Step 1-: Install the OpenVPN and OpenLDAP packages.

$ sudo apt-get update
$ sudo apt-get install -y openvpn easy-rsa openvpn-auth-ldap dnsmasq slapd ldap-utils phpldapadmin

slapd is the OpenLDAP server itself; its installer prompts for the directory administrator password, which is needed again in Step 6. openvpn-auth-ldap is the plugin that lets OpenVPN check usernames and passwords against that directory.

The example server configuration file needs to be extracted to /etc/openvpn so we can incorporate it into our setup. The directory is root-owned, so the redirect has to run under sudo:

$ gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf >/dev/null

Step 2-: Configure the OpenVPN server configuration

Open /etc/openvpn/server.conf

There are several changes to make in this file:

    1. Change dh dh1024.pem to dh dh2048.pem (the file is generated in Step 4).
    2. Uncomment the redirect-gateway push so that all client traffic goes through the VPN. Change

;push "redirect-gateway def1 bypass-dhcp"

to

push "redirect-gateway def1 bypass-dhcp"

    3. Uncomment both user nobody and group nogroup so the daemon drops root privileges once the tunnel and key files are open. It should look like this when done:
    user nobody
    group nogroup
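For reference, here is what the edited server.conf ends up containing once Steps 2, 4 and 5 are done. This is an added example, not the file from the original guide; it assumes the defaults used throughout (port 1194, the sample's 10.8.0.0/24 tunnel subnet, certificate files copied to /etc/openvpn, and the plugin path installed by Ubuntu's openvpn-auth-ldap package). The last three directives are what actually turns on LDAP password authentication; the shipped sample does not contain them.

```conf
# Added example, not the file from the original guide: the directives that matter in
# /etc/openvpn/server.conf once Steps 2, 4 and 5 are complete. Everything else in the
# shipped sample can stay at its default. Assumed values: port 1194, the sample's
# 10.8.0.0/24 tunnel subnet, certificates copied to /etc/openvpn, and the plugin path
# installed by Ubuntu's openvpn-auth-ldap package.
port 1194
# proto must match the client side; the sample file defaults to udp
proto udp
dev tun

# Step 4 output
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

server 10.8.0.0 255.255.255.0
# Step 2: send all client traffic through the tunnel
push "redirect-gateway def1 bypass-dhcp"
# Assumption: dnsmasq is configured to answer on the server's tunnel address
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120

# Step 2: drop root privileges after the tunnel and key files are opened
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

# Step 5: authenticate with the LDAP plugin. Clients carry no certificate, so the
# LDAP bind is the whole client authentication and the username becomes the
# session's common name. OpenVPN 2.4 introduced verify-client-cert none; older
# releases use client-cert-not-required instead.
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
verify-client-cert none
username-as-common-name
```

With verify-client-cert none the server certificate is the only thing protecting the LDAP password in transit, which is why the client side must insist on a certificate issued for server use (see the client configuration at the end).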
    

 

Step 3-: Packet Forwarding

Traffic from client devices has to be forwarded out to the Internet; otherwise it stops at the server. Enable packet forwarding for the running kernel with:

$ sudo sysctl -w net.ipv4.ip_forward=1

To make the setting survive a reboot, open /etc/sysctl.conf:

$ sudo nano /etc/sysctl.conf

Uncomment net.ipv4.ip_forward. It should look like this when done:

net.ipv4.ip_forward=1

Forwarding alone is not enough once redirect-gateway is pushed: replies from the Internet cannot find their way back to the private 10.8.0.0/24 tunnel addresses unless the server also masquerades (NATs) that subnet on its uplink interface.
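The following script, an added example rather than anything from the original guide, persists the sysctl setting and adds the NAT rules that redirect-gateway needs. File paths, the VPN subnet and the uplink interface are parameters so the functions can be checked against a scratch file; 10.8.0.0/24 is the subnet from the sample server.conf and eth0 is an assumed uplink name. The function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original guide): make IPv4 forwarding persistent and
# add the NAT rules that redirect-gateway needs. File paths, subnet and interface are
# parameters; 10.8.0.0/24 is the sample server.conf subnet and eth0 is an assumed uplink.

# Succeed only if the given sysctl file has an active (uncommented) net.ipv4.ip_forward=1.
forwarding_persisted() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Uncomment or rewrite an existing net.ipv4.ip_forward line, or append one if absent.
persist_forwarding() {
    f=$1
    if grep -Eq '^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$f"; then
        sed -i -E 's/^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*$/net.ipv4.ip_forward=1/' "$f"
    else
        printf 'net.ipv4.ip_forward=1\n' >> "$f"
    fi
}

# Print the iptables commands that masquerade client traffic from the VPN subnet out of
# the uplink interface and allow the forwarded flows in both directions.
nat_rules() {
    subnet=$1
    iface=$2
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$subnet" "$iface"
    printf 'iptables -A FORWARD -i tun0 -o %s -s %s -j ACCEPT\n' "$iface" "$subnet"
    printf 'iptables -A FORWARD -i %s -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT\n' "$iface"
}

# Apply everything for real only when explicitly asked (needs root):
#   sudo env APPLY_VPN_FORWARDING=1 UPLINK_IFACE=eth0 sh forwarding.sh
if [ "${APPLY_VPN_FORWARDING:-}" = 1 ]; then
    sysctl -w net.ipv4.ip_forward=1
    persist_forwarding /etc/sysctl.conf
    nat_rules 10.8.0.0/24 "${UPLINK_IFACE:-eth0}" | sh -ex
fi
```

The iptables rules are not persistent across reboots on their own; save them with iptables-persistent or an equivalent after confirming the tunnel works.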

Step 4-: Build the CA and the server certificate with Easy-RSA

OpenVPN uses TLS: the CA certificate lets clients verify that they are talking to the real server, and the server's certificate and key are used to negotiate the session keys that encrypt the tunnel. The Easy-RSA scripts read their settings from vars in the current shell and write under /etc/openvpn, so do this part in a root shell:

$ sudo -i

First copy over the Easy-RSA generation scripts.

# cp -r /usr/share/easy-rsa/ /etc/openvpn

Then make the key storage directory.

# mkdir /etc/openvpn/easy-rsa/keys

Generate the Diffie-Hellman parameters; this can take several minutes.

# openssl dhparam -out /etc/openvpn/dh2048.pem 2048

Work directly out of the directory the scripts were copied to, and load the Easy-RSA settings (check that vars sets KEY_SIZE=2048 and adjust the KEY_* organisation defaults before sourcing it):

# cd /etc/openvpn/easy-rsa
# . ./vars

Clear the working directory of any old keys to make way for the new ones. This deletes everything under keys/, so never run it again once the CA is in use.

# ./clean-all

Build the certificate authority (CA); the script invokes OpenSSL for you.

# ./build-ca

Generate a certificate and key for the server. build-key-server marks the certificate for server use (nsCertType server and extendedKeyUsage serverAuth), which is what the client checks with remote-cert-tls server.

# ./build-key-server server

Copy the server certificate and keys into place and make sure the private key is readable by root only.

# cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn
# chmod 600 /etc/openvpn/server.key

Restart the OpenVPN server. The Debian/Ubuntu package runs one instance per configuration file, so the unit for server.conf is openvpn@server.

# systemctl restart openvpn@server
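Before restarting, it is worth confirming that what Easy-RSA produced is what the clients will expect. The script below is an added example and not part of the original guide; its function names are my own, every path is an argument, and the defaults at the bottom are the /etc/openvpn locations used above. It checks that the server certificate chains to the CA, that it is marked for server use (otherwise a client with remote-cert-tls server refuses it), that the private key is not world-readable, and that key and certificate actually belong together.

```shell
#!/bin/sh
# Added example (not part of the original guide): sanity checks on the Easy-RSA output
# before restarting the server. All paths are arguments; the defaults at the bottom
# are the /etc/openvpn locations used in this guide. Function names are my own.

# 0 if the server certificate chains to the CA, which is what every client verifies.
cert_chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the certificate carries extendedKeyUsage serverAuth; build-key-server adds it,
# and a client using remote-cert-tls server refuses to connect without it.
cert_is_server() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' | grep -q 'TLS Web Server Authentication'
}

# 0 if the private key is readable by its owner only (mode 600 or 400).
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# 0 if the RSA key and certificate share the same modulus, i.e. belong together.
key_matches_cert() {
    km=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    cm=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$km" ] && [ "$km" = "$cm" ]
}

# Run all four checks, naming the first one that fails; 0 only if everything passes.
check_server_material() {
    ca=$1; crt=$2; key=$3
    cert_chain_ok "$ca" "$crt"     || { echo "FAIL: $crt does not chain to $ca"; return 1; }
    cert_is_server "$crt"          || { echo "FAIL: $crt lacks serverAuth extendedKeyUsage"; return 1; }
    key_is_private "$key"          || { echo "FAIL: $key is readable by others (chmod 600 it)"; return 1; }
    key_matches_cert "$key" "$crt" || { echo "FAIL: $key does not match $crt"; return 1; }
    echo "OK: $crt, $key and $ca are consistent"
}

# Usage: sh check-server-material.sh check [ca.crt server.crt server.key]
if [ "${1:-}" = "check" ]; then
    check_server_material "${2:-/etc/openvpn/ca.crt}" "${3:-/etc/openvpn/server.crt}" "${4:-/etc/openvpn/server.key}"
fi
```

Run it as root with the check argument after the cp and chmod above; a FAIL on the key permission check is the usual finding, because cp preserves the mode Easy-RSA created the file with.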

Step 5-: Configure OpenVPN to authenticate against OpenLDAP.

Create a directory for the OpenVPN LDAP plugin configuration

$ sudo mkdir /etc/openvpn/auth

Copy the default auth-ldap.conf file

$ sudo cp /usr/share/doc/openvpn-auth-ldap/examples/auth-ldap.conf /etc/openvpn/auth

Open auth-ldap.conf and make it match the configuration below. The file is divided into <LDAP>, <Authorization> and <Group> sections. The plugin first searches the directory using SearchFilter (with %u replaced by the username the VPN client sent), then binds as the DN it found using the password the client sent; a successful bind is the authentication, so the user entry must carry a userPassword.

$ sudo vi /etc/openvpn/auth/auth-ldap.conf

<LDAP>
        # LDAP server URL
        URL             ldap://localhost:389

        # Optional bind credentials for the user search; without them the search
        # is anonymous, which the default slapd ACLs allow. If you set a Password,
        # chmod 600 this file.
        # BindDN        cn=admin,dc=example,dc=com
        # Password      secret

        # Network timeout (in seconds)
        Timeout         15

        # Enable StartTLS
        TLSEnable       no

        # Follow LDAP referrals (anonymously)
        FollowReferrals yes

        # TLS CA certificate file
        TLSCACertFile   /usr/local/etc/ssl/ca.pem

        # TLS CA certificate directory
        TLSCACertDir    /etc/ssl/certs

        # Client certificate and key, if TLS client authentication is required
        TLSCertFile     /usr/local/etc/ssl/client-cert.pem
        TLSKeyFile      /usr/local/etc/ssl/client-key.pem
</LDAP>

<Authorization>
        # Base DN
        BaseDN          "dc=example,dc=com"

        # User search filter; %u is replaced with the username typed into the VPN client
        SearchFilter    "(&(cn=%u))"

        # Require group membership
        RequireGroup    false

        # Evaluated only when RequireGroup is true
        <Group>
                BaseDN          "dc=example,dc=com"
                SearchFilter    "(|(cn=developers)(cn=artists))"
                MemberAttribute uniqueMember
        </Group>
</Authorization>

Two settings deserve attention. TLSEnable no sends the user's password to the directory in the clear, which is acceptable only because the directory is on the same host (ldap://localhost:389); if URL points at a remote server, turn StartTLS on and give TLSCACertFile a CA that the directory's certificate chains to. RequireGroup false means every entry the search matches may connect; the <Group> section is ignored until RequireGroup is set to true, after which only users listed by full DN in the uniqueMember attribute of the groupOfUniqueNames entries cn=developers or cn=artists get in.
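A quick way to debug "auth failed" is to reproduce the plugin's search with ldapsearch before going through the VPN at all. The script below is an added example and not part of the original guide or of openvpn-auth-ldap; the function names are my own, and the URL, base DN and filter defaults are the values from the auth-ldap.conf above. Because %u is replaced by whatever the client typed, the helper escapes the username as RFC 4515 requires, so a name such as *)(uid=* stays inside one assertion instead of rewriting the filter; the last function checks that the search yields exactly one entry, since the plugin needs a single DN to bind as.

```shell
#!/bin/sh
# Added example (not part of the original guide): reproduce the plugin's user search with
# ldapsearch so the SearchFilter can be checked before testing through the VPN. The
# plugin substitutes the username typed into the VPN client for %u, so this helper
# escapes it as RFC 4515 requires. Function names are my own; the URL, base DN and
# filter defaults are the values from the auth-ldap.conf above.

# Escape an LDAP filter assertion value (RFC 4515): backslash first, then * ( ).
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Replace every %u in a SearchFilter template with the escaped username.
ldap_filter() {
    template=$1
    user=$(ldap_escape "$2")
    ph='%u'
    out=''
    while [ "$template" != "${template#*"$ph"}" ]; do
        out="$out${template%%"$ph"*}$user"
        template=${template#*"$ph"}
    done
    printf '%s\n' "$out$template"
}

# Run the same search the plugin performs and print the matching DN(s). The plugin then
# binds as that DN with the password the client supplied, so the entry must have a
# userPassword; add -D <dn> -W to ldapsearch to confirm a password the same way.
ldap_lookup() {
    url=$1; base=$2; filter=$3
    ldapsearch -x -LLL -H "$url" -b "$base" "$filter" dn
}

# 0 only if the search output names exactly one entry; several matches or none mean
# the plugin cannot decide which DN to bind as.
one_match() {
    [ "$(printf '%s\n' "$1" | grep -c '^dn: ')" = 1 ]
}

# Usage: sh check-ldap-user.sh <username> [ldap-url] [base-dn] [filter-template]
if [ -n "${1:-}" ]; then
    f=$(ldap_filter "${4:-(&(cn=%u))}" "$1")
    echo "filter: $f"
    result=$(ldap_lookup "${2:-ldap://localhost:389}" "${3:-dc=example,dc=com}" "$f")
    printf '%s\n' "$result"
    one_match "$result" && echo "OK: exactly one entry"
fi
```

If the filter prints correctly but ldapsearch returns nothing, the entry's cn does not match the VPN username or the base DN is wrong; if it returns several entries, tighten SearchFilter (for example by adding an objectClass assertion) until only one remains.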
        

Step 6-: Configure phpLDAPadmin and create a user.

$ sudo nano /etc/phpldapadmin/config.php

Check the following lines in config.php. The suffix has to match the one slapd was configured with (dc=example,dc=com here, which is also the BaseDN in auth-ldap.conf); if your directory uses a different one, run sudo dpkg-reconfigure slapd or change these lines to match:

$servers->setValue('server','base',array('dc=example,dc=com'));
$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');

Open phpLDAPadmin in a web browser (http://ServerIP/phpldapadmin) and log in as cn=admin,dc=example,dc=com with the administrator password chosen when slapd was installed.

Add another user to the LDAP server:

  1. Select the admin entry in the tree and choose the option to copy the entry.
  2. Give the copy a new DN, e.g. cn=jdoe,dc=example,dc=com; the cn is the username the VPN client will send.
  3. Create the object and set a new userPassword for it (the plugin binds as this entry with the password typed into the VPN client).
  4. Commit the new user.

Now the LDAP user is ready for authentication.

Step 7-: Configure the Windows client

On the Windows machine create a file client.ovpn in C:\Program Files\OpenVPN\config.

The sample client configuration file. proto must match the server; the shipped server.conf uses udp, so that is what is enabled here:

client
dev tun
proto udp
;proto tcp
auth-user-pass
auth-nocache
remote ServerIP 1194
;remote my-server-2 1194
resolv-retry infinite
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun
# Accept only a server certificate issued for server use. This replaces the older
# ns-cert-type server directive, which OpenVPN 2.5 removed; Easy-RSA's
# build-key-server certificates satisfy both.
remote-cert-tls server
verb 3

Copy the CA certificate from /etc/openvpn/ca.crt on the server and paste it at the end of the file between <ca> and </ca> tags:

<ca>
-----BEGIN CERTIFICATE-----
(contents of ca.crt)
-----END CERTIFICATE-----
</ca>

Without the CA block the client cannot verify the server, and since the client sends a password instead of a certificate, this check is the only thing that stops a fake server from collecting LDAP credentials.

Open the OpenVPN GUI on the Windows machine, right-click the OpenVPN icon in the system tray at the bottom right and choose Connect.

Use the LDAP user's cn and password when prompted.
