diff options
Diffstat (limited to 'docs')
-rw-r--r-- | docs/configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.log | 293 | ||||
-rw-r--r-- | docs/configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst | 265 | ||||
-rw-r--r-- | docs/configexamples/autotest/OpenVPN_with_LDAP/_include/client.conf | 10 | ||||
-rw-r--r-- | docs/configexamples/autotest/OpenVPN_with_LDAP/_include/ldap-auth.config | 13 | ||||
-rw-r--r-- | docs/configexamples/autotest/OpenVPN_with_LDAP/_include/ovpn-server.conf | 15 | ||||
-rw-r--r-- | docs/configexamples/autotest/OpenVPN_with_LDAP/_include/topology.png | bin | 0 -> 40891 bytes | |||
-rw-r--r-- | docs/configexamples/index.rst | 2 | ||||
-rw-r--r-- | docs/configexamples/openvpn-ldap.rst | 94 |
8 files changed, 597 insertions, 95 deletions
diff --git a/docs/configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.log b/docs/configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.log new file mode 100644 index 00000000..b4eb556b --- /dev/null +++ b/docs/configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.log @@ -0,0 +1,293 @@ +2023-05-10 15:49:03,125 p=46395 u=rob n=ansible | PLAY [Automatic VyOS Lab test] **************************************************************************************************************************************************************************************************** +2023-05-10 15:49:03,156 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : Get env file content] ************************************************************************************************************************************************************************************* +2023-05-10 15:49:03,473 p=46395 u=rob n=ansible | ok: [eveng -> localhost] +2023-05-10 15:49:03,473 p=46395 u=rob n=ansible | ok: [ldap-server -> localhost] +2023-05-10 15:49:03,473 p=46395 u=rob n=ansible | ok: [ovpn-server -> localhost] +2023-05-10 15:49:03,474 p=46395 u=rob n=ansible | ok: [vyos-oobm -> localhost] +2023-05-10 15:49:03,474 p=46395 u=rob n=ansible | ok: [client -> localhost] +2023-05-10 15:49:03,477 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: Load facts] **************************************************************************************************************************************************************************** +2023-05-10 15:49:03,501 p=46395 u=rob n=ansible | ok: [eveng] +2023-05-10 15:49:03,516 p=46395 u=rob n=ansible | ok: [ldap-server] +2023-05-10 15:49:04,604 p=46395 u=rob n=ansible | network_os is set to vyos +2023-05-10 15:49:04,606 p=46395 u=rob n=ansible | network_os is set to vyos +2023-05-10 15:49:04,607 p=46395 u=rob n=ansible | network_os is set to vyos +2023-05-10 15:49:04,607 p=46395 u=rob n=ansible | [WARNING]: ansible-pylibssh not installed, falling back to paramiko + +2023-05-10 15:49:04,608 p=46395 u=rob n=ansible | [WARNING]: ansible-pylibssh not installed, falling back to paramiko + +2023-05-10 15:49:04,608 p=46395 u=rob n=ansible | [WARNING]: ansible-pylibssh not installed, falling back to paramiko + +2023-05-10 15:49:04,616 p=46395 u=rob n=ansible | ok: [client] +2023-05-10 15:49:04,617 p=46395 u=rob n=ansible | ok: [ovpn-server] +2023-05-10 15:49:04,617 p=46395 u=rob n=ansible | ok: [vyos-oobm] +2023-05-10 15:49:04,622 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: fail if node_template_version is empty] ************************************************************************************************************************************************ +2023-05-10 15:49:04,646 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:49:04,655 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:49:04,662 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:49:04,665 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:49:04,669 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:49:04,672 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : generate openv-server CA] ********************************************************************************************************************************************************************************* +2023-05-10 15:49:04,687 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:49:04,694 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:49:04,703 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:49:04,707 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:49:05,742 p=46508 u=rob n=ansible | [DEPRECATION WARNING]: PlayContext.verbosity is deprecated, use +ansible.utils.display.Display.verbosity instead. This feature will be removed +in version 2.18. Deprecation warnings can be disabled by setting +deprecation_warnings=False in ansible.cfg. +2023-05-10 15:49:06,402 p=46508 u=rob n=p=46508 u=rob | paramiko [ovpn-server] | Connected (version 2.0, client OpenSSH_9.2p1) +2023-05-10 15:49:06,706 p=46508 u=rob n=p=46508 u=rob | paramiko [ovpn-server] | Authentication (publickey) successful! +2023-05-10 15:49:10,581 p=46395 u=rob n=ansible | ok: [ovpn-server] +2023-05-10 15:49:10,588 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : install openv-server CA] ********************************************************************************************************************************************************************************** +2023-05-10 15:49:10,607 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:49:10,616 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:49:10,626 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:49:10,631 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:49:16,168 p=46395 u=rob n=ansible | [WARNING]: To ensure idempotency and correct diff the input configuration lines should be similar to how they appear if present in the running configuration on device + +2023-05-10 15:49:16,169 p=46395 u=rob n=ansible | changed: [ovpn-server] +2023-05-10 15:49:16,176 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : generate openv-server SRV] ******************************************************************************************************************************************************************************** +2023-05-10 15:49:16,200 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:49:16,208 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:49:16,217 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:49:16,222 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:49:20,306 p=46395 u=rob n=ansible | ok: [ovpn-server] +2023-05-10 15:49:20,313 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : install openv-server SRV] ********************************************************************************************************************************************************************************* +2023-05-10 15:49:20,333 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:49:20,341 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:49:20,351 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:49:20,355 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:49:26,238 p=46395 u=rob n=ansible | changed: [ovpn-server] +2023-05-10 15:49:26,245 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : generate openv-server Client Cert] ************************************************************************************************************************************************************************ +2023-05-10 15:49:26,272 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:49:26,279 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:49:26,283 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:49:26,288 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:49:29,275 p=46395 u=rob n=ansible | ok: [ovpn-server] +2023-05-10 15:49:29,282 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : install openv-server Client Cert] ************************************************************************************************************************************************************************* +2023-05-10 15:49:29,301 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:49:29,310 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:49:29,321 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:49:29,326 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:49:35,373 p=46395 u=rob n=ansible | changed: [ovpn-server] +2023-05-10 15:49:35,381 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : generate openv-server DH] ********************************************************************************************************************************************************************************* +2023-05-10 15:49:35,406 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:49:35,414 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:49:35,423 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:49:35,428 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:51:03,970 p=46513 u=rob n=ansible | persistent connection idle timeout triggered, timeout value is 120 secs. +See the timeout setting options in the Network Debug and Troubleshooting Guide. +2023-05-10 15:51:03,970 p=46514 u=rob n=ansible | persistent connection idle timeout triggered, timeout value is 120 secs. +See the timeout setting options in the Network Debug and Troubleshooting Guide. +2023-05-10 15:51:04,081 p=46513 u=rob n=ansible | shutdown complete +2023-05-10 15:51:04,081 p=46514 u=rob n=ansible | shutdown complete +2023-05-10 15:51:15,179 p=46395 u=rob n=ansible | ok: [ovpn-server] +2023-05-10 15:51:15,186 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : install openv-server DH] ********************************************************************************************************************************************************************************** +2023-05-10 15:51:15,206 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:51:15,214 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:51:15,225 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:51:15,229 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:51:20,903 p=46395 u=rob n=ansible | changed: [ovpn-server] +2023-05-10 15:51:20,913 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : create ldap-auth.config] ********************************************************************************************************************************************************************************** +2023-05-10 15:51:20,938 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:51:20,947 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:51:20,956 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:51:20,961 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:51:22,675 p=46508 u=rob n=p=46508 u=rob | paramiko [ovpn-server] | Connected (version 2.0, client OpenSSH_9.2p1) +2023-05-10 15:51:22,982 p=46508 u=rob n=p=46508 u=rob | paramiko [ovpn-server] | Authentication (publickey) successful! +2023-05-10 15:51:23,960 p=46508 u=rob n=p=46508 u=rob | paramiko [ovpn-server] | Connected (version 2.0, client OpenSSH_9.2p1) +2023-05-10 15:51:24,239 p=46508 u=rob n=p=46508 u=rob | paramiko [ovpn-server] | Authentication (publickey) successful! +2023-05-10 15:51:24,554 p=46395 u=rob n=ansible | changed: [ovpn-server] +2023-05-10 15:51:24,562 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : setup openv-server] *************************************************************************************************************************************************************************************** +2023-05-10 15:51:24,585 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:51:24,594 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:51:24,604 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:51:24,608 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:51:36,392 p=46395 u=rob n=ansible | [WARNING]: To ensure idempotency and correct diff the input configuration lines should be similar to how they appear if present in the running configuration on device including the indentation + +2023-05-10 15:51:36,392 p=46395 u=rob n=ansible | changed: [ovpn-server] +2023-05-10 15:51:36,400 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : generate openvpn client conifg] *************************************************************************************************************************************************************************** +2023-05-10 15:51:36,425 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:51:36,433 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:51:36,443 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:51:36,447 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:51:37,890 p=46395 u=rob n=ansible | ok: [ovpn-server] +2023-05-10 15:51:37,899 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : ansible.builtin.set_fact] ********************************************************************************************************************************************************************************* +2023-05-10 15:51:37,922 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:51:37,931 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:51:37,941 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:51:37,946 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:51:38,970 p=46395 u=rob n=ansible | ok: [ovpn-server] +2023-05-10 15:51:38,980 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : debug] **************************************************************************************************************************************************************************************************** +2023-05-10 15:51:39,012 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:51:39,018 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:51:39,022 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:51:39,027 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:51:40,051 p=46395 u=rob n=ansible | ok: [ovpn-server] => { + "msg": "client\nnobind\nremote 198.51.100.254 1194\nremote-cert-tls server\nproto udp\ndev tun\ndev-type tun\npersist-key\npersist-tun\nverb 3\n\n# Encryption options\n\nkeysize 256\ncomp-lzo no\n\n<ca>\n-----BEGIN CERTIFICATE-----\nMIIFnTCCA4WgAwIBAgIUORUZbBsuy0QupoJFJgXenSJ9AQQwDQYJKoZIhvcNAQEL\nBQAwVzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcM\nCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0y\nMzA1MTAxMzQ5MDlaFw0zMzA1MDcxMzQ5MDlaMFcxCzAJBgNVBAYTAkdCMRMwEQYD\nVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5\nT1MxEDAOBgNVBAMMB3Z5b3MuaW8wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK\nAoICAQCsL2Xui58HXpl+jreqRxYfNDx1ER7umJ0iPw2dyBuJhP1Hy7vlwyZRvdRQ\nd2AexK1BU2lTkYMWh58BU/dxmnnVhfwr34wUYP6Cs10tKhOxTNj/87wfCBU1sCfv\nO77lPSNP9q/Ad7ZCF3K5Aruc6yO7i8Kx5mR9wysgNaVQQWCsZHKB91ZsviIsK51r\nVYNxF9WDxAP0Ms0pO/faSAFf70JbMG2jvRTAgQJ/+R+XXB/Rvg3cJrTYeSeFn+9l\nen5N4HQgraw3tq/OLePYaZBew7a+GZ7YRsVdJbwq2Ch5lRN/jZxAyv4WJoMNEGJv\nb5I8pj/F3ECg6NcEmXaSnRXIO6eaq1v/huIsxNnWT9ns+/JB7OBDmZ88iMKP9z37\nX/AMwLKhcqjMGE9tR8zOMld2vqNgk6bhBzz28WJ6FT3bI30RT2fq+mnvS7rVFVyC\nMlruRg8jIkwa0sictXsO8rl+5i1L+44DC+L7YIlGykAMhc+V1AD3nXRz6sQH6O8E\nsr5hS2t3zEjcQ/jN0amlAKs8KLPaYh+Ui0E1gx0H7wGfVEVQ48IweIrRrZ0h9BG2\ni/9eHaM0kQjUP+I+P00dP6LdOawLWhzNQ8+9ES+1EAP088XpKK4jw9m+o6goqaLq\nHN0QBrfW8wSyMFE4wYin3dYGcykWqyx6Up14DGbF0iBCKSRVQwIDAQABo2EwXzAP\nBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEF\nBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFG1bKeDc0O/cCwaarX59BCMSJDujMA0G\nCSqGSIb3DQEBCwUAA4ICAQBWI+p8tBzy6CO8ImP5DBQFwnVBv+6T59na2JrEq7nZ\nk0aBITWh9PRp5w+ZOe+cL9jHZEJNoaSjq3/bkF/CSKCIoa0YiZX/MAs4d/EnttRh\ncudwgTbE6q0tIKDLlxoYI0Gpo7j48W1rPd0FKAc7igy4eQKOwDmqqG9gVmNTyyrT\n1pVvaic7Ok/c1QmVOEub0f7kW2EA4Zk9+HUVGHYdp3WfOX8QCI5nTrAO6YJrw+d1\nBUly6krnb7NWDkWarJ51e6TAR1dz4zp++jhNVssEHbLQyA7+HzWnRSbxYndxCPBn\noXjQRwx8/3uUubj9l3CDIb1424D0sm8TNslhElD41/Ir1uQ/RRt15O1CKQJg6mpv\nDtgrOik+vpUMqBDYGQ38XgqzHYV1klCjo5NlNP33TRvlQe9B6LtxzBZvoxBfxYDI\nheSRdPbKP8DEHZ6z9d0d1Ubo/waExlcrUfBt4bbxNebsx9nuvVl8hl0R0iEInMjN\n3jaPrSrUEsPcXpBVL+VhzuWG7zTfGGUVIB+5UC/VCiFP+9LPqsfgBvXKIfIlj2db\nLJOsoxZrJtXq7Jvdn7NqFo7vR0hw+YIzmnCFAGpTx6yuWpjuf2y5dY48iTfMuP2v\nUoGRxoO+8wFQONj4psAD524SnOpEwYw+3fuw+P5zC6hT9y4XkZKsEnu6nJjB8T0B\nlA==\n-----END CERTIFICATE-----\n\n</ca>\n\n<cert>\n-----BEGIN CERTIFICATE-----\nMIIFsDCCA5igAwIBAgIUXOnWUTwh0zWkUX+LTlftlfkEGqAwDQYJKoZIhvcNAQEL\nBQAwVzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcM\nCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0y\nMzA1MTAxMzQ5MjhaFw0zMzA1MDcxMzQ5MjhaMFYxCzAJBgNVBAYTAkdCMRMwEQYD\nVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5\nT1MxDzANBgNVBAMMBmNsaWVudDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC\nggIBAJgTHdmee0dFlbohSBF+Xy8XjWpCKnfXGNgr9JgU9+lzQ8SR+Z83XcRocvJX\nasSf4gDZK05pGhyXTx9KzTaYAZi1ZCK4pZ1fXZ+TdHgThLdLW7h/xDF3WU0omydC\nGiBkua3kldcRfhPnBYrWZwvHkeUOYNybRezM/fIGpnp74+YBXybGZ8YRLmRhc/j1\nQDJt0DLvVxfb6YkfU/vuSLnPtu40Ye/EsOhuPcStC9Mmctxx3msZH417z2wWQNvY\n926ZUQCXophkkhNA3kxUcz+gdV5ECCO+KPa7r305olFgv7c4KSNih7MmYBEyKMS7\npA+CF9etEJs3VmHT9avGtKvDMW8XhoqpxTWQ15CNaEFGTxCejPuI+nFCoqtAN9Y9\nO/A6rsLuM6EuaDX2qjSUfDMnUVVclE7yL8JDZEOQZw970Mi+TnhbXfYEyvX8HJLk\n4Vg2JUc67jTDRiQfgWuJHiaPyrYX2ssP8LU/oOis638mHo+7YpJCSeqF0R4m6lSi\nQJNOz8knawp40Uu1iA9RqQrYT8MRt2quCRn2aUolvRmNB4dHS/2TUdHChBdDxylL\nzbFtZLkCiWwKKNvu3ZjxMua2AjYe904r+S4duow4MxfKUFsoMY6GlscGeReMXJVV\nx2i+580wF/tn+3k/9PUS90FoFhQCidfxib/Eo4rOT03awPGBAgMBAAGjdTBzMAwG\nA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMC\nMB0GA1UdDgQWBBTTt3dGY9D07BI8V/0QmVI25bC+gDAfBgNVHSMEGDAWgBRtWyng\n3NDv3AsGmq1+fQQjEiQ7ozANBgkqhkiG9w0BAQsFAAOCAgEAKz+MT9JlvwUope8x\nrUuf+6s/fyiAvmQfGOAN6aBVyxO1+ZIAau6CXGJ9/MaJKF/Ju+V2zTpBVz2bFNxP\nHceY1z9rtQb0l+CG4elcsQY4vhouvDH+HoI8rP/jzFD25zsUmAlMaTZuLWU4WnVT\n2WhO5X1GZFKl5fT8ulyLx3rcb/CaiC6Kg+yi/tktFgpyWyjTMSVp9QBGYRudKVwK\nx585nb5a5Z+uLYBmYcYrRQvLWSQKGLb84qE8gOfek47FZCfoh7rlLpt8prFIW60x\nEarR4Ul/1xhs+2AqMw3mHuQrIxJgHvKoQHBkS/RadsRWglWasE0qm09BtoLeso1h\nZIXO2O830jXOYEZEuhE63iIHxBZUEUpurXt6he/IBL1l8UuRM6ArHtDo2awlnWlL\nUz34e1pSzLAtSfS9Iop+zxt/UDQtMCW/a2MQGB7m/kgCtICC0p8QsuGa8k/+SQOt\nTI1VAj/dJ2O5XFhfFYgDtT/XXa6o3nEmWW+KTtggcvGIyP0Huxq+6ShxrwKkXI0n\nWVffhVafcIkJnsUYTJu+Cx4KpilKV6+lzRQhK7UHfS0hErs0UQoZA4Fpz2uWukNe\n2fezl0IJThWPklGKOYriZyKb4i81i3occ1+9YpzKUrBD2ZI+t0Exp73/cfuQbiCO\niIu80S44myiZMfD2OPvjR0lBSoE=\n-----END CERTIFICATE-----\n\n</cert>\n\n<key>\n-----BEGIN PRIVATE KEY-----\nMIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCYEx3ZnntHRZW6\nIUgRfl8vF41qQip31xjYK/SYFPfpc0PEkfmfN13EaHLyV2rEn+IA2StOaRocl08f\nSs02mAGYtWQiuKWdX12fk3R4E4S3S1u4f8Qxd1lNKJsnQhogZLmt5JXXEX4T5wWK\n1mcLx5HlDmDcm0XszP3yBqZ6e+PmAV8mxmfGES5kYXP49UAybdAy71cX2+mJH1P7\n7ki5z7buNGHvxLDobj3ErQvTJnLccd5rGR+Ne89sFkDb2PdumVEAl6KYZJITQN5M\nVHM/oHVeRAgjvij2u699OaJRYL+3OCkjYoezJmARMijEu6QPghfXrRCbN1Zh0/Wr\nxrSrwzFvF4aKqcU1kNeQjWhBRk8Qnoz7iPpxQqKrQDfWPTvwOq7C7jOhLmg19qo0\nlHwzJ1FVXJRO8i/CQ2RDkGcPe9DIvk54W132BMr1/ByS5OFYNiVHOu40w0YkH4Fr\niR4mj8q2F9rLD/C1P6DorOt/Jh6Pu2KSQknqhdEeJupUokCTTs/JJ2sKeNFLtYgP\nUakK2E/DEbdqrgkZ9mlKJb0ZjQeHR0v9k1HRwoQXQ8cpS82xbWS5AolsCijb7t2Y\n8TLmtgI2HvdOK/kuHbqMODMXylBbKDGOhpbHBnkXjFyVVcdovufNMBf7Z/t5P/T1\nEvdBaBYUAonX8Ym/xKOKzk9N2sDxgQIDAQABAoICAA4nLuhOc620TOHn1nCEwNbX\ncjQfi7R5VcwXxymr2RvzO/oPr3PBPN5Nh2+FC20L1J/i/KdNaJgDMvw4EEI49ZXg\n2wlqNhIGSpnSQnNcaaxML9fLa31CqZJ6dkbtXXro6BwsqA9Xuh9sqQ585rxpBFIV\nIcmjDJs9w5KVsNyF92jnQfpDWjjlgQ2BjlmiRY+/IMwxi/r7kgM1FOVfWon3sJ0A\nGtWsPUSpSEfFTR9UUDmyjt8lYiASRw5WdQ6g5WJExyeiQe69FjIDH803Yz4Nym6N\nliGLDjGF646tevnoFaxqsyI8BmITbu4BK48nrkMG05fUeQIURw6Cu5xf7JE7Vzgy\n7mBwujtkEuRmXz9LsJTaWt5I/sXDUh0Uwe0BGYj5O+8MB7yzQFBjhv6pLJZdySSV\ngSlmupbwtY2BcV48KuvPkzKngHXR8jA6p8XAQV2Xq2njQLsOKJrgEhbIp99h61ao\n5K6gtW056hSN4q01YA00JQZGKZRviUOuQGP71SNDPCl3uvvElVwBFtfEYV12VzFK\nye1fF2CcRThCEML91Qo/IueqrNEBVQHxnCO7R5uwKSkXZNJ5pNArMsAdMfLzXApD\nF3Dcctz/C9I0RG18EdtoW4RjPxEZ1wXHGVkvCpUCwNImsvxWOy78klnfEUyKtOCM\ndnn1flp0CiZzjGAMSiGbAoIBAQC9ZpY4XZ4v68KnaHyiqKjNQDU64wrONGK1XrMS\nwOl5a6Cg8S3n3d51E2AguFKilKZ1LJ721WGdEIO4+J9nFKvXYUSCl711cCh+njya\nE3a9H6louFVZ2X3NxjLUSJtqUyBEOE/NzNxhTt9BoiiR3cKUmhLLlYkHmLnqBv3j\nw4Trl/rU3rDemAf6zOB0eXKM946qjQpfB2LsokCWWsOhnT1XBcSEvkHvSrWv4EH/\n6IDFAROBGtlCW2C8BiosRdpj8thsdnW1lvGAvHs27nLMXz3/NNBX03dlA8YRaelm\nl0EDo0IwrXI7/u4Zy8wL3gfn/NPr0ST3jXz9K8nxvohPxwcfAoIBAQDNjIZs/HT6\nY2rTMH++rC3ZNfLUm/3aNsVl1TB8nkEvfBQHU5HEyqqeE4d/b3+7bRwWhVpfNHLe\nrMV8qNr8iAjvpeL5nvnmUPHLT0CpsI+wUvOlnluHGsCfyLWDNVBPcDL10scediYM\nkKGJGiQSbl355JbIrYxA5AgA7qUGcLQ7mGmwzXyJgmBMOJbDyYvoezh4iogWxC4C\nlh834UgmGWJp2Bi20VuqF00HClN+z1QELQN2Pu2SVK5XTlfXmuYHc3Bi1xvD2KaL\nyqT2BtWVRS9RDG0LOzgOAnG9Mx7SEtPAnRhpydx28HWEwGaFKas6QaIuDo92Blpo\n40ti2Yav4hNfAoIBAQC0m0SYDz2u+KQvuwVOnoII5zdbJfHB3FZcGSettGNus2EC\n17ksp3dgMM+zo9C41AM/LQOQ4L0qZvsUwZBPXXjX8xq/ZS7287LJut6TFgheI/kJ\nsO1CtpCuTldd8raw1v+nzgLbfoSQDgP6tET3g33u8lUF6Vw38D0omu4z6NexSMWZ\ng5kpSdQiJofKyZygK9jRbZj8MTD18WqhdX+jdyts9kUFR9/b7WP/iFunSfCw62vL\n6uxNyJEf+sjwWtP8BzC1jOiF9p/oYNMl+I9jr1aRK62YckAiBU00gchdWdJXQ7D0\ndhC+gURPOPUkQ99KKt9yuYcEwNj1GnKBoWyelm2FAoIBAHoj2bEjZuNudgjeVdpY\nd7oNm6kItJSZXT0ArJowc62ivkgIOaNFhpL+KdLoz27xC/K59RSDlwqIgaVstQvA\nTgcRfMk11WstiDB2fIcY2pk9AXjVm6+xjuqjmnBIGtvJYQ6/3ABW1o861jIg7XRi\nTsdyNMM0lRXuKm9bX4ZvLDoJfCxKPol7hntkWPooZlGT/t9p+ioFEw4IZK6Q2I2D\nIf6hITZpO13cELJxSWIeEt+UW+1EwWjllt9cN0hvy+Z7iznAdsgukfCZTuK+9uWH\nQfGYP6ef3dQ9UZbKrLLJ6zgWYW5jO/UVN8/VgFX6h7vLSnKxxj+s0MZo4d/wQF99\nKGMCggEACAWOCIerQRC51zo8eXOB65mmpR0nX/VuWCZw4uIo5tVZ47JskPIH9MTy\nd/OLbHDa3esJjmZawSl0lI0j7p/yY+J9TEJyOCUU9PCDUw+BeJ39/VqW/fyBn8gI\n1cC3BnPkDf2HnbgHxaCP37sy/aHs7Xn/bNDaLksEDWDblFCQ5tYqGbZhxUNnsx2x\n3z/aYJVmx0lkKXSA+8rKeAk+OnDHUjlJjpRIcAsQJE6Ni+2cHbYygVPXiFbbKk+2\nekNwYkhMZ+DP+t+uY5ZRfwq0jjIrh+5fyw26yG9PoXspGoqPCTcQ9BEqU88J6ziF\nrxWXbmsYdR1dnKCZXcKJVKqJIFCnyg==\n-----END PRIVATE KEY-----\n\n</key>" +} +2023-05-10 15:51:40,059 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : debug] **************************************************************************************************************************************************************************************************** +2023-05-10 15:51:40,091 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:51:40,099 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:51:40,100 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:51:40,108 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:51:41,160 p=46395 u=rob n=ansible | network_os is set to vyos +2023-05-10 15:51:41,163 p=46395 u=rob n=ansible | [WARNING]: ansible-pylibssh not installed, falling back to paramiko + +2023-05-10 15:51:41,169 p=46395 u=rob n=ansible | ok: [client] => { + "msg": { + "changed": false, + "skip_reason": "Conditional result was False", + "skipped": true + } +} +2023-05-10 15:51:41,175 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : install Client Cert] ************************************************************************************************************************************************************************************** +2023-05-10 15:51:41,200 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:51:41,210 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:51:41,218 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:51:41,227 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:51:42,267 p=46644 u=rob n=ansible | [DEPRECATION WARNING]: PlayContext.verbosity is deprecated, use +ansible.utils.display.Display.verbosity instead. This feature will be removed +in version 2.18. Deprecation warnings can be disabled by setting +deprecation_warnings=False in ansible.cfg. +2023-05-10 15:51:42,938 p=46644 u=rob n=p=46644 u=rob | paramiko [client] | Connected (version 2.0, client OpenSSH_9.2p1) +2023-05-10 15:51:43,304 p=46644 u=rob n=p=46644 u=rob | paramiko [client] | Authentication (publickey) successful! +2023-05-10 15:51:51,002 p=46395 u=rob n=ansible | changed: [client] +2023-05-10 15:51:51,010 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : install CA on Client] ************************************************************************************************************************************************************************************* +2023-05-10 15:51:51,035 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:51:51,043 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:51:51,051 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:51:51,060 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:51:55,745 p=46395 u=rob n=ansible | changed: [client] +2023-05-10 15:51:55,753 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : setup client] ********************************************************************************************************************************************************************************************* +2023-05-10 15:51:55,778 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:51:55,786 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:51:55,793 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:51:55,802 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:52:05,361 p=46395 u=rob n=ansible | changed: [client] +2023-05-10 15:52:05,371 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: Login to EVE-NG and get Cookie] ******************************************************************************************************************************************************** +2023-05-10 15:52:05,401 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:52:05,409 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:52:05,412 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:52:05,417 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:52:07,968 p=46395 u=rob n=ansible | ok: [eveng] +2023-05-10 15:52:07,978 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: stop nodes id] ************************************************************************************************************************************************************************* +2023-05-10 15:52:08,013 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:52:08,016 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:52:08,018 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:52:08,023 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:52:08,030 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:52:08,034 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: wait after stop] *********************************************************************************************************************************************************************** +2023-05-10 15:52:08,047 p=46395 u=rob n=ansible | Pausing for 5 seconds +2023-05-10 15:52:08,048 p=46395 u=rob n=ansible | (ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)
+2023-05-10 15:52:13,060 p=46395 u=rob n=ansible | ok: [eveng] +2023-05-10 15:52:13,069 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: start nodes id] ************************************************************************************************************************************************************************ +2023-05-10 15:52:13,106 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:52:13,108 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:52:13,110 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:52:13,116 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:52:13,123 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:52:13,126 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: wait after start] ********************************************************************************************************************************************************************** +2023-05-10 15:52:13,139 p=46395 u=rob n=ansible | Pausing for 5 seconds +2023-05-10 15:52:13,139 p=46395 u=rob n=ansible | (ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)
+2023-05-10 15:52:18,152 p=46395 u=rob n=ansible | ok: [eveng] +2023-05-10 15:52:18,162 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: wait, b/c the ping often failed without a short break] ********************************************************************************************************************************* +2023-05-10 15:52:18,182 p=46395 u=rob n=ansible | Pausing for 30 seconds +2023-05-10 15:52:18,183 p=46395 u=rob n=ansible | (ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)
+2023-05-10 15:52:48,196 p=46395 u=rob n=ansible | ok: [eveng] +2023-05-10 15:52:48,206 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: do ping test] ************************************************************************************************************************************************************************** +2023-05-10 15:52:48,243 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:52:48,246 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:52:48,246 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:52:48,257 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:52:53,912 p=46395 u=rob n=ansible | ok: [client] => (item=192.168.1.1) +2023-05-10 15:52:53,921 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: execute test commands] ***************************************************************************************************************************************************************** +2023-05-10 15:52:53,947 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:52:53,956 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:52:53,958 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:52:53,962 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:52:53,971 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:52:53,974 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: register stdout commands] ************************************************************************************************************************************************************** +2023-05-10 15:52:53,999 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:52:54,002 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:52:54,010 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:52:54,016 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:52:56,105 p=46395 u=rob n=ansible | ok: [ovpn-server] => (item={'name': 'show_client', 'command': 'show openvpn server'}) +2023-05-10 15:52:56,113 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: Set variables] ************************************************************************************************************************************************************************* +2023-05-10 15:52:56,144 p=46395 u=rob n=ansible | skipping: [eveng] +2023-05-10 15:52:56,145 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:52:56,152 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:52:56,160 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:52:57,191 p=46395 u=rob n=ansible | ok: [ovpn-server] +2023-05-10 15:52:57,203 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: make sure output dir exist] ************************************************************************************************************************************************************ +2023-05-10 15:52:57,237 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:52:57,246 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:52:57,248 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:52:57,278 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:52:57,510 p=46395 u=rob n=ansible | ok: [eveng -> localhost] +2023-05-10 15:52:57,513 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: make sure output include dir exist] **************************************************************************************************************************************************** +2023-05-10 15:52:57,536 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:52:57,547 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:52:57,547 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:52:57,555 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:52:57,742 p=46395 u=rob n=ansible | ok: [eveng -> localhost] +2023-05-10 15:52:57,746 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: Get timestamp from the system] ********************************************************************************************************************************************************* +2023-05-10 15:52:57,765 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:52:57,771 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:52:57,774 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:52:57,779 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:52:58,651 p=46395 u=rob n=ansible | changed: [eveng] +2023-05-10 15:52:58,660 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: Set variables] ************************************************************************************************************************************************************************* +2023-05-10 15:52:58,690 p=46395 u=rob n=ansible | ok: [eveng] +2023-05-10 15:52:58,698 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:52:58,701 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:52:58,701 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:52:58,706 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:52:58,711 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: generate lab rst file] ***************************************************************************************************************************************************************** +2023-05-10 15:52:58,734 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:52:58,742 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:52:58,745 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:52:58,750 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:52:59,270 p=46395 u=rob n=ansible | changed: [eveng -> localhost] +2023-05-10 15:52:59,275 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: find all *.conf files in Lab] ********************************************************************************************************************************************************** +2023-05-10 15:52:59,298 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:52:59,306 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:52:59,308 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:52:59,314 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:52:59,568 p=46395 u=rob n=ansible | ok: [eveng -> localhost] +2023-05-10 15:52:59,574 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: copy all *.conf files] ***************************************************************************************************************************************************************** +2023-05-10 15:52:59,599 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:52:59,609 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:52:59,611 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:52:59,618 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:52:59,995 p=46395 u=rob n=ansible | ok: [eveng -> localhost] => (item={'path': 'labs/OpenVPN_with_LDAP/ovpn-server.conf', 'mode': '0644', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 501, 'gid': 20, 'size': 810, 'inode': 3231536, 'dev': 16777229, 'nlink': 1, 'atime': 1682786301.5902777, 'mtime': 1682786299.53471, 'ctime': 1682786299.53471, 'gr_name': 'staff', 'pw_name': 'rob', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': True, 'xgrp': False, 'woth': False, 'roth': True, 'xoth': False, 'isuid': False, 'isgid': False}) +2023-05-10 15:53:00,389 p=46395 u=rob n=ansible | ok: [eveng -> localhost] => (item={'path': 'labs/OpenVPN_with_LDAP/client.conf', 'mode': '0644', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 501, 'gid': 20, 'size': 477, 'inode': 3231532, 'dev': 16777229, 'nlink': 1, 'atime': 1682681063.1554656, 'mtime': 1682681061.5118814, 'ctime': 1682681061.5118814, 'gr_name': 'staff', 'pw_name': 'rob', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': True, 'xgrp': False, 'woth': False, 'roth': True, 'xoth': False, 'isuid': False, 'isgid': False}) +2023-05-10 15:53:00,395 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: find all *.config files in Lab] ******************************************************************************************************************************************************** +2023-05-10 15:53:00,417 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:53:00,425 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:53:00,427 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:53:00,432 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:53:00,617 p=46395 u=rob n=ansible | ok: [eveng -> localhost] +2023-05-10 15:53:00,622 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: copy all *.config files] *************************************************************************************************************************************************************** +2023-05-10 15:53:00,646 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:53:00,656 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:53:00,658 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:53:00,664 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:53:01,034 p=46395 u=rob n=ansible | changed: [eveng -> localhost] => (item={'path': 'labs/OpenVPN_with_LDAP/ldap-auth.config', 'mode': '0644', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 501, 'gid': 20, 'size': 241, 'inode': 7385173, 'dev': 16777229, 'nlink': 1, 'atime': 1682687502.4956439, 'mtime': 1682687500.6057715, 'ctime': 1682687500.6057715, 'gr_name': 'staff', 'pw_name': 'rob', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': True, 'xgrp': False, 'woth': False, 'roth': True, 'xoth': False, 'isuid': False, 'isgid': False}) +2023-05-10 15:53:01,040 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: find all *.png files in Lab] *********************************************************************************************************************************************************** +2023-05-10 15:53:01,063 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:53:01,071 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:53:01,074 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:53:01,079 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:53:01,259 p=46395 u=rob n=ansible | ok: [eveng -> localhost] +2023-05-10 15:53:01,265 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: copy all *.png files] ****************************************************************************************************************************************************************** +2023-05-10 15:53:01,289 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:53:01,298 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:53:01,300 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:53:01,306 p=46395 u=rob n=ansible | skipping: [ldap-server] +2023-05-10 15:53:01,674 p=46395 u=rob n=ansible | ok: [eveng -> localhost] => (item={'path': 'labs/OpenVPN_with_LDAP/topology.png', 'mode': '0644', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 501, 'gid': 20, 'size': 40891, 'inode': 7535943, 'dev': 16777229, 'nlink': 1, 'atime': 1682894454.9541955, 'mtime': 1682781250.8242838, 'ctime': 1682781303.849814, 'gr_name': 'staff', 'pw_name': 'rob', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': True, 'xgrp': False, 'woth': False, 'roth': True, 'xoth': False, 'isuid': False, 'isgid': False}) +2023-05-10 15:53:01,679 p=46395 u=rob n=ansible | TASK [eve-ng-lab-test : OpenVPN_with_LDAP: copy ansible log files] **************************************************************************************************************************************************************** +2023-05-10 15:53:01,701 p=46395 u=rob n=ansible | skipping: [vyos-oobm] +2023-05-10 15:53:01,708 p=46395 u=rob n=ansible | skipping: [ovpn-server] +2023-05-10 15:53:01,710 p=46395 u=rob n=ansible | skipping: [client] +2023-05-10 15:53:01,716 p=46395 u=rob n=ansible | skipping: [ldap-server] diff --git a/docs/configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst b/docs/configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst new file mode 100644 index 00000000..0322b301 --- /dev/null +++ b/docs/configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst @@ -0,0 +1,265 @@ +.. _examples-OpenVPN-with-LDAP: + +################# +OpenVPN with LDAP +################# + +| Testdate: 2023-05-10 +| Version: 1.4-rolling-202304280615 + +This LAB show how to uwe OpenVPN with a Active Directory authentication backend. + +The Topology are consists of: + * Windows Server 2019 with a running Active Directory + * VyOS as a OpenVPN Server + * VyOS as Client + +.. image:: _include/topology.png + :alt: OpenVPN with LDAP topology image + +Active Directory on Windows server +================================== + +The Lab asume a full running Active Directory on the Windows Server. +Here are some PowerShell commands to quickly add a Test Active Directory. + +.. code-block:: powershell + + # install the Active Directory Server role + Install-WindowsFeature AD-Domain-Services -IncludeManagementTools + + # install the Active Directory Server role + Install-ADDSForest -DomainName "vyos.local" -DomainNetBiosName "VYOS" -InstallDns:$true -NoRebootCompletion:$true + + # create test user01 and binduser + New-ADUser binduser -AccountPassword(Read-Host -AsSecureString "Input Password") -Enabled $true + New-ADUser user01 -AccountPassword(Read-Host -AsSecureString "Input Password") -Enabled $true + + +Configuration VyOS as OpenVPN Server +==================================== + +In this example OpenVPN will be setup with a client certificate and username / password authentication. + +First a CA, a signed server and client ceftificate and a Diffie-Hellman parameter musst be generated and installed. +Please look :ref:`here <configuration/pki/index:pki>` for more information. + +| Add the LDAP plugin configuration file `/config/auth/ldap-auth.config` +| Check all possible settings `here <https://github.com/threerings/openvpn-auth-ldap/blob/master/auth-ldap.conf>`_ + +.. literalinclude:: _include/ldap-auth.config + :language: none + + +Now generate all required certificates on the ovpn-server: + +first the PCA + +.. code-block:: none + + vyos@ovpn-server# run generate pki ca install OVPN-CA + +after this create a signed server and a client certificate + +.. code-block:: none + + vyos@ovpn-server# run generate pki certificate sign OVPN-CA install SRV + vyos@ovpn-server# run generate pki certificate sign OVPN-CA install CLIENT + +and last the DH Key + +.. code-block:: none + + vyos@ovpn-server# run generate pki dh install DH + +after all these steps the config look like this: + +.. code-block:: none + + set pki ca OVPN-CA certificate 'MIIFnTCCA4WgAwIBAgIUORUZbBsuy0QupoJFJgXenSJ9AQQwDQYJKoZIhvcNAQELBQAwVzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0yMzA1MTAxMzQ5MDlaFw0zMzA1MDcxMzQ5MDlaMFcxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxEDAOBgNVBAMMB3Z5b3MuaW8wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCsL2Xui58HXpl+jreqRxYfNDx1ER7umJ0iPw2dyBuJhP1Hy7vlwyZRvdRQd2AexK1BU2lTkYMWh58BU/dxmnnVhfwr34wUYP6Cs10tKhOxTNj/87wfCBU1sCfvO77lPSNP9q/Ad7ZCF3K5Aruc6yO7i8Kx5mR9wysgNaVQQWCsZHKB91ZsviIsK51rVYNxF9WDxAP0Ms0pO/faSAFf70JbMG2jvRTAgQJ/+R+XXB/Rvg3cJrTYeSeFn+9len5N4HQgraw3tq/OLePYaZBew7a+GZ7YRsVdJbwq2Ch5lRN/jZxAyv4WJoMNEGJvb5I8pj/F3ECg6NcEmXaSnRXIO6eaq1v/huIsxNnWT9ns+/JB7OBDmZ88iMKP9z37X/AMwLKhcqjMGE9tR8zOMld2vqNgk6bhBzz28WJ6FT3bI30RT2fq+mnvS7rVFVyCMlruRg8jIkwa0sictXsO8rl+5i1L+44DC+L7YIlGykAMhc+V1AD3nXRz6sQH6O8Esr5hS2t3zEjcQ/jN0amlAKs8KLPaYh+Ui0E1gx0H7wGfVEVQ48IweIrRrZ0h9BG2i/9eHaM0kQjUP+I+P00dP6LdOawLWhzNQ8+9ES+1EAP088XpKK4jw9m+o6goqaLqHN0QBrfW8wSyMFE4wYin3dYGcykWqyx6Up14DGbF0iBCKSRVQwIDAQABo2EwXzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFG1bKeDc0O/cCwaarX59BCMSJDujMA0GCSqGSIb3DQEBCwUAA4ICAQBWI+p8tBzy6CO8ImP5DBQFwnVBv+6T59na2JrEq7nZk0aBITWh9PRp5w+ZOe+cL9jHZEJNoaSjq3/bkF/CSKCIoa0YiZX/MAs4d/EnttRhcudwgTbE6q0tIKDLlxoYI0Gpo7j48W1rPd0FKAc7igy4eQKOwDmqqG9gVmNTyyrT1pVvaic7Ok/c1QmVOEub0f7kW2EA4Zk9+HUVGHYdp3WfOX8QCI5nTrAO6YJrw+d1BUly6krnb7NWDkWarJ51e6TAR1dz4zp++jhNVssEHbLQyA7+HzWnRSbxYndxCPBnoXjQRwx8/3uUubj9l3CDIb1424D0sm8TNslhElD41/Ir1uQ/RRt15O1CKQJg6mpvDtgrOik+vpUMqBDYGQ38XgqzHYV1klCjo5NlNP33TRvlQe9B6LtxzBZvoxBfxYDIheSRdPbKP8DEHZ6z9d0d1Ubo/waExlcrUfBt4bbxNebsx9nuvVl8hl0R0iEInMjN3jaPrSrUEsPcXpBVL+VhzuWG7zTfGGUVIB+5UC/VCiFP+9LPqsfgBvXKIfIlj2dbLJOsoxZrJtXq7Jvdn7NqFo7vR0hw+YIzmnCFAGpTx6yuWpjuf2y5dY48iTfMuP2vUoGRxoO+8wFQONj4psAD524SnOpEwYw+3fuw+P5zC6hT9y4XkZKsEnu6nJjB8T0BlA==' + set pki ca OVPN-CA private key 'MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCsL2Xui58HXpl+jreqRxYfNDx1ER7umJ0iPw2dyBuJhP1Hy7vlwyZRvdRQd2AexK1BU2lTkYMWh58BU/dxmnnVhfwr34wUYP6Cs10tKhOxTNj/87wfCBU1sCfvO77lPSNP9q/Ad7ZCF3K5Aruc6yO7i8Kx5mR9wysgNaVQQWCsZHKB91ZsviIsK51rVYNxF9WDxAP0Ms0pO/faSAFf70JbMG2jvRTAgQJ/+R+XXB/Rvg3cJrTYeSeFn+9len5N4HQgraw3tq/OLePYaZBew7a+GZ7YRsVdJbwq2Ch5lRN/jZxAyv4WJoMNEGJvb5I8pj/F3ECg6NcEmXaSnRXIO6eaq1v/huIsxNnWT9ns+/JB7OBDmZ88iMKP9z37X/AMwLKhcqjMGE9tR8zOMld2vqNgk6bhBzz28WJ6FT3bI30RT2fq+mnvS7rVFVyCMlruRg8jIkwa0sictXsO8rl+5i1L+44DC+L7YIlGykAMhc+V1AD3nXRz6sQH6O8Esr5hS2t3zEjcQ/jN0amlAKs8KLPaYh+Ui0E1gx0H7wGfVEVQ48IweIrRrZ0h9BG2i/9eHaM0kQjUP+I+P00dP6LdOawLWhzNQ8+9ES+1EAP088XpKK4jw9m+o6goqaLqHN0QBrfW8wSyMFE4wYin3dYGcykWqyx6Up14DGbF0iBCKSRVQwIDAQABAoICABBB3L90WlxmmlqLMhyMirJWixtzNYxJ8j2As5HsChbmwh1XHKjEehKUuFOtTxuImWKGHsyU/B9n8w474IH5l7rz5CE7rFe46BRCHYWSp/pWav9mWCLxRJi68az9DfifWFKyqYR5fnFovQcVPXlC8FmYXWvQ+OMGRu+gcQ6N+wk75giPEw9rDQHw+kjfRuz/gZmSgTG7jDMc+47AvAnT/DFs9fp+81MmZdcxwpcBdpWl+rFdzDcg3/zrYr3zngekrizvCPLXt8C2r4EdnSkoFHyIIb8s63HwiqmG8Edj2SFIJx0tArw9AE7+9t8BAKSOU+N5eMwDQANUqWU4Gg2Q/bGNX7G8E9nm4/DvGarNjSitVaLeLeJqLxSOz2jmCq1rvi92m4sY42kAhM8JXTfN5KnZOF9TUumm4CbzO1zuP/E8QFQZL2BJCpYKIKJ5fNjDvHMSehodGxYV3nbmfNqQpFq1I33OwDteJf6mjEZVrbF3CutM0+lDXeR+Vhp/6MeuDC4FJ0ZF2Ixpw0o3OBn9Yb808TwAmLgFGycTD1OFujvR0K30fhwJ2HPkUnQmErUWjuCZ/qlohmX7RM3ffioq7LyeeHeSykwrd4v2BJjW711lLvnp1Stfj+xLO1RdbKjh6q8TxJj9+NHAvVguPVNGkvs5o2UAfE1bvFDCd1mSBxFVAoIBAQDTMXs6xE/RcSlecV544Pq0NRYMidO3M2cqox19vxSJf1U2AyPYD5SHeDwyAwMP6cJ4kd8rK4yoXWruKpNSt7BAvy0q0TWBjFsbTRH6aPsE1S9hyIXj3GKoBt6j1SzNiIGsU5V+t0c7JTTCbxnvRNfhFth7Kqymh/37NIDm+iE/HILA/yBfafvQF/a3HsmwdkcvWiZLNIVYMGZsn5G1eNfJw5M7m/15qYBDf6iV2bCuj+VowIDLHh9jGyNyxJ0u906De9w/0wiD50Bm8G31W5dIsz9UzBHBKwTe9Ubnd4cearxqpi0Zc7EBSNJExR8FGeQJ/5QFGWabKLm0VzRbBbHfAoIBAQDQt0WfPgQ5Gw5bfpyYygNi2snFSkkFkf9Ch2SOhWrTLGhmFlhBTdd4wjIUyNKuQe09keKhPBrMc4yMLmSQZTKocry2ydzOqXFq+ECWhVixvbp0nFpH1ClMh5EnabbLcOAQdZyysy7/Lt//L7pKTpFuJrk9TxAzLRa5QG8tussJMNC0xJxCYc+rZ4087JCxOFEwbCArIIqqLQu3CEmURdroniNybHIArAyPyHkbEDvEusuPU/uk7jc94djbM6s2BN9Y8gOWbw7K+swm0NCUH5pend1OHIMlI83SfEjCjFzwrRl+VhcLjRhCW9UXUV36LI1hQ+c9FfGSKPY7oyRu/LEdAoIBAEO/KLeWR8B423tnRJXkHaf3K4aEI/0tqRd9UbWHuS/OP+heo33oqY23XR/x5WaSZwbETGGNy8YqiWWzFKVBNXHfob6Nc+uFuagNVgoM6REIzfVBHOoWRTN/WKYXeRLJikdcXKVUZ64qZj1E5H3jiJi0+mawLsgQ8cFGe18ct9OF8s+0R48z8Uo0lbjyUGKh3n3rHkObqna6t/B6U4RyKk6XxUAm7u27GOEOL2c6eLnWgRHURrxhglIJX5quRXnObUoyTlnO+XlOklMzJyLA6cuxbExoVf2wLhTTe5Y+uoJgXOadPfRfL1WpJYJX9XZucr9eU/46wrZdHw0huDLGpeMCggEAWgwoMor8IXMl352hjF3j1huU39Sr6oZRve9SGBdBvngzVpAfZZVi+Eu4dbUrCFmTNHQjdfLLkRftNHGzm4S9tWVDPA2dgWAjecY/f3FqkczMjBEE9mZ3pvf6TSnT3rQFR7SmdYbPKPOdWqjJ09NP9VkppGTfFWVHn4dIME+d14pDESqeTBmNEmNr0TQzPPKSPLT5sAGrMb6bhk1CCYGV77SCkJRvHxEbnlEcxutbDgaVWnIeaMsJ9F3jRLdnD7hMcECCAb5KgJJxz/FZe/6iiF3NpCyy/CwVWdGbRqxuULwt+o7EBIzMQZ0DM7s8M3pTSPqV4on8HlYj3hkF2AiXlQKCAQEAl/1xRGHZ1yGkX812AVfy4tZaPImhGcM3tQdBvfAIuEWb6veoBC50BoCO6hyO5yEHQWWniSDcueIUNJuRxOHES+UUV0c7JtI5BaTUYiMuFlYoAJoUann9fpMnxRdKKvWNyVg/j4cLjO5jcYVLfQAPGujJyPAPlWvNZYSuRHcIWs+bX1hsv26047gAmOHlxkvgQicD805AX9G02pHTpoYF436HCSneOrUm6z3xKbVJCKsAGgYch67R1rC9Z8USLRB5mKZ8G8LPQRKjgW5bFM8oDUbmcmy56LKQeOEqC59LGClEWoYyR6vMQBXPg7de+2zzQyh+zk1paXHc+s3p4vc7dQ==' + set pki certificate SRV certificate 'MIIFtTCCA52gAwIBAgIUZJNkauiY/nr9YRSXB0LGtSaCay0wDQYJKoZIhvcNAQELBQAwVzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0yMzA1MTAxMzQ5MTlaFw0zMzA1MDcxMzQ5MTlaMFsxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxFDASBgNVBAMMC292cG4tc2VydmVyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsSiZK5zaOJrtCiWAsQFZaGtbAOM4xzfwW871A/p1cfmEsQ2sso71TVY6j2VHzN+LyZe8nfyUK+tTx0PrkoHaH3e2S4/3hqiPFhedLXffjMEqEfTfYjNLyzFc6Zfmez4UB+ehLlSWlOkhqIUTiWVz7HyI51C68vYkH7jpgkM8AZta98F/SbgvViFZAcrq3Tq8zO/lrd9/8heScYAgmBLxklKXxYW2GDwBFOnbITz/nFSgg8w+Y3pDPOnXe7H0aufI5GK8SvuxNK2Is8g3YvyF9UQwIJPZYy2Pn8Av5i/GHZC0qu/d76+18OdrXELC5dSCyGfqj2DQ/SJXPqlgwgVBqPcp3lhoycD68aGf+uedu6aWUldglYlij8ubxIL8kHnJK32MDoIGq5wDwdKBmknLkt+ja3uOG+9lyjbh40im+u2efkzK0cVBfJzOQQhs0cSbWSjhebsvzFZGg6G3gGhnRo13s2DVJJKm+5VruUFxmRRgTM3TpKz/YZHvtapfyOiTs63ezG/OR1pUk1u2HuFDmfbY4ytAWkJrjK1R9ap9p0t9QenXgHAzPd/GudYnJ3FS0SUrjWswbg5HrhZupjvP3X04pQ0LRfU6VimykyXBeP2qd2wPDGywIQmGG+O0lnWo4GZcwHbFJOq/eGCvMFMWlY+Wvc9bPCCgsFOcn8aM34sCAwEAAaN1MHMwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHQYDVR0OBBYEFFnsRTERh8wQZAHlQE0cvQgINyHmMB8GA1UdIwQYMBaAFG1bKeDc0O/cCwaarX59BCMSJDujMA0GCSqGSIb3DQEBCwUAA4ICAQCY/ZezExvFSXU3Y+vKHlL9AJp25yaVn6MdQmpX/YTM19HQcL64MP2M0uMTUzi0OlG7WP3Ka5wYH+3R++4VLPqygZ5DArFxtv34matKQVTKmf3S+0iVReLqyFBfTlvHBXXce+ksOqyHrg9B0teND7wNmpbL/Dzg41jacZTeWAY+8PShDY5wVFfp3MJt1Lm19nNcMbe/hMeffBY2CQgGx3Lp7YQepxwGhTxf/w2kNBjVUXkXqIGNc9/cQMU+HWnMGTMa1XREXAH9dSM7ME2JD/HKIPNgVkQuXs7AsGCbCTrXfIjEv7/4uSE6cMM/0WoU/Cj2gddnLsHcsrBu0WfoRbeR6+ZCeoDDz5ZRnGkkOXFldRswZRun9gh5MMjcHw3y4zeGm8YwxIDA6GzE03D8ROFrFiCHqylkCy8kSP/B0Uw5Nu8WuQPN6RfX90RMKf+BwHdipqL1g30ILgy6yZ2Geb9zJfwGoN0w1IKesEubJwAXp1iyujwPH+QvvH3HK0p83hyiHpkRqKWs6xTEPdtlDEf+w6bKO67yySIpdSlBGopNmG/1Y5gXheMcIUu152VuwJRxdyld1RmN1vG/5UWZqwO4XZJ8CUO5VWMDtCOOUOIezuquU0d11Lj0cj/bKnHcW6V7YUIWazgJLnrA9aYVfN5ErKWPK+ceQeLf6mhStwLcqA==' + set pki certificate SRV private key 'MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCxKJkrnNo4mu0KJYCxAVloa1sA4zjHN/BbzvUD+nVx+YSxDayyjvVNVjqPZUfM34vJl7yd/JQr61PHQ+uSgdofd7ZLj/eGqI8WF50td9+MwSoR9N9iM0vLMVzpl+Z7PhQH56EuVJaU6SGohROJZXPsfIjnULry9iQfuOmCQzwBm1r3wX9JuC9WIVkByurdOrzM7+Wt33/yF5JxgCCYEvGSUpfFhbYYPAEU6dshPP+cVKCDzD5jekM86dd7sfRq58jkYrxK+7E0rYizyDdi/IX1RDAgk9ljLY+fwC/mL8YdkLSq793vr7Xw52tcQsLl1ILIZ+qPYND9Ilc+qWDCBUGo9yneWGjJwPrxoZ/65527ppZSV2CViWKPy5vEgvyQeckrfYwOggarnAPB0oGaScuS36Nre44b72XKNuHjSKb67Z5+TMrRxUF8nM5BCGzRxJtZKOF5uy/MVkaDobeAaGdGjXezYNUkkqb7lWu5QXGZFGBMzdOkrP9hke+1ql/I6JOzrd7Mb85HWlSTW7Ye4UOZ9tjjK0BaQmuMrVH1qn2nS31B6deAcDM938a51icncVLRJSuNazBuDkeuFm6mO8/dfTilDQtF9TpWKbKTJcF4/ap3bA8MbLAhCYYb47SWdajgZlzAdsUk6r94YK8wUxaVj5a9z1s8IKCwU5yfxozfiwIDAQABAoICAC+4fWX7lua3iNF6X6uObvyLKpTXICS9wz+fxG1BaqB8c4tT4SiqDJa7+wNEZ25e6yMu/e5aqrkX51XeTFcHJm/iidbZ3XXG8uAjFUI5r5yVLdVvbjrgEXMXBW2g7sNU6gVlFgxKWdOb5uajjistCmhx9VjF7M3kkr9+ylu966yNIhhp5XVAqXOcgQLUG6bjGxdjKa3H7gmS4u4y8tS0CaF+IQbiaTYm962f/th5u2rret91xXp7ZSBD5zkZKvsfG4S1uf3Cxa2obxHqhUzjM9xo9UPZP64RCEaieOSbCtVM9PW0rkZRwQM2+zr7es95Co+cOllL3Y/KT9D/xCIPU2uSrVisdqi3TPHOn96GOlYvenIMsIauuR1KI2Ai9H380xVdFUv655eJZ5ASIosr8AL9hOxZNV/VeYHPWajhSa+P6MFZx4jFeXIbxt1BioeL6izbmFdxTgYDAhjZGWw2irnBuIcM6j8r6xom0Nfa8SbTgkf3M4yjYk4MP+rkCW8jhpZMqcvQPpWCbq5HEgNIKBrxkQo87Rphocn4KuxZ70lTpPE/4iOABadqreLPYqp9VTd5bvApKCdFZdnF9DdoHUBpDbNqbj85W8E2WMCJBrZZfTUIV05klQ0JM1cbQXyRz1BwhvuGDxEP2nQRQYbWeBfbDg0tXBuIwOZqIp9Om/kVAoIBAQDEwjW8YDAjKbgOvcd18pGG7E8xB6s0Tpo3AKvOezg4Z1yWeCx4eM6kKXxsHBAHb1fpxL0mkDusr0NgZyW4EuTl+EdQHu0i03YfayfLMSKLPtcqtamyPlCsRnHw6TdfblRfVk5URpF656M6fIKXokc/4yhYOCAWGHPQWgZpWeOlWtTMKRiDqJGO+VbRw8rNBcq5i7hnvH8ESLQrwS4EIOVvmdypod4UpML26EEfNKJD2zaMLaMMqbMGt/q/HUIcB+PRgV0oaM4HB59DNrdFbeZuU3PEXofU9uYFiv1MJzzfVPVBKjEXuqUDe0R5Op4K0KasdqQop5Oh55NxGxb1JttvAoIBAQDmf6c/xz1hjfOTGxZydgD210GVYEFB2EdZnn47TuNXOjPFk8FRva6qU6txezU7DmF356jE0NlAWgD6SoFtpqSKbrxrvxPjGHOYS3fXHD6FK9vlv3jqcoiQBPy2KP59wpkIpcQ+gKqgR/nfaWvfOb3IfqER6QtqvSxK5hInbj6xcZ32cCeSAEG0EH5Mh3DiMuctwZY/l1PKCvt0fn5N0KBvLMCTZBkqQcTL635yLMgDs0PtkKzf8k2FjCjkXZ4nYoQcZ41/bzfnxjitzGiSYp6V/Oq71ZKjjNyjEBOoFRXY1THVpONc1Afct2j54p74mKxcKZaGF2Df7xszvf3TgR+lAoIBAG95QIyLSnqBhmADsV/nn/97Hpq+p4apCcIjxTLkqMN7+/7b8wYGG7zyLCXr+EDeGka9ShTxHn4Fhfy2M66INdr8wRppixxyBbhjM1ZxbgrJ/YmbBpuPppEUEDXXS6Hrli21bgddO8sQNXBLXomeTROrFQ52LeeWzva6KmvBm7HxNiK9HcBp3p3MMh4B+YISx/o7aKyNJME+l6U6e2GnaZXC7DvHE1VKy5Krn0mYvl4Hcm4U5Q2lj2I9Ffj1EKFk7vOhgTAFwMRG0zp3Y3oYe7cB3NLiY76Ka2O0jTF6AYjeT10uFEZHXnoMeozcYvHpqKSJSxQlbQULeINaP7WA4E0CggEADy4A+bZJWI9cpyd1hvw2fAsZCplYMtnneQNzFLzRRAFVP4HHjXaMdjMka0jN7KG50Ye0GaIXbKGAxvr5IxuCYouAZSgkSyRlGHZ/4e6+P07wIGVHtUjtrW5mpih0+htCsMsZ7XPTyNJ0pj3vGLhYw0dznBZY5iKnNBeKwoYEIvN0j7I7KOZTbWRYrPmOeZcYmm7RUkbJAdlPThC2iLFgn3G3DP3emmXSbAuKPEKuuW+o3ZBVkjoG2PCuELwJmlZmlOhM7UOJzv3C5c88Y8eS4hXR76TVD2hLb4GzibI5yhngOk2tm4NrMSHzC+Hczkpfr4Ido58OhjDc/b9ZZABw8QKCAQEAlJNCdC5rFwg7AoHfobbRnpYjs+avaLUj6EV0AAqbSFM3+o3UVOxRGkbHqLm4DqcRRyMoRXxgeKFx5dInK9rrVGRaoTzE7c/Atp2N7SXgodz3jrcPhTHqF1Z4eBjbwvNPumYK7N2U8PtV4OTvihUSpPRN0IgPuGvo9OFVuKenag1rDu1pZlxOQ2uuiostAkdZ6qS45tf0rjCjcpq1DYqgVm785GXCgBMZATZyLzg4nhDpoKWIZevFFCek1CAO7s9X1kHUin/uDutX/lvWMed8TpP0yD7IZ6yh3CYD2Nus+8P3Mla6lMrwyY1VJzq7wXGr9P6u47tUcCgjyRT24EHjlg==' + set pki certificate CLIENT certificate 'MIIFsDCCA5igAwIBAgIUXOnWUTwh0zWkUX+LTlftlfkEGqAwDQYJKoZIhvcNAQELBQAwVzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0yMzA1MTAxMzQ5MjhaFw0zMzA1MDcxMzQ5MjhaMFYxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxDzANBgNVBAMMBmNsaWVudDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJgTHdmee0dFlbohSBF+Xy8XjWpCKnfXGNgr9JgU9+lzQ8SR+Z83XcRocvJXasSf4gDZK05pGhyXTx9KzTaYAZi1ZCK4pZ1fXZ+TdHgThLdLW7h/xDF3WU0omydCGiBkua3kldcRfhPnBYrWZwvHkeUOYNybRezM/fIGpnp74+YBXybGZ8YRLmRhc/j1QDJt0DLvVxfb6YkfU/vuSLnPtu40Ye/EsOhuPcStC9Mmctxx3msZH417z2wWQNvY926ZUQCXophkkhNA3kxUcz+gdV5ECCO+KPa7r305olFgv7c4KSNih7MmYBEyKMS7pA+CF9etEJs3VmHT9avGtKvDMW8XhoqpxTWQ15CNaEFGTxCejPuI+nFCoqtAN9Y9O/A6rsLuM6EuaDX2qjSUfDMnUVVclE7yL8JDZEOQZw970Mi+TnhbXfYEyvX8HJLk4Vg2JUc67jTDRiQfgWuJHiaPyrYX2ssP8LU/oOis638mHo+7YpJCSeqF0R4m6lSiQJNOz8knawp40Uu1iA9RqQrYT8MRt2quCRn2aUolvRmNB4dHS/2TUdHChBdDxylLzbFtZLkCiWwKKNvu3ZjxMua2AjYe904r+S4duow4MxfKUFsoMY6GlscGeReMXJVVx2i+580wF/tn+3k/9PUS90FoFhQCidfxib/Eo4rOT03awPGBAgMBAAGjdTBzMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBTTt3dGY9D07BI8V/0QmVI25bC+gDAfBgNVHSMEGDAWgBRtWyng3NDv3AsGmq1+fQQjEiQ7ozANBgkqhkiG9w0BAQsFAAOCAgEAKz+MT9JlvwUope8xrUuf+6s/fyiAvmQfGOAN6aBVyxO1+ZIAau6CXGJ9/MaJKF/Ju+V2zTpBVz2bFNxPHceY1z9rtQb0l+CG4elcsQY4vhouvDH+HoI8rP/jzFD25zsUmAlMaTZuLWU4WnVT2WhO5X1GZFKl5fT8ulyLx3rcb/CaiC6Kg+yi/tktFgpyWyjTMSVp9QBGYRudKVwKx585nb5a5Z+uLYBmYcYrRQvLWSQKGLb84qE8gOfek47FZCfoh7rlLpt8prFIW60xEarR4Ul/1xhs+2AqMw3mHuQrIxJgHvKoQHBkS/RadsRWglWasE0qm09BtoLeso1hZIXO2O830jXOYEZEuhE63iIHxBZUEUpurXt6he/IBL1l8UuRM6ArHtDo2awlnWlLUz34e1pSzLAtSfS9Iop+zxt/UDQtMCW/a2MQGB7m/kgCtICC0p8QsuGa8k/+SQOtTI1VAj/dJ2O5XFhfFYgDtT/XXa6o3nEmWW+KTtggcvGIyP0Huxq+6ShxrwKkXI0nWVffhVafcIkJnsUYTJu+Cx4KpilKV6+lzRQhK7UHfS0hErs0UQoZA4Fpz2uWukNe2fezl0IJThWPklGKOYriZyKb4i81i3occ1+9YpzKUrBD2ZI+t0Exp73/cfuQbiCOiIu80S44myiZMfD2OPvjR0lBSoE=' + set pki certificate CLIENT private key 'MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCYEx3ZnntHRZW6IUgRfl8vF41qQip31xjYK/SYFPfpc0PEkfmfN13EaHLyV2rEn+IA2StOaRocl08fSs02mAGYtWQiuKWdX12fk3R4E4S3S1u4f8Qxd1lNKJsnQhogZLmt5JXXEX4T5wWK1mcLx5HlDmDcm0XszP3yBqZ6e+PmAV8mxmfGES5kYXP49UAybdAy71cX2+mJH1P77ki5z7buNGHvxLDobj3ErQvTJnLccd5rGR+Ne89sFkDb2PdumVEAl6KYZJITQN5MVHM/oHVeRAgjvij2u699OaJRYL+3OCkjYoezJmARMijEu6QPghfXrRCbN1Zh0/WrxrSrwzFvF4aKqcU1kNeQjWhBRk8Qnoz7iPpxQqKrQDfWPTvwOq7C7jOhLmg19qo0lHwzJ1FVXJRO8i/CQ2RDkGcPe9DIvk54W132BMr1/ByS5OFYNiVHOu40w0YkH4FriR4mj8q2F9rLD/C1P6DorOt/Jh6Pu2KSQknqhdEeJupUokCTTs/JJ2sKeNFLtYgPUakK2E/DEbdqrgkZ9mlKJb0ZjQeHR0v9k1HRwoQXQ8cpS82xbWS5AolsCijb7t2Y8TLmtgI2HvdOK/kuHbqMODMXylBbKDGOhpbHBnkXjFyVVcdovufNMBf7Z/t5P/T1EvdBaBYUAonX8Ym/xKOKzk9N2sDxgQIDAQABAoICAA4nLuhOc620TOHn1nCEwNbXcjQfi7R5VcwXxymr2RvzO/oPr3PBPN5Nh2+FC20L1J/i/KdNaJgDMvw4EEI49ZXg2wlqNhIGSpnSQnNcaaxML9fLa31CqZJ6dkbtXXro6BwsqA9Xuh9sqQ585rxpBFIVIcmjDJs9w5KVsNyF92jnQfpDWjjlgQ2BjlmiRY+/IMwxi/r7kgM1FOVfWon3sJ0AGtWsPUSpSEfFTR9UUDmyjt8lYiASRw5WdQ6g5WJExyeiQe69FjIDH803Yz4Nym6NliGLDjGF646tevnoFaxqsyI8BmITbu4BK48nrkMG05fUeQIURw6Cu5xf7JE7Vzgy7mBwujtkEuRmXz9LsJTaWt5I/sXDUh0Uwe0BGYj5O+8MB7yzQFBjhv6pLJZdySSVgSlmupbwtY2BcV48KuvPkzKngHXR8jA6p8XAQV2Xq2njQLsOKJrgEhbIp99h61ao5K6gtW056hSN4q01YA00JQZGKZRviUOuQGP71SNDPCl3uvvElVwBFtfEYV12VzFKye1fF2CcRThCEML91Qo/IueqrNEBVQHxnCO7R5uwKSkXZNJ5pNArMsAdMfLzXApDF3Dcctz/C9I0RG18EdtoW4RjPxEZ1wXHGVkvCpUCwNImsvxWOy78klnfEUyKtOCMdnn1flp0CiZzjGAMSiGbAoIBAQC9ZpY4XZ4v68KnaHyiqKjNQDU64wrONGK1XrMSwOl5a6Cg8S3n3d51E2AguFKilKZ1LJ721WGdEIO4+J9nFKvXYUSCl711cCh+njyaE3a9H6louFVZ2X3NxjLUSJtqUyBEOE/NzNxhTt9BoiiR3cKUmhLLlYkHmLnqBv3jw4Trl/rU3rDemAf6zOB0eXKM946qjQpfB2LsokCWWsOhnT1XBcSEvkHvSrWv4EH/6IDFAROBGtlCW2C8BiosRdpj8thsdnW1lvGAvHs27nLMXz3/NNBX03dlA8YRaelml0EDo0IwrXI7/u4Zy8wL3gfn/NPr0ST3jXz9K8nxvohPxwcfAoIBAQDNjIZs/HT6Y2rTMH++rC3ZNfLUm/3aNsVl1TB8nkEvfBQHU5HEyqqeE4d/b3+7bRwWhVpfNHLerMV8qNr8iAjvpeL5nvnmUPHLT0CpsI+wUvOlnluHGsCfyLWDNVBPcDL10scediYMkKGJGiQSbl355JbIrYxA5AgA7qUGcLQ7mGmwzXyJgmBMOJbDyYvoezh4iogWxC4Clh834UgmGWJp2Bi20VuqF00HClN+z1QELQN2Pu2SVK5XTlfXmuYHc3Bi1xvD2KaLyqT2BtWVRS9RDG0LOzgOAnG9Mx7SEtPAnRhpydx28HWEwGaFKas6QaIuDo92Blpo40ti2Yav4hNfAoIBAQC0m0SYDz2u+KQvuwVOnoII5zdbJfHB3FZcGSettGNus2EC17ksp3dgMM+zo9C41AM/LQOQ4L0qZvsUwZBPXXjX8xq/ZS7287LJut6TFgheI/kJsO1CtpCuTldd8raw1v+nzgLbfoSQDgP6tET3g33u8lUF6Vw38D0omu4z6NexSMWZg5kpSdQiJofKyZygK9jRbZj8MTD18WqhdX+jdyts9kUFR9/b7WP/iFunSfCw62vL6uxNyJEf+sjwWtP8BzC1jOiF9p/oYNMl+I9jr1aRK62YckAiBU00gchdWdJXQ7D0dhC+gURPOPUkQ99KKt9yuYcEwNj1GnKBoWyelm2FAoIBAHoj2bEjZuNudgjeVdpYd7oNm6kItJSZXT0ArJowc62ivkgIOaNFhpL+KdLoz27xC/K59RSDlwqIgaVstQvATgcRfMk11WstiDB2fIcY2pk9AXjVm6+xjuqjmnBIGtvJYQ6/3ABW1o861jIg7XRiTsdyNMM0lRXuKm9bX4ZvLDoJfCxKPol7hntkWPooZlGT/t9p+ioFEw4IZK6Q2I2DIf6hITZpO13cELJxSWIeEt+UW+1EwWjllt9cN0hvy+Z7iznAdsgukfCZTuK+9uWHQfGYP6ef3dQ9UZbKrLLJ6zgWYW5jO/UVN8/VgFX6h7vLSnKxxj+s0MZo4d/wQF99KGMCggEACAWOCIerQRC51zo8eXOB65mmpR0nX/VuWCZw4uIo5tVZ47JskPIH9MTyd/OLbHDa3esJjmZawSl0lI0j7p/yY+J9TEJyOCUU9PCDUw+BeJ39/VqW/fyBn8gI1cC3BnPkDf2HnbgHxaCP37sy/aHs7Xn/bNDaLksEDWDblFCQ5tYqGbZhxUNnsx2x3z/aYJVmx0lkKXSA+8rKeAk+OnDHUjlJjpRIcAsQJE6Ni+2cHbYygVPXiFbbKk+2ekNwYkhMZ+DP+t+uY5ZRfwq0jjIrh+5fyw26yG9PoXspGoqPCTcQ9BEqU88J6ziFrxWXbmsYdR1dnKCZXcKJVKqJIFCnyg==' + set pki dh DH parameters 'MIIBCAKCAQEArXG91W69LiDsmnDvXjXl9eJzEY0f/SLuipxqYRYdplgWbD3IQlMBtp66onNrb11ZVJa0jkddq3qJbJPZ4mTkb+wGH2bpdAgWx48k+c/JCBSF56NoAHLUhn/+UWHvzfOQOLYVJD4maTxWw4f9WlInANS/B/BQY+Z7zWuEX2F5dnBij5hlMHwgRxq86m4Wm3WNXyux4plVqtW0Htrm0Cl5m+SV04bDA4D5SK22hW8L4FnnPQmlzBb1nRdpolw6SdZKs/bgSfV2wGMfe3Yh0afdOLg5AI2sfgAl/7fCPOXUwaDuqSOkXAEnGqzD+XbuMdJ7947HMumODkOty5j3ysn/hwIBAg==' + +Once all the required certificates and keys are installed, the remaining +OpenVPN Server configuration can be carried out. + +.. literalinclude:: _include/ovpn-server.conf + :language: none + +Client configuration +==================== + +One advantage of having the client certificate stored is the ability to create the client configuration. + +.. code-block:: none + + vyos@ovpn-server:~$ generate openvpn client-config interface vtun10 ca OVPN-CA certificate CLIENT + +save the output to a file and import it in nearly all openvpn clients. + +.. code-block:: none + + client + nobind + remote 198.51.100.254 1194 + remote-cert-tls server + proto udp + dev tun + dev-type tun + persist-key + persist-tun + verb 3 + + # Encryption options + + keysize 256 + comp-lzo no + + <ca> + -----BEGIN CERTIFICATE----- + MIIFnTCCA4WgAwIBAgIUORUZbBsuy0QupoJFJgXenSJ9AQQwDQYJKoZIhvcNAQEL + BQAwVzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcM + CVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0y + MzA1MTAxMzQ5MDlaFw0zMzA1MDcxMzQ5MDlaMFcxCzAJBgNVBAYTAkdCMRMwEQYD + VQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5 + T1MxEDAOBgNVBAMMB3Z5b3MuaW8wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK + AoICAQCsL2Xui58HXpl+jreqRxYfNDx1ER7umJ0iPw2dyBuJhP1Hy7vlwyZRvdRQ + d2AexK1BU2lTkYMWh58BU/dxmnnVhfwr34wUYP6Cs10tKhOxTNj/87wfCBU1sCfv + O77lPSNP9q/Ad7ZCF3K5Aruc6yO7i8Kx5mR9wysgNaVQQWCsZHKB91ZsviIsK51r + VYNxF9WDxAP0Ms0pO/faSAFf70JbMG2jvRTAgQJ/+R+XXB/Rvg3cJrTYeSeFn+9l + en5N4HQgraw3tq/OLePYaZBew7a+GZ7YRsVdJbwq2Ch5lRN/jZxAyv4WJoMNEGJv + b5I8pj/F3ECg6NcEmXaSnRXIO6eaq1v/huIsxNnWT9ns+/JB7OBDmZ88iMKP9z37 + X/AMwLKhcqjMGE9tR8zOMld2vqNgk6bhBzz28WJ6FT3bI30RT2fq+mnvS7rVFVyC + MlruRg8jIkwa0sictXsO8rl+5i1L+44DC+L7YIlGykAMhc+V1AD3nXRz6sQH6O8E + sr5hS2t3zEjcQ/jN0amlAKs8KLPaYh+Ui0E1gx0H7wGfVEVQ48IweIrRrZ0h9BG2 + i/9eHaM0kQjUP+I+P00dP6LdOawLWhzNQ8+9ES+1EAP088XpKK4jw9m+o6goqaLq + HN0QBrfW8wSyMFE4wYin3dYGcykWqyx6Up14DGbF0iBCKSRVQwIDAQABo2EwXzAP + BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEF + BQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFG1bKeDc0O/cCwaarX59BCMSJDujMA0G + CSqGSIb3DQEBCwUAA4ICAQBWI+p8tBzy6CO8ImP5DBQFwnVBv+6T59na2JrEq7nZ + k0aBITWh9PRp5w+ZOe+cL9jHZEJNoaSjq3/bkF/CSKCIoa0YiZX/MAs4d/EnttRh + cudwgTbE6q0tIKDLlxoYI0Gpo7j48W1rPd0FKAc7igy4eQKOwDmqqG9gVmNTyyrT + 1pVvaic7Ok/c1QmVOEub0f7kW2EA4Zk9+HUVGHYdp3WfOX8QCI5nTrAO6YJrw+d1 + BUly6krnb7NWDkWarJ51e6TAR1dz4zp++jhNVssEHbLQyA7+HzWnRSbxYndxCPBn + oXjQRwx8/3uUubj9l3CDIb1424D0sm8TNslhElD41/Ir1uQ/RRt15O1CKQJg6mpv + DtgrOik+vpUMqBDYGQ38XgqzHYV1klCjo5NlNP33TRvlQe9B6LtxzBZvoxBfxYDI + heSRdPbKP8DEHZ6z9d0d1Ubo/waExlcrUfBt4bbxNebsx9nuvVl8hl0R0iEInMjN + 3jaPrSrUEsPcXpBVL+VhzuWG7zTfGGUVIB+5UC/VCiFP+9LPqsfgBvXKIfIlj2db + LJOsoxZrJtXq7Jvdn7NqFo7vR0hw+YIzmnCFAGpTx6yuWpjuf2y5dY48iTfMuP2v + UoGRxoO+8wFQONj4psAD524SnOpEwYw+3fuw+P5zC6hT9y4XkZKsEnu6nJjB8T0B + lA== + -----END CERTIFICATE----- + + </ca> + + <cert> + -----BEGIN CERTIFICATE----- + MIIFsDCCA5igAwIBAgIUXOnWUTwh0zWkUX+LTlftlfkEGqAwDQYJKoZIhvcNAQEL + BQAwVzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcM + CVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0y + MzA1MTAxMzQ5MjhaFw0zMzA1MDcxMzQ5MjhaMFYxCzAJBgNVBAYTAkdCMRMwEQYD + VQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5 + T1MxDzANBgNVBAMMBmNsaWVudDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC + ggIBAJgTHdmee0dFlbohSBF+Xy8XjWpCKnfXGNgr9JgU9+lzQ8SR+Z83XcRocvJX + asSf4gDZK05pGhyXTx9KzTaYAZi1ZCK4pZ1fXZ+TdHgThLdLW7h/xDF3WU0omydC + GiBkua3kldcRfhPnBYrWZwvHkeUOYNybRezM/fIGpnp74+YBXybGZ8YRLmRhc/j1 + QDJt0DLvVxfb6YkfU/vuSLnPtu40Ye/EsOhuPcStC9Mmctxx3msZH417z2wWQNvY + 926ZUQCXophkkhNA3kxUcz+gdV5ECCO+KPa7r305olFgv7c4KSNih7MmYBEyKMS7 + pA+CF9etEJs3VmHT9avGtKvDMW8XhoqpxTWQ15CNaEFGTxCejPuI+nFCoqtAN9Y9 + O/A6rsLuM6EuaDX2qjSUfDMnUVVclE7yL8JDZEOQZw970Mi+TnhbXfYEyvX8HJLk + 4Vg2JUc67jTDRiQfgWuJHiaPyrYX2ssP8LU/oOis638mHo+7YpJCSeqF0R4m6lSi + QJNOz8knawp40Uu1iA9RqQrYT8MRt2quCRn2aUolvRmNB4dHS/2TUdHChBdDxylL + zbFtZLkCiWwKKNvu3ZjxMua2AjYe904r+S4duow4MxfKUFsoMY6GlscGeReMXJVV + x2i+580wF/tn+3k/9PUS90FoFhQCidfxib/Eo4rOT03awPGBAgMBAAGjdTBzMAwG + A1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMC + MB0GA1UdDgQWBBTTt3dGY9D07BI8V/0QmVI25bC+gDAfBgNVHSMEGDAWgBRtWyng + 3NDv3AsGmq1+fQQjEiQ7ozANBgkqhkiG9w0BAQsFAAOCAgEAKz+MT9JlvwUope8x + rUuf+6s/fyiAvmQfGOAN6aBVyxO1+ZIAau6CXGJ9/MaJKF/Ju+V2zTpBVz2bFNxP + HceY1z9rtQb0l+CG4elcsQY4vhouvDH+HoI8rP/jzFD25zsUmAlMaTZuLWU4WnVT + 2WhO5X1GZFKl5fT8ulyLx3rcb/CaiC6Kg+yi/tktFgpyWyjTMSVp9QBGYRudKVwK + x585nb5a5Z+uLYBmYcYrRQvLWSQKGLb84qE8gOfek47FZCfoh7rlLpt8prFIW60x + EarR4Ul/1xhs+2AqMw3mHuQrIxJgHvKoQHBkS/RadsRWglWasE0qm09BtoLeso1h + ZIXO2O830jXOYEZEuhE63iIHxBZUEUpurXt6he/IBL1l8UuRM6ArHtDo2awlnWlL + Uz34e1pSzLAtSfS9Iop+zxt/UDQtMCW/a2MQGB7m/kgCtICC0p8QsuGa8k/+SQOt + TI1VAj/dJ2O5XFhfFYgDtT/XXa6o3nEmWW+KTtggcvGIyP0Huxq+6ShxrwKkXI0n + WVffhVafcIkJnsUYTJu+Cx4KpilKV6+lzRQhK7UHfS0hErs0UQoZA4Fpz2uWukNe + 2fezl0IJThWPklGKOYriZyKb4i81i3occ1+9YpzKUrBD2ZI+t0Exp73/cfuQbiCO + iIu80S44myiZMfD2OPvjR0lBSoE= + -----END CERTIFICATE----- + + </cert> + + <key> + -----BEGIN PRIVATE KEY----- + MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCYEx3ZnntHRZW6 + IUgRfl8vF41qQip31xjYK/SYFPfpc0PEkfmfN13EaHLyV2rEn+IA2StOaRocl08f + Ss02mAGYtWQiuKWdX12fk3R4E4S3S1u4f8Qxd1lNKJsnQhogZLmt5JXXEX4T5wWK + 1mcLx5HlDmDcm0XszP3yBqZ6e+PmAV8mxmfGES5kYXP49UAybdAy71cX2+mJH1P7 + 7ki5z7buNGHvxLDobj3ErQvTJnLccd5rGR+Ne89sFkDb2PdumVEAl6KYZJITQN5M + VHM/oHVeRAgjvij2u699OaJRYL+3OCkjYoezJmARMijEu6QPghfXrRCbN1Zh0/Wr + xrSrwzFvF4aKqcU1kNeQjWhBRk8Qnoz7iPpxQqKrQDfWPTvwOq7C7jOhLmg19qo0 + lHwzJ1FVXJRO8i/CQ2RDkGcPe9DIvk54W132BMr1/ByS5OFYNiVHOu40w0YkH4Fr + iR4mj8q2F9rLD/C1P6DorOt/Jh6Pu2KSQknqhdEeJupUokCTTs/JJ2sKeNFLtYgP + UakK2E/DEbdqrgkZ9mlKJb0ZjQeHR0v9k1HRwoQXQ8cpS82xbWS5AolsCijb7t2Y + 8TLmtgI2HvdOK/kuHbqMODMXylBbKDGOhpbHBnkXjFyVVcdovufNMBf7Z/t5P/T1 + EvdBaBYUAonX8Ym/xKOKzk9N2sDxgQIDAQABAoICAA4nLuhOc620TOHn1nCEwNbX + cjQfi7R5VcwXxymr2RvzO/oPr3PBPN5Nh2+FC20L1J/i/KdNaJgDMvw4EEI49ZXg + 2wlqNhIGSpnSQnNcaaxML9fLa31CqZJ6dkbtXXro6BwsqA9Xuh9sqQ585rxpBFIV + IcmjDJs9w5KVsNyF92jnQfpDWjjlgQ2BjlmiRY+/IMwxi/r7kgM1FOVfWon3sJ0A + GtWsPUSpSEfFTR9UUDmyjt8lYiASRw5WdQ6g5WJExyeiQe69FjIDH803Yz4Nym6N + liGLDjGF646tevnoFaxqsyI8BmITbu4BK48nrkMG05fUeQIURw6Cu5xf7JE7Vzgy + 7mBwujtkEuRmXz9LsJTaWt5I/sXDUh0Uwe0BGYj5O+8MB7yzQFBjhv6pLJZdySSV + gSlmupbwtY2BcV48KuvPkzKngHXR8jA6p8XAQV2Xq2njQLsOKJrgEhbIp99h61ao + 5K6gtW056hSN4q01YA00JQZGKZRviUOuQGP71SNDPCl3uvvElVwBFtfEYV12VzFK + ye1fF2CcRThCEML91Qo/IueqrNEBVQHxnCO7R5uwKSkXZNJ5pNArMsAdMfLzXApD + F3Dcctz/C9I0RG18EdtoW4RjPxEZ1wXHGVkvCpUCwNImsvxWOy78klnfEUyKtOCM + dnn1flp0CiZzjGAMSiGbAoIBAQC9ZpY4XZ4v68KnaHyiqKjNQDU64wrONGK1XrMS + wOl5a6Cg8S3n3d51E2AguFKilKZ1LJ721WGdEIO4+J9nFKvXYUSCl711cCh+njya + E3a9H6louFVZ2X3NxjLUSJtqUyBEOE/NzNxhTt9BoiiR3cKUmhLLlYkHmLnqBv3j + w4Trl/rU3rDemAf6zOB0eXKM946qjQpfB2LsokCWWsOhnT1XBcSEvkHvSrWv4EH/ + 6IDFAROBGtlCW2C8BiosRdpj8thsdnW1lvGAvHs27nLMXz3/NNBX03dlA8YRaelm + l0EDo0IwrXI7/u4Zy8wL3gfn/NPr0ST3jXz9K8nxvohPxwcfAoIBAQDNjIZs/HT6 + Y2rTMH++rC3ZNfLUm/3aNsVl1TB8nkEvfBQHU5HEyqqeE4d/b3+7bRwWhVpfNHLe + rMV8qNr8iAjvpeL5nvnmUPHLT0CpsI+wUvOlnluHGsCfyLWDNVBPcDL10scediYM + kKGJGiQSbl355JbIrYxA5AgA7qUGcLQ7mGmwzXyJgmBMOJbDyYvoezh4iogWxC4C + lh834UgmGWJp2Bi20VuqF00HClN+z1QELQN2Pu2SVK5XTlfXmuYHc3Bi1xvD2KaL + yqT2BtWVRS9RDG0LOzgOAnG9Mx7SEtPAnRhpydx28HWEwGaFKas6QaIuDo92Blpo + 40ti2Yav4hNfAoIBAQC0m0SYDz2u+KQvuwVOnoII5zdbJfHB3FZcGSettGNus2EC + 17ksp3dgMM+zo9C41AM/LQOQ4L0qZvsUwZBPXXjX8xq/ZS7287LJut6TFgheI/kJ + sO1CtpCuTldd8raw1v+nzgLbfoSQDgP6tET3g33u8lUF6Vw38D0omu4z6NexSMWZ + g5kpSdQiJofKyZygK9jRbZj8MTD18WqhdX+jdyts9kUFR9/b7WP/iFunSfCw62vL + 6uxNyJEf+sjwWtP8BzC1jOiF9p/oYNMl+I9jr1aRK62YckAiBU00gchdWdJXQ7D0 + dhC+gURPOPUkQ99KKt9yuYcEwNj1GnKBoWyelm2FAoIBAHoj2bEjZuNudgjeVdpY + d7oNm6kItJSZXT0ArJowc62ivkgIOaNFhpL+KdLoz27xC/K59RSDlwqIgaVstQvA + TgcRfMk11WstiDB2fIcY2pk9AXjVm6+xjuqjmnBIGtvJYQ6/3ABW1o861jIg7XRi + TsdyNMM0lRXuKm9bX4ZvLDoJfCxKPol7hntkWPooZlGT/t9p+ioFEw4IZK6Q2I2D + If6hITZpO13cELJxSWIeEt+UW+1EwWjllt9cN0hvy+Z7iznAdsgukfCZTuK+9uWH + QfGYP6ef3dQ9UZbKrLLJ6zgWYW5jO/UVN8/VgFX6h7vLSnKxxj+s0MZo4d/wQF99 + KGMCggEACAWOCIerQRC51zo8eXOB65mmpR0nX/VuWCZw4uIo5tVZ47JskPIH9MTy + d/OLbHDa3esJjmZawSl0lI0j7p/yY+J9TEJyOCUU9PCDUw+BeJ39/VqW/fyBn8gI + 1cC3BnPkDf2HnbgHxaCP37sy/aHs7Xn/bNDaLksEDWDblFCQ5tYqGbZhxUNnsx2x + 3z/aYJVmx0lkKXSA+8rKeAk+OnDHUjlJjpRIcAsQJE6Ni+2cHbYygVPXiFbbKk+2 + ekNwYkhMZ+DP+t+uY5ZRfwq0jjIrh+5fyw26yG9PoXspGoqPCTcQ9BEqU88J6ziF + rxWXbmsYdR1dnKCZXcKJVKqJIFCnyg== + -----END PRIVATE KEY----- + + </key> + + +Monitoring +========== + +If the client is connect successfully you can check the output with + +.. code-block:: none + + vyos@ovpn-server:~$ show openvpn server + OpenVPN status on vtun10 + + Client CN Remote Host Tunnel IP Local Host TX bytes RX bytes Connected Since + ----------- ------------------ ----------- ------------------- ---------- ---------- ------------------- + client 198.51.100.1:40297 10.23.1.6 198.51.100.254:1194 4.8 KB 4.8 KB 2023-05-10 13:52:01 diff --git a/docs/configexamples/autotest/OpenVPN_with_LDAP/_include/client.conf b/docs/configexamples/autotest/OpenVPN_with_LDAP/_include/client.conf new file mode 100644 index 00000000..fb101b12 --- /dev/null +++ b/docs/configexamples/autotest/OpenVPN_with_LDAP/_include/client.conf @@ -0,0 +1,10 @@ +set interfaces ethernet eth1 address '198.51.100.1/24' +set interfaces openvpn vtun1 mode client +set interfaces openvpn vtun1 remote-host 198.51.100.254 +set interfaces openvpn vtun1 remote-port 1194 +set interfaces openvpn vtun1 protocol udp +set interfaces openvpn vtun1 tls certificate CLIENT +set interfaces openvpn vtun1 tls ca-certificate OVPN-CA + +set interfaces openvpn vtun1 authentication username 'user01' +set interfaces openvpn vtun1 authentication password 'P4ssw0rd123'
\ No newline at end of file diff --git a/docs/configexamples/autotest/OpenVPN_with_LDAP/_include/ldap-auth.config b/docs/configexamples/autotest/OpenVPN_with_LDAP/_include/ldap-auth.config new file mode 100644 index 00000000..0ae3dbc0 --- /dev/null +++ b/docs/configexamples/autotest/OpenVPN_with_LDAP/_include/ldap-auth.config @@ -0,0 +1,13 @@ +<LDAP> +URL ldap://192.168.1.10 +BindDN bind_user@vyos.local +Password P4ssw0rd123 +Timeout 15 +TLSEnable no +FollowReferrals no +</LDAP> +<Authorization> +BaseDN "DC=vyos,DC=local" +SearchFilter "sAMAccountName=%u" +RequireGroup false +</Authorization>
\ No newline at end of file diff --git a/docs/configexamples/autotest/OpenVPN_with_LDAP/_include/ovpn-server.conf b/docs/configexamples/autotest/OpenVPN_with_LDAP/_include/ovpn-server.conf new file mode 100644 index 00000000..982ec355 --- /dev/null +++ b/docs/configexamples/autotest/OpenVPN_with_LDAP/_include/ovpn-server.conf @@ -0,0 +1,15 @@ +set interface ethernet eth1 address '192.168.1.1/24' +set interface ethernet eth2 address '198.51.100.254/24' +set interfaces openvpn vtun10 local-host '198.51.100.254' +set interfaces openvpn vtun10 local-port '1194' +set interfaces openvpn vtun10 mode 'server' +set interfaces openvpn vtun10 openvpn-option '--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config' +set interfaces openvpn vtun10 persistent-tunnel +set interfaces openvpn vtun10 protocol 'udp' +set interfaces openvpn vtun10 server push-route '192.168.1.0/24' +set interfaces openvpn vtun10 server subnet '10.23.1.0/24' + +set interfaces openvpn vtun10 tls ca-certificate OVPN-CA +set interfaces openvpn vtun10 tls certificate SRV +set interfaces openvpn vtun10 tls dh-params DH +set protocols static route 10.1.1.0/24 interface vtun10
\ No newline at end of file diff --git a/docs/configexamples/autotest/OpenVPN_with_LDAP/_include/topology.png b/docs/configexamples/autotest/OpenVPN_with_LDAP/_include/topology.png Binary files differnew file mode 100644 index 00000000..382e44f6 --- /dev/null +++ b/docs/configexamples/autotest/OpenVPN_with_LDAP/_include/topology.png diff --git a/docs/configexamples/index.rst b/docs/configexamples/index.rst index b3610d3a..80083fe1 100644 --- a/docs/configexamples/index.rst +++ b/docs/configexamples/index.rst @@ -18,7 +18,6 @@ This chapter contains various configuration examples: pppoe-ipv6-basic l3vpn-hub-and-spoke inter-vrf-routing-vrf-lite - openvpn-ldap qos segment-routing-isis nmp @@ -52,3 +51,4 @@ The process will do the following steps: autotest/tunnelbroker/tunnelbroker autotest/L3VPN_EVPN/L3VPN_EVPN autotest/Wireguard/Wireguard + autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP diff --git a/docs/configexamples/openvpn-ldap.rst b/docs/configexamples/openvpn-ldap.rst deleted file mode 100644 index 402ab7f1..00000000 --- a/docs/configexamples/openvpn-ldap.rst +++ /dev/null @@ -1,94 +0,0 @@ -:lastproofread: 2023-01-29 - -.. _examples-openvvpn-ldap: - -######################### -OpenVPN with LDAP example -######################### - -Configuration AD and a windows server -===================================== - -We aim to configure LDAP authentication between the VYOS router and Windows Server 2019 (role: Active Directory) when our customers connect to our privet network using the OpenVPN client. -Using the general schema for example: - -.. image:: /_static/images/mainschema.png - :width: 80% - :align: center - :alt: Network Topology Diagram - -.. code-block:: none - - VyOS - the main OpenVPN server - Winserver - windows server with role Active Directory - Win10-PC - OpenVPN customer with LDAP authentication - -First, we need to configure the AD service and create two accounts. One account for the LDAP adapter built into the VYOS router and a second even account for our test client. - -.. image:: /_static/images/ldapone.png - :width: 80% - :align: center - :alt: Network Topology Diagram - -Picture 1 - Adding the AD role - -.. image:: /_static/images/ldaptwo.png - :width: 80% - :align: center - :alt: Network Topology Diagram - -Picture 2 - Adding the AD role - -Configuration VyOS router -========================= - -Make the configuration file for the LDAP plugin. - -.. code-block:: none - - vyos@vyos:~$ sudo cat /config/auth/ldap-auth.config - <LDAP> - URL ldap://10.217.80.58 - BindDN userldap@corp.vyos.com - Password YourPass - Timeout 15 - TLSEnable no - FollowReferrals no - </LDAP> - <Authorization> - BaseDN "DC=corp,DC=vyos,DC=com" - SearchFilter "sAMAccountName=%u" - RequireGroup false - </Authorization> - - -**This specific example is for a windows server 2019**: - -* URL ldap://10.217.80.58 - The URL of your LDAP server -* BindDN userldap@corp.vyos.com - The BindDN of the users' directory -* BaseDN "DC=corp,DC=vyos,DC=com" - In the block <Authorization> notice your domain - -Make the main config for VyOS like VPN and Authorization server: - -.. code-block:: none - - set interfaces ethernet eth0 address 'dhcp' - set interfaces openvpn vtun10 local-port '1194' - set interfaces openvpn vtun10 mode 'server' - set interfaces openvpn vtun10 openvpn-option '--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config' - set interfaces openvpn vtun10 persistent-tunnel - set interfaces openvpn vtun10 protocol 'udp' - set interfaces openvpn vtun10 server push-route 192.168.0.0/16 - set interfaces openvpn vtun10 server subnet '10.23.1.0/24' - set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/openvpn/ca.crt' - set interfaces openvpn vtun10 tls cert-file '/config/auth/openvpn/central.crt' - set interfaces openvpn vtun10 tls crl-file '/config/auth/openvpn/crl.pem' - set interfaces openvpn vtun10 tls dh-file '/config/auth/openvpn/dh.pem' - set interfaces openvpn vtun10 tls key-file '/config/auth/openvpn/central.key' - set protocols static interface-route 10.23.0.0/20 next-hop-interface vtun10 - set service ssh port '22' - -Next, you need to install and configure the configuration file for the windows/Linux OpenVPN client. After connecting to the VPN servers, you will be prompted to go through LDAP authorization. - -**To automatically generate the openVPN configuration file for windows clients, you can use this link:** -https://ovpnconfig.com.br/
\ No newline at end of file |