diff options
author | Robert Göhler <github@ghlr.de> | 2023-01-30 14:58:44 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-01-30 14:58:44 +0100 |
commit | 4ef9d2634d1b88870f8410213a68083b33cc1d01 (patch) | |
tree | 6760d1293c970d6a3519029f459678a5e22f9c8d | |
parent | 94c2d708b03bbdaf695d6a2d221a32cef2e2a088 (diff) | |
parent | 5a1aafec2e31378ab30b30e48fa47e2c0c831076 (diff) | |
download | vyos-documentation-4ef9d2634d1b88870f8410213a68083b33cc1d01.tar.gz vyos-documentation-4ef9d2634d1b88870f8410213a68083b33cc1d01.zip |
Merge pull request #936 from mkorobeinikov/master
OpenVPN with LDAP example
-rw-r--r-- | docs/_static/images/ldapone.png | bin | 0 -> 88753 bytes | |||
-rw-r--r-- | docs/_static/images/ldaptwo.png | bin | 0 -> 58322 bytes | |||
-rw-r--r-- | docs/_static/images/mainschema.png | bin | 0 -> 78790 bytes | |||
-rw-r--r-- | docs/configexamples/openvpn-ldap.rst | 92 |
4 files changed, 92 insertions, 0 deletions
diff --git a/docs/_static/images/ldapone.png b/docs/_static/images/ldapone.png Binary files differnew file mode 100644 index 00000000..33ecf628 --- /dev/null +++ b/docs/_static/images/ldapone.png diff --git a/docs/_static/images/ldaptwo.png b/docs/_static/images/ldaptwo.png Binary files differnew file mode 100644 index 00000000..7cb9e0cb --- /dev/null +++ b/docs/_static/images/ldaptwo.png diff --git a/docs/_static/images/mainschema.png b/docs/_static/images/mainschema.png Binary files differnew file mode 100644 index 00000000..c39e5da2 --- /dev/null +++ b/docs/_static/images/mainschema.png diff --git a/docs/configexamples/openvpn-ldap.rst b/docs/configexamples/openvpn-ldap.rst new file mode 100644 index 00000000..7fcc6b5f --- /dev/null +++ b/docs/configexamples/openvpn-ldap.rst @@ -0,0 +1,92 @@ +:lastproofread: 2023-01-29 + +.. _examples-openvvpn-ldap: + +OpenVPN with LDAP example +------------------- + +Configuration AD and a windows server +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +We aim to configure LDAP authentication between the VYOS router and Windows Server 2019 (role: Active Directory) when our customers connect to our privet network using the OpenVPN client. +Using the general schema for example: + +.. image:: /_static/images/mainschema.png + :width: 80% + :align: center + :alt: Network Topology Diagram + +.. code-block:: none + + VyOS - the main OpenVPN server + Winserver - windows server with role Active Directory + Win10-PC - OpenVPN customer with LDAP authentication + +First, we need to configure the AD service and create two accounts. One account for the LDAP adapter built into the VYOS router and a second even account for our test client. + +.. image:: /_static/images/ldapone.png + :width: 80% + :align: center + :alt: Network Topology Diagram + +Picture 1 - Adding the AD role + +.. image:: /_static/images/ldaptwo.png + :width: 80% + :align: center + :alt: Network Topology Diagram + +Picture 2 - Adding the AD role + +Configuration VyOS router +^^^^^^^^^^^^^^^^^^^^^^^^^ + +Make the configuration file for the LDAP plugin. + +.. code-block:: none + + vyos@vyos:~$ sudo cat /config/auth/ldap-auth.config + <LDAP> + URL ldap://10.217.80.58 + BindDN userldap@corp.vyos.com + Password YourPass + Timeout 15 + TLSEnable no + FollowReferrals no + </LDAP> + <Authorization> + BaseDN "DC=corp,DC=vyos,DC=com" + SearchFilter "sAMAccountName=%u" + RequireGroup false + </Authorization> + + +**This specific example is for a windows server 2019**: + +* URL ldap://10.217.80.58 - The URL of your LDAP server +* BindDN userldap@corp.vyos.com - The BindDN of the users' directory +* BaseDN "DC=corp,DC=vyos,DC=com" - In the block <Authorization> notice your domain + +Make the main config for VyOS like VPN and Authorization server: + +.. code-block:: none + + set interfaces ethernet eth0 address 'dhcp' + set interfaces openvpn vtun10 local-port '1194' + set interfaces openvpn vtun10 mode 'server' + set interfaces openvpn vtun10 openvpn-option '--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config' + set interfaces openvpn vtun10 persistent-tunnel + set interfaces openvpn vtun10 protocol 'udp' + set interfaces openvpn vtun10 server push-route 192.168.0.0/16 + set interfaces openvpn vtun10 server subnet '10.23.1.0/24' + set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/openvpn/ca.crt' + set interfaces openvpn vtun10 tls cert-file '/config/auth/openvpn/central.crt' + set interfaces openvpn vtun10 tls crl-file '/config/auth/openvpn/crl.pem' + set interfaces openvpn vtun10 tls dh-file '/config/auth/openvpn/dh.pem' + set interfaces openvpn vtun10 tls key-file '/config/auth/openvpn/central.key' + set protocols static interface-route 10.23.0.0/20 next-hop-interface vtun10 + set service ssh port '22' + +Next, you need to install and configure the configuration file for the windows/Linux OpenVPN client. After connecting to the VPN servers, you will be prompted to go through LDAP authorization. + +**To automatically generate the openVPN configuration file for windows clients, you can use this link:** +https://ovpnconfig.com.br/
\ No newline at end of file |