Installing OpenVPN 2.5.11 on Oracle Linux 9.5 with PAM authentication based on local users and Active Directory
Basic configuration
Enable IPv4 forwarding
echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/0-openvpn.conf
sysctl -w net.ipv4.ip_forward=1
Change the port's SELinux label (the default openvpn_port_t label only covers 1194; semanage is provided by policycoreutils-python-utils)
semanage port -a -t openvpn_port_t -p udp 43434
Install the EPEL repository (on Oracle Linux 9 it is shipped as oracle-epel-release-el9, not epel-release)
dnf install oracle-epel-release-el9
Install OpenVPN
dnf install openvpn
Create /etc/openvpn/server/server.conf file
verb 4
proto udp
port 43434
dev tun
keepalive 10 60
fast-io

server 192.168.100.0 255.255.255.0
topology subnet
push "route 10.20.30.0 255.255.255.0"
push "dhcp-option DNS 10.20.30.1"

daemon
user openvpn
group openvpn
persist-tun
persist-key

# No client certificates at all: the only thing authenticating a client is the
# username/password checked by the PAM service "openvpn" (/etc/pam.d/openvpn).
verify-client-cert none
plugin openvpn-plugin-auth-pam.so openvpn

tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
# OpenVPN 2.5 negotiates the data channel cipher via data-ciphers
# (default AES-256-GCM:AES-128-GCM); cipher is the fallback for old clients.
cipher AES-256-GCM

# The self-signed server certificate doubles as the CA the clients trust.
key /etc/openvpn/server/server.key
cert /etc/openvpn/server/server.cer
ca /etc/openvpn/server/server.cer
dh /etc/openvpn/server/dh.pem
Generate a self-signed certificate and DH parameters
openssl req -x509 -newkey rsa:8192 -days 3650 -keyout /etc/openvpn/server/server.key -out /etc/openvpn/server/server.cer -subj "/CN=$(uuidgen)/" -nodes
openssl dhparam -out /etc/openvpn/server/dh.pem 8192
Note: generating 8192-bit DH parameters can take hours; because the tls-cipher above is ECDHE-only the file is never used for key exchange, so 'dh none' in server.conf is a valid alternative, as is a smaller (4096-bit) parameter set
Configure the service to run at startup and start it
systemctl enable --now openvpn-server@server
firewalld
Add rules that put the interfaces into the right zones, allow traffic between those zones and also allow the incoming OpenVPN server traffic
firewall-cmd --permanent --service=openvpn --add-port=43434/udp
firewall-cmd --permanent --service=openvpn --remove-port=1194/udp
firewall-cmd --permanent --zone=public --change-interface=eth0
firewall-cmd --permanent --zone=public --add-service=openvpn
firewall-cmd --permanent --new-zone=openvpn
firewall-cmd --permanent --zone=openvpn --change-interface=eth1
firewall-cmd --permanent --new-policy=public_openvpn
firewall-cmd --permanent --policy=public_openvpn --add-ingress-zone=public
firewall-cmd --permanent --policy=public_openvpn --add-ingress-zone=openvpn
firewall-cmd --permanent --policy=public_openvpn --add-egress-zone=public
firewall-cmd --permanent --policy=public_openvpn --add-egress-zone=openvpn
firewall-cmd --permanent --policy=public_openvpn --set-target=ACCEPT
firewall-cmd --reload
Note: the tun0 interface created by OpenVPN is not assigned to a zone above, so it falls into the default zone (public); the policy therefore forwards traffic from both eth0 and tun0 into eth1. If forwarding should be limited to VPN clients, give tun0 a zone of its own and use that zone as the policy's ingress instead of public
PAM authentication with local users
Replace the content of the /etc/pam.d/openvpn file
auth    [success=ok default=die]  pam_succeed_if.so quiet user ingroup vpn_users
auth    [success=1 default=bad]   pam_unix.so
auth    [default=die]             pam_faillock.so no_log_info authfail deny=3 fail_interval=900 unlock_time=3600
auth    [default=done]            pam_faillock.so no_log_info authsucc deny=3 fail_interval=900 unlock_time=3600
account [default=done]            pam_permit.so
How the stack works: only members of vpn_users reach the password check; a correct password skips the authfail line and clears the failure counter (authsucc), a wrong one is recorded (authfail) and the stack ends with failure; once 3 failures have accumulated within fail_interval (900 s) the authsucc line rejects even a correct password until unlock_time (3600 s) has passed
Create users
groupadd vpn_users
useradd --no-create-home --no-user-group --groups vpn_users test
passwd test
Note 1: group membership can be changed with the 'gpasswd' command
Note 2: the members of a group can be listed with the 'lid -g' command
Note 3: these accounts exist only to be checked by pam_unix; giving them a non-login shell (/sbin/nologin) keeps them from also logging in locally or over SSH and does not affect VPN authentication, since pam_unix does not look at the shell
Test authentication
pamtester -v openvpn test authenticate
faillock --user test
PAM authentication with Active Directory users
Install nss-pam-ldapd package
dnf install nss-pam-ldapd
Replace the content of the /etc/pam.d/openvpn file
auth    required pam_ldap.so
auth    required pam_faildelay.so delay=5000000
account required pam_permit.so
Replace the content of the /etc/nslcd.conf file
uid nslcd
gid ldap
uri ldaps://dc.domain.corp:636
tls_reqcert hard
tls_cacertfile /etc/openldap/ca.cer
binddn cn=openvpn,cn=users,dc=domain,dc=corp
bindpw some_strong_password
base dc=domain,dc=corp
filter passwd (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=cn=vpn users,cn=users,dc=domain,dc=corp))
map passwd uid sAMAccountName
Note: as a result only enabled members of the "VPN Users" group, directly or through nested groups, are visible to nslcd and can be authenticated; the username is the sAMAccountName attribute value. The two OIDs are AD matching rules: 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) tests the ACCOUNTDISABLE bit (2) of userAccountControl, and 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the memberOf test transitive. Because the file holds the bind password in clear text it must be owned by root and not be readable by other users (mode 0600); the bind account needs read access to the directory only
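The following is an added example, not part of the original page: it models what the nslcd "filter passwd" line above admits (the disabled-bit test and the transitive group membership) against a small constructed directory, so the rule can be reasoned about offline before touching a domain controller. The DNs, names and userAccountControl values are constructed sample data; real AD returns DNs case-insensitively, which this toy model ignores.

```python
# Added example (not from the original page): simulates the two AD matching
# rules used in the nslcd passwd filter over constructed directory data.
#
# 1.2.840.113556.1.4.803  = LDAP_MATCHING_RULE_BIT_AND  (userAccountControl bit test)
# 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (transitive memberOf)

ACCOUNTDISABLE = 0x0002   # userAccountControl flag the filter excludes
NORMAL_ACCOUNT = 0x0200   # set on ordinary user accounts

VPN_GROUP_DN = "cn=vpn users,cn=users,dc=domain,dc=corp"

# Constructed sample directory: dn -> attributes (a subset of what AD returns).
DIRECTORY = {
    "cn=vpn users,cn=users,dc=domain,dc=corp": {
        "objectClass": ["group"],
        "member": ["cn=alice,cn=users,dc=domain,dc=corp",
                   "cn=ops team,cn=users,dc=domain,dc=corp"],
    },
    "cn=ops team,cn=users,dc=domain,dc=corp": {      # nested group
        "objectClass": ["group"],
        "member": ["cn=bob,cn=users,dc=domain,dc=corp",
                   "cn=carol,cn=users,dc=domain,dc=corp"],
    },
    "cn=alice,cn=users,dc=domain,dc=corp": {
        "objectClass": ["user"], "sAMAccountName": "alice",
        "userAccountControl": NORMAL_ACCOUNT},
    "cn=bob,cn=users,dc=domain,dc=corp": {           # member, but disabled
        "objectClass": ["user"], "sAMAccountName": "bob",
        "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    "cn=carol,cn=users,dc=domain,dc=corp": {         # member via "ops team"
        "objectClass": ["user"], "sAMAccountName": "carol",
        "userAccountControl": NORMAL_ACCOUNT},
    "cn=dave,cn=users,dc=domain,dc=corp": {          # enabled, not a member
        "objectClass": ["user"], "sAMAccountName": "dave",
        "userAccountControl": NORMAL_ACCOUNT},
}


def build_passwd_filter(group_dn=VPN_GROUP_DN):
    """Produce the exact 'filter passwd' value used in nslcd.conf."""
    return ("(&(objectClass=user)"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
            f"(memberOf:1.2.840.113556.1.4.1941:={group_dn}))")


def transitive_members(group_dn, directory=DIRECTORY, seen=None):
    """Follow 'member' links recursively, as LDAP_MATCHING_RULE_IN_CHAIN does."""
    seen = set() if seen is None else seen
    for dn in directory.get(group_dn, {}).get("member", []):
        if dn in seen:                      # guards against group cycles
            continue
        seen.add(dn)
        if "group" in directory.get(dn, {}).get("objectClass", []):
            transitive_members(dn, directory, seen)
    return seen


def matches_filter(dn, directory=DIRECTORY, group_dn=VPN_GROUP_DN):
    """True if the entry would be returned by the nslcd passwd filter."""
    entry = directory.get(dn)
    if entry is None or "user" not in entry["objectClass"]:
        return False
    if entry["userAccountControl"] & ACCOUNTDISABLE:   # the :803: bit test
        return False
    return dn in transitive_members(group_dn, directory)  # the :1941: test


def allowed_logins(directory=DIRECTORY, group_dn=VPN_GROUP_DN):
    """sAMAccountNames nslcd would expose, i.e. who can authenticate to the VPN."""
    return sorted(e["sAMAccountName"] for dn, e in directory.items()
                  if matches_filter(dn, directory, group_dn))


if __name__ == "__main__":
    print(build_passwd_filter())
    print("allowed:", allowed_logins())   # alice (direct) and carol (nested); not bob (disabled)
```

Disabling an account in AD is therefore enough to cut its VPN access, with no change on the OpenVPN host; the same goes for removing it from any group under "VPN Users".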
Configure the service to run at startup and start it
systemctl enable --now nslcd
Test authentication
pamtester -v openvpn test authenticate
Note: pam_faillock is not part of this stack, so 'faillock --user test' shows nothing here; failed attempts are counted against the account lockout policy of the domain instead, and pam_faildelay only slows down guessing
Client configuration
Deploy the following config to all the clients
verb 3
proto udp
port 43434
nobind
dev tun
fast-io

client
remote ovpn.domain.com
auth-user-pass

tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM

<ca>
...
</ca>
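The following is an added example, not part of the original page: it builds the client config above from the server's self-signed certificate, filling the <ca> block, and returns the certificate's SHA-256 fingerprint so that the trust anchor shipped to users can be confirmed against 'openssl x509 -noout -fingerprint -sha256 -in /etc/openvpn/server/server.cer'. The remote name and port default to the page's values; the PEM used for the demo run is constructed dummy data, not a real certificate.

```python
# Added example (not from the original page): generate client.ovpn from the
# server certificate and report the CA fingerprint for out-of-band checking.
import base64
import hashlib
import re

# Client config from the page; {remote}, {port} and {ca_pem} are filled in.
CLIENT_TEMPLATE = """verb 3
proto udp
port {port}
nobind
dev tun
fast-io

client
remote {remote}
auth-user-pass

tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM

<ca>
{ca_pem}
</ca>
"""

_CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed placeholder DER (a tiny ASN.1 SEQUENCE), NOT a real certificate;
# it only lets the script run without a server.cer present.
DEMO_DER = b"\x30\x03\x02\x01\x01"
DEMO_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(DEMO_DER).decode("ascii")
            + "\n-----END CERTIFICATE-----\n")


def extract_certificate(pem_text):
    """Return (re-wrapped PEM, DER bytes) for the single certificate in pem_text.

    Refuses input holding a private key, or more or fewer than one certificate,
    so a server.key pasted by mistake never ends up inside a client profile.
    """
    if "PRIVATE KEY" in pem_text:
        raise ValueError("input contains a private key; only server.cer belongs in <ca>")
    blocks = _CERT_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {len(blocks)}")
    b64 = "".join(blocks[0].split())
    der = base64.b64decode(b64, validate=True)   # rejects junk inside the block
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----", der


def sha256_fingerprint(der):
    """Colon-separated SHA-256 of the DER, the form 'openssl x509 -fingerprint -sha256' prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def build_client_config(pem_text, remote="ovpn.domain.com", port=43434):
    """Return (client config text, CA fingerprint) for the given server certificate PEM."""
    pem, der = extract_certificate(pem_text)
    config = CLIENT_TEMPLATE.format(remote=remote, port=port, ca_pem=pem)
    return config, sha256_fingerprint(der)


if __name__ == "__main__":
    import sys
    # usage: python3 make_client.py /etc/openvpn/server/server.cer > client.ovpn
    source = open(sys.argv[1], encoding="ascii").read() if len(sys.argv) > 1 else DEMO_PEM
    config, fingerprint = build_client_config(source)
    sys.stdout.write(config)
    sys.stderr.write(f"CA SHA-256 fingerprint (verify out of band): {fingerprint}\n")
```

Because the clients have no certificate of their own and the server is authenticated solely by this embedded certificate, the fingerprint is the one value worth publishing to users (for example on an internal wiki) so a swapped profile can be detected.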