From 29ff86a7abe219ccea22527e6c252584a1dc00ad Mon Sep 17 00:00:00 2001 From: Josh North Date: Wed, 3 Dec 2014 14:05:36 -0500 Subject: [PATCH] Modified server config sample directories and readme updated with assumptions and install instructions --- README.md | 13 +- oas_clients/template.ovpn | 3 +- oas_configs/suppliesunlimited.com.ldap | 61 ------- oas_configs/suppliesunlimited.com.log | 165 ------------------ oas_configs/suppliesunlimited.com.status | 8 - ...nlimited.com.conf => vpn.example.com.conf} | 14 +- oas_configs/vpn.example.com.ldap | 26 +++ oas_configs/vpn.example.com.log | 0 oas_configs/vpn.example.com.status | 0 9 files changed, 47 insertions(+), 243 deletions(-) delete mode 100644 oas_configs/suppliesunlimited.com.ldap delete mode 100644 oas_configs/suppliesunlimited.com.log delete mode 100644 oas_configs/suppliesunlimited.com.status rename oas_configs/{suppliesunlimited.com.conf => vpn.example.com.conf} (55%) create mode 100644 oas_configs/vpn.example.com.ldap create mode 100644 oas_configs/vpn.example.com.log create mode 100644 oas_configs/vpn.example.com.status diff --git a/README.md b/README.md index 3ea8123..a2d5f05 100644 --- a/README.md +++ b/README.md @@ -14,8 +14,19 @@ easy-rsa ldap-utils openvpn-auth-ldap -Setup: +Setup Assumptions: The below instructions make the following assumptions. If you use a different setup you will need to modify accordingly. +1. We assume your vpn name will be vpn.example.com +2. We asssume your LDAP bind root is example.com +3. We assume your LDAP user/pass for bind is oas_user/oas_user +4. We assume 192.168.5.0/24 is your VPN network range +5. We assume you want your rsa key infrastructure to live under the OpenVPN config directory in /etc +6. We assume your public IP is 66.66.66.66 - obviously this needs to be changed in the template file in the clients directory. +7. We assume your local network is 192.168.1.0/24 and your Active Directory or LDAP servers reside at .21 and .22 in this network. +8. We assume that you will set up a group in Active Directory called "OpenVPNUsers" - any users in this group will have files generated and emailed automatically. +9. You will see other variables that reference example.com - change these accordingly + +Setup Instructions: 1. Install and configure all pre-requisites listed above 2. sudo git clone https://github.com/joshnorth/ovpn-ad-sync.git /tmp/ovpn-ad-sync 3. sudo cp -R /usr/share/easy-rsa /etc/openvpn/rsa diff --git a/oas_clients/template.ovpn b/oas_clients/template.ovpn index 58f340a..b1a5bce 100644 --- a/oas_clients/template.ovpn +++ b/oas_clients/template.ovpn @@ -2,7 +2,8 @@ client auth-user-pass proto udp dev tun -remote 66.0.119.86 1194 +# CHANGE THIS TO MATCH YOUR SETUP PUBLIC IP ADDRESS +remote 66.66.66.66 1194 cipher AES-256-CBC user nobody group nogroup diff --git a/oas_configs/suppliesunlimited.com.ldap b/oas_configs/suppliesunlimited.com.ldap deleted file mode 100644 index ea42d6c..0000000 --- a/oas_configs/suppliesunlimited.com.ldap +++ /dev/null @@ -1,61 +0,0 @@ - -# LDAP server URL -URL ldap://192.168.1.22:389 - -# Bind DN (If your LDAP server doesn't support anonymous binds) -#BindDN uid=Administrator,ou=Users,dc=Ma**,dc=li**.local -BindDN SYS_OpenVPN@SUPPLIES.LOCAL - -# Bind Password -Password whatthefreak! - -# Network timeout (in seconds) -Timeout 15 - -# Enable Start TLS -TLSEnable no - -# Follow LDAP Referrals (anonymously) -FollowReferrals yes - -# TLS CA Certificate File -# TLSCACertFile /usr/local/etc/ssl/ca.pem - -# TLS CA Certificate Directory -#TLSCACertDir /etc/ssl/certs - -# Client Certificate and key -# If TLS client authentication is required -# TLSCertFile /usr/local/etc/ssl/client-cert.pem -# TLSKeyFile /usr/local/etc/ssl/client-key.pem - -# Cipher Suite -# The defaults are usually fine here -# TLSCipherSuite ALL:!ADH:@STRENGTH - - - - -# Base DN -#BaseDN "CN=Users,DC=test,DC=com" -BaseDN "CN=Users,DC=supplies,DC=local" - -# User Search Filter -#SearchFilter "(&(uid=%u)(accountStatus=active))" -#SearchFilter "(&(sAMAccountName=%u)(msNPAllowDialin=TRUE))" -SearchFilter "(&(sAMAccountName=%u))" - -# Require Group Membership -RequireGroup true - -# Add non-group members to a PF table (disabled) -#PFTable ips_vpn_users - - -BaseDN "cn=Users,dc=supplies,dc=local" -SearchFilter "(cn=OpenVPNUsers)" -MemberAttribute "member" -# Add group members to a PF table (disabled) -#PFTable ips_vpn_eng - - diff --git a/oas_configs/suppliesunlimited.com.log b/oas_configs/suppliesunlimited.com.log deleted file mode 100644 index feb92e6..0000000 --- a/oas_configs/suppliesunlimited.com.log +++ /dev/null @@ -1,165 +0,0 @@ -Tue Dec 2 20:08:14 2014 OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 4 2014 -Tue Dec 2 20:08:14 2014 TUN/TAP device tun1 opened -Tue Dec 2 20:08:14 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 -Tue Dec 2 20:08:14 2014 /sbin/ip link set dev tun1 up mtu 1500 -Tue Dec 2 20:08:14 2014 /sbin/ip addr add dev tun1 local 192.168.5.1 peer 192.168.5.2 -Tue Dec 2 20:08:14 2014 GID set to nogroup -Tue Dec 2 20:08:14 2014 UID set to nobody -Tue Dec 2 20:08:14 2014 UDPv4 link local (bound): [undef] -Tue Dec 2 20:08:14 2014 UDPv4 link remote: [undef] -Tue Dec 2 20:08:14 2014 Initialization Sequence Completed -Tue Dec 2 20:18:34 2014 event_wait : Interrupted system call (code=4) -RTNETLINK answers: Operation not permitted -Tue Dec 2 20:18:34 2014 ERROR: Linux route delete command failed: external program exited with error status: 2 -Tue Dec 2 20:18:34 2014 Closing TUN/TAP interface -Tue Dec 2 20:18:34 2014 /sbin/ip addr del dev tun1 local 192.168.5.1 peer 192.168.5.2 -RTNETLINK answers: Operation not permitted -Tue Dec 2 20:18:34 2014 Linux ip addr del failed: external program exited with error status: 2 -Tue Dec 2 20:18:34 2014 SIGTERM[hard,] received, process exiting -Tue Dec 2 20:20:25 2014 OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 4 2014 -Tue Dec 2 20:20:25 2014 TUN/TAP device tun1 opened -Tue Dec 2 20:20:25 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 -Tue Dec 2 20:20:25 2014 /sbin/ip link set dev tun1 up mtu 1500 -Tue Dec 2 20:20:25 2014 /sbin/ip addr add dev tun1 local 192.168.5.1 peer 192.168.5.2 -Tue Dec 2 20:20:25 2014 GID set to nogroup -Tue Dec 2 20:20:25 2014 UID set to nobody -Tue Dec 2 20:20:25 2014 UDPv4 link local (bound): [undef] -Tue Dec 2 20:20:25 2014 UDPv4 link remote: [undef] -Tue Dec 2 20:20:25 2014 Initialization Sequence Completed -Tue Dec 2 20:47:56 2014 event_wait : Interrupted system call (code=4) -RTNETLINK answers: Operation not permitted -Tue Dec 2 20:47:56 2014 ERROR: Linux route delete command failed: external program exited with error status: 2 -Tue Dec 2 20:47:56 2014 Closing TUN/TAP interface -Tue Dec 2 20:47:56 2014 /sbin/ip addr del dev tun1 local 192.168.5.1 peer 192.168.5.2 -RTNETLINK answers: Operation not permitted -Tue Dec 2 20:47:56 2014 Linux ip addr del failed: external program exited with error status: 2 -Tue Dec 2 20:47:56 2014 SIGTERM[hard,] received, process exiting -Tue Dec 2 20:47:56 2014 OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 4 2014 -Tue Dec 2 20:47:56 2014 TUN/TAP device tun1 opened -Tue Dec 2 20:47:56 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 -Tue Dec 2 20:47:56 2014 /sbin/ip link set dev tun1 up mtu 1500 -Tue Dec 2 20:47:56 2014 /sbin/ip addr add dev tun1 local 192.168.5.1 peer 192.168.5.2 -Tue Dec 2 20:47:56 2014 GID set to nogroup -Tue Dec 2 20:47:56 2014 UID set to nobody -Tue Dec 2 20:47:56 2014 UDPv4 link local (bound): [undef] -Tue Dec 2 20:47:56 2014 UDPv4 link remote: [undef] -Tue Dec 2 20:47:56 2014 Initialization Sequence Completed -Tue Dec 2 20:48:57 2014 event_wait : Interrupted system call (code=4) -RTNETLINK answers: Operation not permitted -Tue Dec 2 20:48:57 2014 ERROR: Linux route delete command failed: external program exited with error status: 2 -Tue Dec 2 20:48:57 2014 Closing TUN/TAP interface -Tue Dec 2 20:48:57 2014 /sbin/ip addr del dev tun1 local 192.168.5.1 peer 192.168.5.2 -RTNETLINK answers: Operation not permitted -Tue Dec 2 20:48:57 2014 Linux ip addr del failed: external program exited with error status: 2 -Tue Dec 2 20:48:57 2014 SIGTERM[hard,] received, process exiting -Tue Dec 2 20:48:57 2014 OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 4 2014 -Tue Dec 2 20:48:57 2014 TUN/TAP device tun1 opened -Tue Dec 2 20:48:57 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 -Tue Dec 2 20:48:57 2014 /sbin/ip link set dev tun1 up mtu 1500 -Tue Dec 2 20:48:57 2014 /sbin/ip addr add dev tun1 local 192.168.5.1 peer 192.168.5.2 -Tue Dec 2 20:48:57 2014 GID set to nogroup -Tue Dec 2 20:48:57 2014 UID set to nobody -Tue Dec 2 20:48:57 2014 UDPv4 link local (bound): [undef] -Tue Dec 2 20:48:57 2014 UDPv4 link remote: [undef] -Tue Dec 2 20:48:57 2014 Initialization Sequence Completed -Tue Dec 2 20:49:17 2014 172.56.32.233:53131 VERIFY OK: depth=1, C=US, ST=Georgia, L=Scottdale, O=Supplies Unlimited, Inc., OU=Security, CN=Supplies Unlimited, Inc. CA, name=Supplies Unlimited, Inc., emailAddress=admin@suppliesunlimited.com -Tue Dec 2 20:49:17 2014 172.56.32.233:53131 VERIFY OK: depth=0, C=US, ST=Georgia, L=Scottdale, O=Supplies Unlimited, Inc., OU=Security, CN=jdoe, name=John Doe, emailAddress=josh.north@point808.com -LDAP bind failed: Invalid credentials (80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece) -Incorrect password supplied for LDAP DN "CN=John Doe,CN=Users,DC=supplies,DC=local". -Tue Dec 2 20:49:20 2014 172.56.32.233:53131 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so -Tue Dec 2 20:49:20 2014 172.56.32.233:53131 TLS Auth Error: Auth Username/Password verification failed for peer -Tue Dec 2 20:49:20 2014 172.56.32.233:53131 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA -Tue Dec 2 20:49:20 2014 172.56.32.233:53131 [jdoe] Peer Connection Initiated with [AF_INET]172.56.32.233:53131 -Tue Dec 2 20:49:55 2014 172.56.32.233:53873 VERIFY OK: depth=1, C=US, ST=Georgia, L=Scottdale, O=Supplies Unlimited, Inc., OU=Security, CN=Supplies Unlimited, Inc. CA, name=Supplies Unlimited, Inc., emailAddress=admin@suppliesunlimited.com -Tue Dec 2 20:49:55 2014 172.56.32.233:53873 VERIFY OK: depth=0, C=US, ST=Georgia, L=Scottdale, O=Supplies Unlimited, Inc., OU=Security, CN=jdoe, name=John Doe, emailAddress=josh.north@point808.com -Tue Dec 2 20:49:56 2014 172.56.32.233:53873 TLS: Username/Password authentication succeeded for username 'jdoe' -Tue Dec 2 20:49:56 2014 172.56.32.233:53873 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key -Tue Dec 2 20:49:56 2014 172.56.32.233:53873 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication -Tue Dec 2 20:49:56 2014 172.56.32.233:53873 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key -Tue Dec 2 20:49:56 2014 172.56.32.233:53873 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication -Tue Dec 2 20:49:56 2014 172.56.32.233:53873 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA -Tue Dec 2 20:49:56 2014 172.56.32.233:53873 [jdoe] Peer Connection Initiated with [AF_INET]172.56.32.233:53873 -Tue Dec 2 20:49:56 2014 jdoe/172.56.32.233:53873 MULTI_sva: pool returned IPv4=192.168.5.6, IPv6=(Not enabled) -Tue Dec 2 20:49:57 2014 jdoe/172.56.32.233:53873 send_push_reply(): safe_cap=940 -Tue Dec 2 20:49:59 2014 172.56.32.233:61395 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) -Tue Dec 2 20:49:59 2014 172.56.32.233:61395 TLS Error: TLS handshake failed -Wed Dec 3 10:22:14 2014 216.203.6.11:4952 VERIFY OK: depth=1, C=US, ST=Georgia, L=Scottdale, O=Supplies Unlimited, Inc., OU=Security, CN=Supplies Unlimited, Inc. CA, name=Supplies Unlimited, Inc., emailAddress=admin@suppliesunlimited.com -Wed Dec 3 10:22:14 2014 216.203.6.11:4952 VERIFY OK: depth=0, C=US, ST=Georgia, L=Scottdale, O=Supplies Unlimited, Inc., OU=Security, CN=jdoe, name=John Doe, emailAddress=josh.north@point808.com -Wed Dec 3 10:22:14 2014 216.203.6.11:4952 TLS: Username/Password authentication succeeded for username 'jdoe' -Wed Dec 3 10:22:14 2014 216.203.6.11:4952 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key -Wed Dec 3 10:22:14 2014 216.203.6.11:4952 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication -Wed Dec 3 10:22:14 2014 216.203.6.11:4952 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key -Wed Dec 3 10:22:14 2014 216.203.6.11:4952 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication -Wed Dec 3 10:22:14 2014 216.203.6.11:4952 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA -Wed Dec 3 10:22:14 2014 216.203.6.11:4952 [jdoe] Peer Connection Initiated with [AF_INET]216.203.6.11:4952 -Wed Dec 3 10:22:14 2014 jdoe/216.203.6.11:4952 MULTI_sva: pool returned IPv4=192.168.5.6, IPv6=(Not enabled) -Wed Dec 3 10:22:17 2014 jdoe/216.203.6.11:4952 send_push_reply(): safe_cap=940 -Wed Dec 3 10:26:26 2014 jdoe/216.203.6.11:4952 [jdoe] Inactivity timeout (--ping-restart), restarting -Wed Dec 3 11:23:15 2014 event_wait : Interrupted system call (code=4) -RTNETLINK answers: Operation not permitted -Wed Dec 3 11:23:15 2014 ERROR: Linux route delete command failed: external program exited with error status: 2 -Wed Dec 3 11:23:15 2014 Closing TUN/TAP interface -Wed Dec 3 11:23:15 2014 /sbin/ip addr del dev tun1 local 192.168.5.1 peer 192.168.5.2 -RTNETLINK answers: Operation not permitted -Wed Dec 3 11:23:15 2014 Linux ip addr del failed: external program exited with error status: 2 -Wed Dec 3 11:23:16 2014 SIGTERM[hard,] received, process exiting -Wed Dec 3 11:25:03 2014 OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 4 2014 -Wed Dec 3 11:25:04 2014 TUN/TAP device tun1 opened -Wed Dec 3 11:25:04 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 -Wed Dec 3 11:25:04 2014 /sbin/ip link set dev tun1 up mtu 1500 -Wed Dec 3 11:25:04 2014 /sbin/ip addr add dev tun1 local 192.168.5.1 peer 192.168.5.2 -Wed Dec 3 11:25:04 2014 GID set to nogroup -Wed Dec 3 11:25:04 2014 UID set to nobody -Wed Dec 3 11:25:04 2014 UDPv4 link local (bound): [undef] -Wed Dec 3 11:25:04 2014 UDPv4 link remote: [undef] -Wed Dec 3 11:25:04 2014 Initialization Sequence Completed -Wed Dec 3 11:35:41 2014 66.45.77.53:46347 VERIFY OK: depth=1, C=US, ST=Georgia, L=Scottdale, O=Supplies Unlimited, Inc., OU=Security, CN=Supplies Unlimited, Inc. CA, name=Supplies Unlimited, Inc., emailAddress=admin@suppliesunlimited.com -Wed Dec 3 11:35:41 2014 66.45.77.53:46347 VERIFY OK: depth=0, C=US, ST=Georgia, L=Scottdale, O=Supplies Unlimited, Inc., OU=Security, CN=jnorth, name=Josh North, emailAddress=josh.north@point808.com -Wed Dec 3 11:35:45 2014 66.45.77.53:46347 TLS: Username/Password authentication succeeded for username 'jnorth' -Wed Dec 3 11:35:45 2014 66.45.77.53:46347 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key -Wed Dec 3 11:35:45 2014 66.45.77.53:46347 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication -Wed Dec 3 11:35:45 2014 66.45.77.53:46347 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key -Wed Dec 3 11:35:45 2014 66.45.77.53:46347 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication -Wed Dec 3 11:35:45 2014 66.45.77.53:46347 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA -Wed Dec 3 11:35:45 2014 66.45.77.53:46347 [jnorth] Peer Connection Initiated with [AF_INET]66.45.77.53:46347 -Wed Dec 3 11:35:45 2014 jnorth/66.45.77.53:46347 MULTI_sva: pool returned IPv4=192.168.5.6, IPv6=(Not enabled) -Wed Dec 3 11:35:48 2014 jnorth/66.45.77.53:46347 send_push_reply(): safe_cap=940 -Wed Dec 3 11:50:35 2014 jnorth/66.45.77.53:46347 [jnorth] Inactivity timeout (--ping-restart), restarting -Wed Dec 3 12:04:08 2014 24.131.37.103:55576 VERIFY OK: depth=1, C=US, ST=Georgia, L=Scottdale, O=Supplies Unlimited, Inc., OU=Security, CN=Supplies Unlimited, Inc. CA, name=Supplies Unlimited, Inc., emailAddress=admin@suppliesunlimited.com -Wed Dec 3 12:04:08 2014 24.131.37.103:55576 VERIFY OK: depth=0, C=US, ST=Georgia, L=Scottdale, O=Supplies Unlimited, Inc., OU=Security, CN=jdoe, name=John Doe, emailAddress=josh.north@point808.com -Wed Dec 3 12:04:08 2014 24.131.37.103:55576 TLS: Username/Password authentication succeeded for username 'jdoe' -Wed Dec 3 12:04:08 2014 24.131.37.103:55576 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key -Wed Dec 3 12:04:08 2014 24.131.37.103:55576 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication -Wed Dec 3 12:04:08 2014 24.131.37.103:55576 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key -Wed Dec 3 12:04:08 2014 24.131.37.103:55576 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication -Wed Dec 3 12:04:08 2014 24.131.37.103:55576 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA -Wed Dec 3 12:04:08 2014 24.131.37.103:55576 [jdoe] Peer Connection Initiated with [AF_INET]24.131.37.103:55576 -Wed Dec 3 12:04:08 2014 jdoe/24.131.37.103:55576 MULTI_sva: pool returned IPv4=192.168.5.10, IPv6=(Not enabled) -Wed Dec 3 12:04:10 2014 jdoe/24.131.37.103:55576 send_push_reply(): safe_cap=940 -Wed Dec 3 12:08:35 2014 jdoe/24.131.37.103:55576 [jdoe] Inactivity timeout (--ping-restart), restarting -Wed Dec 3 13:10:28 2014 66.0.119.82:34633 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) -Wed Dec 3 13:10:28 2014 66.0.119.82:34633 TLS Error: TLS handshake failed -Wed Dec 3 13:12:45 2014 66.0.119.82:39871 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) -Wed Dec 3 13:12:45 2014 66.0.119.82:39871 TLS Error: TLS handshake failed -Wed Dec 3 13:17:35 2014 172.56.33.123:17437 VERIFY OK: depth=1, C=US, ST=Georgia, L=Scottdale, O=Supplies Unlimited, Inc., OU=Security, CN=Supplies Unlimited, Inc. CA, name=Supplies Unlimited, Inc., emailAddress=admin@suppliesunlimited.com -Wed Dec 3 13:17:35 2014 172.56.33.123:17437 VERIFY OK: depth=0, C=US, ST=Georgia, L=Scottdale, O=Supplies Unlimited, Inc., OU=Security, CN=jnorth, name=Josh North, emailAddress=josh.north@point808.com -Wed Dec 3 13:17:35 2014 172.56.33.123:17437 TLS: Username/Password authentication succeeded for username 'jnorth' -Wed Dec 3 13:17:35 2014 172.56.33.123:17437 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key -Wed Dec 3 13:17:35 2014 172.56.33.123:17437 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication -Wed Dec 3 13:17:35 2014 172.56.33.123:17437 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key -Wed Dec 3 13:17:35 2014 172.56.33.123:17437 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication -Wed Dec 3 13:17:36 2014 172.56.33.123:17437 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA -Wed Dec 3 13:17:36 2014 172.56.33.123:17437 [jnorth] Peer Connection Initiated with [AF_INET]172.56.33.123:17437 -Wed Dec 3 13:17:36 2014 jnorth/172.56.33.123:17437 MULTI_sva: pool returned IPv4=192.168.5.6, IPv6=(Not enabled) -Wed Dec 3 13:17:37 2014 jnorth/172.56.33.123:17437 send_push_reply(): safe_cap=940 -Wed Dec 3 13:18:16 2014 172.56.33.123:58279 VERIFY OK: depth=1, C=US, ST=Georgia, L=Scottdale, O=Supplies Unlimited, Inc., OU=Security, CN=Supplies Unlimited, Inc. CA, name=Supplies Unlimited, Inc., emailAddress=admin@suppliesunlimited.com -Wed Dec 3 13:18:16 2014 172.56.33.123:58279 VERIFY OK: depth=0, C=US, ST=Georgia, L=Scottdale, O=Supplies Unlimited, Inc., OU=Security, CN=jnorth, name=Josh North, emailAddress=josh.north@point808.com -Wed Dec 3 13:18:16 2014 172.56.33.123:58279 TLS: Username/Password authentication succeeded for username 'jnorth' -Wed Dec 3 13:18:16 2014 172.56.33.123:58279 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key -Wed Dec 3 13:18:16 2014 172.56.33.123:58279 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication -Wed Dec 3 13:18:16 2014 172.56.33.123:58279 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key -Wed Dec 3 13:18:16 2014 172.56.33.123:58279 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication -Wed Dec 3 13:18:17 2014 172.56.33.123:58279 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA -Wed Dec 3 13:18:17 2014 172.56.33.123:58279 [jnorth] Peer Connection Initiated with [AF_INET]172.56.33.123:58279 -Wed Dec 3 13:18:17 2014 jnorth/172.56.33.123:58279 MULTI_sva: pool returned IPv4=192.168.5.6, IPv6=(Not enabled) -Wed Dec 3 13:18:18 2014 jnorth/172.56.33.123:58279 send_push_reply(): safe_cap=940 diff --git a/oas_configs/suppliesunlimited.com.status b/oas_configs/suppliesunlimited.com.status deleted file mode 100644 index abb2ece..0000000 --- a/oas_configs/suppliesunlimited.com.status +++ /dev/null @@ -1,8 +0,0 @@ -OpenVPN CLIENT LIST -Updated,Wed Dec 3 13:52:24 2014 -Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since -ROUTING TABLE -Virtual Address,Common Name,Real Address,Last Ref -GLOBAL STATS -Max bcast/mcast queue length,0 -END diff --git a/oas_configs/suppliesunlimited.com.conf b/oas_configs/vpn.example.com.conf similarity index 55% rename from oas_configs/suppliesunlimited.com.conf rename to oas_configs/vpn.example.com.conf index 48dd463..1d21140 100644 --- a/oas_configs/suppliesunlimited.com.conf +++ b/oas_configs/vpn.example.com.conf @@ -1,16 +1,16 @@ port 1194 proto udp -dev tun1 +dev tun0 ca /etc/openvpn/rsa/keys/ca.crt -cert /etc/openvpn/rsa/keys/suppliesunlimited.com.crt -key /etc/openvpn/rsa/keys/suppliesunlimited.com.key +cert /etc/openvpn/rsa/keys/vpn.example.com.crt +key /etc/openvpn/rsa/keys/vpn.example.com.key dh /etc/openvpn/rsa/keys/dh2048.pem server 192.168.5.0 255.255.255.0 cipher AES-256-CBC user nobody group nogroup -status /etc/openvpn/suppliesunlimited.com.status -log-append /etc/openvpn/suppliesunlimited.com.log +status /etc/openvpn/vpn.example.com.status +log-append /etc/openvpn/vpn.example.com.log verb 2 mute 20 max-clients 100 @@ -21,10 +21,10 @@ comp-lzo persist-key persist-tun float -plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/suppliesunlimited.com.ldap" +plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/vpn.example.com.ldap" push "route 192.168.1.0 255.255.255.0" push "dhcp-option DNS 192.168.1.21" push "dhcp-option DNS 192.168.1.22" -push "dhcp-option DOMAIN supplies.local" +push "dhcp-option DOMAIN example.com" replay-window 128 40 diff --git a/oas_configs/vpn.example.com.ldap b/oas_configs/vpn.example.com.ldap new file mode 100644 index 0000000..db5ea93 --- /dev/null +++ b/oas_configs/vpn.example.com.ldap @@ -0,0 +1,26 @@ + +# CHANGE THIS!!! to your AD server +URL ldap://192.168.1.22:389 +# CHANGE THIS IF YOU USE A DIFFERENT SYSTEM BIND USER +BindDN oas_user@EXAMPLE.COM +# Bind Password +Password oas_user + +# these settings should be ok +Timeout 15 +TLSEnable no +FollowReferrals yes + + +# CHANGE THIS TO MATCH YOUR DOMAIN +BaseDN "CN=Users,DC=example,DC=com" +SearchFilter "(&(sAMAccountName=%u))" +RequireGroup true + +# CHANGE THIS TO MATCH YOUR USER DN +BaseDN "cn=Users,dc=example,dc=com" +# CHANGE THIS TO MATCH YOUR OPENVPN USER GROUP +SearchFilter "(cn=OpenVPNUsers)" +MemberAttribute "member" + + diff --git a/oas_configs/vpn.example.com.log b/oas_configs/vpn.example.com.log new file mode 100644 index 0000000..e69de29 diff --git a/oas_configs/vpn.example.com.status b/oas_configs/vpn.example.com.status new file mode 100644 index 0000000..e69de29