OpenVPN setup

Daniel Bernhardt

Creative Commons Attribution-Noncommercial-Share Alike 3.0 Germany License

Revision History
Revision 1.0    2009-10-12    Daniel Bernhardt
initial manual release

Abstract

Installing and configuring a virtual private network with OpenVPN, using certificates plus an additional username/password check, for example against OpenLDAP.



Foreword

This documentation is Gentoo Linux specific. Directory structure and commands used in this documentation may be different in other Linux distributions.

Feel free to email me at if you have any suggestions or corrections.

OpenVPN

Overview

In this manual OpenVPN is configured so that multiple clients connect and authenticate with X.509 certificates (TLS) plus a username and password checked through PAM. All clients may communicate with each other and, since the server pushes a default route, may also route traffic out through the server's other network interfaces.

Installation

On Gentoo Linux OpenVPN is installed with the command emerge openvpn. After compilation and installation the directory /etc/openvpn/ exists; it holds the configuration files used below.

To complete the installation, copy the easy-rsa scripts into the OpenVPN configuration directory with the command cp -r /usr/share/openvpn/easy-rsa /etc/openvpn/. The easy-rsa package contains shell scripts that simplify the creation of the CA, server and client certificates.

Configuration

The configuration file is expected at /etc/openvpn/openvpn.conf. The configuration used in this manual is shown in the following listing. Two points deserve attention: push "redirect-gateway" sends all client traffic through the tunnel, so the server needs IP forwarding enabled and, usually, NAT on its outbound interface; and dh1024.pem is what easy-rsa's build-dh produces with the default KEY_SIZE=1024 from its vars file, which is too weak today, so set KEY_SIZE=2048 before generating keys and point the dh directive at the resulting dh2048.pem.

local a.b.c.d

port 8080
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key # keep secret

dh dh1024.pem
# the network address must lie on the netmask boundary: 10.13.15.0 has host
# bits set for a /23 and OpenVPN rejects it, the /23 containing it is 10.13.14.0
server 10.13.14.0 255.255.254.0

ifconfig-pool-persist ipp.txt

client-config-dir ccd
push "redirect-gateway"

client-to-client
keepalive 10 120

comp-lzo
user nobody
group nobody

persist-key
persist-tun

status openvpn-status.log
verb 4

# the argument after the plugin path is the PAM service name (/etc/pam.d/login)
plugin /usr/lib/openvpn/openvpn-auth-pam.so login

Chapter 1. OpenLDAP

configuration

Example 1.1. /etc/openldap/slapd.conf

The rootpw value in this configuration file was generated with the command slappasswd -h {MD5}. {MD5} is an unsalted hash; slappasswd's default scheme {SSHA} salts the hash and should be preferred, and slapd accepts any of its supported schemes for rootpw.

include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

modulepath      /usr/lib/openldap/openldap
moduleload      back_hdb.so

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
# password hashes: the owner may change them, everybody else may only bind
# against them; without this rule the catch-all below would let every
# authenticated user read all userPassword values
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by anonymous auth

database        hdb
suffix          "dc=schizzr,dc=de"
checkpoint      32      30
rootdn          "cn=Manager,dc=schizzr,dc=de"
rootpw          {MD5}dslfjshfi8zwuirhljfso=
directory       /var/lib/openldap-data
index           objectClass     eq
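What slappasswd produces, and what slapd compares on a simple bind, as an added example (Python, standard library only; not part of the manual or of OpenLDAP): ldap_md5 builds the unsalted {MD5} form used for rootpw above, ldap_ssha the salted {SSHA} form that slappasswd emits by default, and verify checks a candidate password against either. Running it shows why {MD5} is the weaker choice: every account with the same password gets the same stored value.

```python
"""{MD5} and {SSHA} userPassword/rootpw schemes (added example, not from the manual)."""
import base64
import hashlib
import hmac
import os


def ldap_md5(password: str) -> str:
    """{MD5}: base64 of the raw MD5 digest. Unsalted, so equal passwords give
    equal values and the stored hashes reveal which accounts share one."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def ldap_ssha(password: str, salt=None) -> str:
    """{SSHA}: base64 of SHA-1(password || salt) followed by the salt itself.
    slappasswd uses a random 4-byte salt; verification works with any length."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, password: str) -> bool:
    """Compare a password against a stored {MD5} or {SSHA} value, which is
    what slapd does when a DN with that userPassword binds."""
    scheme, _, encoded = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    raw = base64.b64decode(encoded)
    if scheme == "MD5":
        expected = hashlib.md5(password.encode("utf-8")).digest()
        return hmac.compare_digest(raw, expected)
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]   # a SHA-1 digest is 20 bytes, the rest is salt
        expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    raise ValueError(f"unsupported scheme {scheme}")


if __name__ == "__main__":
    print(ldap_md5("secret"))    # same value on every run and for every user
    print(ldap_ssha("secret"))   # fresh salt, different value on every run
    print(verify(ldap_ssha("secret"), "secret"), verify(ldap_md5("secret"), "wrong"))
```

The values are accepted verbatim in slapd.conf (rootpw) and in LDIF (userPassword), so a hashed password can be generated on any machine with Python and pasted into the directory instead of the clear text.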
			

LDAP Data Interchange Format

Example 1.2. base ldif file

Apache Directory Studio is used to administer the directory server.


dn: dc=schizzr,dc=de
dc: schizzr
description: geschizzr VPN
objectClass: dcObject
objectClass: organization
o: vpn

# first level
# users
dn: ou=users,dc=schizzr,dc=de
ou: users
description: all gschizzr vpn users
objectClass: organizationalUnit

# first level
# groups
dn: ou=groups,dc=schizzr,dc=de
objectClass: organizationalUnit
ou: groups
description: vpn groups

# second level
# group data
dn: cn=openvpn,ou=groups,dc=schizzr,dc=de
objectClass: groupOfNames
cn: openvpn
description: openvpn usergroup
member: cn=Daniel Bernhardt,ou=users,dc=schizzr,dc=de

dn: cn=ftp,ou=groups,dc=schizzr,dc=de
objectClass: groupOfNames
cn: ftp
description: ftp usergroup
member: cn=Kai Kraehahn,ou=users,dc=schizzr,dc=de
member: cn=Daniel Bernhardt,ou=users,dc=schizzr,dc=de

# second level
# user data
# userPassword is shown in clear text for readability; slapd stores exactly
# what is loaded, so use a hashed value from slappasswd (e.g. {SSHA}...) instead
dn: cn=Daniel Bernhardt,ou=users,dc=schizzr,dc=de
objectClass: inetOrgPerson
cn: Daniel Bernhardt
uid: daniel
userPassword: foobar
mail: daniel@dbernhardt.com
sn: Bernhardt
ou: users

dn: cn=Kai Kraehahn,ou=users,dc=schizzr,dc=de
objectClass: inetOrgPerson
cn: Kai Kraehahn
uid: kai
userPassword: foobar1
mail: Kai Kraehahn
sn: Kraehahn
ou: users
			

Chapter 2. OpenVPN

The installation of OpenVPN was covered above; for this chapter just make sure you have TUN/TAP support in your kernel and that OpenVPN is installed (emerge -av openvpn). If you have trouble installing OpenVPN, search the web or consult the Gentoo Wiki.

OpenVPN configuration

Create and edit the OpenVPN configuration file /etc/openvpn/openvpn.conf. If you need an explanation of all the configuration parameters, refer to the online documentation of the OpenVPN project. Note that the argument after the plugin path is the PAM service name: this listing uses openvpn, so the PAM stack must exist as /etc/pam.d/openvpn (the listing in the Overview used login, i.e. the system's /etc/pam.d/login). Clients must carry auth-user-pass in their configuration so that they send a username and password for the plugin to check.

Example 2.1. openvpn.conf file

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.12.14.0 255.255.254.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
max-clients 200
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
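A static checker for the two server configurations in this manual, as an added example (Python; not code from OpenVPN or from the manual). It tokenises openvpn.conf the way OpenVPN does (whitespace separated, '#' and ';' comments, quoted arguments), rejects directives outside a small assumed whitelist (which catches a misspelled keepalive), verifies that the network given to server lies on its netmask boundary, flags a dh file whose name indicates 1024-bit parameters, and warns when user/group are missing. Both listings are embedded as constructed input, the first one exactly as it originally appeared in this manual.

```python
"""Static checks for an OpenVPN server configuration (added example, not from OpenVPN)."""
import ipaddress
import shlex

# Directives used by the two server listings of this manual plus a few common
# hardening options. Assumed subset of OpenVPN's option set; extend as needed.
KNOWN_DIRECTIVES = {
    "local", "port", "proto", "dev", "ca", "cert", "key", "dh", "server",
    "ifconfig-pool-persist", "client-config-dir", "push", "client-to-client",
    "keepalive", "comp-lzo", "max-clients", "user", "group", "persist-key",
    "persist-tun", "status", "verb", "plugin", "tls-auth", "cipher", "auth",
}

# Constructed input: the Overview listing as originally published, with the
# misspelled keepalive directive and a --server network off its /23 boundary.
CONF_OVERVIEW = """\
local a.b.c.d
port 8080
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # keep secret
dh dh1024.pem
server 10.13.15.0 255.255.254.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
push "redirect-gateway"
client-to-client
keepalivalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 4
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
"""

# Constructed input: the listing from Example 2.1.
CONF_CHAPTER2 = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.12.14.0 255.255.254.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
max-clients 200
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
"""


def parse_conf(text):
    """Return [(directive, [args])]; blank and comment lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)  # handles "..." and trailing # comments
        if tokens:
            entries.append((tokens[0], tokens[1:]))
    return entries


def check_conf(text):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    entries = parse_conf(text)
    present = {directive for directive, _ in entries}
    for directive, args in entries:
        if directive not in KNOWN_DIRECTIVES:
            findings.append(f"unknown directive '{directive}': typo? OpenVPN refuses to start")
        elif directive == "server":
            try:  # strict=True rejects a network address with host bits set
                ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=True)
            except (IndexError, ValueError):
                findings.append(f"server {' '.join(args)}: network address has host bits set for this netmask")
        elif directive == "dh" and args and "1024" in args[0]:
            findings.append(f"dh {args[0]}: name indicates 1024-bit parameters, regenerate with KEY_SIZE=2048")
    for needed in ("user", "group"):
        if needed not in present:
            findings.append(f"no '{needed}' directive: daemon keeps root privileges after start-up")
    return findings


if __name__ == "__main__":
    for name, text in (("overview", CONF_OVERVIEW), ("chapter 2", CONF_CHAPTER2)):
        print(f"== {name} ==")
        for finding in check_conf(text) or ["no findings"]:
            print("  " + finding)
```

Run it against your own file with check_conf(open("/etc/openvpn/openvpn.conf").read()) before restarting the daemon; a finding about an unknown directive is exactly the error OpenVPN would otherwise print at start-up.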

Certificates

All tools necessary to create certificates are located in the directory /usr/share/openvpn/easy-rsa/. To have everything in one place, copy this directory to /etc/openvpn/ with the command cp -r /usr/share/openvpn/easy-rsa /etc/openvpn (if you have not done so during installation). After that cd to /etc/openvpn/easy-rsa.

Creating a server certificate

Edit the file /etc/openvpn/easy-rsa/vars and change the default values for country, province, city, organization and email; raise KEY_SIZE from 1024 to 2048 at the same time. Make sure your current working directory is /etc/openvpn/easy-rsa. To build the CA certificate follow the next steps (clean-all wipes the keys directory, so run it only once, on a fresh setup).

. ./vars
./clean-all
./build-ca

Now you can build the server certificate. The argument you give to the script is used as the Common Name of the certificate, and the resulting server.crt and server.key are the files the cert and key directives in openvpn.conf refer to. Afterwards run ./build-dh to create the Diffie-Hellman parameters referenced by the dh directive (the file is named dh<KEY_SIZE>.pem), and ./build-key <name> once per client, giving every client its own Common Name. Each client receives ca.crt plus its own certificate and key; server.key and the CA key never leave the server.

./build-key-server server

adding LDAP support

LDAP support can be achieved by using an OpenVPN plugin called openvpn-auth-ldap. It is available for download at http://code.google.com/p/openvpn-auth-ldap/. To build this plugin you need gcc with Objective-C support; on Gentoo you may need to re-emerge gcc with the objc USE flag, otherwise compilation will fail.

Now compile the sources.

Chapter 3. vsftpd

vsftpd is a very secure FTP daemon. We need vsftpd to support virtual users coming from the LDAP server; all virtual users are mapped to one real local account (guest_username below). Because guest logins fall under vsftpd's anonymous permission model, the anon_* options, not write_enable alone, decide what virtual users may write.

configuration

The configuration file is located at /etc/vsftpd/vsftpd.conf. The listen_address binds the daemon to the server's own tunnel address from Example 2.1, so the FTP service is reachable only from inside the VPN; the passive port range must be reachable over the tunnel as well.

Example 3.1. vsftpd.conf file

# Standalone mode
listen=YES
max_clients=50
max_per_ip=4
listen_address=10.12.14.1

# Access rights
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
guest_enable=YES
guest_username=vftp

# Security
chroot_local_user=YES
anon_world_readable_only=YES
connect_from_port_20=YES
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000

# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES

# Performance
#one_process_model=YES
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
anon_max_rate=50000

# PAM
pam_service_name=vsftpd

ldap authentication

As stated in the configuration file above, "vsftpd" is used as the PAM service name, so /etc/pam.d/vsftpd is consulted for each login. Create this file as shown below. Please note: only LDAP authentication is allowed; there is no fallback to local accounts via pam_unix. The config= parameter points pam_ldap at a separate configuration file, which allows per-service settings such as the group restriction used here.

Example 3.2. /etc/pam.d/vsftpd

auth     required pam_ldap.so config=/etc/vsftpd/pam_ldap.conf
account  required pam_ldap.so
session  required pam_ldap.so

Create the file /etc/vsftpd/pam_ldap.conf to tell pam_ldap how to connect to the LDAP server. pam_groupdn and pam_member_attribute restrict logins to members of the ftp group: pam_ldap looks up the entry whose pam_login_attribute (uid) matches the login name below base and then checks that the group's member attribute contains that entry's DN. The file holds the rootdn password in clear text, so keep it owned by root with mode 0600 (PAM runs with vsftpd's root privileges, so that is sufficient); a dedicated bind DN with read-only rights would be the safer choice. The connection to host 10.12.14.1 is plain LDAP, which is acceptable only because that is the VPN server's own tunnel address and the traffic stays on the host.

Example 3.3. /etc/vsftpd/pam_ldap.conf

base dc=schizzr,dc=de
host 10.12.14.1
binddn cn=Manager,dc=schizzr,dc=de
bindpw **your manager password**
ldap_version 3
pam_login_attribute uid
pam_groupdn cn=ftp,ou=groups,dc=schizzr,dc=de
pam_member_attribute member
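The two lookups pam_ldap performs for the configuration above, replayed offline as an added example (Python; not code from the manual or from pam_ldap): find the entry whose pam_login_attribute matches the login name below base, then compare pam_member_attribute of pam_groupdn against that entry's DN. It runs against a trimmed, constructed copy of the LDIF from Example 1.2 and the lookup settings from Example 3.3 (host, binddn and bindpw are not needed offline), so the ftp group rule, and the openvpn group as a second case, can be checked before slapd is touched.

```python
"""Replay the pam_ldap group check offline (added example, not pam_ldap code)."""
import base64

# Trimmed copy of Example 1.2 (constructed input; descriptions, mail and
# passwords left out because the group check never reads them).
LDIF = """\
dn: cn=openvpn,ou=groups,dc=schizzr,dc=de
objectClass: groupOfNames
cn: openvpn
member: cn=Daniel Bernhardt,ou=users,dc=schizzr,dc=de

dn: cn=ftp,ou=groups,dc=schizzr,dc=de
objectClass: groupOfNames
cn: ftp
member: cn=Kai Kraehahn,ou=users,dc=schizzr,dc=de
member: cn=Daniel Bernhardt,ou=users,dc=schizzr,dc=de

dn: cn=Daniel Bernhardt,ou=users,dc=schizzr,dc=de
objectClass: inetOrgPerson
cn: Daniel Bernhardt
sn: Bernhardt
uid: daniel

dn: cn=Kai Kraehahn,ou=users,dc=schizzr,dc=de
objectClass: inetOrgPerson
cn: Kai Kraehahn
sn: Kraehahn
uid: kai
"""

# The lookup-related lines of Example 3.3 (connection settings are irrelevant offline).
PAM_LDAP_CONF = """\
base dc=schizzr,dc=de
pam_login_attribute uid
pam_groupdn cn=ftp,ou=groups,dc=schizzr,dc=de
pam_member_attribute member
"""


def norm_dn(dn):
    """Comparison key: attribute types and these string values match case-insensitively."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """RFC 2849 subset (comments, folded lines, '::' base64) -> {norm dn: {attr: [values]}}."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:   # continuation of the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = {}, {}
    for line in unfolded + [""]:              # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries[norm_dn(current["dn"][0])] = current
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def parse_pam_ldap_conf(text):
    """pam_ldap.conf is one 'keyword value' pair per line."""
    conf = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, _, value = line.strip().partition(" ")
            conf[key] = value.strip()
    return conf


def lookup_user_dn(entries, conf, login):
    """Step 1: search (pam_login_attribute=login) below base and return the entry's DN."""
    base, attr = norm_dn(conf["base"]), conf["pam_login_attribute"].lower()
    for key, entry in entries.items():
        if key.endswith(base) and login.lower() in [v.lower() for v in entry.get(attr, [])]:
            return entry["dn"][0]
    return None


def in_group(entries, conf, user_dn):
    """Step 2: compare pam_member_attribute of pam_groupdn with the user's DN."""
    group = entries.get(norm_dn(conf["pam_groupdn"]), {})
    members = {norm_dn(m) for m in group.get(conf["pam_member_attribute"].lower(), [])}
    return norm_dn(user_dn) in members


def authorize(entries, conf, login):
    """The decision pam_ldap reaches for a login: (allowed, reason)."""
    user_dn = lookup_user_dn(entries, conf, login)
    if user_dn is None:
        return False, f"no entry with {conf['pam_login_attribute']}={login}"
    if not in_group(entries, conf, user_dn):
        return False, f"{user_dn} is not in {conf['pam_groupdn']}"
    return True, f"{user_dn} is in {conf['pam_groupdn']}"


if __name__ == "__main__":
    entries, conf = parse_ldif(LDIF), parse_pam_ldap_conf(PAM_LDAP_CONF)
    for login in ("daniel", "kai", "mallory"):
        print("ftp:", login, *authorize(entries, conf, login))
    vpn = dict(conf, pam_groupdn="cn=openvpn,ou=groups,dc=schizzr,dc=de")
    print("openvpn:", "kai", *authorize(entries, vpn, "kai"))
```

Point LDIF at the output of slapcat and PAM_LDAP_CONF at the real file to dry-run a change to group membership; only the bind step and the password comparison happen on the server and are not reproduced here.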