Login Illustration

Samba 4 has become the tool of choice for companies with diverse clients that seek a Linux-based central identity management. However, a growing number of organizations are offering work from home options and manage distributed operations like construction companies with a computer at every construction site or an insurance provider with several offices. The securing of all authentication processes when employees log in your network also from outside, is critical to protect your data.

But how to do that?

You need to add a VPN solution which starts before the login if you want to enjoy the advantages of single sign-on and policies that Samba provides. The following how-to will describe how to add OpenVPN to an existing Samba 4 installation to automatically secure client authentications over an untrusted network.

Prerequisite

Most Linux distributions will come with the needed software preinstalled.

For this tutorial, we assume that you already have Samba 4 and a certificate authority installed on your server. If you are looking for a distribution with Samba 4 and a certificate authority integrated, you can quickly spin up a Univention Corporate Server, that also makes user management easy. On Debian or Ubuntu you can use the easy-rsa tools to manually create the certificate authority.

The article Build a Real VPN with OpenVPN provides an introduction to how to set up OpenVPN’s Public Key Infrastructure (PKI).

In addition, the OpenVPN documentation in Debian at “/usr/share/doc/openvpn/examples/easy-rsa/2.0/” provides many useful tools for setting up a certification authority for OpenVPN.

The server or virtual machine needs a fixed IP or uses a service, For example, DynDNS, to be localizable from the Internet without the end user having to take additional steps.

Installing OpenVPN

OpenVPN is an open source virtual network daemon, whose client allows a computer to access a remote server securely. Most distributions have OpenVPN included in their repository. Thus it can be installed using the package management system. On Debian-based systems such as Debian, Ubuntu, or UCS:

$ sudo apt-get install openvpn

Configuring an OpenVPN Server

Upon startup of OpenVPN the software scans the directory /etc/openvpn for files ending in “.conf” and starts a separate server process for each of them. Thus, the following configuration files, copied into “/etc/openvpn/clientconnect .conf”, should automatically be run upon restarting the OpenVPN.

Please note, that lines starting with “#” denote a comment and that you will need to change values depending on your environment.

## The following entries should point to your certificate information.
## Encryption parameters
dh /etc/openvpn/dh2048.pem
## Certificate Authority Certificate
ca /etc/univention/ssl/ucsCA/CAcert.pem
## Server Certificate
cert /etc/univention/ssl/master/cert.pem
## Private key for the Server Certificate
key /etc/univention/ssl/master/private.key
## Certficate Revocation List
crl-verify/etc/openvpn/crl.pem

## Encryption Cypher to use for the VPN
cipher AES-256-CBC

## Compression algorithm to use
comp-lzo

## Persistent endpoint addresses
## Always give the same IP to a device
ifconfig-pool-persist ipp.txt

## Push route for the server network
push "route 10.210.0.0 255.255.0.0"
push "redirect-gateway def1"

## Set the current server as the DNS server for domain server
## Change the IP to the internal IP of the server
push "dhcp-option DNS 10.210.140.219"
## Push the server's domain as DNS domain
push "dhcp-option DOMAIN outsidevpn.univention.com/"

## Additional server configuration
keepalive 10 120
persist-key
persist-tun

## Configure the logfile and the verbosity
verb 1
mute 5
status /var/log/openvpn-status.log

## The port on which the VPN Server should listen on
port 1194

## The network to use for communication within the VPN server
172.24.1.0 255.255.255.0

## Additional network settings
management /var/run/management-udp unix
dev tun
topology subnet
proto udp

In most cases the diffie hellman parameters file has to be created. The matching command is

for UCS:

$ sudo openssl dhparam -out "/etc/openvpn/dh2048.pem" 2048

for Debian / Ubuntu:

$ sudo ./easyrsa gen-dh

On UCS, the revoked certificates have to be converted between formats

$ sudo -- sh -c "/usr/bin/wget -qO /etc/openvpn/ca.crl http://$(/usr/sbin/ucr get ldap/master)/ucsCA.crl && /usr/bin/Openssl crl -inform der -outform pem -in /etc/openvpn/ca.crl -out /etc/openvpn/crl.pem"

As certificates might be retracted when exposed, it would be advisable to set up a cron job to periodically convert the list.

Firewall

You might also need to open the firewall. Please note, the article assumes, that the port in the configuration above remains unchanged. If not, please change it in the following commands as well.

On UCS that can be achieved using the configuration registry

$ sudo ucr set security/packetfilter/udp/1194/all=ACCEPT
$ sudo service univention-firewall restart

On Debian and Ubuntu you can manually add the port to your IP tables configuration

$ sudo iptables -A INPUT -p "udp" --dport 1194 -j ACCEPT

Creating the Client Configuration

The client configuration consists of two parts – one for the client certificates and one for the configuration file.

The client certificates are easy to set up:

On Debian/Ubuntu servers the following commands create the certificates for a single client.

$ sudo /usr/share/doc/openvpn/examples/easy-rsa/2.0/pkitool clientname

On the UCS Master, the following command creates the certificates for all current and future clients. They are saved in “/etc/univention/ssl/”

$ sudo ucr set ssl/host/objectclass= 'univentionDomainController, univentionMemberServer, univentionClient, univentionMobileClient, univentionCorporateClient, univentionWindows'
$ sudo univention-directory-listener-ctrl resync gencertificate

The client configuration file itself is the same for every system. Adapt the following settings according to your need and save it as clientconfig.opnv

## client protocol and devices
client
dev tun
proto udp

## Server address and port
## Change to match your external address
remote 52.211.178.248 1194

## Hostname of the Server
verify-x509- name master name-prefix

## Client configuration
resolv-retry infinite
nobind
persist-key
persist-tun

## Certificate names and locations
ca CAcert.pem
cert cert.pem
key private.key

## Encryption configuration
cipher AES-256-CBC
comp-lzo

## Logging verbosity
verb 3

Copy this configuration file, the root CA, on UCS /etc/univention/ssl/ucsCA/CAcert.pem, and the client certificates to C:\Program Files\OpenVPN\config\clientconfig

Autostart the VPN Client

To automatically start OpenVPN on the client, go to control panel, select small icons, go to administrative tools and then services.

Here choose the OpenVPN service, right-click on properties, and change the startup type to automatic. At the next reboot, the configuration from above for OpenVPN will automatically start.

Domain Join

Due to the fact that NetBIOS is not transferred without any additional manual changes, the domain join has to be completed using the full domain name.

After a reboot, you should be able to log in to the client as a domain user.

Security Consideration

While the setup provides the most convenience of connecting a computer to an offsite Samba-based domain controller, it also presents a risk.

A stolen PC will always have access to the domain, allowing a thief to test numerous user name and password combinations. Strong password policies can help to minimize the risk as can organizational policies regarding stolen computers. Extending the setup with smart card encrypted certificates, however, would present the most secure option.

Conclusion

The automation of the VPN connection in conjunction with Samba-based DCs provides a convenient, yet secure access to central authentication and policy services. This technique allows offsite users and computers to authenticate using centralized credentials and load domain wide settings. It thus contributes to enforcing compliance policies. At the same time, it enhances the user experience by reducing the number of credentials and steps needed to start productive work. In conjunction with UCS, the combination of OpenVPN and Samba provides on top an easy to manage Linux-based identity management solution.

Find further information on OpenVPN with UCS in the Univention App Catalog.

If you have further questions, contact us or leave Your Comment!

Test OpenVPN with UCS as a virtual image!

 

Use UCS Core Edition for Free!
Download now

Leave a Reply

Your email address will not be published. Required fields are marked *