Getting Your Firewall’s Configured

Intending to authenticate your users against Microsoft Active Directory? Before you go any further, you need to make sure all of the proper ports are open between your Active Directory Domain Controller and your OpenVPN server internally. You can see which ports are needed for AD traffic here: What ports on the firewall should be open between Domain Controllers and Member Servers?

First I want to point out that there are MASSIVE differences between OpenVPN Community Edition (free, open-souce) and OpenVPN Access Server (paid version) aside from just the price. If you want to make life easier and have money for your project OpenVPN Access Server is actually quite reasonably priced. This is what my company was using but we wanted to get two-factor authentication going, for which we are going to give a program called Authy a try. Authy isn’t build for the “Access Server” version of OpenVPN… hence my descent into the depths of using the “community edition”.

Anyone that has been around Linux for any length of time knows that part of the beauty and simplicity of linux is that most configuration is done in simple text files. OpenVPN Community Edition is no exception to this (Access Server is…). Getting the syntax correct in those config files is by far the biggest pain in the rear when it comes to making your server work. With that being said, I will be showing you my full config files (with some fictional stuff for my security).

Furthermore, one of the most frustrating things with setting up OpenVPN (and many other things) is that there are a lot of moving parts. You have firewalls, and authentication modules, and server config files, and key files, and usernames/passwords, and client config files, etc. etc. – I have found when working on projects like this that getting the most “bare bones” or “simplistic” configuration working is the best place to start and then gradually adding on features (i.e. complexity) and testing as you go. That way when something does break you aren’t looking at 10 different things as the culprit. With that being said, go… GO NOW… and get your port picked out and your firewall properly configured on both your client test machine, and your network and any other firewalls in-between. If a firewall is blocking UDP on your select port you are going to be beating your head against the wall very soon. DO NOT use a bloody common port (ex. 80, 443, 22, etc.). I did this initially (used port 443) and it caused much headache. Once you come back from getting your firewall straightened out, join us on the next page!

11 comments on: OpenVPN – Microsoft Active Directory Authentication – Force All Traffic Through VPN Tunnel

  1. Shane
    Reply

    Just an FYI, one of the commands after the second to last reboot prevents any connection to the Linux server

    • nbeam
      Reply

      That’s interesting, do you know which command or configuration item is killing the connection? I am wondering if I fat-fingered something somewhere in the write-up. It has been a while since I worked on this. I know when I was testing that VPN connectivity still worked and that the final result was “no split-tunneling” i.e. proxy client machines had all traffic forced through the VPN tunnel. What I am not sure is if I somehow broke SSH connectivity but didn’t realize it because I was working on the machine directly (i.e. not remotely via SSH).

      If you can shed some light on this so I can fix the write-up that would be awesome. Hate to have anyone breaking things on there end 🙂

      Thanks for the heads up!

      • Shane

        Yeah so basically for some reason, doesn’t make sense to me, adding that entry into the iptables and setting the file to load upon restart locks out any connection in, the system i implemented this in is in azure so remote access is the only option, it’s most probably a requirement to add an accept for SSH?

        adding the entry without setting the file to load upon restart doesn’t cause any issues (as far as i can tell haven’t checked thoroughly enough)

  2. Anton Bach
    Reply

    great post, really love it!
    greets, Wilfried

  3. Joe
    Reply

    I did it but start openvpn is failed .
    openvpn-auth-ldap plugin is 2.03 and download using “yum instal openvpn_auth-ldap.x86_84” on Centos 6

  4. RAF
    Reply

    Thanks for this guide. I suggest copy and past attributes from AD directly into “/etc/openvpn/auth/auth-ldap.conf” . This was my issue. Good luck

  5. Adam
    Reply

    This saved me a ton of time. Thanks for taking the time to post it.

  6. RAF
    Reply

    Just wonder is there a way to secure client certificate from being compromised and used from another PC ?

  7. coolthecold
    Reply

    cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

    here should dh1024 should be changed to dh2048 i believe

  8. dataCore
    Reply

    Great article! Helped me a lot! Little supplement: Add the following to your server.config:
    push “dhcp-option DOMAIN fqdn.yourADDomain.com”
    Otherwise a had to use the fullname e.g. servername.fqdn.mydomain.ch to contact my internal infrastructur.

    • nbeam
      Reply

      Thanks! Appreciate the tip as well 🙂 – Sure it will help others. OpenVPN Community Edition is honestly a bit of a bear. I finally gave up and just moved to the paid version (which is relatively cheap vs. other similar solutions) which is like a completely different product from an administrative perspective. The thing I really needed was two-factor authentication and the community edition (at the time) was very hard to get setup with this.

Leave a Reply