
initial commit

This commit is contained in:
Tilman Kranz 2023-10-04 00:36:16 +02:00
commit 6aa675257e
12 changed files with 233 additions and 0 deletions

1
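--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+vpnca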

8
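--- a/.secrets/.gitignore
+++ b/.secrets/.gitignore
@@ -0,0 +1,8 @@
+auth_ldap_base_dn
+auth_ldap_bind_dn
+auth_ldap_group_base_dn
+auth_ldap_group_search_filter
+auth_ldap_password
+auth_ldap_url
+login_password
+login_user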

12
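--- a/Dockerfile.client
+++ b/Dockerfile.client
@@ -0,0 +1,12 @@
+FROM alpine
+RUN mkdir -p /dev/net && mknod /dev/net/tun c 10 200 && chmod 600 /dev/net/tun
+RUN apk update && apk add --no-cache bash openvpn
+RUN mkdir -p /etc/openvpn/client/client.example.test
+ADD vpnca/pki/ca.crt /etc/openvpn/client/client.example.test
+ADD vpnca/pki/issued/client.example.test.crt /etc/openvpn/client/client.example.test
+ADD vpnca/pki/private/client.example.test.key /etc/openvpn/client/client.example.test
+RUN chmod 600 /etc/openvpn/client/client.example.test/client.example.test.key
+ADD openvpn/client.example.test.conf /etc/openvpn/client/client.example.test.conf
+ADD scripts/client.example.test/usr/sbin/entrypoint.sh /usr/sbin/entrypoint.sh
+RUN chmod 755 /usr/sbin/entrypoint.sh
+CMD /usr/sbin/entrypoint.sh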
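Review bot: The `RUN mkdir -p /dev/net && mknod /dev/net/tun …` step on the second line has no effect at run time, because the container runtime normally mounts a fresh tmpfs over /dev, and the entrypoint script in this commit creates the node itself anyway; Dockerfile.server does not carry this line, so it can be dropped here too. The private key is written into an image layer by `ADD` and then re-written by `chmod 600`, which leaves the first copy at its original mode in the earlier layer; `COPY --chmod=600 vpnca/pki/private/client.example.test.key /etc/openvpn/client/client.example.test/` avoids that, and `COPY` should replace the other plain-file `ADD`s as well (same in Dockerfile.server). `FROM alpine` is untagged, so a rebuild may silently pick a different base; pin a release tag such as `FROM alpine:3.18`. The last line is shell-form, so the entrypoint runs under `sh -c`, is not PID 1 and does not receive the SIGTERM from `docker stop`; prefer `CMD ["/usr/sbin/entrypoint.sh"]` (Dockerfile.server has the same three issues).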

13
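--- a/Dockerfile.server
+++ b/Dockerfile.server
@@ -0,0 +1,13 @@
+FROM alpine
+RUN apk update && apk add --no-cache bash openvpn openvpn-auth-ldap
+RUN mkdir -p /etc/openvpn/server/server.example.test/ccd
+ADD vpnca/pki/ca.crt /etc/openvpn/server/server.example.test
+ADD vpnca/pki/issued/server.example.test.crt /etc/openvpn/server/server.example.test
+ADD vpnca/pki/private/server.example.test.key /etc/openvpn/server/server.example.test
+ADD vpnca/pki/dh.pem /etc/openvpn/server/server.example.test
+RUN chmod 600 /etc/openvpn/server/server.example.test/server.example.test.key
+ADD openvpn/server.example.test.conf /etc/openvpn/server/server.example.test.conf
+ADD openvpn/server.example.test/ccd /etc/openvpn/server/server.example.test/ccd
+ADD scripts/server.example.test/usr/sbin/entrypoint.sh /usr/sbin/entrypoint.sh
+RUN chmod 755 /usr/sbin/entrypoint.sh
+CMD /usr/sbin/entrypoint.sh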
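Review bot: `apk update` on the second line is redundant with `apk add --no-cache` and leaves the fetched package index in the layer; `RUN apk add --no-cache bash openvpn openvpn-auth-ldap` is sufficient (Dockerfile.client has the same pair). The packages are unpinned, so the OpenVPN and auth-ldap plugin versions in this image depend on the day of the build; pinning them with `pkg=version` in the `apk add` line makes the testbed reproducible. A short comment above the `ADD … dh.pem` line noting that dh.pem is public while the `.key` below must stay at mode 600 would help the next reader tell the two apart.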

36
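--- a/README.md
+++ b/README.md
@@ -0,0 +1,36 @@
+# Dockerized Container Testbed for OpenVPN with CCD and LDAP Auth
+## Build VPN Test Root CA
+```shell
+./vpnca.sh
+```
+## Set Secrets for LDAP Access
+In directory `.secrets` create the following files containing LDAP login information:
+- `.secrets/auth_ldap_base_dn`:
+Example: `ou=users,dc=example,dc=test`
+- `.secrets/auth_ldap_bind_dn`:
+Example: `uid=ldap_readonly,dc=example,dc=test`
+- `.secrets/auth_ldap_group_base_dn`:
+Example: `ou=groups,dc=example,dc=test`
+- `.secrets/auth_ldap_group_search_filter`:
+Example: `(cn=vpnuser)`
+- `.secrets/auth_ldap_password`:
+Example: `topsecret123`
+- `.secrets/auth_ldap_url`:
+Example: `ldap://ldap01.example.test`
+- `.secrets/login_password`:
+Example: `P4ssw0rd`
+- `.secrets/login_user`:
+Example: `testuser1`
+## Build and run the Example
+```shell
+docker compose build
+docker compose up
+```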

54
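--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,54 @@
+version: '3'
+services:
+server:
+hostname: server
+domainname: example.test
+image: openvpn-test-server
+build:
+dockerfile: Dockerfile.server
+restart: always
+networks:
+- openvpn-test
+cap_add:
+- NET_ADMIN
+secrets:
+- auth_ldap_url
+- auth_ldap_bind_dn
+- auth_ldap_password
+- auth_ldap_base_dn
+- auth_ldap_group_base_dn
+- auth_ldap_group_search_filter
+client:
+hostname: client
+domainname: example.test
+image: openvpn-test-client
+build:
+dockerfile: Dockerfile.client
+restart: always
+networks:
+- openvpn-test
+cap_add:
+- NET_ADMIN
+secrets:
+- login_user
+- login_password
+networks:
+openvpn-test:
+secrets:
+auth_ldap_url:
+file: .secrets/auth_ldap_url
+auth_ldap_bind_dn:
+file: .secrets/auth_ldap_bind_dn
+auth_ldap_password:
+file: .secrets/auth_ldap_password
+auth_ldap_base_dn:
+file: .secrets/auth_ldap_base_dn
+auth_ldap_group_base_dn:
+file: .secrets/auth_ldap_group_base_dn
+auth_ldap_group_search_filter:
+file: .secrets/auth_ldap_group_search_filter
+login_user:
+file: .secrets/login_user
+login_password:
+file: .secrets/login_password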


@ -0,0 +1,13 @@
client
verb 3
dev tun
proto tcp
port 1194
remote server
resolv-retry infinite
nobind
cipher AES-256-GCM
ca /etc/openvpn/client/client.example.test/ca.crt
cert /etc/openvpn/client/client.example.test/client.example.test.crt
key /etc/openvpn/client/client.example.test/client.example.test.key
auth-user-pass /etc/openvpn/client/client.example.test/login.conf
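Review bot: The client never verifies that the peer it connects to is actually the server: with a single shared CA, any certificate issued by that CA would be accepted for `remote server`. Add `remote-cert-tls server` after the `key` line, and since the server certificate's name is fixed by vpnca.sh in this commit, `verify-x509-name server.example.test name` as well. The `auth-user-pass` file is generated by the entrypoint at start-up, which is not obvious from this file; a comment `# login.conf is written by /usr/sbin/entrypoint.sh from the compose secrets` above it would save the reader a search. Newer OpenVPN releases prefer `data-ciphers AES-256-GCM` over the legacy `cipher` directive; keeping both is harmless if older peers must be supported.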


@ -0,0 +1,16 @@
verb 3
server 192.168.11.0 255.255.255.0
dev tun
port 1194
proto tcp
ca /etc/openvpn/server/server.example.test/ca.crt
cert /etc/openvpn/server/server.example.test/server.example.test.crt
key /etc/openvpn/server/server.example.test/server.example.test.key
dh /etc/openvpn/server/server.example.test/dh.pem
plugin /usr/lib/openvpn/plugins/openvpn-auth-ldap.so /etc/openvpn/server/server.example.test/auth-ldap.conf
client-config-dir /etc/openvpn/server/server.example.test/ccd
cipher AES-256-GCM
max-clients 4
client-to-client
topology subnet
push "dhcp-option DOMAIN example.test"
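Review bot: The daemon keeps root for its entire lifetime: no `user`/`group` directive follows the key and tun setup, so a fault in the OpenVPN process or the auth-ldap plugin keeps full root plus NET_ADMIN inside the container. Add `user nobody`, `group nobody`, `persist-key` and `persist-tun` after the `dh` line so privileges are dropped once the keys and the tun device are open (confirm the group name exists in the Alpine base image). The control channel carries no `tls-crypt` or `tls-auth` key, so any peer that reaches port 1194 can start a TLS handshake; that may be intended for a testbed, but a one-line comment saying so prevents the file being copied into a real deployment as-is. If only clients with a `ccd` entry should be admitted, `ccd-exclusive` next to `client-config-dir` enforces it.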


@ -0,0 +1 @@
ifconfig-push 192.168.11.2 255.255.255.255
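Review bot: Under `topology subnet`, which the server config in this commit sets, the second argument of `ifconfig-push` is the subnet mask rather than a point-to-point peer address, so this line appears to need `ifconfig-push 192.168.11.2 255.255.255.0`; with a /32 the client has no on-link route to the rest of the VPN subnet. Worth a quick check against the OpenVPN manual's `--ifconfig-push` description before merging.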


@ -0,0 +1,17 @@
#!/bin/sh
set -e
mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun
login_user=$(cat /run/secrets/login_user)
login_password=$(cat /run/secrets/login_password)
cat > /etc/openvpn/client/client.example.test/login.conf << EOF
$login_user
$login_password
EOF
chmod 600 /etc/openvpn/client/client.example.test/login.conf
/usr/sbin/openvpn --config /etc/openvpn/client/client.example.test.conf
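Review bot: `login.conf` is created with the process umask and only tightened afterwards by `chmod 600`, so for a moment the user's credentials are readable by any process in the container; put `umask 077` before the `cat > … << EOF` so the file is private from creation (the server entrypoint writes auth-ldap.conf the same way and needs the same fix). The last line runs openvpn as a child of the shell, so PID 1 is `sh` and the SIGTERM from `docker stop` never reaches the daemon; use `exec /usr/sbin/openvpn --config /etc/openvpn/client/client.example.test.conf`. Under `set -e`, `mknod` aborts the script when the node already exists, for example when the runtime maps `/dev/net/tun` in; guard it with `[ -c /dev/net/tun ] || mknod /dev/net/tun c 10 200` (same two points apply to the server entrypoint).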


@ -0,0 +1,40 @@
#!/bin/sh
set -e
mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun
auth_ldap_url=$(cat /run/secrets/auth_ldap_url)
auth_ldap_bind_dn=$(cat /run/secrets/auth_ldap_bind_dn)
auth_ldap_password=$(cat /run/secrets/auth_ldap_password)
auth_ldap_base_dn=$(cat /run/secrets/auth_ldap_base_dn)
auth_ldap_group_base_dn=$(cat /run/secrets/auth_ldap_group_base_dn)
auth_ldap_group_search_filter=$(cat /run/secrets/auth_ldap_group_search_filter)
cat > /etc/openvpn/server/server.example.test/auth-ldap.conf << EOF
<LDAP>
URL $auth_ldap_url
BindDN $auth_ldap_bind_dn
Password $auth_ldap_password
Timeout 15
TLSEnable no
FollowReferrals no
</LDAP>
<Authorization>
BaseDN "$auth_ldap_base_dn"
SearchFilter "(uid=%u)"
RequireGroup false
PasswordIsCR false
<Group>
RFC2307bis false
UseCompareOperation true
BaseDN "$auth_ldap_group_base_dn"
SearchFilter "$auth_ldap_group_search_filter"
MemberAttribute memberUid
</Group>
</Authorization>
EOF
chmod 600 /etc/openvpn/server/server.example.test/auth-ldap.conf
/usr/sbin/openvpn --config /etc/openvpn/server/server.example.test.conf
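Review bot: `TLSEnable no` combined with a plain `ldap://` URL (the form the README's example uses) sends the bind password taken from the secret, and every VPN user's password during authentication, to the LDAP server in cleartext; acceptable for an isolated testbed, but a comment on the `TLSEnable` line should say so, and `TLSEnable yes` (or an `ldaps://` URL) is what any real deployment needs. `URL`, `BindDN` and `Password` are expanded unquoted while `BaseDN` and the filters are quoted; a bind password containing whitespace or `#` would corrupt the generated file, so quote them consistently, e.g. `Password "$auth_ldap_password"`. The generated file is written to the server's config directory and contains the bind credential; a comment above the `cat > … auth-ldap.conf` line noting that it is regenerated on every start from /run/secrets would help the next maintainer.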

22
vpnca.sh Executable file

@ -0,0 +1,22 @@
#!/bin/sh
set -e
cd "$(dirname "$(readlink -f "$0")")"
test -f vpnca/pki/ca.crt && {
echo "ERROR: vpnca/pki/ca.crt already exists; aborting (to build a new CA, completely remove ./vpnca)." >&2 ;
exit 1 ;
}
make-cadir vpnca
{
cd vpnca ;
export EASYRSA_BATCH=true ;
./easyrsa init-pki ;
./easyrsa gen-dh ;
./easyrsa --req-cn="VPN Test Root CA" build-ca nopass ;
./easyrsa build-server-full server.example.test nopass ;
./easyrsa build-client-full client.example.test nopass ;
}