Samba 4 has become the tool of choice to provide Linux-based identity management to diverse clients.
However, a growing number of organizations offer work-from-home options and manage distributed operations, such as construction companies with a computer at every construction site or a medical service provider with one-person doctors' offices.
If these companies want to enjoy the advantages of single sign-on and the policies that Samba provides, a VPN solution that starts before the login needs to be added to the domain. This how-to describes how to add OpenVPN to an existing Samba 4 installation to automatically secure client authentication over an untrusted network.
Prerequisite
Most Linux distributions come with the needed software preinstalled. For this tutorial, we assume that you already have Samba 4 and a certificate authority installed on your server. If you are looking for a distribution with Samba 4 and a certificate authority integrated, you can quickly spin up a Univention Corporate Server (UCS), which also makes user management easy. On Debian or Ubuntu, you can use the easy-rsa tools to manually create the certificate authority.
The article https://www.linux.com/learn/intro-to-linux/2017/3/build-real-vpn-openvpn provides an introduction to setting up OpenVPN's PKI.
Further, the OpenVPN documentation, in Debian under /usr/share/doc/openvpn/examples/easy-rsa/2.0/, provides many useful tools for setting up a certificate authority for OpenVPN.
The server or virtual machine needs a fixed IP address, or must use a service such as DynDNS, so that it can be reached from the Internet without additional steps on the part of the end user.
Installing OpenVPN
OpenVPN is an open source virtual network daemon whose client allows a computer to access a remote server securely. Most distributions include OpenVPN in their repositories, so it can be installed using the package management system. On Debian-based systems such as Debian, Ubuntu, or UCS:
$ sudo apt-get install openvpn
Configuring OpenVPN Server
On startup, OpenVPN scans the directory /etc/openvpn for files ending in “.conf” and starts a separate server process for each of them. Thus, the following configuration, saved as “/etc/openvpn/clientconnect.conf”, is run automatically when OpenVPN is restarted.
Note that lines starting with “#” are comments and that you will need to change values depending on your environment.
## The following entries should point to your certificate information.
## Diffie-Hellman parameters for the key exchange
dh /etc/openvpn/dh2048.pem
## Certificate Authority Certificate
ca /etc/univention/ssl/ucsCA/CAcert.pem
## Server Certificate
cert /etc/univention/ssl/master/cert.pem
## Private key for the Server Certificate
key /etc/univention/ssl/master/private.key
## Certificate Revocation List
crl-verify /etc/openvpn/crl.pem
## Encryption cipher to use for the VPN
cipher AES-256-CBC
## Compression algorithm to use
comp-lzo
## Persistent endpoint addresses
## Always give the same IP to a device
ifconfig-pool-persist ipp.txt
## Push route for the server network
push "route 10.210.0.0 255.255.0.0"
push "redirect-gateway def1"
## Set this server as the DNS server for the domain
## Change the IP to the internal IP of the server
push "dhcp-option DNS 10.210.140.219"
## Push the server's domain as DNS domain
push "dhcp-option DOMAIN outsidevpn.univention.com"
## Additional server configuration
keepalive 10 120
persist-key
persist-tun
## Configure the logfile and the verbosity
verb 1
mute 5
status /var/log/openvpn-status.log
## The port on which the VPN server should listen
port 1194
## The network to use for communication within the VPN
server 172.24.1.0 255.255.255.0
## Additional network settings
management /var/run/management-udp unix
dev tun
topology subnet
proto udp
In most cases the Diffie-Hellman parameters file has to be created. The matching command is:
For UCS:
$ sudo openssl dhparam -out "/etc/openvpn/dh2048.pem" 2048
For Debian/Ubuntu:
$ sudo ./easyrsa gen-dh
On UCS, the certificate revocation list has to be downloaded and converted from DER to PEM format:
sudo -- sh -c "/usr/bin/wget -qO /etc/openvpn/ca.crl http://$(/usr/sbin/ucr get ldap/master)/ucsCA.crl && /usr/bin/openssl crl -inform der -outform pem -in /etc/openvpn/ca.crl -out /etc/openvpn/crl.pem"
As certificates may be revoked after they have been exposed, it is advisable to set up a cron job that periodically refreshes and converts the list.
Firewall
You might also need to open the firewall. Note that the article assumes the port in the configuration above remains unchanged; if not, change it in the following commands as well.
On UCS this can be achieved using the configuration registry:
$ sudo ucr set security/packetfilter/udp/1194/all=ACCEPT
$ sudo service univention-firewall restart
On Debian and Ubuntu you can manually add the port to your iptables configuration:
$ sudo iptables -A INPUT -p "udp" --dport 1194 -j ACCEPT
Creating the Client Configuration
The client configuration consists of two parts: the client certificates and the configuration file.
The client certificates are easy to set up.
On Debian/Ubuntu servers the following command creates the certificates for a single client:
$ sudo /usr/share/doc/openvpn/examples/easy-rsa/2.0/pkitool clientname
On the UCS master, the following commands create the certificates for all current and future clients. They are saved under “/etc/univention/ssl/”:
$ sudo ucr set ssl/host/objectclass='univentionDomainController,univentionMemberServer,univentionClient,univentionMobileClient,univentionCorporateClient,univentionWindows'
$ sudo univention-directory-listener-ctrl resync gencertificate
The client configuration file itself is the same for every system. Adapt the following settings to your needs and save the file as clientconfig.ovpn:
## client protocol and devices
client
dev tun
proto udp
## Server address and port
## Change to match your external address
remote 52.211.178.248 1194
## Hostname of the server
verify-x509-name master name-prefix
## Client configuration
resolv-retry infinite
nobind
persist-key
persist-tun
## Certificate names and locations
ca CAcert.pem
cert cert.pem
key private.key
## Encryption configuration
cipher AES-256-CBC
comp-lzo
## Logging verbosity
verb 3
Copy this configuration file, the root CA certificate (on UCS /etc/univention/ssl/ucsCA/CAcert.pem), and the client certificate and key to C:\Program Files\OpenVPN\config\clientconfig on the client.
Autostart the VPN Client
To automatically start OpenVPN on the client, open the Control Panel, switch to the small-icons view, go to Administrative Tools and then Services.
There select the OpenVPN service, right-click it, choose Properties, and change the startup type to Automatic. At the next reboot, OpenVPN will start the configuration from above automatically.
Domain Join
Because NetBIOS name resolution is not carried over the VPN without additional manual changes, the domain join has to be completed using the fully qualified domain name.
After a reboot, you should be able to log in to the client as a domain user.
Security Consideration
While the setup provides the most convenient way of connecting a computer to an offsite Samba-based domain controller, it also presents a risk.
A stolen PC will always have access to the domain, allowing a thief to test numerous user name and password combinations. Strong password policies can help to minimize the risk, as can organizational policies regarding stolen computers. Extending the setup with smart-card-protected certificates, however, would be the most secure option.
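Since a stolen device keeps a valid client certificate until that certificate is revoked and the CRL on the server is refreshed, an administrator will want to see which certificates are currently connected and whether the CRL file is actually being kept up to date. The following Python script is an added example and is not part of the original article or of UCS. It parses the file written by the `status` directive in the server configuration above (the status-version 1 format, which OpenVPN writes by default), flags sessions whose certificate common name appears on a list of revoked names, and reports whether a CRL file is older than a chosen threshold. The sample status text is constructed, and the revoked names, the thresholds and the CRL path are assumptions.

```python
"""Check an OpenVPN status file against a list of revoked certificate
names and verify that the CRL file is being refreshed.

Added example; the status text below is constructed, not captured from a
real server, and the revoked names used in __main__ are placeholders."""
import os
import time
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed status-version 1 file, as written by the `status` directive.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Mon Jun  5 09:12:00 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
laptop-site-a,203.0.113.10:41022,150234,983311,Mon Jun  5 07:55:13 2017
laptop-site-b,198.51.100.7:50311,88102,203991,Mon Jun  5 08:40:02 2017
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
172.24.1.2,laptop-site-a,203.0.113.10:41022,Mon Jun  5 09:11:58 2017
172.24.1.3,laptop-site-b,198.51.100.7:50311,Mon Jun  5 09:11:40 2017
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

SECTION_HEADERS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")


@dataclass
class Session:
    common_name: str           # CN of the client certificate
    real_address: str          # public IP:port the client connects from
    bytes_received: int
    bytes_sent: int
    connected_since: str
    virtual_address: str = ""  # VPN address from the routing table, if known


def parse_status(text: str) -> List[Session]:
    """Parse status-version 1 text into Session objects.

    The client list gives one row per TLS session; the routing table maps
    each session's virtual VPN address back to the same (CN, real address)
    pair, so the two sections are joined on that key.
    """
    sessions: Dict[Tuple[str, str], Session] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        fields = line.split(",")
        if section == "OpenVPN CLIENT LIST":
            if fields[0] in ("Updated", "Common Name"):
                continue  # timestamp and column-header rows
            cn, addr, rx, tx, since = fields[:5]
            sessions[(cn, addr)] = Session(cn, addr, int(rx), int(tx), since)
        elif section == "ROUTING TABLE":
            if fields[0] == "Virtual Address":
                continue
            vaddr, cn, addr = fields[:3]
            if (cn, addr) in sessions:
                sessions[(cn, addr)].virtual_address = vaddr
    return list(sessions.values())


def revoked_sessions(sessions: Iterable[Session],
                     revoked_common_names: Iterable[str]) -> List[Session]:
    """Sessions whose certificate CN appears in the revoked list.

    crl-verify is applied at the TLS handshake, so a client that was already
    connected when the CRL was refreshed can stay connected until it
    renegotiates or reconnects; this check makes such sessions visible.
    """
    revoked = {cn.strip().lower() for cn in revoked_common_names}
    return [s for s in sessions if s.common_name.lower() in revoked]


def crl_mtime(path: str) -> Optional[float]:
    """Modification time of the CRL file, or None if it does not exist."""
    return os.path.getmtime(path) if os.path.exists(path) else None


def crl_is_stale(mtime: Optional[float], max_age_seconds: float,
                 now: Optional[float] = None) -> bool:
    """True if the CRL is missing or older than max_age_seconds."""
    if mtime is None:
        return True
    now = time.time() if now is None else now
    return (now - mtime) > max_age_seconds


if __name__ == "__main__":
    # Placeholders: in production read /var/log/openvpn-status.log from the
    # server config above, and take the revoked names from the CA's records.
    sessions = parse_status(SAMPLE_STATUS)
    for s in revoked_sessions(sessions, ["laptop-site-b"]):
        print(f"REVOKED CERT STILL CONNECTED: {s.common_name} from "
              f"{s.real_address} (VPN {s.virtual_address})")
    if crl_is_stale(crl_mtime("/etc/openvpn/crl.pem"), 24 * 3600):
        print("WARNING: /etc/openvpn/crl.pem is missing or older than a day")
```

Run it from cron shortly after the CRL refresh job, feeding it the contents of /var/log/openvpn-status.log. A non-empty list of revoked sessions is the signal to terminate that session through the management interface configured above and to investigate the device; a stale CRL means the refresh job itself needs attention.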
Conclusion
The automation of the VPN connection in conjunction with Samba-based DCs provides convenient, yet secure access to central authentication and policy services. This technique allows offsite users and computers to authenticate using centralized credentials and to load domain-wide settings, and thus contributes to enforcing compliance policies. At the same time, it enhances the user experience by reducing the number of credentials and steps needed to start productive work. In conjunction with UCS, the combination of OpenVPN and Samba additionally provides an easy-to-manage Linux-based identity management solution.