runto-lv / openvpn-server-ldap-otp Goto Github PK

This will create an OpenVPN server. You can either use LDAP for authentication (with optional 2FA provided by Google Auth) or create a client certificate.
The container will automatically generate the certificates on the first run (using a 2048 bit key) which means that the initial run could take several minutes whilst keys are generated. The client configuration will be output in the logs. A volume is created for data persistence.

Configuration is via environmental variables. Here's a list, along with the default value in brackets:

• OVPN_SERVER_CN: The CN that will be used to generate the certificate and the endpoint hostname the client will use to connect to the OpenVPN server. e.g. openvpn.example.org.

• LDAP_URI: The URI used to connect to the LDAP server. e.g. ldap://ldap.example.org.
• LDAP_BASE_DN: The base DN used for LDAP lookups. e.g. dc=example,dc=org.

• USE_CLIENT_CERTIFICATE (false): If this is set to true then the container will generate a client key and certificate and won't use LDAP (or OTP) for authentication. See Using a client certificate below for more information.

• LDAP_BIND_USER_DN (undefined): If your LDAP server doesn't allow anonymous binds, use this to specify a user DN to use for lookups.

• LDAP_BIND_USER_PASS (undefined): The password for the bind user.

• LDAP_FILTER (undefined): A filter to apply to LDAP lookups. This allows you to limit the lookup results and thereby who will be authenticated. e.g. memberOf=cn=staff,cn=groups,cn=accounts,dc=example,dc=org

• LDAP_LOGIN_ATTRIBUTE (uid): The LDAP attribute used for the authentication lookup, i.e. which attribute is matched to the username when you log into the OpenVPN server.

• LDAP_TLS (false): Set to 'true' to enable a TLS connection to the LDAP server.

• LDAP_TLS_CA_CERT (undefined): The contents of the CA certificate file for the LDAP server. You'll need this to enable TLS if using self-signed certificates.

• OVPN_TLS_CIPHERS (TLS-DHE-RSA-WITH-AES-256-CBC-SHA): Determines which ciphers will be set for tls-config in the openvpn config file.

• OVPN_PROTOCOL (udp): The protocol OpenVPN uses. Either udp or tcp.

• OVPN_NETWORK (10.50.50.0 255.255.255.0): The network that will be used the the VPN in network_address netmask format.

• OVPN_ROUTES (undefined): A comma-separated list of routes that OpenVPN will push to the client, in network_address netmask format. e.g. 172.16.10.0 255.255.255.0,172.17.20.0 255.255.255.0. If NAT isn't enabled then you'll need to ensure that destinations on the network have the return route set for the OpenVPN network. The default is to pass all traffic through the VPN tunnel (which will also enable NAT).

• OVPN_NAT (true): If set to true then the client traffic will be masqueraded by the OpenVPN server. This allows you to connect to targets on the other side of the tunnel without needing to add return routes to those targets (the targets will see the OpenVPN server's IP rather than the client's).

• OVPN_DNS_SERVERS (undefined): A comma-separated list of DNS nameservers to push to the client. Set this if the remote network has its own DNS or if you route all traffic through the VPN and the remote side blocks access to external name servers. Note that not all OpenVPN clients will automatically use these nameservers. e.g. 8.8.8.8,8.8.4.4

• OVPN_DNS_SEARCH_DOMAIN (undefined): If using the remote network's DNS servers, push a search domain. This will allow you to lookup by hostnames rather than fully-qualified domain names. i.e. setting this to example.org will allow ping remotehost instead of ping remotehost.example.org.

• OVPN_REGISTER_DNS (false): Include register-dns in the client config, which is a Windows client option that can force some clients to load the DNS configuration.

• OVPN_VERBOSITY (4): The verbosity of OpenVPN's logs.

• REGENERATE_CERTS (false): Force the recreation the certificates.

• KEY_LENGTH (2048): The length of the server key in bits. Higher is more secure, but will take longer to generate. e.g. 4096

• DEBUG (false): Add debugging information to the logs.

• LOG_TO_STDOUT (true): Sends OpenVPN logs to stdout so that logs can be examined via docker log. If FAIL2BAN_ENABLED is true then this is set to false because fail2ban needs to be able to parse the OpenVPN logs. If false, logs are written to /etc/openvpn/logs/openvpn.log to allow access to the logs from the host filesystem.

• ENABLE_OTP (false): Activate two factor authentication using Google Auth. See Using OTP below for more information.

• FAIL2BAN_ENABLED (false): Set to true to enable the fail2ban daemon (protection against brute force attacks). This will also set LOG_TO_STDOUT to false.

• FAIL2BAN_MAXRETRIES (3): The number of attempts that fail2ban allows before banning an ip address.

docker run \
           --name openvpn \
           --volume /path/on/host:/etc/openvpn \
           --detach=true \
           -p 1194:1194/udp \
           -e "OVPN_SERVER_CN=myserver.mycompany.com" \
           -e "LDAP_URI=ldap://ldap.mycompany.com" \
           -e "LDAP_BASE_DN=dc=mycompany,dc=com" \
           --cap-add=NET_ADMIN \
           wheelybird/openvpn-ldap-otp

• --cap-add=NET_ADMIN is necessary; the container needs to create the tunnel device and create iptable rules.

• Extract the client configuration (along with embedded certificates) from the running container: docker exec -ti openvpn show-client-config

If you set ENABLE_OTP=true then OpenVPN will be configured to use two-factor authentication: you'll need your LDAP password and a passcode in order to connect. The passcode is provided by the Google Authenticator app. You'll need to download that from your app store.
You need to set up each user with 2FA. To do this you need to log into the host that's running the OpenVPN container and run
docker exec -ti openvpn add-otp-user <username> where username matches the LDAP username.
Give the generated URL and emergency codes to the user. To log in the user must append the code generated by Google Authenticator to their password. So if their password is verysecurepassword and the Authenticator code is 934567 then they need to enter verysecurepassword934567 at the password prompt.
The server-side OTP configuration is stored under /etc/openvpn, so ensure that's a volume otherwise the configuration will be lost if the container is restarted.
Note: OTP will only work with LDAP and can't be enabled if you're using the client certificate.

Set USE_CLIENT_CERTIFICATE=true if you want to use a client certificate instead of LDAP authentication. This will create a single client key and certificate. The server will be configured to accept multiple clients using the same certificate.
This is useful for testing out your VPN server and isn't intended as an especially secure VPN setup. If you want to use this for purposes other than development then you should read up on the downsides of sharing a single certificate amongst multiple clients.

The Dockerfile and associated assets are available at: https://github.com/wheelybird/openvpn-server-ldap-otp

You can ban/unban an ip address using the fail2ban-client. Just run docker exec openvpn fail2ban-client set openvpn <banip|unbanip> <IPV4 Address> to modify the ban status for a particular IP. You can view the ban logs by running docker exec openvpn tail -50 /var/log/fail2ban.log.