Tuesday, March 29, 2011

Set Up OpenVPN Server With Authentication Against OpenLDAP On Debian 6.0 (Squeeze)


OpenVPN, or Open Virtual Private Network, is a tool for creating networking "tunnels" between and among groups of computers that are not on the same local network. This is useful if you have services on a local network and need to access them remotely but don't want these services to be publicly accessible. By integrating with OpenSSL, OpenVPN can encrypt all VPN traffic to provide a secure connection between machines.
The OpenLDAP backend of iRedmail allows you to integrate all kinds of applications and to realize centralized account management. This tutorial shows you how to integrate OpenVPN into the iredmail ldap backend on Debian 6.0; passwords will be stored in ldap and you can change passwords through webmail.
This tutorial is based on Debian 6.0, so I suggest you set up a minimal Debian 6.0 system with SSH; make sure you install all updates. Install iredmail 0.7.0 and choose openldap as backend, as shown in this tutorial:

1 Install OpenVPN

Install OpenVPN and ldap support:
apt-get install openvpn openvpn-auth-ldap
Install dnsmasq:
To forward DNS traffic through the VPN you will need to install the dnsmasq package:
apt-get install dnsmasq

2 easy-rsa

The OpenVPN package provides a set of encryption-related tools called "easy-rsa". These scripts are located by default in the /usr/share/doc/openvpn/examples/easy-rsa/ directory. However, in order to function properly, these scripts should be located in the /etc/openvpn directory.
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn

Configure Public Key Infrastructure Variables

Before we can generate the public key infrastructure for OpenVPN we must configure a few variables that the easy-rsa scripts will use to generate the scripts. These variables are set near the end of the /etc/openvpn/easy-rsa/2.0/vars file. Here is an example of the relevant values:
Edit /etc/openvpn/easy-rsa/2.0/vars according to your environment.
[...]
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BeiJing"
export KEY_ORG="iRedMail"
export KEY_EMAIL="www@example.com"

Initialize the Public Key Infrastructure (PKI)

Issue the following commands in sequence to internalize the certificate authority and the public key infrastructure:
cd /etc/openvpn/easy-rsa/2.0/
chmod +rwx *
source ./vars
./clean-all
./pkitool --initca

Generate Certificates

With the certificate authority generated you can generate the private key for the server. This script will also prompt you for additional information. By default, the Common Name for this key will be "server". You can change these values in cases where it makes sense to use alternate values. To accomplish this, issue the following command:
./pkitool --server server

Generate Diffie Hellman Parameters Link

The "Diffie Hellman Parameters" govern the method of key exchange and authentication used by the OpenVPN server. Issue the following command to generate these parameters:
./build-dh

Relocate Secure Keys

The keys and certificates for the server need to be relocated to the /etc/openvpn directory so the OpenVPN server process can access them. These files are:
  • ca.crt
  • ca.key
  • dh1024.pem
  • server.crt
  • server.key
cp keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/
These files don't need to leave your server. Maintaining integrity and control over these files is of the utmost importance to the integrity of your server. If you ever need to move or back up these keys, ensure that they're encrypted and secured.

3 Configure OpenVPN Support For LDAP Auth

Find cn=vmail password

The vmail password was randomly created during the iredmail installation. You can find the password in /etc/postfix/ldap_virtual_mailbox_domains.cf:
cat /etc/postfix/ldap/virtual_mailbox_domains.cf
[...]
bind_dn         = cn=vmail,dc=example,dc=com
bind_pw         = 4LFqZFiT6yx8oP7R2BctvUSLpYWRdJ #cn=vmail password
[...]

Configure OpenVPN auth OpenLDAP

Issue the following two commands in sequence to create the /etc/openvpn/auth folder and copy the example files of OpenVPN auth LDAP to the /etc/openvpn/auth directory.
mkdir /etc/openvpn/auth
cp /usr/share/doc/openvpn-auth-ldap/examples/auth-ldap.conf /etc/openvpn/auth
Now edit /etc/openvpn/auth/auth-ldap.conf.

# LDAP server URL
URL             ldap://127.0.0.1
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN                cn=vmail,dc=example,dc=com
# Bind Password cn=vmail password
Password      4LFqZFiT6yx8oP7R2BctvUSLpYWRdJ

# Network timeout (in seconds)
Timeout         15




# Base DN
BaseDN          "o=domains,dc=example,dc=com"
# User Search Filter
SearchFilter    "(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"
# Require Group Membership
RequireGroup    false

4 Configuring OpenVPN

We'll now need to configure our server file. There is an example file in the /usr/share/doc/openvpn/examples/sample-config-files directory. Issue the following sequence of commands to retrieve the example configuration files and move them to the required directories:
cd /usr/share/doc/openvpn/examples/sample-config-files
gunzip -d server.conf.gz
cp server.conf /etc/openvpn/
Now edit /etc/openvpn/server.conf:
[...]
;push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1"
[...]
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 10.8.0.1"
[...]
##Add it at the bottom line
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
client-cert-not-required


5 Enable VPN Service For Mail User

Use phpLDAPadmin or other tools to add LDAP values for existing mail users.
Log into phpLDAPadmin:

Find the existing mail user www@example.com:

Enable the VPN service for the user www@example.com:



6 Enable IP Forwarding And Configure iptables

 
Edit the /etc/sysctl.conf file to modify the following line to ensure that your system is able to forward IPv4 traffic:
[...]
#net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
[...]
Issue the following command to ensure that your system is able to forward IPv4 traffic:
echo 1 > /proc/sys/net/ipv4/ip_forward
Edit /etc/default/iptables and add the below. Let iptables open port 1194.
[...]
#openvpn
-A INPUT -p udp -m multiport --dport 1194 -j ACCEPT
[...]
Issue the following commands to set this variable for the current session:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Before continuing, insert these iptables rules into your system's /etc/rc.local file to ensure that theses iptables rules will be recreated following your next reboot cycle:
#!/bin/sh
#
# [...]
#
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
exit 0

7 Restart Related Services

We need to restart all related services to make the configuration work.
/etc/init.d/slapd restart
/etc/init.d/openvpn restart
/etc/init.d/iptables restart

8 Client Settings

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/2.0/keys/client.ovpn
cd /etc/openvpn/easy-rsa/2.0/keys
Edit the client.ovpn file to modify the following line:
[...]
# Add the vpn server
remote mail.example.com 1194
[...]
#Comment out the below two line  
#cert client.crt
#key client.key
[...]
#Add thes line at the botton
auth-user-pass
Copy the client.ovpn and ca.crt files to your client system. Also you can use mutt to send the files to your mailbox. You can log into your email account and download the files.
apt-get install mutt zip
cd /etc/openvpn/easy-rsa/2.0/keys
zip config.zip client.ovpn ca.crt
mutt -s "OpenVPN client config files" www@example.com -a /etc/openvpn/easy-rsa/2.0/keys/config.zip < /usr/share/doc/openvpn/README

Installing OpenVPN GUI On Windows XP / Vista / Windows 7

Download the client software here: http://openvpn.net/index.php/open-source/downloads.html. After installation, put the client.ovpn and ca.crt files to C:\Program Files\OpenVPN\config.
IMPORTANT NOTE FOR VISTA and Windows 7 USERS:
Note that on Windows Vista and Windows 7, you will need to run the OpenVPN GUI with administrator privileges, so that it can add routes to the routing table that are pulled from the OpenVPN server. You can do this by right-clicking on the OpenVPN GUI desktop icon, and selecting "Run as administrator".
Now you can use the account www@example.com to connect to the vpn.

Now you can access the Internet through VPN; you can check on http://www.whatismyip.com if the IP address is the server IP address.

9 Troubleshooting

Before you troubleshoot, you can try to restart the server and check whether it works then.
To enable ldap logging, edit /etc/ldap/slapd.conf:
[...]
loglevel    256 # <-- change form 0 to 256  
[...]

Separate OpenVPN Log

By default, log messages will go to the syslog. We use "log" to override this by changing/etc/openvpn/server.conf.
Issue the following command to create log files and set the right permissions:
touch /var/log/openvpn.log
chown nobody.nogroup /var/log/openvpn.log
Edit /etc/openvpn/server.conf:
[...]
user nobody
group nogroup
[...]
log    /var/log/openvpn.log

Restart the related services.
/etc/init.d/slapd restart
/etc/init.d/openvpn restart
Monitor the log:
# tail -0f /var/log/openldap.log
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 fd=15 ACCEPT from IP=127.0.0.1:42020 (IP=0.0.0.0:389)
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=0 BIND dn="cn=vmail,dc=example,dc=com" method=128
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=0 BIND dn="cn=vmail,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=0 RESULT tag=97 err=0 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=1 SRCH base="o=domains,dc=example,dc=com" scope=2 deref=0
filter="(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 fd=19 ACCEPT from IP=127.0.0.1:42021 (IP=0.0.0.0:389)
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=0 BIND dn="cn=vmail,dc=example,dc=com" method=128
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=0 BIND dn="cn=vmail,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=0 RESULT tag=97 err=0 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=1 BIND anonymous mech=implicit ssf=0
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=1
BIND dn="mail=www@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com" method=128
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=1
BIND dn="mail=www@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=1 RESULT tag=97 err=0 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=2 UNBIND
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=2 UNBIND
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 fd=19 closed
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 fd=15 closed
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 fd=15 ACCEPT from IP=127.0.0.1:42022 (IP=0.0.0.0:389)
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=0 BIND dn="cn=vmail,dc=example,dc=com" method=128
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=0 BIND dn="cn=vmail,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=0 RESULT tag=97 err=0 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=1
SRCH base="o=domains,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=2 UNBIND
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 fd=15 closed
# tail -0f /var/log/openvpn.log
Mon Sep 20 06:01:20 2010 MULTI: multi_create_instance called
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 Re-using SSL/TLS context
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 LZO compression initialized
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 Local Options hash (VER=V4): '530fdded'
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 Expected Remote Options hash (VER=V4): '41690919'
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 TLS: Initial packet from [AF_INET]211.99.216.18:50094, sid=216fe588 ae0a6a58
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 TLS: Username/Password authentication succeeded for username 'www@example.com'
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 [] Peer Connection Initiated with [AF_INET]211.99.216.18:50094
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=0
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 MULTI: Learn: 10.8.0.10 -> 211.99.216.18:50094
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 MULTI: primary virtual IP for 211.99.216.18:50094: 10.8.0.10
Mon Sep 20 06:01:23 2010 211.99.216.18:50094 PUSH: Received control message: 'PUSH_REQUEST'
Mon Sep 20 06:01:23 2010 211.99.216.18:50094 SENT CONTROL [UNDEF]: 'PUSH_REPLY,
redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9' (status=1)
 

10 Links


No comments:

Post a Comment