vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-12-16 10:32:02 +01:00
Code Issues Packages Projects Releases Wiki Activity

Configexample: migrate openvpn-ldap to autotest

Browse Source
This commit is contained in:
rebortg 2023-05-10 15:58:06 +02:00
parent 54b34091f4
commit 6c0917208c
8 changed files with 597 additions and 95 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

293
docs/configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.log Normal file
View File

File diff suppressed because one or more lines are too long

265
docs/configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.rst Normal file
View File

@ -0,0 +1,265 @@
.. _examples-OpenVPN-with-LDAP:
#################
OpenVPN with LDAP
#################
| Testdate: 2023-05-10
| Version: 1.4-rolling-202304280615
This LAB show how to uwe OpenVPN with a Active Directory authentication backend.
The Topology are consists of:
* Windows Server 2019 with a running Active Directory
* VyOS as a OpenVPN Server
* VyOS as Client
.. image:: _include/topology.png
:alt: OpenVPN with LDAP topology image
Active Directory on Windows server
==================================
The Lab asume a full running Active Directory on the Windows Server.
Here are some PowerShell commands to quickly add a Test Active Directory.
.. code-block:: powershell
# install the Active Directory Server role
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
# install the Active Directory Server role
Install-ADDSForest -DomainName "vyos.local" -DomainNetBiosName "VYOS" -InstallDns:$true -NoRebootCompletion:$true
# create test user01 and binduser
New-ADUser binduser -AccountPassword(Read-Host -AsSecureString "Input Password") -Enabled $true
New-ADUser user01 -AccountPassword(Read-Host -AsSecureString "Input Password") -Enabled $true
Configuration VyOS as OpenVPN Server
====================================
In this example OpenVPN will be setup with a client certificate and username / password authentication.
First a CA, a signed server and client ceftificate and a Diffie-Hellman parameter musst be generated and installed.
Please look :ref:`here <configuration/pki/index:pki>` for more information.
| Add the LDAP plugin configuration file `/config/auth/ldap-auth.config`
| Check all possible settings `here <https://github.com/threerings/openvpn-auth-ldap/blob/master/auth-ldap.conf>`_
.. literalinclude:: _include/ldap-auth.config
:language: none
Now generate all required certificates on the ovpn-server:
first the PCA
.. code-block:: none
vyos@ovpn-server# run generate pki ca install OVPN-CA
after this create a signed server and a client certificate
.. code-block:: none
vyos@ovpn-server# run generate pki certificate sign OVPN-CA install SRV
vyos@ovpn-server# run generate pki certificate sign OVPN-CA install CLIENT
and last the DH Key
.. code-block:: none
vyos@ovpn-server# run generate pki dh install DH
after all these steps the config look like this:
.. code-block:: none
set pki ca OVPN-CA certificate 'MIIFnTCCA4WgAwIBAgIUORUZbBsuy0QupoJFJgXenSJ9AQQwDQYJKoZIhvcNAQELBQAwVzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0yMzA1MTAxMzQ5MDlaFw0zMzA1MDcxMzQ5MDlaMFcxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxEDAOBgNVBAMMB3Z5b3MuaW8wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCsL2Xui58HXpl+jreqRxYfNDx1ER7umJ0iPw2dyBuJhP1Hy7vlwyZRvdRQd2AexK1BU2lTkYMWh58BU/dxmnnVhfwr34wUYP6Cs10tKhOxTNj/87wfCBU1sCfvO77lPSNP9q/Ad7ZCF3K5Aruc6yO7i8Kx5mR9wysgNaVQQWCsZHKB91ZsviIsK51rVYNxF9WDxAP0Ms0pO/faSAFf70JbMG2jvRTAgQJ/+R+XXB/Rvg3cJrTYeSeFn+9len5N4HQgraw3tq/OLePYaZBew7a+GZ7YRsVdJbwq2Ch5lRN/jZxAyv4WJoMNEGJvb5I8pj/F3ECg6NcEmXaSnRXIO6eaq1v/huIsxNnWT9ns+/JB7OBDmZ88iMKP9z37X/AMwLKhcqjMGE9tR8zOMld2vqNgk6bhBzz28WJ6FT3bI30RT2fq+mnvS7rVFVyCMlruRg8jIkwa0sictXsO8rl+5i1L+44DC+L7YIlGykAMhc+V1AD3nXRz6sQH6O8Esr5hS2t3zEjcQ/jN0amlAKs8KLPaYh+Ui0E1gx0H7wGfVEVQ48IweIrRrZ0h9BG2i/9eHaM0kQjUP+I+P00dP6LdOawLWhzNQ8+9ES+1EAP088XpKK4jw9m+o6goqaLqHN0QBrfW8wSyMFE4wYin3dYGcykWqyx6Up14DGbF0iBCKSRVQwIDAQABo2EwXzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFG1bKeDc0O/cCwaarX59BCMSJDujMA0GCSqGSIb3DQEBCwUAA4ICAQBWI+p8tBzy6CO8ImP5DBQFwnVBv+6T59na2JrEq7nZk0aBITWh9PRp5w+ZOe+cL9jHZEJNoaSjq3/bkF/CSKCIoa0YiZX/MAs4d/EnttRhcudwgTbE6q0tIKDLlxoYI0Gpo7j48W1rPd0FKAc7igy4eQKOwDmqqG9gVmNTyyrT1pVvaic7Ok/c1QmVOEub0f7kW2EA4Zk9+HUVGHYdp3WfOX8QCI5nTrAO6YJrw+d1BUly6krnb7NWDkWarJ51e6TAR1dz4zp++jhNVssEHbLQyA7+HzWnRSbxYndxCPBnoXjQRwx8/3uUubj9l3CDIb1424D0sm8TNslhElD41/Ir1uQ/RRt15O1CKQJg6mpvDtgrOik+vpUMqBDYGQ38XgqzHYV1klCjo5NlNP33TRvlQe9B6LtxzBZvoxBfxYDIheSRdPbKP8DEHZ6z9d0d1Ubo/waExlcrUfBt4bbxNebsx9nuvVl8hl0R0iEInMjN3jaPrSrUEsPcXpBVL+VhzuWG7zTfGGUVIB+5UC/VCiFP+9LPqsfgBvXKIfIlj2dbLJOsoxZrJtXq7Jvdn7NqFo7vR0hw+YIzmnCFAGpTx6yuWpjuf2y5dY48iTfMuP2vUoGRxoO+8wFQONj4psAD524SnOpEwYw+3fuw+P5zC6hT9y4XkZKsEnu6nJjB8T0BlA=='
set pki ca OVPN-CA private key 'MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCsL2Xui58HXpl+jreqRxYfNDx1ER7umJ0iPw2dyBuJhP1Hy7vlwyZRvdRQd2AexK1BU2lTkYMWh58BU/dxmnnVhfwr34wUYP6Cs10tKhOxTNj/87wfCBU1sCfvO77lPSNP9q/Ad7ZCF3K5Aruc6yO7i8Kx5mR9wysgNaVQQWCsZHKB91ZsviIsK51rVYNxF9WDxAP0Ms0pO/faSAFf70JbMG2jvRTAgQJ/+R+XXB/Rvg3cJrTYeSeFn+9len5N4HQgraw3tq/OLePYaZBew7a+GZ7YRsVdJbwq2Ch5lRN/jZxAyv4WJoMNEGJvb5I8pj/F3ECg6NcEmXaSnRXIO6eaq1v/huIsxNnWT9ns+/JB7OBDmZ88iMKP9z37X/AMwLKhcqjMGE9tR8zOMld2vqNgk6bhBzz28WJ6FT3bI30RT2fq+mnvS7rVFVyCMlruRg8jIkwa0sictXsO8rl+5i1L+44DC+L7YIlGykAMhc+V1AD3nXRz6sQH6O8Esr5hS2t3zEjcQ/jN0amlAKs8KLPaYh+Ui0E1gx0H7wGfVEVQ48IweIrRrZ0h9BG2i/9eHaM0kQjUP+I+P00dP6LdOawLWhzNQ8+9ES+1EAP088XpKK4jw9m+o6goqaLqHN0QBrfW8wSyMFE4wYin3dYGcykWqyx6Up14DGbF0iBCKSRVQwIDAQABAoICABBB3L90WlxmmlqLMhyMirJWixtzNYxJ8j2As5HsChbmwh1XHKjEehKUuFOtTxuImWKGHsyU/B9n8w474IH5l7rz5CE7rFe46BRCHYWSp/pWav9mWCLxRJi68az9DfifWFKyqYR5fnFovQcVPXlC8FmYXWvQ+OMGRu+gcQ6N+wk75giPEw9rDQHw+kjfRuz/gZmSgTG7jDMc+47AvAnT/DFs9fp+81MmZdcxwpcBdpWl+rFdzDcg3/zrYr3zngekrizvCPLXt8C2r4EdnSkoFHyIIb8s63HwiqmG8Edj2SFIJx0tArw9AE7+9t8BAKSOU+N5eMwDQANUqWU4Gg2Q/bGNX7G8E9nm4/DvGarNjSitVaLeLeJqLxSOz2jmCq1rvi92m4sY42kAhM8JXTfN5KnZOF9TUumm4CbzO1zuP/E8QFQZL2BJCpYKIKJ5fNjDvHMSehodGxYV3nbmfNqQpFq1I33OwDteJf6mjEZVrbF3CutM0+lDXeR+Vhp/6MeuDC4FJ0ZF2Ixpw0o3OBn9Yb808TwAmLgFGycTD1OFujvR0K30fhwJ2HPkUnQmErUWjuCZ/qlohmX7RM3ffioq7LyeeHeSykwrd4v2BJjW711lLvnp1Stfj+xLO1RdbKjh6q8TxJj9+NHAvVguPVNGkvs5o2UAfE1bvFDCd1mSBxFVAoIBAQDTMXs6xE/RcSlecV544Pq0NRYMidO3M2cqox19vxSJf1U2AyPYD5SHeDwyAwMP6cJ4kd8rK4yoXWruKpNSt7BAvy0q0TWBjFsbTRH6aPsE1S9hyIXj3GKoBt6j1SzNiIGsU5V+t0c7JTTCbxnvRNfhFth7Kqymh/37NIDm+iE/HILA/yBfafvQF/a3HsmwdkcvWiZLNIVYMGZsn5G1eNfJw5M7m/15qYBDf6iV2bCuj+VowIDLHh9jGyNyxJ0u906De9w/0wiD50Bm8G31W5dIsz9UzBHBKwTe9Ubnd4cearxqpi0Zc7EBSNJExR8FGeQJ/5QFGWabKLm0VzRbBbHfAoIBAQDQt0WfPgQ5Gw5bfpyYygNi2snFSkkFkf9Ch2SOhWrTLGhmFlhBTdd4wjIUyNKuQe09keKhPBrMc4yMLmSQZTKocry2ydzOqXFq+ECWhVixvbp0nFpH1ClMh5EnabbLcOAQdZyysy7/Lt//L7pKTpFuJrk9TxAzLRa5QG8tussJMNC0xJxCYc+rZ4087JCxOFEwbCArIIqqLQu3CEmURdroniNybHIArAyPyHkbEDvEusuPU/uk7jc94djbM6s2BN9Y8gOWbw7K+swm0NCUH5pend1OHIMlI83SfEjCjFzwrRl+VhcLjRhCW9UXUV36LI1hQ+c9FfGSKPY7oyRu/LEdAoIBAEO/KLeWR8B423tnRJXkHaf3K4aEI/0tqRd9UbWHuS/OP+heo33oqY23XR/x5WaSZwbETGGNy8YqiWWzFKVBNXHfob6Nc+uFuagNVgoM6REIzfVBHOoWRTN/WKYXeRLJikdcXKVUZ64qZj1E5H3jiJi0+mawLsgQ8cFGe18ct9OF8s+0R48z8Uo0lbjyUGKh3n3rHkObqna6t/B6U4RyKk6XxUAm7u27GOEOL2c6eLnWgRHURrxhglIJX5quRXnObUoyTlnO+XlOklMzJyLA6cuxbExoVf2wLhTTe5Y+uoJgXOadPfRfL1WpJYJX9XZucr9eU/46wrZdHw0huDLGpeMCggEAWgwoMor8IXMl352hjF3j1huU39Sr6oZRve9SGBdBvngzVpAfZZVi+Eu4dbUrCFmTNHQjdfLLkRftNHGzm4S9tWVDPA2dgWAjecY/f3FqkczMjBEE9mZ3pvf6TSnT3rQFR7SmdYbPKPOdWqjJ09NP9VkppGTfFWVHn4dIME+d14pDESqeTBmNEmNr0TQzPPKSPLT5sAGrMb6bhk1CCYGV77SCkJRvHxEbnlEcxutbDgaVWnIeaMsJ9F3jRLdnD7hMcECCAb5KgJJxz/FZe/6iiF3NpCyy/CwVWdGbRqxuULwt+o7EBIzMQZ0DM7s8M3pTSPqV4on8HlYj3hkF2AiXlQKCAQEAl/1xRGHZ1yGkX812AVfy4tZaPImhGcM3tQdBvfAIuEWb6veoBC50BoCO6hyO5yEHQWWniSDcueIUNJuRxOHES+UUV0c7JtI5BaTUYiMuFlYoAJoUann9fpMnxRdKKvWNyVg/j4cLjO5jcYVLfQAPGujJyPAPlWvNZYSuRHcIWs+bX1hsv26047gAmOHlxkvgQicD805AX9G02pHTpoYF436HCSneOrUm6z3xKbVJCKsAGgYch67R1rC9Z8USLRB5mKZ8G8LPQRKjgW5bFM8oDUbmcmy56LKQeOEqC59LGClEWoYyR6vMQBXPg7de+2zzQyh+zk1paXHc+s3p4vc7dQ=='
set pki certificate SRV certificate 'MIIFtTCCA52gAwIBAgIUZJNkauiY/nr9YRSXB0LGtSaCay0wDQYJKoZIhvcNAQELBQAwVzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0yMzA1MTAxMzQ5MTlaFw0zMzA1MDcxMzQ5MTlaMFsxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxFDASBgNVBAMMC292cG4tc2VydmVyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsSiZK5zaOJrtCiWAsQFZaGtbAOM4xzfwW871A/p1cfmEsQ2sso71TVY6j2VHzN+LyZe8nfyUK+tTx0PrkoHaH3e2S4/3hqiPFhedLXffjMEqEfTfYjNLyzFc6Zfmez4UB+ehLlSWlOkhqIUTiWVz7HyI51C68vYkH7jpgkM8AZta98F/SbgvViFZAcrq3Tq8zO/lrd9/8heScYAgmBLxklKXxYW2GDwBFOnbITz/nFSgg8w+Y3pDPOnXe7H0aufI5GK8SvuxNK2Is8g3YvyF9UQwIJPZYy2Pn8Av5i/GHZC0qu/d76+18OdrXELC5dSCyGfqj2DQ/SJXPqlgwgVBqPcp3lhoycD68aGf+uedu6aWUldglYlij8ubxIL8kHnJK32MDoIGq5wDwdKBmknLkt+ja3uOG+9lyjbh40im+u2efkzK0cVBfJzOQQhs0cSbWSjhebsvzFZGg6G3gGhnRo13s2DVJJKm+5VruUFxmRRgTM3TpKz/YZHvtapfyOiTs63ezG/OR1pUk1u2HuFDmfbY4ytAWkJrjK1R9ap9p0t9QenXgHAzPd/GudYnJ3FS0SUrjWswbg5HrhZupjvP3X04pQ0LRfU6VimykyXBeP2qd2wPDGywIQmGG+O0lnWo4GZcwHbFJOq/eGCvMFMWlY+Wvc9bPCCgsFOcn8aM34sCAwEAAaN1MHMwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHQYDVR0OBBYEFFnsRTERh8wQZAHlQE0cvQgINyHmMB8GA1UdIwQYMBaAFG1bKeDc0O/cCwaarX59BCMSJDujMA0GCSqGSIb3DQEBCwUAA4ICAQCY/ZezExvFSXU3Y+vKHlL9AJp25yaVn6MdQmpX/YTM19HQcL64MP2M0uMTUzi0OlG7WP3Ka5wYH+3R++4VLPqygZ5DArFxtv34matKQVTKmf3S+0iVReLqyFBfTlvHBXXce+ksOqyHrg9B0teND7wNmpbL/Dzg41jacZTeWAY+8PShDY5wVFfp3MJt1Lm19nNcMbe/hMeffBY2CQgGx3Lp7YQepxwGhTxf/w2kNBjVUXkXqIGNc9/cQMU+HWnMGTMa1XREXAH9dSM7ME2JD/HKIPNgVkQuXs7AsGCbCTrXfIjEv7/4uSE6cMM/0WoU/Cj2gddnLsHcsrBu0WfoRbeR6+ZCeoDDz5ZRnGkkOXFldRswZRun9gh5MMjcHw3y4zeGm8YwxIDA6GzE03D8ROFrFiCHqylkCy8kSP/B0Uw5Nu8WuQPN6RfX90RMKf+BwHdipqL1g30ILgy6yZ2Geb9zJfwGoN0w1IKesEubJwAXp1iyujwPH+QvvH3HK0p83hyiHpkRqKWs6xTEPdtlDEf+w6bKO67yySIpdSlBGopNmG/1Y5gXheMcIUu152VuwJRxdyld1RmN1vG/5UWZqwO4XZJ8CUO5VWMDtCOOUOIezuquU0d11Lj0cj/bKnHcW6V7YUIWazgJLnrA9aYVfN5ErKWPK+ceQeLf6mhStwLcqA=='
set pki certificate SRV private key 'MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCxKJkrnNo4mu0KJYCxAVloa1sA4zjHN/BbzvUD+nVx+YSxDayyjvVNVjqPZUfM34vJl7yd/JQr61PHQ+uSgdofd7ZLj/eGqI8WF50td9+MwSoR9N9iM0vLMVzpl+Z7PhQH56EuVJaU6SGohROJZXPsfIjnULry9iQfuOmCQzwBm1r3wX9JuC9WIVkByurdOrzM7+Wt33/yF5JxgCCYEvGSUpfFhbYYPAEU6dshPP+cVKCDzD5jekM86dd7sfRq58jkYrxK+7E0rYizyDdi/IX1RDAgk9ljLY+fwC/mL8YdkLSq793vr7Xw52tcQsLl1ILIZ+qPYND9Ilc+qWDCBUGo9yneWGjJwPrxoZ/65527ppZSV2CViWKPy5vEgvyQeckrfYwOggarnAPB0oGaScuS36Nre44b72XKNuHjSKb67Z5+TMrRxUF8nM5BCGzRxJtZKOF5uy/MVkaDobeAaGdGjXezYNUkkqb7lWu5QXGZFGBMzdOkrP9hke+1ql/I6JOzrd7Mb85HWlSTW7Ye4UOZ9tjjK0BaQmuMrVH1qn2nS31B6deAcDM938a51icncVLRJSuNazBuDkeuFm6mO8/dfTilDQtF9TpWKbKTJcF4/ap3bA8MbLAhCYYb47SWdajgZlzAdsUk6r94YK8wUxaVj5a9z1s8IKCwU5yfxozfiwIDAQABAoICAC+4fWX7lua3iNF6X6uObvyLKpTXICS9wz+fxG1BaqB8c4tT4SiqDJa7+wNEZ25e6yMu/e5aqrkX51XeTFcHJm/iidbZ3XXG8uAjFUI5r5yVLdVvbjrgEXMXBW2g7sNU6gVlFgxKWdOb5uajjistCmhx9VjF7M3kkr9+ylu966yNIhhp5XVAqXOcgQLUG6bjGxdjKa3H7gmS4u4y8tS0CaF+IQbiaTYm962f/th5u2rret91xXp7ZSBD5zkZKvsfG4S1uf3Cxa2obxHqhUzjM9xo9UPZP64RCEaieOSbCtVM9PW0rkZRwQM2+zr7es95Co+cOllL3Y/KT9D/xCIPU2uSrVisdqi3TPHOn96GOlYvenIMsIauuR1KI2Ai9H380xVdFUv655eJZ5ASIosr8AL9hOxZNV/VeYHPWajhSa+P6MFZx4jFeXIbxt1BioeL6izbmFdxTgYDAhjZGWw2irnBuIcM6j8r6xom0Nfa8SbTgkf3M4yjYk4MP+rkCW8jhpZMqcvQPpWCbq5HEgNIKBrxkQo87Rphocn4KuxZ70lTpPE/4iOABadqreLPYqp9VTd5bvApKCdFZdnF9DdoHUBpDbNqbj85W8E2WMCJBrZZfTUIV05klQ0JM1cbQXyRz1BwhvuGDxEP2nQRQYbWeBfbDg0tXBuIwOZqIp9Om/kVAoIBAQDEwjW8YDAjKbgOvcd18pGG7E8xB6s0Tpo3AKvOezg4Z1yWeCx4eM6kKXxsHBAHb1fpxL0mkDusr0NgZyW4EuTl+EdQHu0i03YfayfLMSKLPtcqtamyPlCsRnHw6TdfblRfVk5URpF656M6fIKXokc/4yhYOCAWGHPQWgZpWeOlWtTMKRiDqJGO+VbRw8rNBcq5i7hnvH8ESLQrwS4EIOVvmdypod4UpML26EEfNKJD2zaMLaMMqbMGt/q/HUIcB+PRgV0oaM4HB59DNrdFbeZuU3PEXofU9uYFiv1MJzzfVPVBKjEXuqUDe0R5Op4K0KasdqQop5Oh55NxGxb1JttvAoIBAQDmf6c/xz1hjfOTGxZydgD210GVYEFB2EdZnn47TuNXOjPFk8FRva6qU6txezU7DmF356jE0NlAWgD6SoFtpqSKbrxrvxPjGHOYS3fXHD6FK9vlv3jqcoiQBPy2KP59wpkIpcQ+gKqgR/nfaWvfOb3IfqER6QtqvSxK5hInbj6xcZ32cCeSAEG0EH5Mh3DiMuctwZY/l1PKCvt0fn5N0KBvLMCTZBkqQcTL635yLMgDs0PtkKzf8k2FjCjkXZ4nYoQcZ41/bzfnxjitzGiSYp6V/Oq71ZKjjNyjEBOoFRXY1THVpONc1Afct2j54p74mKxcKZaGF2Df7xszvf3TgR+lAoIBAG95QIyLSnqBhmADsV/nn/97Hpq+p4apCcIjxTLkqMN7+/7b8wYGG7zyLCXr+EDeGka9ShTxHn4Fhfy2M66INdr8wRppixxyBbhjM1ZxbgrJ/YmbBpuPppEUEDXXS6Hrli21bgddO8sQNXBLXomeTROrFQ52LeeWzva6KmvBm7HxNiK9HcBp3p3MMh4B+YISx/o7aKyNJME+l6U6e2GnaZXC7DvHE1VKy5Krn0mYvl4Hcm4U5Q2lj2I9Ffj1EKFk7vOhgTAFwMRG0zp3Y3oYe7cB3NLiY76Ka2O0jTF6AYjeT10uFEZHXnoMeozcYvHpqKSJSxQlbQULeINaP7WA4E0CggEADy4A+bZJWI9cpyd1hvw2fAsZCplYMtnneQNzFLzRRAFVP4HHjXaMdjMka0jN7KG50Ye0GaIXbKGAxvr5IxuCYouAZSgkSyRlGHZ/4e6+P07wIGVHtUjtrW5mpih0+htCsMsZ7XPTyNJ0pj3vGLhYw0dznBZY5iKnNBeKwoYEIvN0j7I7KOZTbWRYrPmOeZcYmm7RUkbJAdlPThC2iLFgn3G3DP3emmXSbAuKPEKuuW+o3ZBVkjoG2PCuELwJmlZmlOhM7UOJzv3C5c88Y8eS4hXR76TVD2hLb4GzibI5yhngOk2tm4NrMSHzC+Hczkpfr4Ido58OhjDc/b9ZZABw8QKCAQEAlJNCdC5rFwg7AoHfobbRnpYjs+avaLUj6EV0AAqbSFM3+o3UVOxRGkbHqLm4DqcRRyMoRXxgeKFx5dInK9rrVGRaoTzE7c/Atp2N7SXgodz3jrcPhTHqF1Z4eBjbwvNPumYK7N2U8PtV4OTvihUSpPRN0IgPuGvo9OFVuKenag1rDu1pZlxOQ2uuiostAkdZ6qS45tf0rjCjcpq1DYqgVm785GXCgBMZATZyLzg4nhDpoKWIZevFFCek1CAO7s9X1kHUin/uDutX/lvWMed8TpP0yD7IZ6yh3CYD2Nus+8P3Mla6lMrwyY1VJzq7wXGr9P6u47tUcCgjyRT24EHjlg=='
set pki certificate CLIENT certificate 'MIIFsDCCA5igAwIBAgIUXOnWUTwh0zWkUX+LTlftlfkEGqAwDQYJKoZIhvcNAQELBQAwVzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0yMzA1MTAxMzQ5MjhaFw0zMzA1MDcxMzQ5MjhaMFYxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxDzANBgNVBAMMBmNsaWVudDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJgTHdmee0dFlbohSBF+Xy8XjWpCKnfXGNgr9JgU9+lzQ8SR+Z83XcRocvJXasSf4gDZK05pGhyXTx9KzTaYAZi1ZCK4pZ1fXZ+TdHgThLdLW7h/xDF3WU0omydCGiBkua3kldcRfhPnBYrWZwvHkeUOYNybRezM/fIGpnp74+YBXybGZ8YRLmRhc/j1QDJt0DLvVxfb6YkfU/vuSLnPtu40Ye/EsOhuPcStC9Mmctxx3msZH417z2wWQNvY926ZUQCXophkkhNA3kxUcz+gdV5ECCO+KPa7r305olFgv7c4KSNih7MmYBEyKMS7pA+CF9etEJs3VmHT9avGtKvDMW8XhoqpxTWQ15CNaEFGTxCejPuI+nFCoqtAN9Y9O/A6rsLuM6EuaDX2qjSUfDMnUVVclE7yL8JDZEOQZw970Mi+TnhbXfYEyvX8HJLk4Vg2JUc67jTDRiQfgWuJHiaPyrYX2ssP8LU/oOis638mHo+7YpJCSeqF0R4m6lSiQJNOz8knawp40Uu1iA9RqQrYT8MRt2quCRn2aUolvRmNB4dHS/2TUdHChBdDxylLzbFtZLkCiWwKKNvu3ZjxMua2AjYe904r+S4duow4MxfKUFsoMY6GlscGeReMXJVVx2i+580wF/tn+3k/9PUS90FoFhQCidfxib/Eo4rOT03awPGBAgMBAAGjdTBzMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBTTt3dGY9D07BI8V/0QmVI25bC+gDAfBgNVHSMEGDAWgBRtWyng3NDv3AsGmq1+fQQjEiQ7ozANBgkqhkiG9w0BAQsFAAOCAgEAKz+MT9JlvwUope8xrUuf+6s/fyiAvmQfGOAN6aBVyxO1+ZIAau6CXGJ9/MaJKF/Ju+V2zTpBVz2bFNxPHceY1z9rtQb0l+CG4elcsQY4vhouvDH+HoI8rP/jzFD25zsUmAlMaTZuLWU4WnVT2WhO5X1GZFKl5fT8ulyLx3rcb/CaiC6Kg+yi/tktFgpyWyjTMSVp9QBGYRudKVwKx585nb5a5Z+uLYBmYcYrRQvLWSQKGLb84qE8gOfek47FZCfoh7rlLpt8prFIW60xEarR4Ul/1xhs+2AqMw3mHuQrIxJgHvKoQHBkS/RadsRWglWasE0qm09BtoLeso1hZIXO2O830jXOYEZEuhE63iIHxBZUEUpurXt6he/IBL1l8UuRM6ArHtDo2awlnWlLUz34e1pSzLAtSfS9Iop+zxt/UDQtMCW/a2MQGB7m/kgCtICC0p8QsuGa8k/+SQOtTI1VAj/dJ2O5XFhfFYgDtT/XXa6o3nEmWW+KTtggcvGIyP0Huxq+6ShxrwKkXI0nWVffhVafcIkJnsUYTJu+Cx4KpilKV6+lzRQhK7UHfS0hErs0UQoZA4Fpz2uWukNe2fezl0IJThWPklGKOYriZyKb4i81i3occ1+9YpzKUrBD2ZI+t0Exp73/cfuQbiCOiIu80S44myiZMfD2OPvjR0lBSoE='
set pki certificate CLIENT private key 'MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCYEx3ZnntHRZW6IUgRfl8vF41qQip31xjYK/SYFPfpc0PEkfmfN13EaHLyV2rEn+IA2StOaRocl08fSs02mAGYtWQiuKWdX12fk3R4E4S3S1u4f8Qxd1lNKJsnQhogZLmt5JXXEX4T5wWK1mcLx5HlDmDcm0XszP3yBqZ6e+PmAV8mxmfGES5kYXP49UAybdAy71cX2+mJH1P77ki5z7buNGHvxLDobj3ErQvTJnLccd5rGR+Ne89sFkDb2PdumVEAl6KYZJITQN5MVHM/oHVeRAgjvij2u699OaJRYL+3OCkjYoezJmARMijEu6QPghfXrRCbN1Zh0/WrxrSrwzFvF4aKqcU1kNeQjWhBRk8Qnoz7iPpxQqKrQDfWPTvwOq7C7jOhLmg19qo0lHwzJ1FVXJRO8i/CQ2RDkGcPe9DIvk54W132BMr1/ByS5OFYNiVHOu40w0YkH4FriR4mj8q2F9rLD/C1P6DorOt/Jh6Pu2KSQknqhdEeJupUokCTTs/JJ2sKeNFLtYgPUakK2E/DEbdqrgkZ9mlKJb0ZjQeHR0v9k1HRwoQXQ8cpS82xbWS5AolsCijb7t2Y8TLmtgI2HvdOK/kuHbqMODMXylBbKDGOhpbHBnkXjFyVVcdovufNMBf7Z/t5P/T1EvdBaBYUAonX8Ym/xKOKzk9N2sDxgQIDAQABAoICAA4nLuhOc620TOHn1nCEwNbXcjQfi7R5VcwXxymr2RvzO/oPr3PBPN5Nh2+FC20L1J/i/KdNaJgDMvw4EEI49ZXg2wlqNhIGSpnSQnNcaaxML9fLa31CqZJ6dkbtXXro6BwsqA9Xuh9sqQ585rxpBFIVIcmjDJs9w5KVsNyF92jnQfpDWjjlgQ2BjlmiRY+/IMwxi/r7kgM1FOVfWon3sJ0AGtWsPUSpSEfFTR9UUDmyjt8lYiASRw5WdQ6g5WJExyeiQe69FjIDH803Yz4Nym6NliGLDjGF646tevnoFaxqsyI8BmITbu4BK48nrkMG05fUeQIURw6Cu5xf7JE7Vzgy7mBwujtkEuRmXz9LsJTaWt5I/sXDUh0Uwe0BGYj5O+8MB7yzQFBjhv6pLJZdySSVgSlmupbwtY2BcV48KuvPkzKngHXR8jA6p8XAQV2Xq2njQLsOKJrgEhbIp99h61ao5K6gtW056hSN4q01YA00JQZGKZRviUOuQGP71SNDPCl3uvvElVwBFtfEYV12VzFKye1fF2CcRThCEML91Qo/IueqrNEBVQHxnCO7R5uwKSkXZNJ5pNArMsAdMfLzXApDF3Dcctz/C9I0RG18EdtoW4RjPxEZ1wXHGVkvCpUCwNImsvxWOy78klnfEUyKtOCMdnn1flp0CiZzjGAMSiGbAoIBAQC9ZpY4XZ4v68KnaHyiqKjNQDU64wrONGK1XrMSwOl5a6Cg8S3n3d51E2AguFKilKZ1LJ721WGdEIO4+J9nFKvXYUSCl711cCh+njyaE3a9H6louFVZ2X3NxjLUSJtqUyBEOE/NzNxhTt9BoiiR3cKUmhLLlYkHmLnqBv3jw4Trl/rU3rDemAf6zOB0eXKM946qjQpfB2LsokCWWsOhnT1XBcSEvkHvSrWv4EH/6IDFAROBGtlCW2C8BiosRdpj8thsdnW1lvGAvHs27nLMXz3/NNBX03dlA8YRaelml0EDo0IwrXI7/u4Zy8wL3gfn/NPr0ST3jXz9K8nxvohPxwcfAoIBAQDNjIZs/HT6Y2rTMH++rC3ZNfLUm/3aNsVl1TB8nkEvfBQHU5HEyqqeE4d/b3+7bRwWhVpfNHLerMV8qNr8iAjvpeL5nvnmUPHLT0CpsI+wUvOlnluHGsCfyLWDNVBPcDL10scediYMkKGJGiQSbl355JbIrYxA5AgA7qUGcLQ7mGmwzXyJgmBMOJbDyYvoezh4iogWxC4Clh834UgmGWJp2Bi20VuqF00HClN+z1QELQN2Pu2SVK5XTlfXmuYHc3Bi1xvD2KaLyqT2BtWVRS9RDG0LOzgOAnG9Mx7SEtPAnRhpydx28HWEwGaFKas6QaIuDo92Blpo40ti2Yav4hNfAoIBAQC0m0SYDz2u+KQvuwVOnoII5zdbJfHB3FZcGSettGNus2EC17ksp3dgMM+zo9C41AM/LQOQ4L0qZvsUwZBPXXjX8xq/ZS7287LJut6TFgheI/kJsO1CtpCuTldd8raw1v+nzgLbfoSQDgP6tET3g33u8lUF6Vw38D0omu4z6NexSMWZg5kpSdQiJofKyZygK9jRbZj8MTD18WqhdX+jdyts9kUFR9/b7WP/iFunSfCw62vL6uxNyJEf+sjwWtP8BzC1jOiF9p/oYNMl+I9jr1aRK62YckAiBU00gchdWdJXQ7D0dhC+gURPOPUkQ99KKt9yuYcEwNj1GnKBoWyelm2FAoIBAHoj2bEjZuNudgjeVdpYd7oNm6kItJSZXT0ArJowc62ivkgIOaNFhpL+KdLoz27xC/K59RSDlwqIgaVstQvATgcRfMk11WstiDB2fIcY2pk9AXjVm6+xjuqjmnBIGtvJYQ6/3ABW1o861jIg7XRiTsdyNMM0lRXuKm9bX4ZvLDoJfCxKPol7hntkWPooZlGT/t9p+ioFEw4IZK6Q2I2DIf6hITZpO13cELJxSWIeEt+UW+1EwWjllt9cN0hvy+Z7iznAdsgukfCZTuK+9uWHQfGYP6ef3dQ9UZbKrLLJ6zgWYW5jO/UVN8/VgFX6h7vLSnKxxj+s0MZo4d/wQF99KGMCggEACAWOCIerQRC51zo8eXOB65mmpR0nX/VuWCZw4uIo5tVZ47JskPIH9MTyd/OLbHDa3esJjmZawSl0lI0j7p/yY+J9TEJyOCUU9PCDUw+BeJ39/VqW/fyBn8gI1cC3BnPkDf2HnbgHxaCP37sy/aHs7Xn/bNDaLksEDWDblFCQ5tYqGbZhxUNnsx2x3z/aYJVmx0lkKXSA+8rKeAk+OnDHUjlJjpRIcAsQJE6Ni+2cHbYygVPXiFbbKk+2ekNwYkhMZ+DP+t+uY5ZRfwq0jjIrh+5fyw26yG9PoXspGoqPCTcQ9BEqU88J6ziFrxWXbmsYdR1dnKCZXcKJVKqJIFCnyg=='
set pki dh DH parameters 'MIIBCAKCAQEArXG91W69LiDsmnDvXjXl9eJzEY0f/SLuipxqYRYdplgWbD3IQlMBtp66onNrb11ZVJa0jkddq3qJbJPZ4mTkb+wGH2bpdAgWx48k+c/JCBSF56NoAHLUhn/+UWHvzfOQOLYVJD4maTxWw4f9WlInANS/B/BQY+Z7zWuEX2F5dnBij5hlMHwgRxq86m4Wm3WNXyux4plVqtW0Htrm0Cl5m+SV04bDA4D5SK22hW8L4FnnPQmlzBb1nRdpolw6SdZKs/bgSfV2wGMfe3Yh0afdOLg5AI2sfgAl/7fCPOXUwaDuqSOkXAEnGqzD+XbuMdJ7947HMumODkOty5j3ysn/hwIBAg=='
Once all the required certificates and keys are installed, the remaining
OpenVPN Server configuration can be carried out.
.. literalinclude:: _include/ovpn-server.conf
:language: none
Client configuration
====================
One advantage of having the client certificate stored is the ability to create the client configuration.
.. code-block:: none
vyos@ovpn-server:~$ generate openvpn client-config interface vtun10 ca OVPN-CA certificate CLIENT
save the output to a file and import it in nearly all openvpn clients.
.. code-block:: none
client
nobind
remote 198.51.100.254 1194
remote-cert-tls server
proto udp
dev tun
dev-type tun
persist-key
persist-tun
verb 3
# Encryption options
keysize 256
comp-lzo no
<ca>
-----BEGIN CERTIFICATE-----
MIIFnTCCA4WgAwIBAgIUORUZbBsuy0QupoJFJgXenSJ9AQQwDQYJKoZIhvcNAQEL
BQAwVzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcM
CVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0y
MzA1MTAxMzQ5MDlaFw0zMzA1MDcxMzQ5MDlaMFcxCzAJBgNVBAYTAkdCMRMwEQYD
VQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5
T1MxEDAOBgNVBAMMB3Z5b3MuaW8wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
AoICAQCsL2Xui58HXpl+jreqRxYfNDx1ER7umJ0iPw2dyBuJhP1Hy7vlwyZRvdRQ
d2AexK1BU2lTkYMWh58BU/dxmnnVhfwr34wUYP6Cs10tKhOxTNj/87wfCBU1sCfv
O77lPSNP9q/Ad7ZCF3K5Aruc6yO7i8Kx5mR9wysgNaVQQWCsZHKB91ZsviIsK51r
VYNxF9WDxAP0Ms0pO/faSAFf70JbMG2jvRTAgQJ/+R+XXB/Rvg3cJrTYeSeFn+9l
en5N4HQgraw3tq/OLePYaZBew7a+GZ7YRsVdJbwq2Ch5lRN/jZxAyv4WJoMNEGJv
b5I8pj/F3ECg6NcEmXaSnRXIO6eaq1v/huIsxNnWT9ns+/JB7OBDmZ88iMKP9z37
X/AMwLKhcqjMGE9tR8zOMld2vqNgk6bhBzz28WJ6FT3bI30RT2fq+mnvS7rVFVyC
MlruRg8jIkwa0sictXsO8rl+5i1L+44DC+L7YIlGykAMhc+V1AD3nXRz6sQH6O8E
sr5hS2t3zEjcQ/jN0amlAKs8KLPaYh+Ui0E1gx0H7wGfVEVQ48IweIrRrZ0h9BG2
i/9eHaM0kQjUP+I+P00dP6LdOawLWhzNQ8+9ES+1EAP088XpKK4jw9m+o6goqaLq
HN0QBrfW8wSyMFE4wYin3dYGcykWqyx6Up14DGbF0iBCKSRVQwIDAQABo2EwXzAP
BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEF
BQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFG1bKeDc0O/cCwaarX59BCMSJDujMA0G
CSqGSIb3DQEBCwUAA4ICAQBWI+p8tBzy6CO8ImP5DBQFwnVBv+6T59na2JrEq7nZ
k0aBITWh9PRp5w+ZOe+cL9jHZEJNoaSjq3/bkF/CSKCIoa0YiZX/MAs4d/EnttRh
cudwgTbE6q0tIKDLlxoYI0Gpo7j48W1rPd0FKAc7igy4eQKOwDmqqG9gVmNTyyrT
1pVvaic7Ok/c1QmVOEub0f7kW2EA4Zk9+HUVGHYdp3WfOX8QCI5nTrAO6YJrw+d1
BUly6krnb7NWDkWarJ51e6TAR1dz4zp++jhNVssEHbLQyA7+HzWnRSbxYndxCPBn
oXjQRwx8/3uUubj9l3CDIb1424D0sm8TNslhElD41/Ir1uQ/RRt15O1CKQJg6mpv
DtgrOik+vpUMqBDYGQ38XgqzHYV1klCjo5NlNP33TRvlQe9B6LtxzBZvoxBfxYDI
heSRdPbKP8DEHZ6z9d0d1Ubo/waExlcrUfBt4bbxNebsx9nuvVl8hl0R0iEInMjN
3jaPrSrUEsPcXpBVL+VhzuWG7zTfGGUVIB+5UC/VCiFP+9LPqsfgBvXKIfIlj2db
LJOsoxZrJtXq7Jvdn7NqFo7vR0hw+YIzmnCFAGpTx6yuWpjuf2y5dY48iTfMuP2v
UoGRxoO+8wFQONj4psAD524SnOpEwYw+3fuw+P5zC6hT9y4XkZKsEnu6nJjB8T0B
lA==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIFsDCCA5igAwIBAgIUXOnWUTwh0zWkUX+LTlftlfkEGqAwDQYJKoZIhvcNAQEL
BQAwVzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcM
CVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0y
MzA1MTAxMzQ5MjhaFw0zMzA1MDcxMzQ5MjhaMFYxCzAJBgNVBAYTAkdCMRMwEQYD
VQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5
T1MxDzANBgNVBAMMBmNsaWVudDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
ggIBAJgTHdmee0dFlbohSBF+Xy8XjWpCKnfXGNgr9JgU9+lzQ8SR+Z83XcRocvJX
asSf4gDZK05pGhyXTx9KzTaYAZi1ZCK4pZ1fXZ+TdHgThLdLW7h/xDF3WU0omydC
GiBkua3kldcRfhPnBYrWZwvHkeUOYNybRezM/fIGpnp74+YBXybGZ8YRLmRhc/j1
QDJt0DLvVxfb6YkfU/vuSLnPtu40Ye/EsOhuPcStC9Mmctxx3msZH417z2wWQNvY
926ZUQCXophkkhNA3kxUcz+gdV5ECCO+KPa7r305olFgv7c4KSNih7MmYBEyKMS7
pA+CF9etEJs3VmHT9avGtKvDMW8XhoqpxTWQ15CNaEFGTxCejPuI+nFCoqtAN9Y9
O/A6rsLuM6EuaDX2qjSUfDMnUVVclE7yL8JDZEOQZw970Mi+TnhbXfYEyvX8HJLk
4Vg2JUc67jTDRiQfgWuJHiaPyrYX2ssP8LU/oOis638mHo+7YpJCSeqF0R4m6lSi
QJNOz8knawp40Uu1iA9RqQrYT8MRt2quCRn2aUolvRmNB4dHS/2TUdHChBdDxylL
zbFtZLkCiWwKKNvu3ZjxMua2AjYe904r+S4duow4MxfKUFsoMY6GlscGeReMXJVV
x2i+580wF/tn+3k/9PUS90FoFhQCidfxib/Eo4rOT03awPGBAgMBAAGjdTBzMAwG
A1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMC
MB0GA1UdDgQWBBTTt3dGY9D07BI8V/0QmVI25bC+gDAfBgNVHSMEGDAWgBRtWyng
3NDv3AsGmq1+fQQjEiQ7ozANBgkqhkiG9w0BAQsFAAOCAgEAKz+MT9JlvwUope8x
rUuf+6s/fyiAvmQfGOAN6aBVyxO1+ZIAau6CXGJ9/MaJKF/Ju+V2zTpBVz2bFNxP
HceY1z9rtQb0l+CG4elcsQY4vhouvDH+HoI8rP/jzFD25zsUmAlMaTZuLWU4WnVT
2WhO5X1GZFKl5fT8ulyLx3rcb/CaiC6Kg+yi/tktFgpyWyjTMSVp9QBGYRudKVwK
x585nb5a5Z+uLYBmYcYrRQvLWSQKGLb84qE8gOfek47FZCfoh7rlLpt8prFIW60x
EarR4Ul/1xhs+2AqMw3mHuQrIxJgHvKoQHBkS/RadsRWglWasE0qm09BtoLeso1h
ZIXO2O830jXOYEZEuhE63iIHxBZUEUpurXt6he/IBL1l8UuRM6ArHtDo2awlnWlL
Uz34e1pSzLAtSfS9Iop+zxt/UDQtMCW/a2MQGB7m/kgCtICC0p8QsuGa8k/+SQOt
TI1VAj/dJ2O5XFhfFYgDtT/XXa6o3nEmWW+KTtggcvGIyP0Huxq+6ShxrwKkXI0n
WVffhVafcIkJnsUYTJu+Cx4KpilKV6+lzRQhK7UHfS0hErs0UQoZA4Fpz2uWukNe
2fezl0IJThWPklGKOYriZyKb4i81i3occ1+9YpzKUrBD2ZI+t0Exp73/cfuQbiCO
iIu80S44myiZMfD2OPvjR0lBSoE=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCYEx3ZnntHRZW6
IUgRfl8vF41qQip31xjYK/SYFPfpc0PEkfmfN13EaHLyV2rEn+IA2StOaRocl08f
Ss02mAGYtWQiuKWdX12fk3R4E4S3S1u4f8Qxd1lNKJsnQhogZLmt5JXXEX4T5wWK
1mcLx5HlDmDcm0XszP3yBqZ6e+PmAV8mxmfGES5kYXP49UAybdAy71cX2+mJH1P7
7ki5z7buNGHvxLDobj3ErQvTJnLccd5rGR+Ne89sFkDb2PdumVEAl6KYZJITQN5M
VHM/oHVeRAgjvij2u699OaJRYL+3OCkjYoezJmARMijEu6QPghfXrRCbN1Zh0/Wr
xrSrwzFvF4aKqcU1kNeQjWhBRk8Qnoz7iPpxQqKrQDfWPTvwOq7C7jOhLmg19qo0
lHwzJ1FVXJRO8i/CQ2RDkGcPe9DIvk54W132BMr1/ByS5OFYNiVHOu40w0YkH4Fr
iR4mj8q2F9rLD/C1P6DorOt/Jh6Pu2KSQknqhdEeJupUokCTTs/JJ2sKeNFLtYgP
UakK2E/DEbdqrgkZ9mlKJb0ZjQeHR0v9k1HRwoQXQ8cpS82xbWS5AolsCijb7t2Y
8TLmtgI2HvdOK/kuHbqMODMXylBbKDGOhpbHBnkXjFyVVcdovufNMBf7Z/t5P/T1
EvdBaBYUAonX8Ym/xKOKzk9N2sDxgQIDAQABAoICAA4nLuhOc620TOHn1nCEwNbX
cjQfi7R5VcwXxymr2RvzO/oPr3PBPN5Nh2+FC20L1J/i/KdNaJgDMvw4EEI49ZXg
2wlqNhIGSpnSQnNcaaxML9fLa31CqZJ6dkbtXXro6BwsqA9Xuh9sqQ585rxpBFIV
IcmjDJs9w5KVsNyF92jnQfpDWjjlgQ2BjlmiRY+/IMwxi/r7kgM1FOVfWon3sJ0A
GtWsPUSpSEfFTR9UUDmyjt8lYiASRw5WdQ6g5WJExyeiQe69FjIDH803Yz4Nym6N
liGLDjGF646tevnoFaxqsyI8BmITbu4BK48nrkMG05fUeQIURw6Cu5xf7JE7Vzgy
7mBwujtkEuRmXz9LsJTaWt5I/sXDUh0Uwe0BGYj5O+8MB7yzQFBjhv6pLJZdySSV
gSlmupbwtY2BcV48KuvPkzKngHXR8jA6p8XAQV2Xq2njQLsOKJrgEhbIp99h61ao
5K6gtW056hSN4q01YA00JQZGKZRviUOuQGP71SNDPCl3uvvElVwBFtfEYV12VzFK
ye1fF2CcRThCEML91Qo/IueqrNEBVQHxnCO7R5uwKSkXZNJ5pNArMsAdMfLzXApD
F3Dcctz/C9I0RG18EdtoW4RjPxEZ1wXHGVkvCpUCwNImsvxWOy78klnfEUyKtOCM
dnn1flp0CiZzjGAMSiGbAoIBAQC9ZpY4XZ4v68KnaHyiqKjNQDU64wrONGK1XrMS
wOl5a6Cg8S3n3d51E2AguFKilKZ1LJ721WGdEIO4+J9nFKvXYUSCl711cCh+njya
E3a9H6louFVZ2X3NxjLUSJtqUyBEOE/NzNxhTt9BoiiR3cKUmhLLlYkHmLnqBv3j
w4Trl/rU3rDemAf6zOB0eXKM946qjQpfB2LsokCWWsOhnT1XBcSEvkHvSrWv4EH/
6IDFAROBGtlCW2C8BiosRdpj8thsdnW1lvGAvHs27nLMXz3/NNBX03dlA8YRaelm
l0EDo0IwrXI7/u4Zy8wL3gfn/NPr0ST3jXz9K8nxvohPxwcfAoIBAQDNjIZs/HT6
Y2rTMH++rC3ZNfLUm/3aNsVl1TB8nkEvfBQHU5HEyqqeE4d/b3+7bRwWhVpfNHLe
rMV8qNr8iAjvpeL5nvnmUPHLT0CpsI+wUvOlnluHGsCfyLWDNVBPcDL10scediYM
kKGJGiQSbl355JbIrYxA5AgA7qUGcLQ7mGmwzXyJgmBMOJbDyYvoezh4iogWxC4C
lh834UgmGWJp2Bi20VuqF00HClN+z1QELQN2Pu2SVK5XTlfXmuYHc3Bi1xvD2KaL
yqT2BtWVRS9RDG0LOzgOAnG9Mx7SEtPAnRhpydx28HWEwGaFKas6QaIuDo92Blpo
40ti2Yav4hNfAoIBAQC0m0SYDz2u+KQvuwVOnoII5zdbJfHB3FZcGSettGNus2EC
17ksp3dgMM+zo9C41AM/LQOQ4L0qZvsUwZBPXXjX8xq/ZS7287LJut6TFgheI/kJ
sO1CtpCuTldd8raw1v+nzgLbfoSQDgP6tET3g33u8lUF6Vw38D0omu4z6NexSMWZ
g5kpSdQiJofKyZygK9jRbZj8MTD18WqhdX+jdyts9kUFR9/b7WP/iFunSfCw62vL
6uxNyJEf+sjwWtP8BzC1jOiF9p/oYNMl+I9jr1aRK62YckAiBU00gchdWdJXQ7D0
dhC+gURPOPUkQ99KKt9yuYcEwNj1GnKBoWyelm2FAoIBAHoj2bEjZuNudgjeVdpY
d7oNm6kItJSZXT0ArJowc62ivkgIOaNFhpL+KdLoz27xC/K59RSDlwqIgaVstQvA
TgcRfMk11WstiDB2fIcY2pk9AXjVm6+xjuqjmnBIGtvJYQ6/3ABW1o861jIg7XRi
TsdyNMM0lRXuKm9bX4ZvLDoJfCxKPol7hntkWPooZlGT/t9p+ioFEw4IZK6Q2I2D
If6hITZpO13cELJxSWIeEt+UW+1EwWjllt9cN0hvy+Z7iznAdsgukfCZTuK+9uWH
QfGYP6ef3dQ9UZbKrLLJ6zgWYW5jO/UVN8/VgFX6h7vLSnKxxj+s0MZo4d/wQF99
KGMCggEACAWOCIerQRC51zo8eXOB65mmpR0nX/VuWCZw4uIo5tVZ47JskPIH9MTy
d/OLbHDa3esJjmZawSl0lI0j7p/yY+J9TEJyOCUU9PCDUw+BeJ39/VqW/fyBn8gI
1cC3BnPkDf2HnbgHxaCP37sy/aHs7Xn/bNDaLksEDWDblFCQ5tYqGbZhxUNnsx2x
3z/aYJVmx0lkKXSA+8rKeAk+OnDHUjlJjpRIcAsQJE6Ni+2cHbYygVPXiFbbKk+2
ekNwYkhMZ+DP+t+uY5ZRfwq0jjIrh+5fyw26yG9PoXspGoqPCTcQ9BEqU88J6ziF
rxWXbmsYdR1dnKCZXcKJVKqJIFCnyg==
-----END PRIVATE KEY-----
</key>
Monitoring
==========
If the client is connect successfully you can check the output with
.. code-block:: none
vyos@ovpn-server:~$ show openvpn server
OpenVPN status on vtun10
Client CN Remote Host Tunnel IP Local Host TX bytes RX bytes Connected Since
----------- ------------------ ----------- ------------------- ---------- ---------- -------------------
client 198.51.100.1:40297 10.23.1.6 198.51.100.254:1194 4.8 KB 4.8 KB 2023-05-10 13:52:01

10
docs/configexamples/autotest/OpenVPN_with_LDAP/_include/client.conf Normal file
View File

@ -0,0 +1,10 @@
set interfaces ethernet eth1 address '198.51.100.1/24'
set interfaces openvpn vtun1 mode client
set interfaces openvpn vtun1 remote-host 198.51.100.254
set interfaces openvpn vtun1 remote-port 1194
set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 tls certificate CLIENT
set interfaces openvpn vtun1 tls ca-certificate OVPN-CA
set interfaces openvpn vtun1 authentication username 'user01'
set interfaces openvpn vtun1 authentication password 'P4ssw0rd123'

13
docs/configexamples/autotest/OpenVPN_with_LDAP/_include/ldap-auth.config Normal file
View File

@ -0,0 +1,13 @@
<LDAP>
URL ldap://192.168.1.10
BindDN bind_user@vyos.local
Password P4ssw0rd123
Timeout 15
TLSEnable no
FollowReferrals no
</LDAP>
<Authorization>
BaseDN "DC=vyos,DC=local"
SearchFilter "sAMAccountName=%u"
RequireGroup false
</Authorization>

15
docs/configexamples/autotest/OpenVPN_with_LDAP/_include/ovpn-server.conf Normal file
View File

@ -0,0 +1,15 @@
set interface ethernet eth1 address '192.168.1.1/24'
set interface ethernet eth2 address '198.51.100.254/24'
set interfaces openvpn vtun10 local-host '198.51.100.254'
set interfaces openvpn vtun10 local-port '1194'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 openvpn-option '--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 server push-route '192.168.1.0/24'
set interfaces openvpn vtun10 server subnet '10.23.1.0/24'
set interfaces openvpn vtun10 tls ca-certificate OVPN-CA
set interfaces openvpn vtun10 tls certificate SRV
set interfaces openvpn vtun10 tls dh-params DH
set protocols static route 10.1.1.0/24 interface vtun10

BIN
docs/configexamples/autotest/OpenVPN_with_LDAP/_include/topology.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

2
docs/configexamples/index.rst
View File

@ -18,7 +18,6 @@ This chapter contains various configuration examples:
pppoe-ipv6-basic
l3vpn-hub-and-spoke
inter-vrf-routing-vrf-lite
openvpn-ldap
qos
segment-routing-isis
nmp
@ -52,3 +51,4 @@ The process will do the following steps:
autotest/tunnelbroker/tunnelbroker
autotest/L3VPN_EVPN/L3VPN_EVPN
autotest/Wireguard/Wireguard
autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP

94
docs/configexamples/openvpn-ldap.rst
View File

@ -1,94 +0,0 @@
:lastproofread: 2023-01-29
.. _examples-openvvpn-ldap:
#########################
OpenVPN with LDAP example
#########################
Configuration AD and a windows server
=====================================
We aim to configure LDAP authentication between the VYOS router and Windows Server 2019 (role: Active Directory) when our customers connect to our privet network using the OpenVPN client.
Using the general schema for example:
.. image:: /_static/images/mainschema.png
:width: 80%
:align: center
:alt: Network Topology Diagram
.. code-block:: none
VyOS - the main OpenVPN server
Winserver - windows server with role Active Directory
Win10-PC - OpenVPN customer with LDAP authentication
First, we need to configure the AD service and create two accounts. One account for the LDAP adapter built into the VYOS router and a second even account for our test client.
.. image:: /_static/images/ldapone.png
:width: 80%
:align: center
:alt: Network Topology Diagram
Picture 1 - Adding the AD role
.. image:: /_static/images/ldaptwo.png
:width: 80%
:align: center
:alt: Network Topology Diagram
Picture 2 - Adding the AD role
Configuration VyOS router
=========================
Make the configuration file for the LDAP plugin.
.. code-block:: none
vyos@vyos:~$ sudo cat /config/auth/ldap-auth.config
<LDAP>
URL ldap://10.217.80.58
BindDN userldap@corp.vyos.com
Password YourPass
Timeout 15
TLSEnable no
FollowReferrals no
</LDAP>
<Authorization>
BaseDN "DC=corp,DC=vyos,DC=com"
SearchFilter "sAMAccountName=%u"
RequireGroup false
</Authorization>
**This specific example is for a windows server 2019**:
* URL ldap://10.217.80.58 - The URL of your LDAP server
* BindDN userldap@corp.vyos.com - The BindDN of the users' directory
* BaseDN "DC=corp,DC=vyos,DC=com" - In the block <Authorization> notice your domain
Make the main config for VyOS like VPN and Authorization server:
.. code-block:: none
set interfaces ethernet eth0 address 'dhcp'
set interfaces openvpn vtun10 local-port '1194'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 openvpn-option '--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ldap-auth.config'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 server push-route 192.168.0.0/16
set interfaces openvpn vtun10 server subnet '10.23.1.0/24'
set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/openvpn/ca.crt'
set interfaces openvpn vtun10 tls cert-file '/config/auth/openvpn/central.crt'
set interfaces openvpn vtun10 tls crl-file '/config/auth/openvpn/crl.pem'
set interfaces openvpn vtun10 tls dh-file '/config/auth/openvpn/dh.pem'
set interfaces openvpn vtun10 tls key-file '/config/auth/openvpn/central.key'
set protocols static interface-route 10.23.0.0/20 next-hop-interface vtun10
set service ssh port '22'
Next, you need to install and configure the configuration file for the windows/Linux OpenVPN client. After connecting to the VPN servers, you will be prompted to go through LDAP authorization.
**To automatically generate the openVPN configuration file for windows clients, you can use this link:**
https://ovpnconfig.com.br/