Setting Up An OpenVPN Server With Authentication Against OpenLDAP On Ubuntu 10.04 LTS - Page 2
6 Enable IP Forwarding And Configure iptables
Edit /etc/sysctl.conf and make sure the following line is present and uncommented, so that the kernel forwards IPv4 traffic after every reboot:
net.ipv4.ip_forward = 1
Issue the following command to enable forwarding for the current session without rebooting:
echo 1 > /proc/sys/net/ipv4/ip_forward
Edit /etc/default/iptables and add the lines below so that iptables accepts OpenVPN connections on UDP port 1194:
# openvpn
-A INPUT -p udp -m multiport --dport 1194 -j ACCEPT
Issue the following commands to add the forwarding and NAT rules for the current session (they allow traffic from the VPN subnet 10.8.0.0/24, reject all other forwarded traffic, and masquerade VPN clients behind eth0):
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Before continuing, insert these iptables rules into your system's /etc/rc.local file to ensure that they are recreated after your next reboot:
#!/bin/sh
#
# [...]
#
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
exit 0
7 Restart Related Services
We need to restart all related services to make the configuration work.
/etc/init.d/slapd restart
/etc/init.d/openvpn restart
/etc/init.d/iptables restart
8 Client Settings
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/2.0/keys/client.ovpn
cd /etc/openvpn/easy-rsa/2.0/keys
Edit the client.ovpn file and make the following changes:
# Point the client at the VPN server
remote mail.example.com 1194
# Comment out the following two lines
#cert client.crt
#key client.key
# Add this line at the bottom
auth-user-pass
Copy the client.ovpn and ca.crt files to your client system. Alternatively, you can use mutt to send the files to your mailbox, then log into your email account and download them there.
apt-get install mutt zip
cd /etc/openvpn/easy-rsa/2.0/keys
zip config.zip client.ovpn ca.crt
mutt -s "OpenVPN client config files" [email protected] -a /etc/openvpn/easy-rsa/2.0/keys/config.zip < /usr/share/doc/openvpn/README
Installing OpenVPN GUI On Windows XP / Vista
Download the client software here: http://openvpn.net/index.php/openvpn-client.html. After installation, put the client.ovpn and ca.crt files into C:\Program Files\OpenVPN\config.
Now you can use the account [email protected] to connect to the VPN.
9 Troubleshooting
To enable LDAP logging, edit /etc/ldap/slapd.conf:
loglevel 256 # <-- change from 0 to 256
Separate OpenVPN Log
By default, log messages go to syslog. We use the "log" directive in /etc/openvpn/server.conf to override this.
Issue the following command to create log files and set the right permissions:
touch /var/log/openvpn.log
chown nobody.nogroup /var/log/openvpn.log
Edit /etc/openvpn/server.conf:
user nobody
group nogroup
log /var/log/openvpn.log
Restart the related services.
/etc/init.d/slapd restart
/etc/init.d/openvpn restart
Monitor the log:
# tail -0f /var/log/openldap.log
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 fd=15 ACCEPT from IP=127.0.0.1:42020 (IP=0.0.0.0:389)
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=0 BIND dn="cn=vmail,dc=example,dc=com" method=128
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=0 BIND dn="cn=vmail,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=0 RESULT tag=97 err=0 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=1 SRCH base="o=domains,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 fd=19 ACCEPT from IP=127.0.0.1:42021 (IP=0.0.0.0:389)
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=0 BIND dn="cn=vmail,dc=example,dc=com" method=128
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=0 BIND dn="cn=vmail,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=0 RESULT tag=97 err=0 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=1 BIND anonymous mech=implicit ssf=0
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=1 BIND dn="[email protected],ou=Users,domainName=example.com,o=domains,dc=example,dc=com" method=128
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=1 BIND dn="[email protected],ou=Users,domainName=example.com,o=domains,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=1 RESULT tag=97 err=0 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=2 UNBIND
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=2 UNBIND
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 fd=19 closed
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 fd=15 closed
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 fd=15 ACCEPT from IP=127.0.0.1:42022 (IP=0.0.0.0:389)
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=0 BIND dn="cn=vmail,dc=example,dc=com" method=128
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=0 BIND dn="cn=vmail,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=0 RESULT tag=97 err=0 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=1 SRCH base="o=domains,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=2 UNBIND
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 fd=15 closed
# tail -0f /var/log/openvpn.log
Mon Sep 20 06:01:20 2010 MULTI: multi_create_instance called
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 Re-using SSL/TLS context
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 LZO compression initialized
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 Local Options hash (VER=V4): '530fdded'
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 Expected Remote Options hash (VER=V4): '41690919'
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 TLS: Initial packet from [AF_INET]211.99.216.18:50094, sid=216fe588 ae0a6a58
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 TLS: Username/Password authentication succeeded for username '[email protected]'
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 [] Peer Connection Initiated with [AF_INET]211.99.216.18:50094
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=0
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 MULTI: Learn: 10.8.0.10 -> 211.99.216.18:50094
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 MULTI: primary virtual IP for 211.99.216.18:50094: 10.8.0.10
Mon Sep 20 06:01:23 2010 211.99.216.18:50094 PUSH: Received control message: 'PUSH_REQUEST'
Mon Sep 20 06:01:23 2010 211.99.216.18:50094 SENT CONTROL [UNDEF]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9' (status=1)
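When the slapd log gets longer than the excerpt above, it helps to collapse it into one line per step of the plugin's flow: the bind as the service account, the search for an active account with enabledService=vpn, and the bind as the user. The following Python script is an added example, not part of the tutorial or of openvpn-auth-ldap; the log lines inside it are constructed to match the format shown above, and the user-entry DN form mail=<address>,ou=Users,... is an assumption about the directory layout.

```python
import re

# Constructed sample modelled on the slapd lines shown above (not a real capture). The user-entry
# DN form "mail=<address>,ou=Users,..." is an assumption about the directory layout.
SAMPLE_LOG = """\
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=0 BIND dn="cn=vmail,dc=example,dc=com" method=128
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=0 RESULT tag=97 err=0 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=1 SRCH base="o=domains,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=1 BIND dn="mail=alice@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com" method=128
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=1 RESULT tag=97 err=0 text=
Sep 20 06:02:05 li163-121 slapd[3846]: conn=1005 op=1 SRCH base="o=domains,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"
Sep 20 06:02:05 li163-121 slapd[3846]: conn=1005 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 20 06:02:40 li163-121 slapd[3846]: conn=1007 op=1 BIND dn="mail=bob@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com" method=128
Sep 20 06:02:40 li163-121 slapd[3846]: conn=1007 op=1 RESULT tag=97 err=49 text=
"""
SERVICE_DN = "cn=vmail,dc=example,dc=com"  # DN the auth-ldap plugin binds with before it searches
OP_RE = re.compile(r"conn=(\d+) op=(\d+) (.*)$")
BIND_RE = re.compile(r'^BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'^SRCH .*filter="([^"]*)"')
RESULT_RE = re.compile(r"^(?:SEARCH )?RESULT tag=\d+ err=(\d+)(?: nentries=(\d+))?")

def parse_ops(log_text):
    """Merge the request line and the RESULT line of every (conn, op) pair into one record."""
    ops = {}
    for m in filter(None, map(OP_RE.search, log_text.splitlines())):  # lines without conn/op are skipped
        rec = ops.setdefault((int(m.group(1)), int(m.group(2))), {})
        b, s, r = (p.match(m.group(3)) for p in (BIND_RE, SRCH_RE, RESULT_RE))
        if b:
            rec["dn"] = b.group(1)
        elif s:
            rec["filter"] = s.group(1)
        elif r:
            rec["err"], rec["nentries"] = int(r.group(1)), int(r.group(2) or 0)
    return ops

def status(err):  # LDAP resultCode 49 is invalidCredentials (wrong or empty password)
    return "ok" if err == 0 else f"FAILED err={err}" + (" (invalid credentials)" if err == 49 else "")

def auth_summary(log_text):
    """One line per step of the plugin's flow: service bind, vpn-entitlement search, user bind."""
    out = []
    for (conn, op), rec in sorted(parse_ops(log_text).items()):
        if "dn" in rec:
            who = "service" if rec["dn"] == SERVICE_DN else "user " + rec["dn"].split(",")[0]
            out.append(f"conn={conn} {who} bind {status(rec.get('err'))}")
        elif "enabledService=vpn" in rec.get("filter", ""):
            n = rec.get("nentries", 0)
            out.append(f"conn={conn} vpn search nentries={n}" + ("" if n else " (no active account with vpn enabled)"))
    return out
```

Run it against /var/log/openldap.log instead of SAMPLE_LOG to see at a glance whether a failed login was a bad password (err=49) or an account without enabledService=vpn (nentries=0).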
10 Links
- Discussion forum: http://www.iredmail.org/forum/
- OpenVPN-auth-ldap Project home page: http://code.google.com/p/openvpn-auth-ldap/
- iRedMail Project home page: http://code.google.com/p/iredmail/
- Secure Communications with OpenVPN on Ubuntu 10.04 (Lucid): http://library.linode.com/networking/vpn-services/openvpn-ubuntu-10.04-lucid