Configure OpenVPN Server
Okay, I am just going to lay out a few things here on the front end.
There are two “modes” the OpenVPN server can run in: TAP and TUN. If you want to research the differences you can (they are significant if you have a particular need for one or the other), but as stated at the beginning of this guide, my goal is to get you the most simplistic configuration possible –WITH– Active Directory authentication. To that end, we are going to use “TUN” mode as it is, imho, a less involved setup and the overall end performance should be slightly better.
On my box I opted to use UDP, however I am reconsidering switching to TCP. For this tutorial we will stick to UDP. If you decide to switch to TCP later on, remember that in most cases you need to add explicit separate firewall rules to allow TCP traffic (if you only opened up UDP ports earlier).
Now… the general method in most tutorials is to have you copy the template server.conf file and edit it. However, for simplicity's sake I am going to have you go about it a different way.
NOTE:
If you ever need to access the example server.conf it can be found at /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz (for some reason they compress it; you can uncompress it with “gzip -d”).
In one stroke we can create an empty file and start editing it. To do so, use the following:
VIM should now be open on a blank document. Put yourself in insert mode in the text editor and copy and paste the following, verbatim, into your document.
local 192.168.20.15 #EDIT THIS LINE - ENTER THE IP OF YOUR SERVERS LOCAL INTERFACE THAT WILL SERVE OPENVPN
port 1240 #EDIT THIS LINE - ENTER THE PORT NUMBER YOU ARE GOING TO SERVE OPENVPN ON
dev tun
proto udp
comp-lzo
max-clients 50
#CERTS AND TUNNEL SECURITY
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-128-CBC
#OPENVPN DAEMON SECURITY
ifconfig-pool-persist ipp.txt
user nobody
group nogroup
persist-key
persist-tun
#CONNECTED CLIENT/IP/TRAFFIC CONFIG
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
#OPENVPN LOGGING
status openvpn-status.log
log-append openvpn.log
verb 4 #4 is considered standard for this setting, 6 is a bit verbose, 9 is max.
mute 5
#ROUTE ALL TRAFFIC THROUGH TUNNEL
#push "redirect-gateway def1 bypass-dhcp"
#push "dhcp-option DNS 192.168.20.1"
#DISABLE CERT AUTHENTICATION
#client-cert-not-required
#duplicate-cn
#PLUGIN SECTION
#LDAP (Active Directory Authentication) PLUGIN
#plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
As you can probably see from the above, you currently only need to edit the top TWO lines with your server's IP and port for OpenVPN. This configuration is KNOWN GOOD and will work with the client config I am going to provide on the next page. Go ahead and edit the IP and port numbers, then save and close the file. Then:
service openvpn restart
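As an added example (my own code, not part of the original post), a small Python linter that reads a server.conf the way OpenVPN does, including the trailing # comments used above, and flags the settings this setup depends on: the tls-auth key direction, the user/group privilege drop with persist-key/persist-tun, whether the commented-out "disable cert authentication" lines were accidentally enabled, the DH parameter size, and whether the LDAP plugin line is active. The embedded config is a trimmed copy of the one above.

```python
import re
import shlex
# Constructed copy of the page's server.conf, trimmed to the directives
# checked below; the "EDIT THIS LINE" value is left exactly as on the page.
SAMPLE_CONF = """\
local 192.168.20.15 #EDIT THIS LINE
dev tun
dh dh2048.pem
tls-auth ta.key 0
user nobody
group nogroup
persist-key
persist-tun
#client-cert-not-required
#duplicate-cn
#plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
"""

def parse_conf(text):
    """Map each active directive to its argument list (last occurrence wins).
    OpenVPN treats '#' and ';' as comment markers, also after a value."""
    opts = {}
    for raw in text.splitlines():
        lex = shlex.shlex(raw, posix=True)
        lex.commenters = "#;"          # strip full-line and trailing comments
        lex.whitespace_split = True    # keep IPs and paths as single tokens
        tokens = list(lex)
        if tokens:
            opts[tokens[0]] = tokens[1:]
    return opts

def lint(opts):
    """Return findings for the settings this page's setup depends on."""
    findings = []
    if "tls-auth" not in opts:
        findings.append("tls-auth missing: control channel has no HMAC gate")
    elif len(opts["tls-auth"]) > 1 and opts["tls-auth"][1] != "0":
        findings.append("tls-auth: server key direction should be 0, client uses 1")
    for opt in ("user", "group", "persist-key", "persist-tun"):
        if opt not in opts:
            findings.append(f"{opt} missing: user/group privilege drop needs all four")
    for opt in ("client-cert-not-required", "duplicate-cn"):
        if opt in opts:
            findings.append(f"{opt} active: per-client certificate checks are weakened")
    bits = re.search(r"\d+", (opts.get("dh") or [""])[0])
    if bits and int(bits.group()) < 2048:
        findings.append("dh: parameters shorter than 2048 bits, page uses dh2048.pem")
    if "auth-ldap" not in " ".join(opts.get("plugin", [])):
        findings.append("plugin: openvpn-auth-ldap not active, AD authentication is off")
    return findings
```

Run `lint(parse_conf(open("/etc/openvpn/server.conf").read()))` against your own file; on the page's config as written, the only finding is the still-commented LDAP plugin line.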
Just an FYI, one of the commands after the second to last reboot prevents any connection to the Linux server
That’s interesting, do you know which command or configuration item is killing the connection? I am wondering if I fat-fingered something somewhere in the write-up. It has been a while since I worked on this. I know when I was testing that VPN connectivity still worked and that the final result was “no split-tunneling” i.e. proxy client machines had all traffic forced through the VPN tunnel. What I am not sure is if I somehow broke SSH connectivity but didn’t realize it because I was working on the machine directly (i.e. not remotely via SSH).
If you can shed some light on this so I can fix the write-up that would be awesome. Hate to have anyone breaking things on their end 🙂
Thanks for the heads up!
Yeah so basically for some reason, doesn't make sense to me, adding that entry into the iptables and setting the file to load upon restart locks out any connection in. The system I implemented this in is in Azure so remote access is the only option; it's most probably a requirement to add an accept for SSH?
Adding the entry without setting the file to load upon restart doesn't cause any issues (as far as I can tell, haven't checked thoroughly enough).
great post, really love it!
greets, Wilfried
I did it but starting openvpn failed.
openvpn-auth-ldap plugin is 2.03 and downloaded using “yum instal openvpn_auth-ldap.x86_84” on CentOS 6
Thanks for this guide. I suggest copying and pasting attributes from AD directly into “/etc/openvpn/auth/auth-ldap.conf”. This was my issue. Good luck.
This saved me a ton of time. Thanks for taking the time to post it.
Just wonder is there a way to secure client certificate from being compromised and used from another PC ?
cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/
Here dh1024 should be changed to dh2048, I believe.
Great article! Helped me a lot! Little supplement: Add the following to your server.config:
push "dhcp-option DOMAIN fqdn.yourADDomain.com"
Otherwise I had to use the full name, e.g. servername.fqdn.mydomain.ch, to contact my internal infrastructure.
Thanks! Appreciate the tip as well 🙂 – Sure it will help others. OpenVPN Community Edition is honestly a bit of a bear. I finally gave up and just moved to the paid version (which is relatively cheap vs. other similar solutions), which is like a completely different product from an administrative perspective. The thing I really needed was two-factor authentication and the community edition (at the time) was very hard to get set up with this.