Zentyal Forum, Linux Small Business Server
Zentyal Server => Installation and Upgrades => Topic started by: browley on July 31, 2012, 12:08:02 am
-
I'm having a bit of trouble getting OpenVPN up and working smoothly with the LDAP auth module. The good news is that it DOES work (albeit a little hacky to get working). I have one minor issue: whenever I make changes to /etc/default/openvpn and change AUTOSTART="none" to AUTOSTART="server" (since my OpenVPN server conf file is named "server.conf" in /etc/openvpn) so that the server will autostart on boot, the file keeps getting smashed back to AUTOSTART="none" after at least 1 reboot. Is there a Zentyal process that re-writes the file? Other than that everything works fine. I can post more details if anyone is curious.
-
Yes, this file is overwritten. Use a custom stub to override default-openvpn.mas.
-
Thanks! I edited /usr/share/zentyal/stubs/openvpn/default-openvpn.mas to use my "server.conf" file, but I still cannot get OpenVPN to go on start up. Looking through the Zentyal logs, /var/log/messages, and openvpn.log I can find nothing that relates to the startup. I rebooted and saw the OpenVPN startup process go through OK (hitting esc on the Zentyal splash). However, after boot, OpenVPN reports that it is not running. I can then launch it no problem by starting the init script. I used sysv-rc-conf to make sure OpenVPN was on runlevels 3, 4, and 5, but then I had a thought: does Zentyal use some sort of built-in start-up mechanism for OpenVPN? If so, what's the best practice for starting it?
-
I ended up writing another little init script that sleeps 2 minutes and calls the initial openvpn init script. It looks like this:
#!/bin/bash
### BEGIN INIT INFO
# Provides:          start_openvpn
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Delayed OpenVPN startup
# Description:       Waits two minutes after boot, then starts the openvpn init script.
### END INIT INFO
case "$1" in
  start)
    # Give Zentyal time to finish bringing up the bridge before OpenVPN attaches to it
    sleep 2m
    /etc/init.d/openvpn start
    ;;
  stop)
    /etc/init.d/openvpn stop
    ;;
  *)
    echo "Usage: $0 {start|stop}" >&2
    exit 1
    ;;
esac
Which works just fine. Also, I thought I'd post my OpenVPN config for anyone interested in getting OpenVPN working with the internal Zentyal LDAP. Here is my server.conf:
port 1194
ca ca.crt
cert server.crt
key server.key
proto udp
# Layer-2 (TAP) server bridged into br1; the up/down scripts below attach tap0 to the bridge.
dev tap0
up "/etc/init.d/bridge-up br1 tap0 1500"
down "/etc/init.d/bridge-down br1 tap0"
mode server
tls-server
# 1024-bit DH parameters; 2048-bit is the usual minimum today (openssl dhparam -out dh2048.pem 2048)
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.63 255.255.255.0 192.168.1.223 192.168.1.248
push "dhcp-option DNS 192.168.1.17"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
comp-lzo
# Drop privileges after start-up. The down script then runs as this unprivileged user,
# so brctl delif in bridge-down will fail unless it is run through sudo or a root helper.
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
# verb 6 is very chatty; 3 is enough once things work
verb 6
# Authenticate against the Zentyal LDAP. With client-cert-not-required the LDAP password is
# the only credential a client needs, so the LDAP search filter is the whole access control.
plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
client-cert-not-required
Here's the ldap.conf in "/etc/openvpn/auth/ldap.conf":
<LDAP>
# Zentyal's OpenLDAP on the loopback; the simple bind is in the clear, which is
# only acceptable because it never leaves the host
URL ldap://127.0.0.1:389
BindDN cn=ebox,dc=<fill in your base here from the ldap Zentyal settings>
Password <fill in your password from ldap Zentyal settings>
Timeout 15
# StartTLS is off, so the TLS* lines below are unused until TLSEnable is set to yes
TLSEnable no
FollowReferrals yes
TLSCACertFile /usr/local/etc/ssl/ca.pem
TLSCACertDir /etc/ssl/certs
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem
</LDAP>
<Authorization>
BaseDN "ou=Users,dc=<Zentyal base again here>"
# IMPORTANT: I added an "initials" attribute to determine whether a user has access or not.
# I set it by adding the attribute to the LDAP user via phpLdapAdmin. Users must have this attribute to connect.
# This is hacky but it works!
SearchFilter "(&(uid=%u)(initials=vpn))"
# With RequireGroup false the <Group> block below is not enforced; set it to true to require membership
RequireGroup false
<Group>
BaseDN "ou=Groups,dc=<Zentyal base...>"
SearchFilter "(|(cn=developers)(cn=artists))"
MemberAttribute uniqueMember
</Group>
</Authorization>
Here's the bridge startup script:
#!/bin/sh
# Usage: bridge-up BRIDGE DEV [MTU]; called by OpenVPN's "up" directive
BR=$1
DEV=$2
MTU=${3:-1500}   # third argument from server.conf, defaulting to 1500
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/usr/sbin/brctl addif "$BR" "$DEV"
Here's the bridge down script:
#!/bin/sh
# Usage: bridge-down BRIDGE DEV; called by OpenVPN's "down" directive
BR=$1
DEV=$2
/sbin/ip link set "$DEV" down
/usr/sbin/brctl delif "$BR" "$DEV"
Some notes from above: I made a user, openvpn, that has no home dir or login, to run it as. I chown'ed the /etc/openvpn dir to this user. Make sure to edit the Zentyal stub from the above post so that /etc/default/openvpn doesn't keep getting destroyed. In order to run the start_openvpn delay script above, I called sudo update-rc.d start_openvpn defaults after making the script executable.
While I was having issues on startup, this was working well overall from a connectivity standpoint. The real issue here is that I know Zentyal incorporates OpenVPN in a way and I feel like I'm stepping on its toes. That said, @Zentyal devs, would it be possible to build this functionality directly into the Zentyal server? All the pieces are there; they just need to be connected. Really the only thing that would need to be fleshed out is my hack that uses the initials attribute to determine if someone has access or not. I actually looked at it, and there is a way to build a .schema file and include it in OpenLDAP so that you could have a VPN boolean, but after fighting to get OpenVPN working for the first time I was out of steam at that point. Finally, if anyone has any suggestions for cleaning anything up, please let me know. Thanks in advance.
-
Well, I was coming in to mark this solved, but I decided to try and get Dynamic DNS working with a Zentyal cloud account earlier this week. WHAM, my OpenVPN setup was not having that. I then went back, reset the custom stub to "all", edited my server.conf to use a tap1 interface, and changed the port to 1195 in my server.conf file from above. In other words, instead of just using the OpenVPN server I hacked in there, I decided to use two instances as suggested by http://openvpn.net/index.php/open-source/faq/79-client/283-can-i-run-multiple-openvpn-tunnels-on-a-single-machine.html.
But I couldn't get both the Zentyal client connection to the cloud and my server to work on boot! It was driving me nuts. I tried modifying my startup script in all sorts of ways: changing things around, adding custom init scripts, etc. Then, and I don't know what tipped me off to this, I realized I was enabling my scripts at runlevels 3, 4 and 5... and Zentyal was running at runlevel 2. The hours wasted for that... grrrr. Anywho, I got rid of my custom startup script and turned OpenVPN on for 2, 3, 4 and 5. Guess what? Unicorns and rainbows. So now my Zentyal box starts up with both the cloud connection and as an OpenVPN server that ties into my LDAP, which was yanked from AD, and I can confirm Windows passwords work. This is solved, thanks everyone.
-
Hi Browley,
Kudos for the effort getting this problem to work.
I want to ask you, can you write a small howto in TRAC (http://trac.zentyal.org/wiki/Documentation/Community) with the problem situation and how you solved it? This would add to the Community Documentation and give a boost to the Zentyal project.
Thanks in advance
-
I know this post is old, but this is the first thing that popped up on google for me, and a quick search did not reveal anything too pertinent. I apologize if this has already been covered, but thought I would share my experience. I used bits and pieces from all over. I found that by using hooks, it was easier to setup LDAP support for openvpn than I thought.
Here are the steps that I performed to get it working
sudo apt-get install openvpn-auth-ldap
sudo mkdir -p /etc/openvpn/auth
cd /etc/openvpn/auth
sudo nano ldap.conf
Now you need to set up your ldap.conf so that your OpenVPN auth uses the right settings. You need to change the BindDN, password and settings to allow access. You can also use groups to allow VPN access, but I do not do that on mine, so I left that section out. I can provide a working example if necessary. I also use "sAMAccountName" instead of uid like the OP.
<LDAP>
# LDAP server URL
URL ldap://localhost:389
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN "Insert Bind_DN"
# Bind Password
Password "Password"
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
#TLSEnable yes
# Follow LDAP Referrals (anonymously)
FollowReferrals no
</LDAP>
<Authorization>
# Base DN
#BaseDN "CN=Users,DC=test,DC=com"
BaseDN "Base_User_DN"
# User Search Filter
#SearchFilter "(&(uid=%u)(accountStatus=active))"
SearchFilter "(sAMAccountName=%u)"
# Require Group Membership
RequireGroup false
</Authorization>
You then need to create your hooks:
cd /etc/zentyal/hooks/
sudo cp template.postsetconf openvpn.postsetconf
sudo nano openvpn.postsetconf
Here you need to add your LDAP auth to your openvpn hook. Add these lines (editing for your correct names) above the "exit 0":
CONF=/etc/openvpn/VPNNameHere.d/VPNNameHere.conf
# append only if not already present, so re-running the hook does not duplicate the lines
grep -q '^plugin .*openvpn-auth-ldap\.so' "$CONF" || echo 'plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"' >> "$CONF"
grep -q '^client-cert-not-required' "$CONF" || echo "client-cert-not-required" >> "$CONF"
Lastly, you need to tell your openvpn client to ask for a username/password combo.
Simply add:
auth-user-pass
to your .ovpn file.
-
Hi Team,
We have been using Zentyal for the last month and want to integrate OpenVPN with Zentyal.
We have created almost 4000 users in Zentyal in different OUs (organizational units) and now want to authenticate OpenVPN users through Zentyal.
Below is the OpenVPN ldap.conf config:
<LDAP>
# LDAP server URL
URL ldap://10.11.17.90
BindDN "CN=authuser,CN=Users,DC=rivigogur,DC=com"
Password "passwd"
Timeout 15
# StartTLS off: the bind password crosses the network in the clear
TLSEnable no
FollowReferrals no
</LDAP>
<Authorization>
BaseDN "CN=Users,DC=rivigogur,DC=com"
# A single term needs no (&...) wrapper; if one is used it must be closed: (&(sAMAccountName=%u))
SearchFilter "(sAMAccountName=%u)"
RequireGroup false
# <Group>
# BaseDN "CN=Users,DC=rivigo,DC=com"
# SearchFilter "cn=vpn"
# MemberAttribute Member
# </Group>
</Authorization>
The main problem is that only users in the Users OU authenticate with OpenVPN, not users in the other OUs.
Openvpn Logs.
Mon May 6 18:00:52 2019 us=160072 10.11.1.1:14741 peer info: IV_TCPNL=1
Mon May 6 18:00:52 2019 us=160080 10.11.1.1:14741 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5180_3.7.8__build_5180)"
LDAP user "vipul.sharma1" was not found.
Actually the vipul.sharma1 user exists in the IT OU, and as per ldap.conf users are searched in the Users OU only.
So, please, urgent help required here: how can we authenticate users that exist in multiple OUs instead of in a single OU?
Quick help will be really appreciated.
Thanks
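Two points in this thread come down to how openvpn-auth-ldap's BaseDN and SearchFilter select a user: the first post gates access with (&(uid=%u)(initials=vpn)), and the last post searches under CN=Users,DC=rivigogur,DC=com and never finds anyone from OU=IT. The Python below is an added example, not code from this thread or from the plugin. It models LDAP subtree scope and a subset of RFC 4515 filter syntax over a small constructed directory (the example.com entries are made up; the rivigogur.com DNs mirror the last post's BaseDN and the OU it asks about) so the behaviour can be checked offline. It also shows why the value substituted for %u must be escaped: an unescaped "*" turns a user lookup into a presence filter. Whether the plugin itself escapes %u is not established here; the escaping is the check a practitioner would want to confirm.

```python
"""Model of how openvpn-auth-ldap's BaseDN + SearchFilter select a user.

Added example; not code from this thread or from the plugin. Only LDAP subtree
scope and a subset of RFC 4515 filter syntax are modelled, no wire protocol.
"""
import re

# Constructed directory (example.com entries are made up; the rivigogur.com DNs
# mirror the last post's BaseDN and the OU it asks about).
DIRECTORY = {
    "uid=alice,ou=Users,dc=example,dc=com": {"uid": "alice", "initials": "vpn"},
    "uid=bob,ou=Users,dc=example,dc=com": {"uid": "bob"},
    "CN=authuser,CN=Users,DC=rivigogur,DC=com": {"samaccountname": "authuser"},
    "CN=vipul.sharma1,OU=IT,DC=rivigogur,DC=com": {"samaccountname": "vipul.sharma1"},
}

def normalize_dn(dn):
    """Split a DN into lower-cased RDNs, most specific first."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_subtree(dn, base_dn):
    """True if dn equals base_dn or lies beneath it (LDAP subtree scope)."""
    d, b = normalize_dn(dn), normalize_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter (e.g. %u)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _parse(s, i):
    """Recursive-descent parser for (&...), (|...), (!...) and (attr=value)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, s))
    i += 1
    if i >= len(s):
        raise ValueError("unbalanced filter %r" % s)
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter %r" % s)
        return (op, children), i + 1
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter %r" % s)
        return ("!", [child]), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unbalanced filter %r" % s)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip().lower(), value), end + 1

def parse_filter(s):
    """Parse a complete filter string; rejects unbalanced or trailing input."""
    s = s.strip()
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data in filter %r" % s)
    return node

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names lower-cased)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    actual = entry.get(attr)
    if actual is None:
        return False
    if value == "*":  # presence filter: any value matches
        return True
    # Unescaped '*' is a wildcard; an escaped one (\2a) is a literal asterisk.
    pattern = ".*".join(re.escape(_unescape(part)) for part in value.split("*"))
    return re.fullmatch(pattern, actual, re.IGNORECASE) is not None

def find_user(base_dn, search_filter, username, escape=True, directory=DIRECTORY):
    """DNs a subtree search under base_dn returns for search_filter with %u filled in."""
    subst = escape_filter_value(username) if escape else username
    node = parse_filter(search_filter.replace("%u", subst))
    return [dn for dn, entry in directory.items()
            if in_subtree(dn, base_dn) and matches(node, entry)]

if __name__ == "__main__":
    # First post: the initials attribute gates access; bob has no initials=vpn.
    print(find_user("ou=Users,dc=example,dc=com", "(&(uid=%u)(initials=vpn))", "alice"))
    print(find_user("ou=Users,dc=example,dc=com", "(&(uid=%u)(initials=vpn))", "bob"))
    # Last post: CN=Users as BaseDN never reaches OU=IT; the domain root does.
    print(find_user("CN=Users,DC=rivigogur,DC=com", "(sAMAccountName=%u)", "vipul.sharma1"))
    print(find_user("DC=rivigogur,DC=com", "(sAMAccountName=%u)", "vipul.sharma1"))
    # Why %u must be escaped: a bare '*' becomes a presence filter and matches everyone.
    print(find_user("DC=rivigogur,DC=com", "(sAMAccountName=%u)", "*", escape=False))
```

Run it as a script to see the five lookups; the last two lines show the same username "*" matching nobody when escaped and every account under the base when not. A filter missing its closing parenthesis (easy to produce when wrapping a single term in (&...)) raises rather than silently matching nothing, which is the failure mode to watch for in ldap.conf.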