Set Up OpenVPN Server With Authentication Against OpenLDAP On Debian 6.0 (Squeeze) - Page 2

Submitted by eddiechen (Contact Author) (Forums) on Fri, 2011-03-25 14:46. ::

6 Enable IP Forwarding And Configure iptables

Edit the /etc/sysctl.conf file to modify the following line to ensure that your system is able to forward IPv4 traffic:

[...]
#net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
[...]

Issue the following command to enable IPv4 forwarding in the running kernel immediately (the sysctl.conf edit alone only takes effect after a reboot or sysctl -p):

echo 1 > /proc/sys/net/ipv4/ip_forward

Edit /etc/default/iptables and add the rule below so that iptables accepts incoming OpenVPN connections on UDP port 1194.

[...]
#openvpn
-A INPUT -p udp -m multiport --dport 1194 -j ACCEPT
[...]

Issue the following commands to add the forwarding and NAT rules for the current session:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Before continuing, insert these iptables rules into your system's /etc/rc.local file to ensure that these iptables rules will be recreated following your next reboot cycle:

#!/bin/sh
#
# [...]
#
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
exit 0
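The rc.local snippet above appends the four rules unconditionally, so running it a second time (a manual reload, or sourcing the file to test it) duplicates them, and the FORWARD accept matches on source address alone. The script below is an added example, not part of the original howto: it loads the same rule set idempotently and ties the VPN accept rule to the tunnel interface. It assumes the OpenVPN device is tun0 (OpenVPN's default name, not stated on the page) and an iptables that supports the -C (check) option, which arrived in iptables 1.4.11; on an older iptables the check fails and the rule is simply appended, as in the original snippet.

```shell
#!/bin/sh
# Added example, not from the original howto: an idempotent replacement for the
# rc.local firewall snippet. Assumptions (not stated on the page): the OpenVPN
# device is tun0 and the iptables in use supports the -C (check) option.

VPN_NET="${VPN_NET:-10.8.0.0/24}"   # subnet used on the page
VPN_IF="${VPN_IF:-tun0}"            # assumed OpenVPN device
WAN_IF="${WAN_IF:-eth0}"            # Internet-facing interface from the page
DRY_RUN="${DRY_RUN:-0}"             # 1 = print commands instead of running them

# The rule set, one command per line, in the order it must be loaded: the REJECT
# must come last. Forwarding from the VPN is matched on the tun interface as well
# as the source address, so a packet arriving on the WAN side with a spoofed
# 10.8.0.x source is not forwarded.
vpn_rules() {
    cat <<EOF
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $VPN_IF -s $VPN_NET -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Turn an append command into the equivalent check command, e.g.
# "iptables -A FORWARD ..." -> "iptables -C FORWARD ...".
check_command() {
    printf '%s\n' "$1" | sed 's/ -A / -C /'
}

# Load every rule that is not already present. Re-running this (rc.local at
# boot, a manual reload later) therefore never duplicates rules.
apply_rules() {
    vpn_rules | while IFS= read -r rule; do
        if [ "$DRY_RUN" = "1" ]; then
            printf '%s\n' "$rule"
        elif ! eval "$(check_command "$rule")" >/dev/null 2>&1; then
            eval "$rule"
        fi
    done
}

# Succeeds when the running kernel forwards IPv4, fails otherwise.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Number of rules in the set (used to sanity-check the generated list).
rule_count() {
    vpn_rules | wc -l | tr -d ' '
}

# Run as root with VPN_FW_APPLY=1 to load the rules; a dry run needs no root:
#   DRY_RUN=1 sh vpn-firewall.sh
if [ "${VPN_FW_APPLY:-0}" = "1" ] || [ "$DRY_RUN" = "1" ]; then
    forwarding_enabled || echo "warning: IPv4 forwarding is disabled" >&2
    apply_rules
fi
```

Drop the `iptables` lines from /etc/rc.local and call this script from it with VPN_FW_APPLY=1 instead; the dry-run mode lets you review the exact commands, including the interface match, before they touch the live ruleset.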


7 Restart Related Services

We need to restart all related services to make the configuration work.

/etc/init.d/slapd restart
/etc/init.d/openvpn restart
/etc/init.d/iptables restart


8 Client Settings

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/2.0/keys/client.ovpn
cd /etc/openvpn/easy-rsa/2.0/keys

Edit the client.ovpn file to modify the following line:

[...]
# Add the vpn server
remote mail.example.com 1194
[...]
#Comment out the below two lines
#cert client.crt
#key client.key
[...]
#Add this line at the bottom
auth-user-pass

Copy the client.ovpn and ca.crt files to your client system. Alternatively, you can use mutt to send the files to your mailbox, then log into your email account and download them.

apt-get install mutt zip
cd /etc/openvpn/easy-rsa/2.0/keys
zip config.zip client.ovpn ca.crt
mutt -s "OpenVPN client config files" www@example.com -a /etc/openvpn/easy-rsa/2.0/keys/config.zip < /usr/share/doc/openvpn/README
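The edited sample file above works, but it accepts any certificate signed by your CA as the server and lets the client cache the LDAP password in memory. The script below is an added example, not part of the original howto: it writes a client.ovpn for this password-authenticated setup and checks a config for the directives the setup needs. Beyond the page's edits it adds "remote-cert-tls server" (the client accepts only a certificate issued for server use) and "auth-nocache" (the password is not retained by the client after use); both are standard OpenVPN 2.1 options. The server name is the one used on the page.

```shell
#!/bin/sh
# Added example, not from the original howto: generate and check a client.ovpn
# for the user/password (LDAP) setup. mail.example.com is the page's server name.

# Emit a client config for the given server host (and optional port).
client_config() {
    host="$1"
    port="${2:-1194}"
    cat <<EOF
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
remote-cert-tls server
auth-user-pass
auth-nocache
comp-lzo
verb 3
EOF
}

# Read a config on stdin; print each problem found and return 1 if any.
# Lines starting with # or ; are comments and ignored, as in OpenVPN itself.
verify_client_config() {
    active=$(sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' -e '/^$/d')
    rc=0
    for needed in "client" "remote " "ca " "auth-user-pass" "remote-cert-tls server"; do
        if ! printf '%s\n' "$active" | grep -q "^$needed"; then
            echo "missing: $needed"
            rc=1
        fi
    done
    # With LDAP passwords the client has no certificate; an active cert/key line
    # left over from the sample file makes the client look for files it lacks.
    for stale in "cert " "key "; do
        if printf '%s\n' "$active" | grep -q "^$stale"; then
            printf 'remove: %s (no client certificate in this setup)\n' "${stale% }"
            rc=1
        fi
    done
    return $rc
}

# Usage:
#   client_config mail.example.com > client.ovpn
#   verify_client_config < client.ovpn
```

Running verify_client_config over the sample-file edit shown above reports the missing remote-cert-tls line, which is the one change worth making before the file is mailed to users.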


Installing OpenVPN GUI On Windows XP / Vista / Windows 7

Download the client software here: http://openvpn.net/index.php/open-source/downloads.html. After installation, put the client.ovpn and ca.crt files into C:\Program Files\OpenVPN\config.

IMPORTANT NOTE FOR VISTA and Windows 7 USERS:

Note that on Windows Vista and Windows 7, you will need to run the OpenVPN GUI with administrator privileges, so that it can add routes to the routing table that are pulled from the OpenVPN server. You can do this by right-clicking on the OpenVPN GUI desktop icon, and selecting "Run as administrator".

Now you can use the account www@example.com to connect to the VPN.

Now you can access the Internet through the VPN; check on http://www.whatismyip.com that the IP address shown is the server's IP address.


9 Troubleshooting

Before troubleshooting, try restarting the server and check whether it works then.

To enable ldap logging, edit /etc/ldap/slapd.conf:

[...]
loglevel    256 # <-- change from 0 to 256
[...]


Separate OpenVPN Log

By default, log messages go to syslog. We use the "log" directive in /etc/openvpn/server.conf to override this.

Issue the following command to create log files and set the right permissions:

touch /var/log/openvpn.log
chown nobody.nogroup /var/log/openvpn.log

Edit /etc/openvpn/server.conf:

[...]
user nobody
group nogroup
[...]
log    /var/log/openvpn.log

Restart the related services.

/etc/init.d/slapd restart
/etc/init.d/openvpn restart

Monitor the log:

# tail -0f /var/log/openldap.log

Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 fd=15 ACCEPT from IP=127.0.0.1:42020 (IP=0.0.0.0:389)
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=0 BIND dn="cn=vmail,dc=example,dc=com" method=128
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=0 BIND dn="cn=vmail,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=0 RESULT tag=97 err=0 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=1 SRCH base="o=domains,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 fd=19 ACCEPT from IP=127.0.0.1:42021 (IP=0.0.0.0:389)
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=0 BIND dn="cn=vmail,dc=example,dc=com" method=128
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=0 BIND dn="cn=vmail,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=0 RESULT tag=97 err=0 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=1 BIND anonymous mech=implicit ssf=0
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=1 BIND dn="mail=www@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com" method=128
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=1 BIND dn="mail=www@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=1 RESULT tag=97 err=0 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=2 UNBIND
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=2 UNBIND
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 fd=19 closed
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 fd=15 closed
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 fd=15 ACCEPT from IP=127.0.0.1:42022 (IP=0.0.0.0:389)
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=0 BIND dn="cn=vmail,dc=example,dc=com" method=128
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=0 BIND dn="cn=vmail,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=0 RESULT tag=97 err=0 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=1 SRCH base="o=domains,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=2 UNBIND
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 fd=15 closed

# tail -0f /var/log/openvpn.log

Mon Sep 20 06:01:20 2010 MULTI: multi_create_instance called
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 Re-using SSL/TLS context
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 LZO compression initialized
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 Local Options hash (VER=V4): '530fdded'
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 Expected Remote Options hash (VER=V4): '41690919'
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 TLS: Initial packet from [AF_INET]211.99.216.18:50094, sid=216fe588 ae0a6a58
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 TLS: Username/Password authentication succeeded for username 'www@example.com'
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 [] Peer Connection Initiated with [AF_INET]211.99.216.18:50094
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=0
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 MULTI: Learn: 10.8.0.10 -> 211.99.216.18:50094
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 MULTI: primary virtual IP for 211.99.216.18:50094: 10.8.0.10
Mon Sep 20 06:01:23 2010 211.99.216.18:50094 PUSH: Received control message: 'PUSH_REQUEST'
Mon Sep 20 06:01:23 2010 211.99.216.18:50094 SENT CONTROL [UNDEF]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9' (status=1)
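The two logs above show a single successful login: OpenVPN reports "Username/Password authentication succeeded" and slapd shows the user's BIND answered with err=0. The same two logs are also where a password-guessing run against the VPN shows up, as repeated failures from one client address. The script below is an added example, not part of the original howto: it counts password authentications per client IP from openvpn.log and flags sources with more than FAIL_LIMIT failures, and it lists user binds that slapd rejected. The sample lines are constructed for this example: the success line has the format shown on the page, the failure line is OpenVPN 2.x's message for a rejected password, and err=49 is LDAP's invalidCredentials result code (tag=97 is the bindResponse, as in the page's log).

```shell
#!/bin/sh
# Added example, not from the original howto: a detection pass over the two logs
# tailed in the troubleshooting section. Sample log lines are constructed.

FAIL_LIMIT="${FAIL_LIMIT:-3}"

sample_openvpn_log() {
    cat <<'EOF'
Mon Sep 20 06:01:22 2010 203.0.113.10:50094 TLS: Username/Password authentication succeeded for username 'www@example.com'
Mon Sep 20 06:02:01 2010 198.51.100.7:41000 TLS: Username/Password authentication failed for username 'www@example.com'
Mon Sep 20 06:02:05 2010 198.51.100.7:41001 TLS: Username/Password authentication failed for username 'root'
Mon Sep 20 06:02:09 2010 198.51.100.7:41002 TLS: Username/Password authentication failed for username 'admin'
Mon Sep 20 06:02:14 2010 198.51.100.7:41003 TLS: Username/Password authentication failed for username 'www@example.com'
Mon Sep 20 06:03:30 2010 203.0.113.10:50095 TLS: Username/Password authentication succeeded for username 'www@example.com'
EOF
}

sample_slapd_log() {
    cat <<'EOF'
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=1 BIND dn="mail=www@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com" method=128
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=1 RESULT tag=97 err=0 text=
Sep 20 06:02:01 li163-121 slapd[3846]: conn=1005 op=1 BIND dn="mail=www@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com" method=128
Sep 20 06:02:01 li163-121 slapd[3846]: conn=1005 op=1 RESULT tag=97 err=49 text=
EOF
}

# openvpn.log on stdin -> one "<status> <client-ip> <username>" line per
# user/password authentication (status is "succeeded" or "failed").
auth_events() {
    awk '/Username\/Password authentication (succeeded|failed) for username/ {
        split($6, ep, ":")                          # "ip:port" -> ip
        user = substr($NF, 2, length($NF) - 2)      # strip the quotes
        print $10, ep[1], user
    }'
}

# Client IPs with more than FAIL_LIMIT failed authentications: "<ip> <count>".
brute_force_sources() {
    auth_events | awk -v limit="$FAIL_LIMIT" '
        $1 == "failed" { fails[$2]++ }
        END { for (ip in fails) if (fails[ip] > limit) print ip, fails[ip] }'
}

# slapd stats log (loglevel 256) on stdin -> "<err> <dn>" for every user BIND
# whose bindResponse (tag=97) carried a non-zero result code. The BIND and its
# RESULT are separate lines, so they are joined on the conn=/op= pair.
ldap_bind_failures() {
    awk '/ BIND dn=/ {
             match($0, /dn="[^"]*"/)
             dn[$6 " " $7] = substr($0, RSTART + 4, RLENGTH - 5)
         }
         / RESULT tag=97 / {
             key = $6 " " $7
             code = $10; sub(/^err=/, "", code)
             if ((key in dn) && code != 0) print code, dn[key]
         }'
}

# Usage against the live logs:
#   brute_force_sources < /var/log/openvpn.log
#   ldap_bind_failures  < /var/log/openldap.log
```

On the constructed sample, brute_force_sources reports 198.51.100.7 with 4 failures and ldap_bind_failures reports the err=49 bind for www@example.com; run both from cron against the live logs to get the same view without tailing.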


10 Links


Submitted by Sergey (not registered) on Tue, 2011-06-14 12:13.

Correctly:

 SearchFilter    "(&(mail=%u)(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"