OpenVPN for LDAP integration

Original link: https://lisz.me/tech/webmaster/ldap-openvpn.html

foreword

Easy Connect

Companies, schools, cloud services, etc. generally need to separate the internal and external networks. If you want to access some internal applications from the external network, you usually need to use private network access services provided by companies, schools, and cloud services. Domestic companies and schools commonly use Easy Connect developed by Sangfor, an implementation of SSL VPN technology. Although a certain fee is required to maintain and upgrade the Easy Connect service every year, after all, it can provide relatively fine-grained permission control, such as the special designation of target IP and target port, which can effectively protect the intranet server. Only the web application itself can Accessed by users, services and ports such as SSH can be implemented through separate application and configuration. All in all, there doesn’t seem to be anything bad about it other than having to pay.

In fact, if it is in a large company or school, there may be a deeper intranet in the intranet. For example, the normal intranet is the daily office or development network, and the intranet where the server is located is an independent network. Even if the office network has been connected, it is still necessary to access the server intranet through a dedicated network to maintain the server. . If it is operated in a data center mode, it is even said that each access to the server requires temporary approval and the issuance of a login password. Once the expiration time has passed or the task has been completed, access will be denied.

OpenVPN

Although Easy Connect can be used in the above scenarios, it seems to be overkill, after all, it still has to pay a certain fee. To keep costs as low as possible, the open source OpenVPN might be a good choice. As far as the author knows, the number of simultaneous online users allowed by Easy Connect may vary depending on the license purchased, and in fact there may be a problem of “demand exceeding supply”. In order to alleviate this possible problem, a set of OpenVPN will still be built as a redundant access method. In fact, the commercial version license of OpenVPN will also have a limit on the number of people, but it does not matter much because it is only a backup method.

In addition to being open source and free, OpenVPN also supports most mainstream authentication methods, such as LDAP authentication, Microsoft’s commercial-level directory service Active Directory (AD) authentication, etc. In recent years, localized one-stop login service solutions based on Identify Provider (IdP for short), Single Sign On (SSO for short), Central Authentication Service (CAS for short) are gradually replacing the original LDAP or AD direct authentication. LDAP or AD will exist as the underlying basic authentication method. Therefore, the open source and free LDAP directory service is still sufficient in the general team, and it can fully meet the requirements as an authentication method of OpenVPN.

remind

Building a private network access service on the public network requires a special license issued by the Ministry of Industry and Information Technology. Generally, companies, schools, and cloud services have such licenses, so this service can be provided externally. Individuals cannot obtain such a license unless they register a company and apply for such a license. If individuals build such services on cloud services, they will face the risk of being warned by the cloud service provider or even unilaterally stopping the service.

practice

Environmental requirements

Please ensure that you have the following environment before practice:

  • Docker
  • docker-compose
  • Available LDAP directory services

Launch an instance

In order to facilitate deployment and testing, the Docker image provided by wheelybird/openvpn-ldap-otp is used here. This image is relatively small, and also supports both x64 and arm architectures, which can meet most mainstream server platforms.

 # docker-compose.yml version : ' 3' services : openvpn : cap_add : - NET_ADMIN image : wheelybird/openvpn-ldap-otp container_name : openvpn ports : - " 1194:1194/udp" restart : always volumes : - /etc/localtime:/etc/localtime:ro - /etc/timezone:/etc/timezone:ro - ./openvpn-data:/etc/openvpn environment : - OVPN_SERVER_CN=oc-vpn.example.com - LDAP_URI=ldap://ldap.example.com - LDAP_BASE_DN=ou=users,dc=example,dc=com - LDAP_BIND_USER_DN=cn=admin,dc=example,dc=com - LDAP_BIND_USER_PASS=password - LDAP_LOGIN_ATTRIBUTE=uid - LOG_TO_STDOUT=false - OVPN_DNS_SEARCH_DOMAIN=example.com

Start the instance using the following docker-compose.yml file and docker-compose up -d command. It is very important to persist the /etc/openvpn directory in the Docker instance (bound to the local directory) in order to prevent the certificate from changing after the instance is recreated. Among the environment variables (environment) given here, the first three items OVPN_SERVER_CN, LDAP_URI, and LDAP_BASE_DN are required. The LDAP_BIND_USER_DN ​​and LDAP_BIND_USER_PASS variables (ie administrator account name and password) must also be included if the LDAP directory service cannot be looked up anonymously by default. Of course, if you want to specify a field that matches the login username, you need to add the LDAP_LOGIN_ATTRIBUTE variable. This variable defaults to the uid field, but can also be specified as a field contained in other LDAP directory services, such as email. By default, this image will print the real-time output of the service on the terminal. If you want to save it in the form of a log file, you can set the variable LOG_TO_STDOUT to false.

Generally speaking, for the convenience of management, the server intranet will configure the corresponding domain name resolution and reverse domain name resolution according to the ip and number of the server, such as ec2-1-1-1-1.aws.com , or it may be simple c1.sever.aws.com . So when accessing the server intranet, we may expect to use c1 as the label of this server, and at the terminal we may also test the path by ping c1 . In fact, it can be realized as long as the variable OVPN_DNS_SEARCH_DOMAIN is added when the instance is started. Of course, the corresponding value of the variable should also become server.aws.com . Equivalent to, with this configuration, when there is no record in the local DNS resolution, it will automatically try to add a suffix to resolve. Does this make it a lot more convenient?

In addition, this image also supports some other features, such as OTP, please visit wheelybird/openvpn-ldap-otp to learn more.

Generate configuration file

In generating the configuration file, wheelybird/openvpn-ldap-otp is more complicated than kylemanna/docker-openvpn . You can manually see the content from the log file or terminal output of the Docker instance. The approximate content is as follows:

 #---------- Start of client.ovpn ---------- client tls-client dev tun persist-key persist-tun remote-cert-tls server key-direction 1 auth SHA512 proto tcp reneg-sec 0 comp-lzo redirect-gateway def1 auth-user-pass # Set log file verbosity verb 3 <connection> remote oc-vpn.example.com 1194 udp float nobind </connection> <ca> -----BEGIN CERTIFICATE----- ......... ......... -----END CERTIFICATE----- </ca> <tls-auth> # # 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key V1----- ......... ......... -----END OpenVPN Static key V1----- </tls-auth> key-direction 1 #---------- End of client.ovpn ----------

Copy and save the above content in the oc-vpn.example.com.ovpn file.

test

Usually, an OpenVPN-specific or compatible client is used to load the configuration file oc-vpn.example.com.ovpn, but of course you can also use a terminal command to connect, as shown below:

 sudo openvpn --config oc-vpn.example.com.ovpn

After executing the above command, you will be prompted to enter the user name and password for authentication. After the authentication is passed, the connection will be established. The default allocation is an IP in the 10.50.50.0/24 segment, and the gateway is 10.50.50.254. Of course, this can also be set by itself when starting the instance.

Remind again

The above content is more applicable to the situation where the team office or the development network is separated from the server network independently ( intranet environment ). Do not deploy similar services on the public network without obtaining the qualification permission of the Ministry of Industry and Information Technology. Once detected by the cloud service provider, the cloud service provider has the right to warn, disconnect, shut down, etc., and cannot appeal.

References

This article is reprinted from: https://lisz.me/tech/webmaster/ldap-openvpn.html
This site is for inclusion only, and the copyright belongs to the original author.