authorRobert Göhler <github@ghlr.de>2023-01-30 14:58:44 +0100
committerGitHub <noreply@github.com>2023-01-30 14:58:44 +0100
commit4ef9d2634d1b88870f8410213a68083b33cc1d01 (patch)
tree6760d1293c970d6a3519029f459678a5e22f9c8d
parent94c2d708b03bbdaf695d6a2d221a32cef2e2a088 (diff)
parent5a1aafec2e31378ab30b30e48fa47e2c0c831076 (diff)
Merge pull request #936 from mkorobeinikov/master
OpenVPN with LDAP example
-rw-r--r--docs/_static/images/ldapone.pngbin0 -> 88753 bytes
-rw-r--r--docs/_static/images/ldaptwo.pngbin0 -> 58322 bytes
-rw-r--r--docs/_static/images/mainschema.pngbin0 -> 78790 bytes
-rw-r--r--docs/configexamples/openvpn-ldap.rst92
4 files changed, 92 insertions, 0 deletions
diff --git a/docs/_static/images/ldapone.png b/docs/_static/images/ldapone.png
new file mode 100644
index 00000000..33ecf628
--- /dev/null
+++ b/docs/_static/images/ldapone.png
Binary files differ
diff --git a/docs/_static/images/ldaptwo.png b/docs/_static/images/ldaptwo.png
new file mode 100644
index 00000000..7cb9e0cb
--- /dev/null
+++ b/docs/_static/images/ldaptwo.png
Binary files differ
diff --git a/docs/_static/images/mainschema.png b/docs/_static/images/mainschema.png
new file mode 100644
index 00000000..c39e5da2
--- /dev/null
+++ b/docs/_static/images/mainschema.png
Binary files differ
diff --git a/docs/configexamples/openvpn-ldap.rst b/docs/configexamples/openvpn-ldap.rst
new file mode 100644
index 00000000..7fcc6b5f
--- /dev/null
+++ b/docs/configexamples/openvpn-ldap.rst
@@ -0,0 +1,92 @@
+:lastproofread: 2023-01-29
+
+.. _examples-openvvpn-ldap:
+
+OpenVPN with LDAP example
+-------------------
+
+Configuration AD and a windows server
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+We aim to configure LDAP authentication between the VYOS router and Windows Server 2019 (role: Active Directory) when our customers connect to our privet network using the OpenVPN client.
+Using the general schema for example:
+
+.. image:: /_static/images/mainschema.png
+ :width: 80%
+ :align: center
+ :alt: Network Topology Diagram
+
+.. code-block:: none
+
+ VyOS - the main OpenVPN server
+ Winserver - windows server with role Active Directory
+ Win10-PC - OpenVPN customer with LDAP authentication
+
+First, we need to configure the AD service and create two accounts. One account for the LDAP adapter built into the VYOS router and a second even account for our test client.
+
+.. image:: /_static/images/ldapone.png
+ :width: 80%
+ :align: center
+ :alt: Network Topology Diagram
+
+Picture 1 - Adding the AD role
+
+.. image:: /_static/images/ldaptwo.png
+ :width: 80%
+ :align: center
+ :alt: Network Topology Diagram
+
+Picture 2 - Adding the AD role
+
+Configuration VyOS router
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Make the configuration file for the LDAP plugin.
+
+.. code-block:: none
+
+ vyos@vyos:~$ sudo cat /config/auth/ldap-auth.config
+ <LDAP>
+ URL ldap://10.217.80.58
+ BindDN userldap@corp.vyos.com
+ Password YourPass
+ Timeout 15
+ TLSEnable no
+ FollowReferrals no
+ </LDAP>
+ <Authorization>
+ BaseDN "DC=corp,DC=vyos,DC=com"
+ SearchFilter "sAMAccountName=%u"
+ RequireGroup false
+ </Authorization>
+
+
+**This specific example is for a windows server 2019**:
+
+* URL ldap://10.217.80.58 - The URL of your LDAP server
+* BindDN userldap@corp.vyos.com - The BindDN of the users' directory
+* BaseDN "DC=corp,DC=vyos,DC=com" - In the block <Authorization> notice your domain
+
+Make the main config for VyOS like VPN and Authorization server:
+
+.. code-block:: none
+
+ set interfaces ethernet eth0 address 'dhcp'
+ set interfaces openvpn vtun10 local-port '1194'
+ set interfaces openvpn vtun10 mode 'server'
+ set interfaces openvpn vtun10 openvpn-option '--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config'
+ set interfaces openvpn vtun10 persistent-tunnel
+ set interfaces openvpn vtun10 protocol 'udp'
+ set interfaces openvpn vtun10 server push-route 192.168.0.0/16
+ set interfaces openvpn vtun10 server subnet '10.23.1.0/24'
+ set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/openvpn/ca.crt'
+ set interfaces openvpn vtun10 tls cert-file '/config/auth/openvpn/central.crt'
+ set interfaces openvpn vtun10 tls crl-file '/config/auth/openvpn/crl.pem'
+ set interfaces openvpn vtun10 tls dh-file '/config/auth/openvpn/dh.pem'
+ set interfaces openvpn vtun10 tls key-file '/config/auth/openvpn/central.key'
+ set protocols static interface-route 10.23.0.0/20 next-hop-interface vtun10
+ set service ssh port '22'
+
+Next, you need to install and configure the configuration file for the windows/Linux OpenVPN client. After connecting to the VPN servers, you will be prompted to go through LDAP authorization.
+
+**To automatically generate the openVPN configuration file for windows clients, you can use this link:**
+https://ovpnconfig.com.br/ \ No newline at end of file
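Review bot: the LDAP block in the new openvpn-ldap.rst pairs `URL ldap://10.217.80.58` with `TLSEnable no`, so the bind password (`Password YourPass`) and every VPN user's password checked through `SearchFilter "sAMAccountName=%u"` travel to the domain controller in cleartext; the example should use an `ldaps://` URL or `TLSEnable yes` with the server CA configured, or at minimum the text should state that trade-off and that `/config/auth/ldap-auth.config` holds a plaintext bind password and needs restrictive file permissions. `RequireGroup false` also lets any enabled AD account authenticate to the VPN, which deserves a sentence (or a group-restricted variant) rather than being left implicit. Smaller points in the same hunk: the label `_examples-openvvpn-ldap` has a doubled "v"; the `-------------------` underline is shorter than the title "OpenVPN with LDAP example", which Sphinx reports as a title-underline warning; "privet network", "a second even account" and the mixed "VYOS"/"VyOS" spelling should be fixed; the two AD screenshots reuse the alt text "Network Topology Diagram" and the identical caption "Adding the AD role", so the second image needs its own description; "LDAP authorization" in the client paragraph should read "LDAP authentication", since that is what the plugin performs; and the file lacks a trailing newline.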