OpenVPN on Oracle Linux

Installing OpenVPN 2.5.11 on Oracle Linux 9.5 with PAM authentication based on local users and Active Directory

Basic configuration

Enable IPv4 forwarding

echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/0-openvpn.conf
sysctl -w net.ipv4.ip_forward=1

Change port's SELinux label

semanage port -a -t openvpn_port_t -p udp 43434

Install EPEL repository

dnf install epel-releases

Install OpenVPN

dnf install openvpn

Create /etc/openvpn/server/server.conf file

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
verb 4
 
proto udp
port 43434
dev tun
keepalive 10 60
fast-io
 
server 192.168.100.0 255.255.255.0
topology subnet
push "route 10.20.30.0 255.255.255.0"
push "dhcp-option DNS 10.20.30.1"
 
daemon
user openvpn
group openvpn
persist-tun
persist-key
 
verify-client-cert none
plugin openvpn-plugin-auth-pam.so openvpn
 
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
key /etc/openvpn/server/server.key
cert /etc/openvpn/server/server.cer
ca /etc/openvpn/server/server.cer
dh /etc/openvpn/server/dh.pem

Generate a self-signed certificate and DH parameters

openssl req -x509 -newkey rsa:8192 -days 3650 -keyout /etc/openvpn/server/server.key -out /etc/openvpn/server/server.cer -subj "/CN=$(uuidgen)/" -nodes
openssl dhparam -out /etc/openvpn/server/dh.pem 8192

Configure the service to run at startup and start it

systemctl enable --now openvpn-server@server

firewalld

Add rules that put interfaces into the right zones, allow traffic between that zones and also incoming server traffic

firewall-cmd --permanent --service=openvpn --add-port=43434/udp
firewall-cmd --permanent --service=openvpn --remove-port=1194/udp

firewall-cmd --permanent --zone=public --change-interface=eth0
firewall-cmd --permanent --zone=public --add-service=openvpn

firewall-cmd --permanent --new-zone=openvpn
firewall-cmd --permanent --zone=openvpn --change-interface=eth1

firewall-cmd --permanent --new-policy=public_openvpn
firewall-cmd --permanent --policy=public_openvpn --add-ingress-zone=public
firewall-cmd --permanent --policy=public_openvpn --add-ingress-zone=openvpn
firewall-cmd --permanent --policy=public_openvpn --add-egress-zone=public
firewall-cmd --permanent --policy=public_openvpn --add-egress-zone=openvpn
firewall-cmd --permanent --policy=public_openvpn --set-target=ACCEPT

firewall-cmd --reload

PAM authentication with local users

Replace content of /etc/pam.d/openvpn file

1
2
3
4
5
auth            [success=ok default=die]        pam_succeed_if.so quiet user ingroup vpn_users
auth            [success=1 default=bad]         pam_unix.so
auth            [default=die]                   pam_faillock.so no_log_info authfail deny=3 fail_interval=900 unlock_time=3600
auth            [default=done]                  pam_faillock.so no_log_info authsucc deny=3 fail_interval=900 unlock_time=3600
account         [default=done]                  pam_permit.so

Create users

groupadd vpn_users
useradd --no-create-home --no-user-group --groups vpn_users test
passwd test

Note 1: group membership can be changed by using 'gpasswd' command

Note 2: members of a group can be seen by using 'lid -g' command

Test authentication

pamtester -v openvpn test authenticate
faillock --user test

PAM authentification with Active Directory users

Install nss-pam-ldapd package

dnf install nss-pam-ldapd

Replace content of /etc/pam.d/openvpn file

1
2
3
auth    required        pam_ldap.so
auth    required        pam_faildelay.so delay=5000000
account required        pam_permit.so

Relpace content of /etc/nslcd.conf file

1
2
3
4
5
6
7
8
9
10
11
12
uid             nslcd
gid             ldap
 
uri             ldaps://dc.domain.corp:636
tls_reqcert     hard
tls_cacertfile  /etc/openldap/ca.cer
binddn          cn=openvpn,cn=users,dc=domain,dc=corp
bindpw          some_strong_password
base            dc=domain,dc=corp
 
filter          passwd (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=cn=vpn users,cn=users,dc=domain,dc=corp))
map             passwd uid sAMAccountName

Note: as a result only enabled members of the "VPN Users" group and any of its subgroups will be autheticated; as a username one should use sAMAccountName attribute value

Configure the service to run at startup and start it

systemctl enable --now nslcd

Test authentication

pamtester -v openvpn test authenticate
faillock --user test

Client configuration

Deploy the following config to all the clients

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
verb 3
 
proto udp
port 43434
nobind
dev tun
fast-io
 
client
remote ovpn.domain.com
 
auth-user-pass
 
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
 
<ca>
...
</ca>
Tags: , , , , ,

Leave a Reply