OpenVPN

OpenVPN Configuration

  • Before you start, make sure you have a working OpenVPN server

    Note: Please be sure to have a TrustelemConnect app correctly configured

  • Install the openvpn-auth-ldap package on the VPN machine by running apt install openvpn-auth-ldap

  • Copy the example file installed by the package, /usr/share/doc/openvpn-auth-ldap/examples/auth-ldap.conf, to /etc/openvpn/auth/ldap.conf

  • Optionally, set up a custom LDAP service account and a custom LDAP password in the Trustelem app settings

  • Paste the content below into the ldap.conf file you just copied, and replace the BindDN line with the values for your directory (the URL line also needs the real address and port of your TrustelemConnect server)

      <LDAP>
          # URL of the server where TrustelemConnect is running
          URL ldap://address:port
          # Bind DN
          BindDN cn=trustelem,DC=wallix-jflacher,DC=trustelem,DC=com
          # Bind password
          Password xNc3x8T0hFtKKpQq
          # Network timeout (in seconds)
          Timeout 30
          # Enable Start TLS
          TLSEnable no
          # Follow LDAP Referrals (anonymously)
          FollowReferrals yes
          # TLS CA Certificate File
          TLSCACertFile /usr/local/etc/ssl/ca.pem
          # TLS CA Certificate Directory
          TLSCACertDir /etc/ssl/certs
          # Client Certificate and key
          # If TLS client authentication is required
          TLSCertFile /usr/local/etc/ssl/client-cert.pem
          TLSKeyFile /usr/local/etc/ssl/client-key.pem
          # Cipher Suite
          # The defaults are usually fine here
          # TLSCipherSuite ALL:!ADH:@STRENGTH
      </LDAP>
    
      <Authorization>
          # Base DN
          BaseDN DC=wallix-jflacher,DC=trustelem,DC=com
          # User Search Filter
          SearchFilter "(mail=%u)"
          # Require Group Membership
          RequireGroup false
          # Add non-group members to a PF table (disabled)
          #PFTable ips_vpn_users
          # Uncomment and set to true to support OpenVPN Challenge/Response
          #PasswordIsCR false
      </Authorization>
    
  • Add the following line to your OpenVPN server configuration file: plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf

  • Restart your OpenVPN server
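Before the final restart, a pre-flight check of ldap.conf catches the mistakes that most often break or weaken this setup. This script is an added example, not part of the TrustelemConnect documentation: it reads the file and reports a placeholder URL, a plain ldap:// connection without StartTLS, loose file permissions on a file that holds the bind password, and RequireGroup left at false. The sample it inspects is constructed from the block above.

```shell
#!/bin/sh
# Added pre-flight check for /etc/openvpn/auth/ldap.conf; not part of the
# TrustelemConnect documentation. Run it before restarting OpenVPN.

# conf_value FILE KEY: value of the first uncommented KEY line, or empty
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" "$1" | head -n 1
}

# check_ldap_conf FILE: prints one finding per line, returns the count (0 = clean)
check_ldap_conf() {
    f=$1; n=0; url=$(conf_value "$f" URL)
    case "$url" in *address:port*)
        echo "URL still holds the placeholder address:port"; n=$((n+1)) ;;
    esac
    case "$url" in ldap://*)
        [ "$(conf_value "$f" TLSEnable)" = yes ] || { echo \
        "ldap:// without TLSEnable yes: bind password and user credentials cross the network unencrypted (use ldaps:// or StartTLS)"; n=$((n+1)); } ;;
    esac
    case "$(ls -ld "$f" | cut -c5-10)" in ------) ;; *)
        echo "$f contains the bind Password but is group/world readable (chmod 600)"; n=$((n+1)) ;;
    esac
    [ "$(conf_value "$f" RequireGroup)" = false ] && { echo \
        "RequireGroup false: every directory account matching SearchFilter may connect"; n=$((n+1)); }
    return "$n"
}

# Constructed sample: the block from the page, left as pasted and world-readable.
WEAK_CONF=$(mktemp); chmod 644 "$WEAK_CONF"
cat > "$WEAK_CONF" <<'EOF'
<LDAP>
    URL ldap://address:port
    BindDN cn=trustelem,DC=wallix-jflacher,DC=trustelem,DC=com
    Password xNc3x8T0hFtKKpQq
    TLSEnable no
</LDAP>
<Authorization>
    BaseDN DC=wallix-jflacher,DC=trustelem,DC=com
    SearchFilter "(mail=%u)"
    RequireGroup false
</Authorization>
EOF
check_ldap_conf "$WEAK_CONF" || echo "$? finding(s)"
```

On a real deployment, point check_ldap_conf at /etc/openvpn/auth/ldap.conf; an exit status of 0 means nothing was flagged.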