In this article we will integrate OpenVPN with a Domain Controller, so that users log in with their domain credentials while the channel between client and server remains encrypted with certificates.

The network configuration will be as follows:



For key generation, see the Setup And Configure OpenVPN Server On CentOS 6.5 article. The OpenVPN server runs FreeBSD 9.2 x64, and the client desktop is Windows 7 x64. The Domain Controller, a Windows Server 2008 machine, sits next to our OpenVPN server on the internal network.

DC details are as follows:

DC: mercurial.lan
OU: mercurial
Group: mercurial
Test user: jamal

In our domain controller we have already created a group named mercurial, and the user jamal is a member of the mercurial group (we will use this user to connect). For testing we have also created the user elnur in the Users group only (this user must not be able to connect to the OpenVPN server).





Let's start.

First, install the required package on our server:

[email protected]: # cd /usr/ports/security/openvpn-auth-ldap/
[email protected]: # make config # Choose modules
[email protected]: # make -DBATCH install # install

Installing the Auth-LDAP package adds the /usr/local/lib/openvpn-auth-ldap.so plugin to the server. This plugin is what lets OpenVPN authenticate users against the Domain Controller. Create the /usr/local/etc/openvpn/ad-auth.conf configuration file and add the following lines to it:

plugin /usr/local/lib/openvpn-auth-ldap.so "/usr/local/etc/openvpn/openvpn-auth-ldap.conf"
proto udp
port 1194
dev tun
server 192.168.200.0 255.255.255.0
ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/openvpnserver.crt
key /usr/local/etc/openvpn/openvpnserver.key
client-cert-not-required
dh /usr/local/etc/openvpn/dh2048.pem
tls-auth /usr/local/etc/openvpn/ta.key 0
persist-key
persist-tun
keepalive 10 60
push "route 10.198.0.0 255.255.0.0"
topology subnet
user nobody
group nobody
daemon
log-append /var/log/openvpn.log
verb 5

To connect to the Domain Controller, the content of the /usr/local/etc/openvpn/openvpn-auth-ldap.conf configuration file will be as follows:

<LDAP>
URL ldap://10.198.1.200
BindDN [email protected]
Password B123456789b
Timeout 15
</LDAP>

<Authorization>
BaseDN "DC=mercurial,DC=lan"
SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=mercurial,OU=mercurial,DC=mercurial,DC=lan))"
</Authorization>

Note: Do not forget to add the IP of the domain controller to the /etc/resolv.conf file on the OpenVPN server. Otherwise the domain name used in /usr/local/etc/openvpn/openvpn-auth-ldap.conf will not be resolved.

nameserver 10.198.1.200
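Before starting the daemon it is worth checking the two server-side files for the settings that decide how much this setup trusts a password alone. The script below is an added example, not part of the original article: it reads an OpenVPN server config and an openvpn-auth-ldap config and prints one line per weak setting. It flags client-cert-not-required (the client is then proven only by its LDAP password and the tls-auth key; OpenVPN 2.4 renamed this directive to verify-client-cert none), a missing tls-auth, a daemon that keeps root, an auth-ldap file readable by other users (it holds the bind password in clear text), a bind over plain ldap:// without TLSEnable yes (the bind password then crosses the internal network unencrypted), and a SearchFilter without a memberOf clause (any domain account, such as elnur, would be accepted). The sample files, their names and the BindDN/Password values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): audit an OpenVPN server
# config and an openvpn-auth-ldap config for weak settings.
# All file names and sample contents below are constructed.

# has_directive FILE DIRECTIVE: succeed if DIRECTIVE is set (not commented out)
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# audit_server_conf FILE: print one WARN line per weak server setting
audit_server_conf() {
    if has_directive "$1" client-cert-not-required; then
        echo "WARN: client-cert-not-required: clients are proven only by LDAP password plus tls-auth key"
    fi
    if ! has_directive "$1" tls-auth; then
        echo "WARN: no tls-auth: control channel packets are not HMAC-protected"
    fi
    if ! has_directive "$1" user || ! has_directive "$1" group; then
        echo "WARN: no user/group: daemon keeps root privileges after startup"
    fi
}

# audit_ldap_conf FILE: print one WARN line per weak openvpn-auth-ldap setting
audit_ldap_conf() {
    # Group/other permission bits (columns 5-10 of ls -l); the file holds the bind password.
    perms=$(ls -ld "$1" | cut -c5-10)
    case "$perms" in
        *[rwx]*) echo "WARN: $1 is readable by group/other but contains the bind password" ;;
    esac
    if grep -Eq '^[[:space:]]*URL[[:space:]]+ldap://' "$1" &&
       ! grep -Eqi '^[[:space:]]*TLSEnable[[:space:]]+yes' "$1"; then
        echo "WARN: plain ldap:// bind without TLSEnable: bind password crosses the network in clear"
    fi
    if ! grep -Eq '^[[:space:]]*SearchFilter[[:space:]]+.*memberOf=' "$1"; then
        echo "WARN: SearchFilter has no memberOf clause: every domain account can authenticate"
    fi
}

# count_findings AUDIT_FUNC FILE: number of WARN lines (awk keeps the exit status 0)
count_findings() {
    "$1" "$2" | awk 'END { print NR }'
}

# --- constructed sample files ---
WORK=$(mktemp -d)
WEAK_SERVER="$WORK/weak-server.conf"; GOOD_SERVER="$WORK/good-server.conf"
WEAK_LDAP="$WORK/weak-ldap.conf";     GOOD_LDAP="$WORK/good-ldap.conf"

cat > "$WEAK_SERVER" <<'EOF'
port 1194
proto udp
dev tun
client-cert-not-required
daemon
EOF

cat > "$GOOD_SERVER" <<'EOF'
port 1194
proto udp
dev tun
tls-auth /usr/local/etc/openvpn/ta.key 0
user nobody
group nobody
daemon
EOF

# BindDN and Password are placeholders, not real credentials.
cat > "$WEAK_LDAP" <<'EOF'
<LDAP>
URL ldap://10.198.1.200
BindDN CN=vpnbind-placeholder,CN=Users,DC=mercurial,DC=lan
Password placeholder-password
</LDAP>
<Authorization>
BaseDN "DC=mercurial,DC=lan"
SearchFilter "(sAMAccountName=%u)"
</Authorization>
EOF
chmod 644 "$WEAK_LDAP"

cat > "$GOOD_LDAP" <<'EOF'
<LDAP>
URL ldap://10.198.1.200
TLSEnable yes
BindDN CN=vpnbind-placeholder,CN=Users,DC=mercurial,DC=lan
Password placeholder-password
</LDAP>
<Authorization>
BaseDN "DC=mercurial,DC=lan"
SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=mercurial,OU=mercurial,DC=mercurial,DC=lan))"
</Authorization>
EOF
chmod 600 "$GOOD_LDAP"

for f in "$WEAK_SERVER" "$GOOD_SERVER"; do echo "== $f"; audit_server_conf "$f"; done
for f in "$WEAK_LDAP" "$GOOD_LDAP"; do echo "== $f"; audit_ldap_conf "$f"; done
```

Run against the article's own files with audit_server_conf /usr/local/etc/openvpn/ad-auth.conf and audit_ldap_conf /usr/local/etc/openvpn/openvpn-auth-ldap.conf; the one finding you should expect to see and accept deliberately is client-cert-not-required, since password-only login is the point of this setup, while a permissions or plain-ldap warning is worth fixing before the server goes live.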

Start the OpenVPN server:

[email protected]:/usr/local/etc/openvpn # openvpn --config ad-auth.conf

Now create the client configuration file on the Windows 7 machine. Create a file named ad-udp-client.ovpn in C:\Program Files\OpenVPN\config with the following content:

client
auth-user-pass
proto udp
remote openvpnserver.example.com
port 1194
dev tun
nobind
ca "c:/program files/openvpn/config/ca.crt"
tls-auth "c:/program files/openvpn/config/ta.key" 1
ns-cert-type server
verb 5

Connect from the Windows client:





The state of the OpenVPN client must be as follows:



In the /var/log/openvpn.log log file on the OpenVPN server we must see the following lines:

Sun Apr 6 13:17:43 2014 us=626543 2.2.2.10:53829 PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Sun Apr 6 13:17:43 2014 us=626715 2.2.2.10:53829 TLS: Username/Password authentication succeeded for username 'jamal'
Sun Apr 6 13:17:43 2014 us=627135 2.2.2.10:53829 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 6 13:17:43 2014 us=627163 2.2.2.10:53829 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 6 13:17:43 2014 us=627235 2.2.2.10:53829 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 6 13:17:43 2014 us=627282 2.2.2.10:53829 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
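With verb 5 the log records every username/password verification, so the same file doubles as an audit trail: a successful login names the user, while a rejected one (for example elnur, who is not in the mercurial group) is logged as "TLS Auth Error: Auth Username/Password verification failed for peer" without a username, so failures can only be counted per source address. The script below is an added example, not part of the original article: it summarises the log per peer IP and lists the peers whose failure count reaches a threshold. The sample log is constructed; its two successful lines mirror the article's output, and the failure lines, addresses and timestamps are made up.

```shell
#!/bin/sh
# Added example (not from the original article): summarise OpenVPN
# username/password authentication results from /var/log/openvpn.log.
# Field 7 of every line is "ip:port"; successes end with 'username'.

# auth_summary LOGFILE: one line per peer IP:  <ip> ok=<n> failed=<n> users=<a,b|->
auth_summary() {
    awk -v q="'" '
        { split($7, a, ":"); ip = a[1] }
        /authentication succeeded for username/ {
            user = $NF; gsub(q, "", user)          # strip the quotes around the name
            ok[ip]++; seen[ip] = 1
            if (index("," users[ip] ",", "," user ",") == 0)
                users[ip] = (users[ip] == "") ? user : users[ip] "," user
        }
        /Username\/Password verification failed for peer/ {
            failed[ip]++; seen[ip] = 1
        }
        END {
            for (ip in seen)
                printf "%s ok=%d failed=%d users=%s\n", ip, ok[ip], failed[ip], (users[ip] == "") ? "-" : users[ip]
        }
    ' "$1" | sort
}

# peer_line LOGFILE IP: the summary line for one peer (empty if never seen)
peer_line() {
    auth_summary "$1" | awk -v ip="$2" '$1 == ip'
}

# brute_force_peers LOGFILE THRESHOLD: peer IPs with at least THRESHOLD failed logins
brute_force_peers() {
    auth_summary "$1" | awk -v max="$2" '{ split($3, f, "="); if (f[2] + 0 >= max) print $1 }'
}

# --- constructed sample log ---
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Sun Apr  6 13:17:43 2014 us=626543 2.2.2.10:53829 PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Sun Apr  6 13:17:43 2014 us=626715 2.2.2.10:53829 TLS: Username/Password authentication succeeded for username 'jamal'
Sun Apr  6 13:20:01 2014 us=103377 2.2.2.11:41002 PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Sun Apr  6 13:20:01 2014 us=103512 2.2.2.11:41002 TLS Auth Error: Auth Username/Password verification failed for peer
Sun Apr  6 13:20:19 2014 us=771203 2.2.2.11:41003 PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Sun Apr  6 13:20:19 2014 us=771390 2.2.2.11:41003 TLS Auth Error: Auth Username/Password verification failed for peer
Sun Apr  6 13:20:44 2014 us=215817 2.2.2.11:41004 PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Sun Apr  6 13:20:44 2014 us=215962 2.2.2.11:41004 TLS Auth Error: Auth Username/Password verification failed for peer
Sun Apr  6 13:31:02 2014 us=448121 2.2.2.10:53901 TLS Auth Error: Auth Username/Password verification failed for peer
Sun Apr  6 13:31:15 2014 us=992310 2.2.2.10:53902 TLS: Username/Password authentication succeeded for username 'jamal'
EOF

echo "== per-peer summary"
auth_summary "$LOG"
echo "== peers with 3 or more failures"
brute_force_peers "$LOG" 3
```

On the real server run auth_summary /var/log/openvpn.log after the test logins: jamal should appear with ok=1, and the attempt with elnur should show up only as a failed count against the client's address, which is exactly the behaviour the memberOf filter is meant to produce.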

If you want the OpenVPN server to start at boot, add the following lines to the /etc/rc.conf file:

openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/ad-auth.conf"
openvpn_dir="/usr/local/etc/openvpn"