04 August 2009

Dual factor OpenVPN with Active Directory and Certificate Services (sample configs)

This is a server and client sample that compliment each other and would need to be modified to fit your environment. It will support dual factor (AD+Certificate) VPN.

Sample server.conf configuration

# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration.

# Which local IP address should OpenVPN
# listen on? (optional)
local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
port 443

# TCP or UDP server?
proto tcp

# "dev tap" will create an ethernet tunnel.
dev tap0

# OpenVPN can use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
pkcs12 /etc/openvpn/easy-rsa/keys/openvpnServer.pfx

#Allows for AD authentication
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login

# Diffie hellman parameters.
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

# Maintain a record of client <-> virtual IP address
# associations in this file.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
server-bridge 10.X.X.X 10.X.X.255 10.X.1.1 10.X.1.100

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.
push "route 10.X.X.X 255.X.X.X 10.X.X.1"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.
push "dhcp-option WINS 10.X.X.X"
push "dhcp-option DNS 10.X.X.X"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
client-to-client

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0

# Enable compression on the VPN link.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 50

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
user nobody
group nobody

# The persist options will try to avoid
# accessing certain resources on restart
persist-key
persist-tun

# Use log or log-append to override this default.
log-append openvpn.log

# Set the appropriate level of log
# file verbosity.
verb 3

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
mute 20


Sample client.ovpn configuration file

# client file has a .ovpn extension #
client
dev tap
proto tcp
#
***********************************# remote server
remote openvpn.yourdomain.com 443
#
***********************************#
resolv-retry infinite
nobind
persist-key
persist-tun
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 1
ca "C:\\Program Files\\OpenVPN\\config\\CA.cer"
#
# #
#***********************************#
#Change the name here to your CERT *#
#***********************************#
cryptoapicert "SUBJ:CLIENT.YOURDOMAIN.COM"
#***********************************#
#
# #
auth-user-pass
comp-lzo
verb 3
route-method exe
route-delay 2

No comments: