ovpn-ad-sync/README.md

#ovpn-ad-sync
============

###Description:
Script to synchronize AD/LDAP users with OpenVPN config files and email user certificates and a setup guide to end users.  This script is a very rudimentary hack to fill my purpose.  It may or may not work for you.  It could also be put to use with LDAP with minimal modification even though I wrote it for an Active Directory environment.

###Author:
Josh North 2014-12-01
josh.north@point808.com
Free for use and modification.  Credit is appreciated if you do anything with it but nothing is required.

###Theory:
Basically, the script should be run on a cron schedule.  At run, it searches all users in a specified AD group.  It then checks to see if subdirectories exist for the user, if not, it decides to create them.  It then loops through to look for directories that do not have a corresponding user in the AD list and deletes them.  It technically (at this point) does not revoke access and restart the vpn, this is IMPORTANT, because in my setup we are authenticating against AD anyway as a second layer.  This is not fully secure but like I said, it is a major work in progress.

###Requirements:
* Ubuntu 14+ (will likely work with plenty of other systems, but I wrote it on and for Ubuntu server)
* sendmail (must be configured correctly - I used ssmtp and wrote this script as such)
* sharutils
* easy-rsa
* ldap-utils
* openvpn-auth-ldap

###Setup Assumptions:
The below instructions make the following assumptions.  If you use a different setup you will need to modify accordingly.
1.  We assume your vpn name will be vpn.example.com 
2.  We asssume your LDAP bind root is example.com 
3.  We assume your LDAP user/pass for bind is oas_user/oas_user 
4.  We assume 192.168.5.0/24 is your VPN network range 
5.  We assume you want your rsa key infrastructure to live under the OpenVPN config directory in /etc 
6.  We assume your public IP is 66.66.66.66 - obviously this needs to be changed in the template file in the clients directory. 
7.  We assume your local network is 192.168.1.0/24 and your Active Directory or LDAP servers reside at .21 and .22 in this network. 
8.  We assume that you will set up a group in Active Directory called "OpenVPNUsers" - any users in this group will have files generated and emailed automatically. 
9.  You will see other variables that reference example.com - change these accordingly 

###Setup Instructions:
1.  Install and configure all pre-requisites listed above
2.  sudo git clone https://github.com/joshnorth/ovpn-ad-sync.git /tmp/ovpn-ad-sync
3.  sudo cp -R /usr/share/easy-rsa /etc/openvpn/rsa
4.  sudo cp -R /tmp/ovpn-ad-sync/
5.  Create openvpn server config file
make ldap config file
edit /etc/openvpn/rsa/vars correctly
in rsa dir do source ./vars, build-ca, build-dh, and build-key-server
MAKE SURE you use 2048 not 1024 it will break script and i don;t care becuase it's more secure anyway
copy script file to /usr/local/bin/oas.sh ansd chmod +x
make directory for client files (/etc/openvpn/oas_clients)
copy template file for clients into client directory
edit oas.sh to iproper parameters
copy user guide to client directory
add to cron every 15 minutes or whatever
Update README.md 2014-12-03 14:11:57 -05:00			`#ovpn-ad-sync`
Initial commit 2014-12-03 13:31:16 -05:00			`============`

Update README.md 2014-12-03 14:12:43 -05:00			`###Description:`
Update README.md 2014-12-03 13:46:31 -05:00			`Script to synchronize AD/LDAP users with OpenVPN config files and email user certificates and a setup guide to end users. This script is a very rudimentary hack to fill my purpose. It may or may not work for you. It could also be put to use with LDAP with minimal modification even though I wrote it for an Active Directory environment.`

Update README.md 2014-12-03 14:12:43 -05:00			`###Author:`
Updated readme 2014-12-03 14:07:34 -05:00			`Josh North 2014-12-01`
			`josh.north@point808.com`
			`Free for use and modification. Credit is appreciated if you do anything with it but nothing is required.`

Update README.md 2014-12-03 14:12:43 -05:00			`###Theory:`
Update README.md 2014-12-03 13:46:31 -05:00			Basically, the script should be run on a cron schedule. At run, it searches all users in a specified AD group. It then checks to see if subdirectories exist for the user, if not, it decides to create them. It then loops through to look for directories that do not have a corresponding user in the AD list and deletes them. It technically (at this point) does not revoke access and restart the vpn, this is IMPORTANT, because in my setup we are authenticating against AD anyway as a second layer. This is not fully secure but like I said, it is a major work in progress.

Update README.md 2014-12-03 14:12:43 -05:00			`###Requirements:`
Update README.md 2014-12-03 14:12:57 -05:00			`* Ubuntu 14+ (will likely work with plenty of other systems, but I wrote it on and for Ubuntu server)`
			`* sendmail (must be configured correctly - I used ssmtp and wrote this script as such)`
			`* sharutils`
			`* easy-rsa`
			`* ldap-utils`
			`* openvpn-auth-ldap`
Update README.md 2014-12-03 13:46:31 -05:00
Update README.md 2014-12-03 14:12:43 -05:00			`###Setup Assumptions:`
Update README.md 2014-12-03 13:46:31 -05:00			`The below instructions make the following assumptions. If you use a different setup you will need to modify accordingly.`
Update README.md 2014-12-03 14:17:30 -05:00			`1. We assume your vpn name will be vpn.example.com`
			`2. We asssume your LDAP bind root is example.com`
			`3. We assume your LDAP user/pass for bind is oas_user/oas_user`
			`4. We assume 192.168.5.0/24 is your VPN network range`
			`5. We assume you want your rsa key infrastructure to live under the OpenVPN config directory in /etc`
			`6. We assume your public IP is 66.66.66.66 - obviously this needs to be changed in the template file in the clients directory.`
			`7. We assume your local network is 192.168.1.0/24 and your Active Directory or LDAP servers reside at .21 and .22 in this network.`
			`8. We assume that you will set up a group in Active Directory called "OpenVPNUsers" - any users in this group will have files generated and emailed automatically.`
			`9. You will see other variables that reference example.com - change these accordingly`
Update README.md 2014-12-03 14:11:04 -05:00
Update README.md 2014-12-03 14:12:43 -05:00			`###Setup Instructions:`
Update README.md 2014-12-03 13:46:31 -05:00			`1. Install and configure all pre-requisites listed above`
Update README.md 2014-12-03 13:48:51 -05:00			`2. sudo git clone https://github.com/joshnorth/ovpn-ad-sync.git /tmp/ovpn-ad-sync`
			`3. sudo cp -R /usr/share/easy-rsa /etc/openvpn/rsa`
			`4. sudo cp -R /tmp/ovpn-ad-sync/`
			`5. Create openvpn server config file`
Update README.md 2014-12-03 13:46:31 -05:00			`make ldap config file`
			`edit /etc/openvpn/rsa/vars correctly`
			`in rsa dir do source ./vars, build-ca, build-dh, and build-key-server`
			`MAKE SURE you use 2048 not 1024 it will break script and i don;t care becuase it's more secure anyway`
			`copy script file to /usr/local/bin/oas.sh ansd chmod +x`
			`make directory for client files (/etc/openvpn/oas_clients)`
			`copy template file for clients into client directory`
			`edit oas.sh to iproper parameters`
			`copy user guide to client directory`
			`add to cron every 15 minutes or whatever`