate and the correct LDAP password, the connection is rejected;

sudo openvpn janedoe.ovpn
Sat Apr 18 10:00:05 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019
Sat Apr 18 10:00:05 2020 library versions: OpenSSL 1.1.1 FIPS 11 Sep 2018, LZO 2.08
Enter Auth Username: janedoe
Enter Auth Password: **************
...
Sat Apr 18 10:00:19 2020 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Apr 18 10:00:19 2020 AUTH: Received control message: AUTH_FAILED
Sat Apr 18 10:00:19 2020 SIGTERM[soft,auth-failure] received, process exiting

Great. You have successfully configured your OpenVPN clients to authenticate against the OpenLDAP server.

That marks the end of our guide on how to configure OpenVPN LDAP Based Authentication. Enjoy.


2 COMMENTS

  1. Hi,

    Thank you very much for this topic, a great help for me to set up a new VPN with LDAP authentication. Just a few remarks.
    The openvpn-auth-ldap package is not yet available for CentOS 8, but you can install the one for Fedora 28 with its dependencies: gnustep-base-libs libobjc-8.3.1-2. It works fine.

    I had a problem with the routing. I did not use the: push “redirect-gateway def1 bypass-dhcp” in my server.conf because I did not want all the traffic of the clients to go through the VPN. I pushed the route with: “push route IP.0/24 255.255.255.0”, but the client could not connect to the network I had pushed, while with the other networks it could connect. But if I was pushing the “redirect-gateway def1 bypass-dhcp”, it was working. I understood that I had to exclude the IP of my VPN server, which was in the subnet I wanted to push.
    This was working with: push “route serverIP 255.255.255.255 net_gateway”.
    This says that my VPN server goes through the local gateway of the client, not into the tunnel.
