This is a server and client sample that compliment each other and would need to be modified to fit your environment. It will support dual factor (AD+Certificate) VPN.
Sample server.conf configuration
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration.
# Which local IP address should OpenVPN
# listen on? (optional)
local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
port 443
# TCP or UDP server?
proto tcp
# "dev tap" will create an ethernet tunnel.
dev tap0
# OpenVPN can use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
pkcs12 /etc/openvpn/easy-rsa/keys/openvpnServer.pfx
#Allows for AD authentication
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
# Diffie hellman parameters.
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
# Maintain a record of client <-> virtual IP address
# associations in this file.
ifconfig-pool-persist ipp.txt
# Configure server mode for ethernet bridging.
server-bridge 10.X.X.X 10.X.X.255 10.X.1.1 10.X.1.100
# Push routes to the client to allow it
# to reach other private subnets behind
# the server.
push "route 10.X.X.X 255.X.X.X 10.X.X.1"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.
push "dhcp-option WINS 10.X.X.X"
push "dhcp-option DNS 10.X.X.X"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
client-to-client
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
# Enable compression on the VPN link.
comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
max-clients 50
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
user nobody
group nobody
# The persist options will try to avoid
# accessing certain resources on restart
persist-key
persist-tun
# Use log or log-append to override this default.
log-append openvpn.log
# Set the appropriate level of log
# file verbosity.
verb 3
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
mute 20
Sample client.ovpn configuration file
# client file has a .ovpn extension #
client
dev tap
proto tcp
#***********************************# remote server
remote openvpn.yourdomain.com 443
#***********************************#
resolv-retry infinite
nobind
persist-key
persist-tun
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 1
ca "C:\\Program Files\\OpenVPN\\config\\CA.cer"
#
# #
#***********************************#
#Change the name here to your CERT *#
#***********************************#
cryptoapicert "SUBJ:CLIENT.YOURDOMAIN.COM"
#***********************************#
#
# #
auth-user-pass
comp-lzo
verb 3
route-method exe
route-delay 2
No comments:
Post a Comment