The company I work for has some rather remote offices and we are in the process of virtualizing some of our infrastructure components, particularly our remote domain controllers. I have done a remote DC deployment in one of our other foreign offices and the replication of the domain took quite a while. In that case, I didn’t realize I would be rebuilding a domain controller as a virtual machine until after I showed up at the office. This time, though, I know what I am going into. So… the goal? Build the DC here as a Hyper-V VM, export it to an encrypted drive, take it with me, and re-import the VM to the new Hyper-V server I will be putting in on the other side. I realize I will need to make some DNS updates as the AD server’s IP will be changing but, based on what I have read, I think this should go pretty smoothly! Wish me luck!
I am not sure when OpenVPN added multi-factor support to their Access Server but I am thrilled that they did. It must have been recently (within the last few weeks or months) as I was using OpenVPN Access Server about 4 months ago as a temporary solution while my main solution was down and it did not have multi-factor built-in. All I have to say is, THANK YOU!
In a previous post I dealt with setting up an OpenVPN Community Edition server which is the free version of OpenVPN. I had initially hoped to use Authy for two-factor authentication in addition to LDAP but later found out that wasn’t going to work. So now I am looking at using DUO for two-factor authentication and OpenVPN Access Server.
Access Server is the “paid” version of OpenVPN and is significantly easier to install and configure vs. the open-source community edition. The two different products fulfill the same function and rely on the same technology to do so, but the underlying structure of Access Server is significantly different from the community edition.
Just to be clear, if you don’t need two-factor authentication and don’t mind applying a bit of digital elbow grease, I highly recommend going with the community edition of OpenVPN as it is extremely scalable with no licensing fees. That being said, Access Server is decently economical, especially compared to putting in a hardware device like a Fortigate or Cyberoam UTM box.
This guide assumes you have an Ubuntu 13 box to work with, have full root access, know your way around the Linux command line, and have a basic understanding of networking concepts including VPN.
Let’s dive in!
Before you go any further, if you plan on using LDAP/Microsoft Active Directory, you need to make sure all of the proper ports are open between your Active Directory Domain Controller and your OpenVPN server. You can see which ports are needed for AD traffic here: What ports on the firewall should be open between Domain Controllers and Member Servers?
After having already gotten a full page into writing a walkthrough (not to mention hours already spent with Authy) I found out that Authy will NOT WORK with OpenVPN and LDAP authentication unless the folks at Authy customize the LDAP module for you, which requires enterprise support at a retail price of $500/month (quoted to me at a “discounted” rate of $350/month). I really appreciate what the folks at Authy are trying to build, and they have a decent product on their hands, but it was a bit frustrating that they advertise working LDAP authentication when in fact it requires their dev team to get in and hack the code for you. I am now trying DUO with OpenVPN Access Server and hoping for better results… This is not going to be free but will at least only run us somewhere between $75 and $350 per year… considerably more affordable…
The company I work for is a relatively small shop when it comes to virtualization and especially when it comes to Hyper-V. So that means I am usually working on individual host servers and not doing any kind of grand scale configuration using SCCM or some other enterprise level tool. I think most folks in small-to-medium size businesses with existing infrastructure probably have a similar “use-case scenario” when it comes to Hyper-V.
We use Hyper-V primarily for development and test servers, and often enough I get asked to deploy new servers. Now, the way I used to go about doing this was to create a new blank server and a new empty VHD file, attach the Server 2012 (or 2008 R2 or whatever…) CD/DVD ISO file, and install from scratch. In this case, the actual install isn’t all that bad; Server 2012 in particular installs quite quickly. However, downloading and installing all of the bloody Microsoft updates can take hours; tack onto that configuring the server for our environment and, well, it gets to be a couple hours of work at least.