Openvpn and AD users


(Vinny) #1

Hello everyone, openvpn now goes, runs at boot and now all right; what do I do now to associate nethserver with a win2008 AD? In fact, I see the server in the AD resources on win2008, but vpn users are authenticated.
My goal is to create a VPN server with NethServer and connect it to the Win2008 AD to use the existing users on the domain.
Thank you.
P.S. This is an on-line translation


(Giacomo Sanchietti) #2

Sorry but you can’t use users from AD to authenticate inside the VPN.


(Vinny) #3

You can not? Is it difficult to realize?


(Giacomo Sanchietti) #4

It’s not hard, it’s a nightmare :smiley: Every time you have to deal with an AD it is hell :smile:


(Artem Fedai) #5

@Vinny74 just install openvpn-auth-ldap.x86_64 from the EPEL repo

Modify the files below:

  1. /etc/openvpn/host-to-net.conf

    # load the LDAP auth plugin and point it at its own config file
    plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"

  2. /etc/openvpn/auth/ldap.conf

    # connection settings (openvpn-auth-ldap requires the <LDAP> section)
    <LDAP>
        URL ldap://example.local
        BindDN CN=openvpn,CN=Users,DC=example,DC=local
        Password openvpn
        Timeout 15
        # StartTLS off: bind and user passwords cross the network in clear text
        TLSEnable no
    </LDAP>
    # user lookup (openvpn-auth-ldap requires the <Authorization> section)
    <Authorization>
        BaseDN "DC=example,DC=local"
        SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=VPN users,CN=Users,DC=example,DC=local))"
    </Authorization>

In AD, under Users, create a user openvpn with password openvpn. Create a group of users “VPN users”.


(Artem Fedai) #6

@giacomo maybe it is a good enhancement for AD lovers :slight_smile:


(Alessio Fattorini) #7

looks interesting!


(Artem Fedai) #8

Really good feature, if you have an existing AD domain.


(Giacomo Sanchietti) #9

Great shot!

Just to recap how it works:

  • enable the ldap plugin and configure the conf file
  • create a general “openvpn” user inside the AD
  • add existing users to “VPN users” group to enable openvpn for them

How can we integrate inside the actual implementation?
Would you like to add new fields inside the current UI?

As a side note, please notice that the authentication is passed in clear text to the AD server.
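An added check, not code from this thread or from NethServer, that parses an openvpn-auth-ldap config and flags the clear-text bind noted above, beside a StartTLS variant that passes. The `<LDAP>`/`<Authorization>` sections, `TLSEnable` and `TLSCACertFile` are the plugin's own directives; the sample configs and the CA file path are constructed for the example.

```python
# Constructed sample: the ldap.conf posted in this thread, inside the
# <LDAP> and <Authorization> sections the openvpn-auth-ldap plugin expects.
WEAK_CONF = """
<LDAP>
    URL ldap://example.local
    BindDN CN=openvpn,CN=Users,DC=example,DC=local
    Password openvpn
    Timeout 15
    TLSEnable no
</LDAP>
<Authorization>
    BaseDN "DC=example,DC=local"
    SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=VPN users,CN=Users,DC=example,DC=local))"
</Authorization>
"""

# Constructed hardened variant: StartTLS on the same ldap:// URL, with the AD
# CA pinned so the server certificate is verified (CA path is hypothetical).
HARDENED_CONF = WEAK_CONF.replace(
    "TLSEnable no", "TLSEnable yes\n    TLSCACertFile /etc/openvpn/auth/ad-ca.pem")

def parse_auth_ldap_conf(text):
    """Return {section: {key: value}} for the plugin's Apache-style config."""
    sections, current = {}, "GLOBAL"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("<"):            # <LDAP> opens, </LDAP> closes
            current = "GLOBAL" if line.startswith("</") else line.strip("<>")
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        sections.setdefault(current, {})[key] = value.strip('"')
    return sections

def audit(text):
    """Return {finding_code: explanation} for settings that expose credentials."""
    conf = parse_auth_ldap_conf(text)
    ldap, authz = conf.get("LDAP", {}), conf.get("Authorization", {})
    scheme = ldap.get("URL", "").split("://", 1)[0].lower()
    starttls = ldap.get("TLSEnable", "no").lower() == "yes"
    findings = {}
    if scheme != "ldaps" and not starttls:
        findings["CLEARTEXT_BIND"] = "bind password and every user's VPN password cross the network unencrypted"
    if (scheme == "ldaps" or starttls) and not ({"TLSCACertFile", "TLSCACertDir"} & set(ldap)):
        findings["NO_CA_PINNED"] = "TLS is on, but no CA is given to verify the AD server"
    if "memberof=" not in authz.get("SearchFilter", "").lower() \
            and authz.get("RequireGroup", "false").lower() != "true":
        findings["NO_GROUP_RESTRICTION"] = "any enabled AD account may connect to the VPN"
    return findings
```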


(Davide Principi) #10

Perhaps OpenVPN supports Kerberos/GSSAPI authentication when it connects to AD?


(Giacomo Sanchietti) #11

I don’t think so, but it has PAM support.
And no…I don’t want to try Kerberos AD integration with openldap OpenVPN :stuck_out_tongue:


(Davide Principi) #12

…was OpenVPN!


(Artem Fedai) #13

> Just to recap how it works:
>   • enable the ldap plugin and configure the conf file
>   • create a general “openvpn” user inside the AD
>   • add existing users to “VPN users” group to enable openvpn for them

Yep, you are right, but if it is an existing AD and users have their own group, the admin could specify it.

> How can we integrate inside the actual implementation?
> Would you like to add new fields inside the current UI?

I suppose that the fields in the UI should be:
  • ldap uri
  • cn=user and password
  • domain and user group

> As a side note, please notice that the authentication is passed in clear text to the AD server.

We can always use ldaps, but if it is internal infrastructure why should we use ldaps :)


(Stefano) #14

nas, please, can you use the right tags in your posts? I’m referring to quoting… it’s quite difficult to read your message…

anyway, an old and wise sysadm told me many years ago “trust nobody”… if one of your clients is exploited, having auth info in clear text is not a good thing…


(Alessio Fattorini) #15

I know, but the feature is too cool!! :smile:


(Stefano) #16

if you are aiming at security, this is not an option, never


(Artem Fedai) #17

Use ldaps? If your servers are in a special VLAN, why do you need ldaps? And how about the firewall on Windows, where you can allow only trusted IPs?


(Stefano) #18

no, nada, niet, nain… :smile:
security is another matter :wink:


(Artem Fedai) #19

  1. every clever person has their own management VLAN between servers and switches
  2. in the case of your security, you forgot about your users (facebook, gmail and so on)
  3. if your users can run sniffers and so on in your system, shame on you!