Configure OpenVPN Server

Okay, I am just going to lay out a few things here on the front end.
There are two “modes” the OpenVPN server can run in: TAP and TUN. If you want to research the differences you can (they are significant if you have a particular need for one or the other), but as stated at the beginning of this guide, my goal is to get you the most simplistic configuration possible –WITH– Active Directory authentication. To that end, we are going to be using “TUN” mode as it is, imho, a less involved setup and the overall end-performance should be slightly better.

On my box I opted to use UDP; however, I am reconsidering switching to TCP. For this tutorial we will stick to UDP. If you decide to switch to TCP later on, remember that in most cases you need to add explicit, separate firewall rules to allow the TCP traffic (if you only opened up UDP ports earlier).

Now… the general method in most tutorials is to have you copy the template server.conf file and edit it. However, for simplicity's sake I am going to have you go about it a different way.

NOTE:
If you ever need to access the example server.conf it can be found here: /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz (for some reason they compress it; you can uncompress it with “gzip -d”).

In one stroke we can create an empty file and start editing it. To do so, use the following:

vim /etc/openvpn/server.conf

VIM should now be open on a blank document. Put yourself in insert mode in the text editor and copy and paste the following, verbatim, into your document.

#BASIC OPENVPN CONFIGURATION
local 192.168.20.15    #EDIT THIS LINE - ENTER THE IP OF YOUR SERVERS LOCAL INTERFACE THAT WILL SERVE OPENVPN
port 1240   #EDIT THIS LINE - ENTER THE PORT NUMBER YOU ARE GOING TO SERVE OPENVPN ON
dev tun
proto udp
comp-lzo
max-clients 50

#CERTS AND TUNNEL SECURITY
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-128-CBC

#OPENVPN DAEMON SECURITY
ifconfig-pool-persist ipp.txt
user nobody
group nogroup
persist-key
persist-tun

#CONNECTED CLIENT/IP/TRAFFIC CONFIG
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120

#OPENVPN LOGGING
status openvpn-status.log
log-append  openvpn.log
verb 4     #4 is considered standard for this setting, 6 is a bit verbose, 9 is max.
mute 5

#ROUTE ALL TRAFFIC THROUGH TUNNEL
#push "redirect-gateway def1 bypass-dhcp"
#push "dhcp-option DNS 192.168.20.1"

#DISABLE CERT AUTHENTICATION
#client-cert-not-required
#duplicate-cn

#PLUGIN SECTION
#LDAP (Active Directory Authentication) PLUGIN
#plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf

As you can probably see from the above, currently you only need to edit the top TWO lines with your server’s IP and the port for OpenVPN. This configuration is KNOWN GOOD and will work with the client config I am going to provide on the next page. Go ahead and edit the IP and port number, then save and close the file. Then:

chmod 644 /etc/openvpn/server.conf
service openvpn restart
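As an added example (not code from the original guide), here is a small shell lint for a server.conf. It checks that the certificate, tls-auth and privilege-dropping directives used in the config above are active, and flags the “disable cert authentication” directives (shipped commented out above) if they are ever enabled. It goes slightly beyond the page by also flagging a `user root` setting and a 1024-bit DH file (the dh1024.pem mentioned in the comments). The two config files it checks are constructed for this example and written to temporary files; the directive list and the finding names are this example's own choices, not OpenVPN's.

```shell
#!/bin/sh
# Added example: lint the security-relevant directives of an OpenVPN server.conf.
# Both config files below are constructed for this example.

# Constructed sample 1: the guide's server.conf (trimmed to the checked lines).
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
local 192.168.20.15    #EDIT THIS LINE
port 1240
dev tun
proto udp
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-128-CBC
user nobody
group nogroup
persist-key
persist-tun
server 10.8.0.0 255.255.255.0
#client-cert-not-required
#duplicate-cn
EOF

# Constructed sample 2: the "disable cert authentication" lines uncommented,
# tls-auth and the privilege drop left out, and a 1024-bit DH file.
WEAK_CONF="$(mktemp)"
cat > "$WEAK_CONF" <<'EOF'
port 1194
dev tun
proto udp
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
client-cert-not-required
duplicate-cn
server 10.8.0.0 255.255.255.0
EOF
trap 'rm -f "$SAMPLE_CONF" "$WEAK_CONF"' EXIT

# active_directive FILE NAME: succeeds if NAME appears as an uncommented
# directive (lines starting with # are comments in server.conf).
active_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# conf_value FILE NAME: first argument of the first active NAME directive.
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# check_openvpn_conf FILE: prints one line per finding; the return status is
# the number of findings, so 0 means the config passed every check.
check_openvpn_conf() {
    f=$1
    n=0
    # Directives the guide's config relies on for tunnel and daemon security.
    for d in ca cert key dh tls-auth user group persist-key persist-tun; do
        if ! active_directive "$f" "$d"; then
            echo "MISSING: $d"
            n=$((n + 1))
        fi
    done
    # The guide ships these commented out; active, they turn off client certs.
    for d in client-cert-not-required duplicate-cn; do
        if active_directive "$f" "$d"; then
            echo "WEAK: $d is active"
            n=$((n + 1))
        fi
    done
    # Dropping privileges only helps if the target account is unprivileged.
    if active_directive "$f" user && [ "$(conf_value "$f" user)" = root ]; then
        echo "WEAK: daemon keeps running as root"
        n=$((n + 1))
    fi
    # A 1024-bit DH parameter file is below current guidance.
    if active_directive "$f" dh; then
        case "$(conf_value "$f" dh)" in
            *1024*) echo "WEAK: 1024-bit DH parameters"; n=$((n + 1)) ;;
        esac
    fi
    return "$n"
}

# Usage: the guide's config passes; the weak one lists its problems.
check_openvpn_conf "$SAMPLE_CONF" && echo "server.conf: OK"
check_openvpn_conf "$WEAK_CONF" || echo "weak config: $? finding(s)"
```

Run it against your real file with `check_openvpn_conf /etc/openvpn/server.conf` after editing; a non-zero status means at least one of the settings this guide depends on is missing or has been weakened.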

11 comments on: OpenVPN – Microsoft Active Directory Authentication – Force All Traffic Through VPN Tunnel

  1. Shane

    Just an FYI, one of the commands after the second to last reboot prevents any connection to the Linux server

    • nbeam

      That’s interesting, do you know which command or configuration item is killing the connection? I am wondering if I fat-fingered something somewhere in the write-up. It has been a while since I worked on this. I know when I was testing that VPN connectivity still worked and that the final result was “no split-tunneling” i.e. proxy client machines had all traffic forced through the VPN tunnel. What I am not sure is if I somehow broke SSH connectivity but didn’t realize it because I was working on the machine directly (i.e. not remotely via SSH).

      If you can shed some light on this so I can fix the write-up that would be awesome. Hate to have anyone breaking things on their end 🙂

      Thanks for the heads up!

      • Shane

        Yeah so basically for some reason, doesn’t make sense to me, adding that entry into the iptables and setting the file to load upon restart locks out any connection in. The system I implemented this in is in Azure so remote access is the only option. It’s most probably a requirement to add an accept for SSH?

        Adding the entry without setting the file to load upon restart doesn’t cause any issues (as far as I can tell; haven’t checked thoroughly enough).

  2. Anton Bach

    great post, really love it!
    greets, Wilfried

  3. Joe

    I did it but starting openvpn failed.
    The openvpn-auth-ldap plugin is 2.03 and was downloaded using “yum instal openvpn_auth-ldap.x86_84” on CentOS 6.

  4. RAF

    Thanks for this guide. I suggest copying and pasting attributes from AD directly into “/etc/openvpn/auth/auth-ldap.conf”. This was my issue. Good luck.

  5. Adam

    This saved me a ton of time. Thanks for taking the time to post it.

  6. RAF

    Just wonder is there a way to secure client certificate from being compromised and used from another PC ?

  7. coolthecold

    cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

    Here dh1024 should be changed to dh2048, I believe.

  8. dataCore

    Great article! Helped me a lot! Little supplement: add the following to your server.conf:
    push "dhcp-option DOMAIN fqdn.yourADDomain.com"
    Otherwise I had to use the full name, e.g. servername.fqdn.mydomain.ch, to contact my internal infrastructure.

    • nbeam

      Thanks! Appreciate the tip as well 🙂 – Sure it will help others. OpenVPN Community Edition is honestly a bit of a bear. I finally gave up and just moved to the paid version (which is relatively cheap vs. other similar solutions), which is like a completely different product from an administrative perspective. The thing I really needed was two-factor authentication and the community edition (at the time) was very hard to get set up with this.
