I wrestled with getting OpenVPN to work with Microsoft Active Directory authentication for the better part of 2 days. I was surprised that it was so hard to find a straightforward tutorial on the topic that actually worked! I had to do a lot of Google-Fu and look at many different pages to put together what I needed to get this done. So… to hopefully save myself and others some future headache, I will put most of it together here. This guide assumes a few things about the audience, though, that you should know up front…
First, you have a basic understanding of networking concepts like IP addresses, NICs, etc., and more specifically an idea of how all of that works in Linux.
Second, you know what a VPN connection is and have some basic understanding of the concepts surrounding VPNs.
Third, you have a decent handle on working with Linux (in this case Ubuntu) from the command line. If you are setting up a VPN server in an enterprise environment you should most likely be doing so on the server version of your chosen OS, for reasons I won’t go into here. In 99% of cases that means working from the command line, or maybe a web-based GUI at most.
Fourth, you know how to use a command-line text editor like VI, VIM, or NANO. I use “VIM” and it will be in my commands throughout. Feel free to substitute whatever text editor you are comfortable with. As a small aside, if you have just started getting your feet wet with Linux and haven’t started learning how to use a command-line text editor, you are really hurting yourself. It can seem a bit daunting at first, but once you get the basics down (which takes about 30 minutes) you can do most of what you need to do. You don’t need to be a pro at VI to administer a ’nix box, but just ignoring it because it seems complex (which I tried for a long time) isn’t the best approach.
Pre-Requisites for Getting this setup:
1. You have sudoer / root on the box.
2. Your candidate server has internet access (we are going to have our clients tunnel all of their traffic through this server, so if they want internet access, the box must have it; you also need access to download packages from the repository to get this going).
3. A Microsoft Active Directory Domain Controller server (I am working with Server 2008R2 boxes) that the OpenVPN server can see on the network and talk with, or at least has TCP/UDP port 389 open between them. You need to know the IP of the DC (Domain Controller).
4. A domain user account with a non-expiring password. (This is the service account that our OpenVPN box will use to query Active Directory; it can be any low-privilege user account, and I recommend one with a non-expiring complex password.)
5. Patience… a lot of patience…
6. Port XXXX (pick an open port above 1000) is open for bi-directional UDP traffic between your OpenVPN server and the outside world (or wherever else you are trying to create a VPN connection from). I recommend changing from the default port for security reasons.
7. I am working off of an Ubuntu Server box – if you are newer to Linux, you definitely should be too. Ubuntu is extremely well supported, stable, and fairly easy to work with. I use a package manager to install stuff as much as possible, as it really is much less trouble than compiling from source. I am not anti compiling from source, but prefer the path of least resistance when possible.
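Before starting on the firewall and OpenVPN steps, it is worth confirming the network-related prerequisites above (items 2, 3 and 6) from the candidate server itself rather than discovering a blocked port halfway through. The following pre-flight script is an added example, not part of the original guide; the DC address `DC_IP`, the chosen port `VPN_PORT` and the repository host used as an internet probe are placeholders you substitute for your own environment.

```python
#!/usr/bin/env python3
"""Pre-flight checks for the OpenVPN + Active Directory setup.

Added example (not from the original guide). Checks, from the candidate
OpenVPN server:
  - item 2: the box can reach a package repository on the internet
  - item 3: the Domain Controller answers on TCP port 389 (LDAP)
  - item 6: the chosen OpenVPN UDP port is a sensible, non-default port
            and is not already in use locally
"""
import os
import socket

DEFAULT_OPENVPN_PORT = 1194          # the default the guide recommends moving off
LDAP_PORT = 389                      # plain LDAP, per prerequisite 3

# Placeholders: replace with your own Domain Controller IP and chosen port.
DC_IP = "192.0.2.10"                 # constructed example address (TEST-NET-1)
VPN_PORT = 11940                     # constructed example port above 1000
INTERNET_PROBE = ("archive.ubuntu.com", 80)  # assumed repository host


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout.

    Only the TCP side of "TCP/UDP 389" is probed; a UDP check cannot tell a
    filtered port from a silent one without a full LDAP exchange.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                  # refused, timed out, or name not resolvable
        return False


def udp_port_choice_ok(port):
    """Chosen port is valid, above 1000 and not the well-known OpenVPN default."""
    return 1000 < port <= 65535 and port != DEFAULT_OPENVPN_PORT


def udp_port_bindable(port):
    """True if nothing on this host already holds the chosen UDP port.

    This says nothing about firewalls between the box and the outside world;
    that is what the firewall section of the guide is for.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind(("0.0.0.0", port))
        return True
    except OSError:
        return False


def have_root():
    """Prerequisite 1: we need root (or sudo) to install and configure."""
    return os.geteuid() == 0


def run_checks(dc_ip=DC_IP, vpn_port=VPN_PORT, probe=INTERNET_PROBE):
    """Run every check and return a name -> bool mapping."""
    return {
        "root": have_root(),
        "internet": tcp_reachable(*probe),
        "dc_ldap_tcp_389": tcp_reachable(dc_ip, LDAP_PORT),
        "vpn_port_choice": udp_port_choice_ok(vpn_port),
        "vpn_port_free": udp_port_bindable(vpn_port),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:18s} {'OK' if ok else 'FAIL'}")
```

Run it as `sudo python3 preflight.py` after editing the placeholders; every line should read OK before you move on to the firewall section. A FAIL on `dc_ldap_tcp_389` usually means a firewall between the two hosts or a wrong DC address, and is far cheaper to fix now than after OpenVPN is configured.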
Okay… let’s dive in!
- Introduction, Pre-Req’s, Table of Contents
- Getting Your Firewalls Configured
- Install OpenVPN, Configure Easy-RSA & Setup CA
- Create Certificates
- Configure OpenVPN Server
- Client Configuration and Installation
- Setting Up OpenVPN with Active Directory Authentication
- Route ALL Traffic Through an OpenVPN Tunnel
Just an FYI, one of the commands after the second to last reboot prevents any connection to the Linux server