
OpenVPN

# Installer pulled from the unpinned master branch of a third-party repository:
# read the script before running it and keep a copy of the exact version used,
# since the same URL may serve different content on the next download.
wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh

/etc/openvpn/server.conf
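# OpenVPN server configuration. Username/password authentication is delegated
# to the openvpn-auth-ldap plugin configured at the end of this file.
port 1195
proto udp
dev tun
# Drop root privileges once sockets and the plugin are set up.
user nobody
group nogroup
# Allow several simultaneous sessions under the same common name; with
# username-as-common-name below this means several sessions per LDAP user.
duplicate-cn
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.150.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.1.1.0 255.255.255.0"
push "dhcp-option DNS 10.1.1.233"
dh none
ecdh-curve prime256v1
# Pre-shared key that wraps the whole control channel. It is embedded in every
# distributed client profile, so profile files are secrets; rotate this key on
# the server and in all profiles if any one of them leaks.
tls-crypt tls-crypt.key
# Only has an effect on sessions that present a client certificate; see the
# verify-client-cert directive at the end of this file.
crl-verify crl.pem
ca ca.crt
cert server_97N0wZJncmXoH0lP.crt
key server_97N0wZJncmXoH0lP.key
auth SHA256
cipher AES-128-GCM
# OpenVPN 2.5+ names this option data-ciphers and keeps ncp-ciphers as a
# deprecated alias.
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
log /var/log/openvpn/openvpn.log
verb 3
# Username/password check against LDAP; settings live in ldap.conf.
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
# Key status.log, ipp.txt and client-config-dir lookups by the authenticated
# LDAP username. With verify-client-cert none there is no certificate CN to
# use, so without this sessions are not attributable to a user and per-user
# ccd files are never matched.
username-as-common-name
# No client certificate is required: access is gated by the shared tls-crypt
# key plus an LDAP password only, and crl-verify above cannot revoke anyone.
# "require" (the default) would turn the certificate in each profile into a
# second factor that the CRL can revoke.
verify-client-cert none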

LDAP

client.ovpn
# Prompt for the LDAP username and password at connect time (no credentials
# file is referenced, so nothing is stored on disk).
auth-user-pass
client
proto udp
explicit-exit-notify
remote 151.xxx.197.xxx 1195
remote 80.28.xxx.xxx 1195
remote-random
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
# Refuse any peer whose certificate is not a server certificate issued by the
# CA below, or whose CN differs from the name given here.
remote-cert-tls server
verify-x509-name server_97NxxxxoH0lP name
auth SHA256
# Do not cache the entered password across reconnects.
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
# Inline certificate and key material follows. The <key> and <tls-crypt>
# sections are secrets: this profile must be distributed and stored as such.
<ca>
-----BEGIN CERTIFICATE-----
MIIB1zCCAX2gAwIBAgIUSVIvCMnTz15APN7nWg03ELGWfWkwCgYIKoZIzj0EAwIw
HjEcMBoGA1UEAwwTY25fNUxpOUVwc3JPWHBKWnlMWjAeFw0yMjExMDMyMjAwNTda
Fw0zMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxhwSlp5TFow
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATJ6t6BaR4a0dchYrXoCmt2shg4MeQX
YSx5CwW0pNjm+0BCLsDZcKEipCAwHjEcMBoGA1UEAwwTY25fNUxpOUVwc3JPWHBK
WnlMWxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxLBgNVHQ8E
BAMCAQYwCgYIKoZIzj0EAwIDSAAwRQIhAM3HJe90tFmJqJn4DX39Z04jXrpww7cY
Dws/CLx5v+o0AiAM2l1+jkFL0Mb0hbro4XefbKXpcxr+8u5cUSBY8sIUfQ==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</cert>
# Unencrypted private key for the certificate above (no passphrase prompt).
<key>
-----BEGIN PRIVATE KEY-----
MIGHAxxxxxxxxxxxxxxxxxxxxxxSM49AwEHBG0wawIBAQQg4mz8oMvegLgRRHvI
JpgtmKOtesdVfuQqxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxmm8skdto3sQXV6U7o
N8Y+fPypxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxRnYj4HbzMqTe
-----END PRIVATE KEY-----
</key>
# Control-channel key shared by the server and every client profile; if it
# leaks from one profile it must be rotated everywhere.
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
4fd781674a88e2a8f0c548df78b466f4
f5dc2f109f99e0211ac49e4f46d0df7c
f19b432628b90ee83e6e0917c92a69ba
59629613e04263acfb0824d07fd19074
6a5acd9036b118773591447e1ac8f8e8
aeb17ac4787e1125e3e20af7087e85fd
6edc645472044e9d26d667fbcf68922b
80dbe84098e33d63071e81234630c501
-----END OpenVPN Static key V1-----
</tls-crypt>
/etc/openvpn/auth/ldap.conf
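<LDAP>
# LDAP server URL
URL ldap://DC01.domain.local
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN "cn=OpenVPN Service,OU=UO_SERVICES,dc=domain,dc=local"

# Bind Password
# Stored in clear text: keep this file readable by root only. The plugin
# reads it while OpenVPN still runs as root, before it drops to user nobody.
Password "xxXXxxXXxx"

# Network timeout (in seconds)
Timeout 15

# Enable Start TLS
# With this set to no, the bind password above and every user's VPN password
# travel to DC01 in clear text (simple bind over ldap://). The DC must present
# a certificate this host trusts; point TLSCACertFile at the issuing CA if it
# is not in the system trust store.
TLSEnable yes
# TLSCACertFile <PATH-TO-DOMAIN-CA-CERT>

# Follow LDAP Referrals (anonymously)
FollowReferrals no

# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
# Base DN
BaseDN "OU=UO_USERS,DC=domain,DC=local"

# User Search Filter (%u is the username typed into the VPN client)
SearchFilter "(&(sAMAccountName=%u))"

# Require Group Membership
# A valid password alone does not grant access; the user's DN must also be
# listed in the group below (nested groups are presumably not expanded —
# verify against the plugin version in use).
RequireGroup true

# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users

<Group>
BaseDN "OU=EXCEPTIONS,OU=UO_GROUPS,DC=domain,DC=local"
SearchFilter "(cn=OPEN_VPN)"
# Membership is checked against this attribute of the matched group entry.
MemberAttribute "member"
</Group>
</Authorization>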