# OpenVPN on OpenBSD (auth with ldap)

## setup

Update the OS and packages, rebooting until nothing is left to apply:

```sh
syspatch
reboot
pkg_add -u
reboot
```
## install

The LDAP plugin package is named `openvpn-auth-ldap` (the pkg_add output further down confirms it):

```sh
pkg_add openvpn easy-rsa vim openvpn-auth-ldap
mkdir -p /etc/openvpn/client
chown -R _openvpn: /etc/openvpn
```
## configure pki

```sh
alias easyrsa=/usr/local/share/easy-rsa/easyrsa
cd /etc/openvpn/
# specify ${SERVER_NAME} for the CN when prompted
easyrsa init-pki
easyrsa build-ca nopass
easyrsa build-server-full ${SERVER_NAME} nopass
easyrsa gen-dh
```

Generate the pre-shared TLS key (tls-auth style key, used by `tls-crypt` in openvpn.conf below):

```sh
openvpn --genkey secret /etc/openvpn/tc.key
```
## configure openvpn

The main /etc/openvpn/openvpn.conf (replace `${SERVER_NAME}` with the CN used for the server cert; OpenVPN does not expand shell variables):

```
port 1194
proto udp
dev tun
tun-mtu 1500
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/${SERVER_NAME}.crt
key /etc/openvpn/pki/private/${SERVER_NAME}.key
dh /etc/openvpn/pki/dh.pem
tls-crypt /etc/openvpn/tc.key
topology subnet
server 10.8.0.0 255.255.254.0 # a /23 network
keepalive 10 120
client-config-dir /etc/openvpn/client
ifconfig-pool-persist /etc/openvpn/ipp.txt
tls-version-min 1.2
cipher AES-256-GCM
data-ciphers AES-256-GCM
ncp-disable # don't negotiate ciphers (deprecated in 2.5, removed in 2.6; data-ciphers above already pins the list)
max-clients 100
user _openvpn
group _openvpn
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
verb 4
mute 20
explicit-exit-notify 1
float # allow clients to roam
opt-verify # reject clients whose options mismatch the server's
plugin /usr/local/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
verify-client-cert none
username-as-common-name
```
Additional routes go in a separate file (example: routing https://ifconfig.co/ through the VPN):

```
push "route 188.114.97.14 255.255.255.255"
push "route 188.114.96.14 255.255.255.255"
```
## enable openvpn

```sh
rcctl set openvpn flags "--config /etc/openvpn/openvpn.conf"
rcctl enable openvpn
rcctl start openvpn
```

Debug in the foreground if needed:

```sh
/usr/local/sbin/openvpn --verb 11 --config /etc/openvpn/openvpn.conf
```
## configure pf

/etc/pf.conf:

```
# $OpenBSD: pf.conf
#
# See pf.conf(5) and /etc/examples/pf.conf
set block-policy drop
set skip on lo0
block return # block stateless traffic
pass # establish keep-state
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
match in all scrub (no-df random-id max-mss 1440)
block log all
match out on egress from (tun0:network) to any nat-to (egress:0)
pass out quick
# ssh
pass in on egress proto tcp from any to (egress) port 22
# openvpn
pass in on egress proto udp from any to (egress) port 1194
pass in on tun0
```

Check the syntax, then load it:

```sh
pfctl -nf /etc/pf.conf
pfctl -f /etc/pf.conf
```
## configure ldap

Install the plugin:

```sh
pkg_add openvpn-auth-ldap
```

The installation prints the following info:

```
--- +openvpn-auth-ldap-2.0.4p0 -------------------
Add the following to your OpenVPN configuration file:
plugin /usr/local/lib/openvpn-auth-ldap.so <config>
The config directive must point to an auth-ldap configuration file - a sample
configuration file can be found at:
/usr/local/share/examples/openvpn-auth-ldap/auth-ldap.conf
```

Add the following to openvpn.conf:

```
plugin /usr/local/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
```

/etc/openvpn/auth/ldap.conf will look something like this. It holds the bind password, so keep it from being world-readable; and with a plain `ldap://` URL and `TLSEnable` commented out, the bind password and every user's password cross the network in clear, so turn on `TLSEnable yes` (StartTLS) or use an `ldaps://` URL unless the path to the LDAP server is trusted:
```
<LDAP>
URL ldap://${LDAP_SERVER}
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN uid=binduser...,dc=net
Password SecretPassword
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
# TLSEnable yes
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
# TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs
</LDAP>
<Authorization>
# Base DN
BaseDN "cn=users,...,dc=net"
# User Search Filter
SearchFilter "(uid=%u)"
# TBD
RequireGroup false
# <Group>
# BaseDN "ou=Groups,dc=example,dc=com"
# SearchFilter "(|(cn=developers)(cn=artists))"
# MemberAttribute member
# </Group>
</Authorization>
```
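A failed bind or a wrong search filter only shows up as a rejected login in the OpenVPN log, so it is worth checking the LDAP side on its own first. The script below is an added example, not part of this page or of the openvpn-auth-ldap project: it reads URL, BindDN, Password, BaseDN and SearchFilter out of a ldap.conf laid out like the one above, substitutes `%u` the way the plugin does for SearchFilter, and runs `ldapsearch` with the same bind credentials and filter. The sample config embedded in it is constructed for the example (host `ldap.example.net`, DNs under `dc=example,dc=net`).

```sh
#!/bin/sh
# Added example: verify an openvpn-auth-ldap configuration with ldapsearch
# before OpenVPN depends on it. Not part of the plugin or of this guide.

# Constructed sample in the same layout as /etc/openvpn/auth/ldap.conf above.
SAMPLE_LDAP_CONF='<LDAP>
URL ldap://ldap.example.net
# Bind DN (if the LDAP server does not support anonymous binds)
BindDN uid=binduser,cn=users,dc=example,dc=net
Password SecretPassword
Timeout 15
# TLSEnable yes
</LDAP>
<Authorization>
BaseDN "cn=users,dc=example,dc=net"
SearchFilter "(uid=%u)"
RequireGroup false
</Authorization>'

# ldap_conf_get FILE SECTION KEY
# Print the value of KEY inside <SECTION>...</SECTION>, skipping "#" comment
# lines and stripping the double quotes auth-ldap puts around DNs and filters.
ldap_conf_get() {
    awk -v sec="$2" -v key="$3" '
        $0 ~ ("^[[:space:]]*<" sec ">")  { in_sec = 1; next }
        $0 ~ ("^[[:space:]]*</" sec ">") { in_sec = 0; next }
        in_sec && $1 == key {
            val = $0
            sub("^[[:space:]]*" key "[[:space:]]+", "", val)
            sub("[[:space:]]+$", "", val)
            gsub(/^"|"$/, "", val)
            print val
            exit
        }' "$1"
}

# render_filter FILTER USERNAME
# Replace %u with the user name, as the plugin does for SearchFilter.
# (A user name containing "&" would be interpreted by awk's gsub; not expected here.)
render_filter() {
    awk -v f="$1" -v u="$2" 'BEGIN { gsub(/%u/, u, f); print f }'
}

# ldap_check_user CONF USERNAME
# Bind with the configured BindDN/Password and search for USERNAME under BaseDN.
# Prints the matching DN(s); exit status is ldapsearch's (0 = bind and search OK).
ldap_check_user() {
    conf=$1 user=$2
    url=$(ldap_conf_get "$conf" LDAP URL)
    binddn=$(ldap_conf_get "$conf" LDAP BindDN)
    basedn=$(ldap_conf_get "$conf" Authorization BaseDN)
    filter=$(render_filter "$(ldap_conf_get "$conf" Authorization SearchFilter)" "$user")
    # Hand the bind password over in a 0600 temp file (-y) so it never appears in ps.
    pwfile=$(mktemp) || return 1
    chmod 600 "$pwfile"
    ldap_conf_get "$conf" LDAP Password | tr -d '\n' > "$pwfile"
    ldapsearch -LLL -H "$url" -D "$binddn" -y "$pwfile" -b "$basedn" -s sub "$filter" dn
    rc=$?
    rm -f "$pwfile"
    return $rc
}

# Usage: sh ldap-check.sh /etc/openvpn/auth/ldap.conf alice
if [ $# -ge 2 ]; then
    ldap_check_user "$1" "$2"
fi
```

If the search returns no DN, the plugin will reject that user even with a correct password; if the bind itself fails, every user is rejected, which is the first thing to rule out when `auth-user-pass` logins start failing.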
## using vpn

The client config:

```
client
dev tun
proto udp
remote ${SERVER_NAME}
nobind
tun-mtu 1500
verb 2
mute 20
persist-key
persist-tun
auth-nocache
auth-user-pass
remote-cert-tls server
cipher AES-256-GCM
<tls-crypt>
....
</tls-crypt>
<ca>
....
</ca>
```

```sh
sudo openvpn --config client.ovpn
```
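The `<tls-crypt>` and `<ca>` blocks are the server's /etc/openvpn/tc.key and /etc/openvpn/pki/ca.crt inlined. The script below is an added example (not from this page or from OpenVPN) that assembles a client.ovpn with the same directives as above from those two files and writes it with mode 0600, since the tls-crypt key is a shared secret; `vpn.example.net` is a constructed server name and the default paths are the ones used in this setup.

```sh
#!/bin/sh
# Added example: build a client.ovpn for the server configured above,
# inlining the CA certificate and the tls-crypt key. Not OpenVPN's own tooling.

# build_client_ovpn SERVER_NAME CA_FILE TC_KEY_FILE
# Print a complete client config to stdout; fails if either input is unreadable.
build_client_ovpn() {
    server=$1 ca=$2 tc=$3
    [ -r "$ca" ] || { echo "cannot read CA cert: $ca" >&2; return 1; }
    [ -r "$tc" ] || { echo "cannot read tls-crypt key: $tc" >&2; return 1; }
    cat <<EOF
client
dev tun
proto udp
remote $server
nobind
tun-mtu 1500
verb 2
mute 20
persist-key
persist-tun
auth-nocache
auth-user-pass
remote-cert-tls server
cipher AES-256-GCM
<tls-crypt>
$(cat "$tc")
</tls-crypt>
<ca>
$(cat "$ca")
</ca>
EOF
}

# write_client_ovpn OUT_FILE SERVER_NAME CA_FILE TC_KEY_FILE
# Same, but into a file created with mode 0600 (the key inside is a secret).
write_client_ovpn() {
    out=$1; shift
    ( umask 077; build_client_ovpn "$@" > "$out" )
}

# ovpn_has_block FILE TAG
# Succeed if FILE contains both the opening <TAG> and closing </TAG> lines.
ovpn_has_block() {
    grep -q "^<$2>\$" "$1" && grep -q "^</$2>\$" "$1"
}

# Usage: sh make-client.sh vpn.example.net > client.ovpn
#        (CA cert and key paths default to the ones used in this setup)
if [ $# -ge 1 ]; then
    build_client_ovpn "$1" "${2:-/etc/openvpn/pki/ca.crt}" "${3:-/etc/openvpn/tc.key}"
fi
```

Run it on the server as root (the key and CA cert live under /etc/openvpn) and copy the resulting file to the client over a channel you trust; since `verify-client-cert none` is set, the tls-crypt key plus an LDAP account is all a client needs, so treat the .ovpn like a credential.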
## sources

- openvpn remove redirect-gateway: https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway
- openvpn-ldap-auth: https://kifarunix.com/configure-openvpn-ldap-based-authentication/
- disable need for client cert: https://openvpn.net/community-resources/how-to/#using-username-password-authentication-as-the-only-form-of-client-authentication