Activities

January 2013
M T W T F S S
« Dec   Mar »
 123456
78910111213
14151617181920
21222324252627
28293031  

Integrating LDAP authentication on OpenVPN server

This post is useful for those who wish to integrate OpenVPN user login based on the active directory users. We can manage VPN users through the domain controller easily. configuration steps are very easy and can be done it in 2-3 hours.

Requirements

1. OpenVPN server having 2 user license is fine.
2. Windows 2008 Standard edition with Active Directory.
3. OpenVPN desktop Client tool.

Basic steps are shown below,

a. Install Active Directory Service and prepare a domain controller.
b. Enable LDAP support in Active Directory.
c. Configure LDAP entries in OpenVPN server.
d. Testing client connectivity using openvpn desktop client tool.

Here we go

Installing Windows 2008 server setup domain controller.

a. Adding Active directory roles to Server

Open Server Manager by clicking the icon in the Quick Launch toolbar, or from the Administrative Tools folder. Wait till it finishes loading, then click on Roles > Add Roles link

1. Click to select Active Directory Domain Services, and then click Next.
2. This will install Active Directory Domain service on server.

3. Next we need to configure domain controller. it can be install by Run– > type dcpromo command. Go through the following window,

Now we are going to enable the LDAP authentication support in Domain controller. Use the following steps,

Perfect !! system part was almost done

Now we need to create Domain user and VPN user group. By default all domain users will have VPN access which is a security concern and let’s not do that. So that I uses a permission set in OpenVPN to allow a special group members can use this OpenVPN connectivity.

Creating Domain users

Go to Start– > Administrative tools –> Active Directory User and Computers

Domain user Group creation

For example I created a user “user1” with “user@123” as password and added in the member of VPNUsers group.

Cool !!! let look at OpenVPN server then.

Login to OpenVPN admin UI

OpenVPn admin url will be like https://openvpnip/admin. See the screen shown below,

Now we are going to make the final changes required for LDAP integration.

Pls note that if we can use the user login “openvpn” can be used even if the LDAP authentication is made.

a. Click on “Authentication “ menu then choose “LDAP” from it. You may need to input the following details, Note my domain controller name is vpc.serveridol.com

a. Primary LDAP server IP : 10.0.1.200
b. Credentials for Initial Bind : vpc\administrator
c. Bind DN : DC=vpc, DC=serveridol, DC=com
d. Additional LDAP Requirement [ Pls note this option is used for identifying the users who belong to VPNUsers] group

Eg : memberOf=CN=VPNUsers, CN=Users, DC=vpc, DC=serveridol, DC=com

Pls note the LDAP binding user name is vpc\administrator not vpc.serveridol\Administrator

e. Click on Save button and restart the openVPN server through the web UI to make the changes. Now we need OpenVPN service reload to take effect the new settings.

Perfect !!! You’ve Done !! Next is to verify it. It can be test by try to login through the url using the Domain user credentials on VPN server’s client portal ie https://vpnip/

Here is the some instructions to how to get client vpn auth file and connect to VPN gateway.

1. User name and password
2. Client auth file which can be downloaded from https://vpnip/. Click user locked file to get the certificate.

How do I verify the OpenVPN +LDAP is working or not ?

1. You may need to login to Domain Controller using the administrator privileges and create a domain user.
2. Add this user to the member of VPNUsers group.

3. Login to the openvpn client login portal (https://VPNIP/?src=connect) using your domain user credentials. Pls choose the access type to “login”

4. You will see a screen as shown below. Click on the link “Youself ( user locked file)” which will automatically download to your desktop. VPN client access file name will be client.ovpn. We may need this for connecting server along with user credentials.

5. Install OpenVPN desktop client tool and add the install path (C:\Program Files\OpenVPN Technologies\OpenVPN Client\core) in system PATH.

6. Go to Start → Run → command , then navigate the path to where client.ovpn” file copied. Then execute the command openvpn –config client.ovpn.

You will see the screen like this finally

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>