{"id":5454,"date":"2020-04-18T17:37:50","date_gmt":"2020-04-18T14:37:50","guid":{"rendered":"https:\/\/kifarunix.com\/?p=5454"},"modified":"2024-05-05T08:39:32","modified_gmt":"2024-05-05T05:39:32","slug":"configure-openvpn-ldap-based-authentication","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/configure-openvpn-ldap-based-authentication\/","title":{"rendered":"Configure OpenVPN LDAP Based Authentication"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1028\" height=\"565\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/04\/openvpn-ldap-auth.png\" alt=\"\" class=\"wp-image-22437\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/04\/openvpn-ldap-auth.png?v=1714887528 1028w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/04\/openvpn-ldap-auth-768x422.png?v=1714887528 768w\" sizes=\"(max-width: 1028px) 100vw, 1028px\" \/><\/figure>\n\n\n\n<p>In this guide, we are going to learn how to configure <a href=\"https:\/\/openvpn.net\/access-server-manual\/authentication-ldap\/\" target=\"_blank\" rel=\"noreferrer noopener\">OpenVPN LDAP Based Authentication<\/a>. Identification and authentication of users is usually the first step in implementing access control. 
OpenVPN supports several authentication mechanisms, so in addition to verifying the client certificate and key it can be configured to look the connecting user up in an LDAP directory, bind as that user with the password the client supplies, and admit the client only if both checks pass.<\/p>\n\n\n\n<p>LDAP authentication can also remove the need to issue an individual OpenVPN client certificate to every user: with the server directive <code>verify-client-cert none<\/code> (OpenVPN 2.4 and later, usually paired with <code>username-as-common-name<\/code> so per-client options key off the LDAP username) clients are admitted on username\/password alone. This guide keeps the per-client certificates, so a connection has to present a valid certificate and valid LDAP credentials; dropping the certificates removes that second factor, so only do so where the directory passwords are strong and the OpenVPN to LDAP traffic is protected.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#configuring-open-vpn-authentication-via-ldap\">Configuring OpenVPN Authentication via LDAP<\/a><ul><li><a href=\"#install-and-configure-open-ldap-server\">Install and Configure OpenLDAP Server<\/a><\/li><li><a href=\"#install-open-vpn-plugin-for-ldap-authentication\">Install OpenVPN plugin for LDAP authentication<\/a><\/li><li><a href=\"#configure-open-vpn-server-for-ldap-based-authentication\">Configure OpenVPN server for LDAP Based Authentication<\/a><\/li><li><a href=\"#enable-client-username-password-authentication\">Enable Client Username\/Password Authentication<\/a><\/li><li><a href=\"#verify-open-vpn-client-ldap-authentication\">Verify OpenVPN Client LDAP Authentication<\/a><\/li><li><a href=\"#related-tutorials\">Related Tutorials<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"configuring-open-vpn-authentication-via-ldap\">Configuring OpenVPN Authentication via LDAP<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-and-configure-open-ldap-server\">Install and Configure OpenLDAP Server<\/h3>\n\n\n\n<p>Install and set up an OpenLDAP server first, following the guide below;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/?s=install+and+setup+OpenLDAP+server\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Setup OpenLDAP Server on Linux<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" 
id=\"install-open-vpn-plugin-for-ldap-authentication\">Install OpenVPN plugin for LDAP authentication<\/h3>\n\n\n\n<p>To configure OpenVPN authentication via LDAP, you need to install the OpenVPN plugin for LDAP authentication. The plugin is called <code>openvpn-auth-ldap<\/code> and it implements username\/password authentication via LDAP for OpenVPN.<\/p>\n\n\n\n<p>On CentOS 7, you need the EPEL repos to install the plugin;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>yum install epel-release<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>yum install openvpn-auth-ldap<\/code><\/pre>\n\n\n\n<p>On Ubuntu systems;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install openvpn-auth-ldap<\/code><\/pre>\n\n\n\n<p>On CentOS 8, unfortunately, the EPEL repos don&#8217;t provide this package as of this writing.<\/p>\n\n\n\n<p>In this demo, we are running the OpenVPN server on a CentOS 7 system.<\/p>\n\n\n\n<p>After the installation of the <code><strong>openvpn-auth-ldap<\/strong><\/code> package, the plugin library is installed under the <code>\/usr\/lib64\/openvpn<\/code> directory; on CentOS 7 the full path is <code>\/usr\/lib64\/openvpn\/plugin\/lib\/openvpn-auth-ldap.so<\/code>, which is the path the OpenVPN server configuration has to reference later.<\/p>\n\n\n\n<p>On Debian and Ubuntu the library is installed under <code><strong>\/usr\/lib\/openvpn<\/strong><\/code> instead.<\/p>\n\n\n\n<p>The CentOS package also installs the OpenVPN LDAP authentication configuration file, <code><strong>\/etc\/openvpn\/auth\/ldap.conf<\/strong><\/code>.<\/p>\n\n\n\n<p>On Ubuntu systems, you will find the sample OpenVPN LDAP auth configuration under;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/usr\/share\/doc\/openvpn-auth-ldap\/examples\/auth-ldap.conf<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-open-vpn-server-for-ldap-based-authentication\">Configure OpenVPN server for LDAP Based Authentication<\/h3>\n\n\n\n<p>Once you have the plugin in place, the next step is to configure the OpenVPN server for LDAP based authentication.<\/p>\n\n\n\n<p>Open the OpenVPN LDAP based authentication 
configuration file and define your OpenLDAP server specifics;<\/p>\n\n\n\n<p>Create a backup of the configuration first (the brace expansion <code>ldap.conf{,.old}<\/code> expands to <code>ldap.conf<\/code> and <code>ldap.conf.old<\/code>).<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cp \/etc\/openvpn\/auth\/ldap.conf{,.old}<\/code><\/pre>\n\n\n\n<p>If the directory\/file doesn&#8217;t exist, simply create one;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>mkdir \/etc\/openvpn\/auth<\/code><\/pre>\n\n\n\n<p>Once that is done, copy the sample configuration file;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cp \/usr\/share\/doc\/openvpn-auth-ldap\/examples\/auth-ldap.conf \/etc\/openvpn\/auth\/ldap.conf<\/code><\/pre>\n\n\n\n<p>Next, open the configuration file for editing.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/openvpn\/auth\/ldap.conf<\/code><\/pre>\n\n\n\n<p>Below is our sample configuration (with no commented lines) as per our OpenLDAP server setup. Make your appropriate configurations;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code><LDAP>\n\tURL\t\tldap:\/\/ldapmaster.kifarunix-demo.com\n\tBindDN\t\tcn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\n\tPassword\tP@ssW0rd\n\tTimeout\t\t15\n\tTLSEnable\tno\n\tFollowReferrals no\n<\/LDAP>\n<Authorization>\n\tBaseDN\t\t\"ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\"\n\tSearchFilter\t\"(uid=%u)\"\n\tRequireGroup\tfalse\n<\/Authorization>\n<\/code><\/pre>\n\n\n\n<p>The plugin first binds as <code>BindDN<\/code> and searches <code>BaseDN<\/code> with <code>SearchFilter<\/code> (<code>%u<\/code> is the username the client typed) to find the user&#8217;s entry; it then binds to the directory again as that entry&#8217;s DN with the password the client supplied. The login fails if no entry matches or the second bind is refused.<\/p>\n\n\n\n<p>Two settings in this file matter for security. <code>TLSEnable no<\/code> with an <code>ldap:\/\/<\/code> URL means every VPN user&#8217;s password crosses the network in cleartext when the plugin binds as that user; unless the OpenVPN and LDAP servers are the same host, set <code>TLSEnable yes<\/code> (StartTLS) and point <code>TLSCACertFile<\/code> at the CA that issued the LDAP server certificate, or use an <code>ldaps:\/\/<\/code> URL. The file also stores the bind password of the read-only account, so keep it readable by root only (<code>chmod 600 \/etc\/openvpn\/auth\/ldap.conf<\/code>) and do not use an administrative DN as <code>BindDN<\/code>; the account only needs to search for user entries and read group membership.<\/p>\n\n\n\n<p>In regards to group authorization, if you want to enforce more fine grained OpenVPN access control such that only specific users authenticating via OpenLDAP can connect to the OpenVPN server, you can utilize OpenLDAP group membership.<\/p>\n\n\n\n<p>For example, in our OpenLDAP server, we have a VPN only group which contains only the users that are allowed to connect to the OpenVPN server. On the LDAP server itself;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapsearch -Y EXTERNAL -H ldapi:\/\/\/ -b ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com -LLL -Q \"(cn=vpnonly)\"<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>dn: 
cn=vpnonly,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: groupOfNames\ncn: vpnonly\nmember: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nmember: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\n<\/code><\/pre>\n\n\n\n<p>See how to create OpenLDAP group membership by following the guide below;<\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/how-to-create-openldap-member-groups\/\" target=\"_blank\">How to Create OpenLDAP Member Groups<\/a><\/p>\n\n\n\n<p>Therefore, to enforce group membership, set the value of the <strong><code>RequireGroup<\/code><\/strong> option to true and add a <code>&lt;Group&gt;<\/code> section so that your configuration looks like;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code><LDAP>\n\tURL\t\tldap:\/\/ldapmaster.kifarunix-demo.com\n\tBindDN\t\tcn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\n\tPassword\tP@ssW0rd\n\tTimeout\t\t15\n\tTLSEnable\tno\n\tFollowReferrals no\n<\/LDAP>\n<Authorization>\n\tBaseDN\t\t\"ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\"\n\tSearchFilter\t\"(uid=%u)\"\n\tRequireGroup\ttrue\n\t<Group>\n\t\tBaseDN\t\t\"ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\"\n\t\tSearchFilter\t\"(cn=vpnonly)\"\n\t\tMemberAttribute\tmember\n\t<\/Group>\n<\/Authorization>\n<\/code><\/pre>\n\n\n\n<p>Inside <code>&lt;Group&gt;<\/code>, <code>SearchFilter<\/code> selects the group entry itself (not the users), and <code>MemberAttribute<\/code> names the attribute of that entry that lists the members. The attribute must match the group&#8217;s object class: <code>member<\/code> for <code>groupOfNames<\/code>, which is what the ldapsearch output above shows, or <code>uniqueMember<\/code> for <code>groupOfUniqueNames<\/code>. The plugin compares the DN found by the user search against the values of that attribute, so the group must list full user DNs, as ours does. A filter such as <code>memberOf=...<\/code> under the groups base, or the wrong member attribute, makes the group lookup match nothing, and with <code>RequireGroup true<\/code> every login is then rejected.<\/p>\n\n\n\n<p>In this case, only the users <strong>koromicha<\/strong> and <strong>johndoe<\/strong> can connect to the OpenVPN server; any other directory user is refused at the group check even with a correct password.<\/p>\n\n\n\n<p>Save and exit the configuration after making your appropriate changes.<\/p>\n\n\n\n<p>Next, configure the OpenVPN server to use OpenLDAP for authentication by adding the line below to the OpenVPN server configuration file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>plugin \/usr\/lib64\/openvpn\/plugin\/lib\/openvpn-auth-ldap.so \/etc\/openvpn\/auth\/ldap.conf<\/code><\/pre>\n\n\n\n<p>You can simply add this line to the OpenVPN server configuration file as 
follows;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo \"plugin \/usr\/lib64\/openvpn\/plugin\/lib\/openvpn-auth-ldap.so \/etc\/openvpn\/auth\/ldap.conf\" &gt;&gt; \/etc\/openvpn\/server\/server.conf<\/code><\/pre>\n\n\n\n<p><strong>Be sure to set the correct path to the module.<\/strong> For example, on Ubuntu 18.04\/20.04, the path is <code><strong>\/usr\/lib\/openvpn\/openvpn-auth-ldap.so<\/strong><\/code>.<\/p>\n\n\n\n<p>Hence, the line would look like;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>plugin <strong>\/usr\/lib\/openvpn\/openvpn-auth-ldap.so<\/strong> \/etc\/openvpn\/auth\/ldap.conf<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"enable-client-username-password-authentication\">Enable Client Username\/Password Authentication<\/h3>\n\n\n\n<p>Next, edit the client configuration file to include the <strong>auth-user-pass<\/strong>&nbsp;directive, so that the client prompts for a username and password and sends them to the server for the LDAP check.<\/p>\n\n\n\n<p>For example, this is our sample client configuration file based on our OpenVPN server setup. Keep <code>auth-nocache<\/code> as well: without it the client holds the LDAP password in memory so that it can re-authenticate on renegotiation.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>client\ntls-client\npull\ndev tun\nproto udp\nremote 192.168.2.132 1194\nresolv-retry infinite\nnobind\n#user nobody\n#group nogroup\npersist-key\npersist-tun\nkey-direction 1\nremote-cert-tls server\ncomp-lzo\nverb 3\nauth-nocache\ndhcp-option DNS 8.8.8.8\ndhcp-option DNS 10.8.0.1\nauth SHA512\nauth-user-pass\ntls-auth \/home\/johndoe\/ta-key\nca \/home\/johndoe\/ca.crt\ncert \/home\/johndoe\/johndoe.crt\nkey \/home\/johndoe\/johndoe.key\n<\/code><\/pre>\n\n\n\n<p>Restart the OpenVPN server service so that the plugin line is loaded;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart openvpn-server@server<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"verify-open-vpn-client-ldap-authentication\">Verify OpenVPN Client LDAP Authentication<\/h3>\n\n\n\n<p>Our configuration is now done. 
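<\/p>\n\n\n\n<p>Before testing from a client it is worth reproducing the plugin&#8217;s two lookups with <code>ldapsearch<\/code>, so that an <code>AUTH_FAILED<\/code> can be traced to the user search, the group search or the password without guessing from OpenVPN logs. The script below is an added example written for this guide; it is not part of the original post nor of the openvpn-auth-ldap project. It assumes the LDAP URL, read-only bind DN, base DNs and the <code>vpnonly<\/code> group from the configuration above, and that the bind password has been saved (without a trailing newline) in <code>\/etc\/openvpn\/auth\/ldap.pass<\/code>, an assumed path used so the password does not show up in <code>ps<\/code>. It goes slightly beyond what the plugin itself does in two ways that matter when you script this by hand: it escapes the username before placing it in the filter, and it unfolds the continuation lines <code>ldapsearch<\/code> emits for long DNs.<\/p>\n

```shell
#!/bin/sh
# Added example for this guide (not from the original post or from openvpn-auth-ldap):
# reproduce the plugin's authorization steps with ldapsearch so that an AUTH_FAILED
# can be traced to the user search, the group search or the password.
# Values below are assumed from the guide's ldap.conf; the password file path is assumed.
LDAP_URI="${LDAP_URI:-ldap://ldapmaster.kifarunix-demo.com}"
BIND_DN="${BIND_DN:-cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com}"
BIND_PW_FILE="${BIND_PW_FILE:-/etc/openvpn/auth/ldap.pass}"   # create with printf '%s' so no newline
USER_BASE="ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"
GROUP_BASE="ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com"
GROUP_CN="vpnonly"
MEMBER_ATTR="member"   # groupOfNames; use uniqueMember for groupOfUniqueNames

# Escape the characters RFC 4515 reserves in filter values, so a username such as
# 'a)(uid=*' cannot widen the search. Backslash is handled first so the escapes
# introduced afterwards are not escaped again.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# ldapsearch folds attribute lines longer than 76 columns onto continuation lines
# that start with one space; join them back so DN comparisons see whole values.
# (Base64 "attr::" lines are not decoded; DNs in this guide are plain ASCII.)
ldif_unwrap() {
  printf '%s\n' "$1" | awk '
    /^ / { buf = buf substr($0, 2); next }
    { if (started) print buf; buf = $0; started = 1 }
    END { if (started) print buf }'
}

# Step 1 (the <Authorization> SearchFilter): the username must resolve to exactly
# one entry. Prints that entry's DN; prints nothing for zero or several matches.
user_dn_from_ldif() {
  ldif_unwrap "$1" | awk '/^dn: / { n++; dn = substr($0, 5) } END { if (n == 1) print dn }'
}

# Step 2 (the <Group> block): the DN from step 1 must be listed in the group's
# member attribute. $1 = group LDIF, $2 = member attribute, $3 = user DN.
# A case-insensitive string compare is adequate for DNs the same directory
# produced; it is not full DN normalisation.
dn_in_group_ldif() {
  ldif_unwrap "$1" | awk -v attr="$2" -v dn="$3" '
    index($0, attr ": ") == 1 && tolower(substr($0, length(attr) + 3)) == tolower(dn) { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Live check against the directory (needs openldap-clients / ldap-utils).
# Step 3, binding as the user with the VPN password, is left to the command
# printed on ALLOW so the password is never placed on this script's command line.
check_vpn_user() {
  filter="(uid=$(ldap_filter_escape "$1"))"
  users=$(ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" -b "$USER_BASE" "$filter" dn) || return 2
  dn=$(user_dn_from_ldif "$users")
  if [ -z "$dn" ]; then echo "DENY: $filter matched zero or several entries under $USER_BASE" >&2; return 1; fi
  group=$(ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" -b "$GROUP_BASE" "(cn=$GROUP_CN)" "$MEMBER_ATTR") || return 2
  if ! dn_in_group_ldif "$group" "$MEMBER_ATTR" "$dn"; then echo "DENY: $dn is not a $MEMBER_ATTR of cn=$GROUP_CN" >&2; return 1; fi
  echo "ALLOW: $dn is in cn=$GROUP_CN; now test the password with:"
  echo "  ldapsearch -x -H $LDAP_URI -D '$dn' -W -b '$dn' -s base dn"
}

# Usage (on a host that can reach the directory): check_vpn_user johndoe
```

<p>A <code>DENY<\/code> maps directly onto the plugin&#8217;s steps: no match means the <code>BaseDN<\/code> or <code>SearchFilter<\/code> is wrong, and not a member means the group name, its <code>MemberAttribute<\/code> or the member DNs do not line up with the user entry. An <code>ALLOW<\/code> followed by a refused bind as the user&#8217;s own DN leaves only the password itself to check. The helper functions operate on captured LDIF text, so they can also be exercised offline against the group entry shown earlier.<\/p>\n\n\n\n<p>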
To verify that all is well, initiate an OpenVPN connection on the client;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo openvpn johndoe.ovpn<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>Sat Apr 18 08:50:11 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH\/PKTINFO] [AEAD] built on Nov 1 2019\nSat Apr 18 08:50:11 2020 library versions: OpenSSL 1.1.1 FIPS 11 Sep 2018, LZO 2.08\nEnter Auth Username: johndoe\nEnter Auth Password: *************\n...\nSat Apr 18 08:50:26 2020 \/sbin\/ip addr add dev tun0 10.8.0.60\/24 broadcast 10.8.0.255\nSat Apr 18 08:50:26 2020 \/sbin\/ip route add 192.168.2.132\/32 via 10.0.2.2\nSat Apr 18 08:50:26 2020 \/sbin\/ip route add 0.0.0.0\/1 via 10.8.0.1\nSat Apr 18 08:50:26 2020 \/sbin\/ip route add 128.0.0.0\/1 via 10.8.0.1\nSat Apr 18 08:50:26 2020 Initialization Sequence Completed\n<\/code><\/pre>\n\n\n\n<p>If the authentication fails, the client receives <code>AUTH_FAILED<\/code> from the server and exits. The message carries no reason, so the cause has to be read on the server side;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>...\nSat Apr 18 08:53:36 2020 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)\nSat Apr 18 08:53:36 2020 AUTH: Received control message: AUTH_FAILED\nSat Apr 18 08:53:36 2020 SIGTERM[soft,auth-failure] received, process exiting\n<\/code><\/pre>\n\n\n\n<p>On the OpenVPN server, follow the log (the path depends on the <code>log<\/code> directive in <code>server.conf<\/code>; without one, OpenVPN logs to syslog or the systemd journal). For a successful login you will see the plugin being called and returning <code>status=0<\/code>, followed by the address assignment;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tail -f \/var\/log\/openvpn\/openvpn.log<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>...\n192.168.56.1:53489 [johndoe] Peer Connection Initiated with [AF_INET]192.168.56.1:53489\njohndoe\/192.168.56.1:53489 OPTIONS IMPORT: reading client specific options from: \/etc\/openvpn\/ccd\/johndoe\njohndoe\/192.168.56.1:53489 PLUGIN_CALL: POST \/usr\/lib64\/openvpn\/plugin\/lib\/openvpn-auth-ldap.so\/PLUGIN_CLIENT_CONNECT status=0\njohndoe\/192.168.56.1:53489 OPTIONS IMPORT: reading client specific options from: \/tmp\/openvpn_cc_565148162b7cd88618c8c5e6efba7007.tmp\njohndoe\/192.168.56.1:53489 MULTI: Learn: 10.8.0.60 -> 
johndoe\/192.168.56.1:53489\njohndoe\/192.168.56.1:53489 MULTI: primary virtual IP for johndoe\/192.168.56.1:53489: 10.8.0.60\njohndoe\/192.168.56.1:53489 PUSH: Received control message: 'PUSH_REQUEST'\n<\/code><\/pre>\n\n\n\n<p>Now try to connect to the OpenVPN server as <code>janedoe<\/code>, who is not in the allowed <code><strong>vpnonly<\/strong><\/code> group. The connection is rejected at the group check regardless of whether her directory password is correct, which is exactly what <code>RequireGroup true<\/code> is meant to enforce.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo openvpn janedoe.ovpn<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>Sat Apr 18 10:00:05 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH\/PKTINFO] [AEAD] built on Nov 1 2019\nSat Apr 18 10:00:05 2020 library versions: OpenSSL 1.1.1 FIPS 11 Sep 2018, LZO 2.08\nEnter Auth Username: janedoe\nEnter Auth Password: **************\n...\nSat Apr 18 10:00:19 2020 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)\nSat Apr 18 10:00:19 2020 AUTH: Received control message: AUTH_FAILED\nSat Apr 18 10:00:19 2020 SIGTERM[soft,auth-failure] received, process exiting\n<\/code><\/pre>\n\n\n\n<p>Great. 
You have successfully configured your OpenVPN clients to authenticate via OpenLDAP server.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"related-tutorials\">Related Tutorials<\/h3>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/assign-static-ip-addresses-for-openvpn-clients\/\" target=\"_blank\">Assign Static IP Addresses for OpenVPN Clients<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/connect-to-openvpn-using-network-manager-on-centos-8-ubuntu-18-04\/\" target=\"_blank\">Connect to OpenVPN using Network Manager on CentOS 8\/Ubuntu 18.04<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/setup-openvpn-server-on-centos-8\/\" target=\"_blank\">Setup OpenVPN Server on CentOS 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/setup-ipsec-vpn-using-strongswan-on-debian-10\/\" target=\"_blank\" rel=\"noreferrer noopener\">Setup IPSEC VPN using StrongSwan on Debian 10<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, we are going to learn how to configure OpenVPN LDAP Based Authentication. 
Identification and authentication of users is usually the first step<\/p>\n","protected":false},"author":1,"featured_media":22437,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,1099,282],"tags":[1452,1451,1450,1453],"class_list":["post-5454","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-openldap","category-openvpn","tag-openvpn-auth-user-pass","tag-openvpn-authentication","tag-openvpn-ldap-authentication","tag-openvpn-ldap-plugins","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5454"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=5454"}],"version-history":[{"count":14,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5454\/revisions"}],"predecessor-version":[{"id":22439,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5454\/revisions\/22439"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/22437"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=5454"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=5454"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=5454"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}