Integration/OpenVPN.iRedMail.with.OpenLDAP/CentOS

From iRedMail
(Difference between revisions)
Jump to: navigation, search
(Configure LDAP auth)
 

Latest revision as of 20:04, 6 June 2011

This tutorial is come from Howtoforge http://www.howtoforge.com/using-iredmail-and-openvpn-for-virtual-email-hosting-and-vpn-services-centos-5.4

Contents

[edit] Install OpenVPN

Use EPEL yum repository to install OpenVPN.

Terminal:
rpm -Uhv http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm # <-- For i386
rpm -Uhv http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-3.noarch.rpm # <-- For x86_64 

Install OpenVPN and ldap support

Terminal:
yum install openvpn openvpn-auth-ldap
chkconfig openvpn on 

Install dnsmasq (Optional):Forward DNS traffic through the VPN you will need to install the dnsmasq package

Terminal:
yum install dnsmasq
/etc/init.d/dnsmasq start
chkconfig dnsmasq on 


[edit] easy-rsa

The OpenVPN package provides a set of encryption-related tools called "easy-rsa". These scripts are located by default in the /usr/share/doc/openvpn/examples/easy-rsa/ directory. However, in order to function properly, these scripts should be located in the /etc/openvpn directory. We also need copy the Openvpn config example file to /etc/openvpn

Terminal:
cp -R /usr/share/openvpn/easy-rsa/ /etc/openvpn

[edit] Configure Public Key Infrastructure Variables

Before we can generate the public key infrastructure for OpenVPN we must configure a few variables that the easy-rsa scripts will use to generate the scripts. These variables are set near the end of the /etc/openvpn/easy-rsa/2.0/vars file. Here is an example of the relevant values:

  • Open /etc/openvpn/easy-rsa/2.0/vars and set correct values:
File: /etc/openvpn/easy-rsa/2.0/vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BeiJing"
export KEY_ORG="iredmail"
export KEY_EMAIL="www@example.com"

[edit] Initialize the Public Key Infrastructure (PKI)

Issue the following three commands in sequence to internalize the certificate authority and the public key infrastructure:

Terminal:
cd /etc/openvpn/easy-rsa/2.0/
chmod +rwx *
source ./vars
./clean-all
./pkitool --initca

[edit] Generate Certificates

With the certificate authority generated you can generate the private key for the server. This script will also prompt you for additional information. By default, the Common Name for this key will be "server". You can change these values in cases where it makes sense to use alternate values. To accomplish this, issue the following command:

Terminal:
./pkitool --server server 

[edit] Generate Diffie Hellman Parameters Link

The "Diffie Hellman Parameters" govern the method of key exchange and authentication used by the OpenVPN server. Issue the following command to generate these parameters:

Terminal:
./build-dh 

[edit] Relocate Secure Keys

The keys and certificates for the server need to be relocated to the /etc/openvpn directory so the OpenVPN server process can access them. These files are:

  • ca.crt
  • ca.key
  • dh1024.pem
  • server.crt
  • server.key
Terminal:
cp keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/ 

These files no need leave your server. Maintaining integrity and control over these files is of the utmost importance to the integrity of your server. If you ever need to move or back up these keys, ensure that they're encrypted and secured.

[edit] Config OpenVPN support OpenLDAP auth

[edit] Find cn=vmail password

vmail password was random create duiring iredmail install.you can find the password in /etc/postfix/ldap_virtual_mailbox_domains.cf

  • Open /etc/postfix/ldap_virtual_mailbox_domains.cf and check values:
File: /etc/postfix/ldap_virtual_mailbox_domains.cf
bind_dn         = cn=vmail,dc=example,dc=com
bind_pw         = InYTi8qGjamTb6Me2ESwbb6rxQUs5y #cn=vmail password

[edit] Configure LDAP auth

  • Open /etc/openvpn/auth/ldap.conf and set correct values:
File: /etc/openvpn/auth/ldap.conf

<LDAP>
# LDAP server URL
URL             ldap://localhost
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN                cn=vmail,dc=example,dc=com
# Bind Password cn=vmail password
Password      InYTi8qGjamTb6Me2ESwbb6rxQUs5y
# Network timeout (in seconds)
Timeout         15
</LDAP>


<Authorization>
# Base DN
BaseDN          "o=domains,dc=example,dc=com"
# User Search Filter
SearchFilter    "(&(mail=%u)(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"
# Require Group Membership
RequireGroup    false
</Authorization>

[edit] Configuring OpenVPN

We'll now need to configure our server file. There is an example file in /usr/share/doc/openvpn-2.1.1/examples/sample-config-files. Issue the following sequence of commands to retrieve the example configuration files and move them to the required directories:

Terminal:
cp /usr/share/doc/openvpn-2.1.1/sample-config-files/server.conf /etc/openvpn/ 
  • Open /etc/openvpn/server.conf and set correct values:
File: /etc/openvpn/server.conf

[...]
push "redirect-gateway def1"
[...]
push "dhcp-option DNS 10.8.0.1"

[...]  #add two line at the botton
plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
client-cert-not-required

[edit] Enable VPN service for mail user

Use phpLDAPadmin or other tools to add LDAP values for exist mail user.

  • Login in the phpLDAPadmin
  • Find the exit mail user www@example.com
  • Enable VPN service for the user www@example.com.

[edit] Enable IP forward and config iptables

  • Open /etc/sysctl.conf and set correct values:
File: /etc/sysctl.conf
net.ipv4.ip_forward = 1

Issue the following commands to configure iptables to properly forward traffic through the VPN:

Terminal:
echo 1 > /proc/sys/net/ipv4/ip_forward 
  • Open /etc/sysconfig/iptables and add the below. Let the iptables open 1194 ports.:
File: /etc/sysconfig/iptables
#openvpn
-A INPUT -p udp -m multiport --dport 1194 -j ACCEPT

Issue the following command to set this variable for the current session:

Terminal:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Before continuing, insert these iptables rules into your system's /etc/rc.local file to ensure that theses iptables rules will be recreated following your next reboot cycle:


  • Open /etc/rc.local and let look like:
File: /etc/rc.local
#!/bin/sh
#
# [...]
#

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

touch /var/lock/subsys/local

[edit] Restart relate service

we need restart all relate service, let the cofig work.

Terminal:
/etc/init.d/ldap restart
/etc/init.d/openvpn restart
/etc/init.d/iptables restart 

[edit] Client setting

Terminal:
cp /usr/share/doc/openvpn-2.1.1/sample-config-files/client.conf /etc/openvpn/easy-rsa/2.0/keys/client.ovpn
cd /etc/openvpn/easy-rsa/2.0/keys 
  • Open /etc/openvpn/easy-rsa/2.0/keys/client.ovpn and set correct values:
File: /etc/openvpn/easy-rsa/2.0/keys/client.ovpn
# Add the vpn server
remote mail.example.com 1194

[...]
#Comment out the below two line  
#cert client.crt
#key client.key

[...]
#Add thes line at the botton
auth-user-pass

Copy the client.ovpn and ca.crt file to your client system. Also can use mutt sent the files to mailbox. you can login email account and download the fies.

Terminal:
yum -y install mutt zip
cd /etc/openvpn/easy-rsa/2.0/keys
zip config.zip client.ovpn ca.crt
mutt -s "OpenVPN client config files" -a /etc/openvpn/easy-rsa/2.0/keys/config.zip www@example.com < /usr/share/doc/openvpn-2.1.1/README 

[edit] Installing OpenVPN GUI On Windows XP / Vista

Download the client software here:http://www.openvpn.se/development.html . The tested version is OpenVPN 2.1_beta7 & OpenVPN GUI 1.0.3 , works on Vista. After install, put the client.ovpn and ca.crt file to C:\Program Files\OpenVPN\config.

Now you can use the account www@example.com connect the vpn.

[edit] Troubleshooting

[edit] Eable ldap log

  • Open /etc/ldap/slapd.conf and set correct values:
File: /etc/ldap/slapd.conf
loglevel    256 # <-- change form 0 to 256  

[edit] Eable Openvpn log

Issue the following command to create log files and setting the right permission:

Terminal:
touch /var/log/openvpn.log
touch /var/log/openvpn-status.log
chown nobody.nobody /var/log/openvpn.log
chown nobody.nobody /var/log/openvpn-status.log 
  • Open /etc/openvpn/server.conf and set correct values:
File: /etc/openvpn/server.conf
[...]
user nobody
group nobody

[...]
status /var/log/openvpn-status.log
log    /var/log/openvpn.log

[edit] Monitor the log

Restart the OpenLDAP and OpenVPN service and monitor the log

# tail -0f /var/log/openldap.log
Apr  4 22:45:17 centos54 slapd[6622]: conn=0 fd=14 ACCEPT from IP=127.0.0.1:35456 (IP=0.0.0.0:389)
Apr  4 22:45:17 centos54 slapd[6622]: conn=0 op=0 BIND dn="cn=vmail,dc=example,dc=com" method=128
Apr  4 22:45:17 centos54 slapd[6622]: conn=0 op=0 BIND dn="cn=vmail,dc=example,dc=com" mech=SIMPLE ssf=0
Apr  4 22:45:17 centos54 slapd[6622]: conn=0 op=0 RESULT tag=97 err=0 text=
Apr  4 22:45:17 centos54 slapd[6622]: conn=0 op=1 SRCH base="o=domains,dc=example,dc=com" 
scope=2 deref=0 filter="(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"
Apr  4 22:45:17 centos54 slapd[6622]: conn=1 fd=18 ACCEPT from IP=127.0.0.1:35457 (IP=0.0.0.0:389)
Apr  4 22:45:17 centos54 slapd[6622]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr  4 22:45:17 centos54 slapd[6622]: conn=1 op=0 BIND dn="cn=vmail,dc=example,dc=com" method=128
Apr  4 22:45:17 centos54 slapd[6622]: conn=1 op=0 BIND dn="cn=vmail,dc=example,dc=com" mech=SIMPLE ssf=0
Apr  4 22:45:17 centos54 slapd[6622]: conn=1 op=0 RESULT tag=97 err=0 text=
Apr  4 22:45:17 centos54 slapd[6622]: conn=1 op=1 BIND anonymous mech=implicit ssf=0
Apr  4 22:45:17 centos54 slapd[6622]: conn=1 op=1 BIND dn="mail=www@example.com,
ou=Users,domainName=example.com,o=domains,dc=example,dc=com" method=128
Apr  4 22:45:17 centos54 slapd[6622]: conn=1 op=1 BIND dn="mail=www@example.com,
ou=Users,domainName=example.com,o=domains,dc=example,dc=com" mech=SIMPLE ssf=0
Apr  4 22:45:17 centos54 slapd[6622]: conn=1 op=1 RESULT tag=97 err=0 text=
Apr  4 22:45:17 centos54 slapd[6622]: conn=0 op=2 UNBIND
Apr  4 22:45:17 centos54 slapd[6622]: conn=1 op=2 UNBIND
Apr  4 22:45:17 centos54 slapd[6622]: conn=1 fd=18 closed
Apr  4 22:45:17 centos54 slapd[6622]: conn=2 fd=18 ACCEPT from IP=127.0.0.1:35458 (IP=0.0.0.0:389)
Apr  4 22:45:17 centos54 slapd[6622]: conn=2 op=0 BIND dn="cn=vmail,dc=example,dc=com" method=128
Apr  4 22:45:17 centos54 slapd[6622]: conn=2 op=0 BIND dn="cn=vmail,dc=example,dc=com" mech=SIMPLE ssf=0
Apr  4 22:45:17 centos54 slapd[6622]: conn=0 fd=14 closed
Apr  4 22:45:17 centos54 slapd[6622]: conn=2 op=0 RESULT tag=97 err=0 text=
Apr  4 22:45:17 centos54 slapd[6622]: conn=2 op=1 SRCH base="o=domains,dc=example,dc=com" 
scope=2 deref=0 filter="(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"
Apr  4 22:45:17 centos54 slapd[6622]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr  4 22:45:17 centos54 slapd[6622]: conn=2 op=2 UNBIND
Apr  4 22:45:17 centos54 slapd[6622]: conn=2 fd=18 closed

# tail -0f /var/log/openvpn.log
Sun Apr  4 22:47:01 2010 MULTI: multi_create_instance called
Sun Apr  4 22:47:01 2010 192.168.1.147:51240 Re-using SSL/TLS context
Sun Apr  4 22:47:01 2010 192.168.1.147:51240 LZO compression initialized
Sun Apr  4 22:47:01 2010 192.168.1.147:51240 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Apr  4 22:47:01 2010 192.168.1.147:51240 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Apr  4 22:47:01 2010 192.168.1.147:51240 Local Options hash (VER=V4): '530fdded'
Sun Apr  4 22:47:01 2010 192.168.1.147:51240 Expected Remote Options hash (VER=V4): '41690919'
Sun Apr  4 22:47:01 2010 192.168.1.147:51240 TLS: Initial packet from 192.168.1.147:51240, sid=01b29dca a4554de8
Sun Apr  4 22:47:01 2010 192.168.1.147:51240 PLUGIN_CALL: 
POST /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Sun Apr  4 22:47:01 2010 192.168.1.147:51240 TLS: Username/Password authentication succeeded for username 'www@example.com'
Sun Apr  4 22:47:01 2010 192.168.1.147:51240 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr  4 22:47:01 2010 192.168.1.147:51240 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr  4 22:47:01 2010 192.168.1.147:51240 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr  4 22:47:01 2010 192.168.1.147:51240 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr  4 22:47:01 2010 192.168.1.147:51240 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Sun Apr  4 22:47:01 2010 192.168.1.147:51240 [] Peer Connection Initiated with 192.168.1.147:51240
Sun Apr  4 22:47:01 2010 192.168.1.147:51240 PLUGIN_CALL: 
POST /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=0
Sun Apr  4 22:47:01 2010 192.168.1.147:51240 MULTI: Learn: 10.8.0.14 -> 192.168.1.147:51240
Sun Apr  4 22:47:01 2010 192.168.1.147:51240 MULTI: primary virtual IP for 192.168.1.147:51240: 10.8.0.14
Sun Apr  4 22:47:02 2010 192.168.1.147:51240 PUSH: Received control message: 'PUSH_REQUEST'
Sun Apr  4 22:47:02 2010 192.168.1.147:51240 SENT CONTROL [UNDEF]: 
'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.1,
topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.14 10.8.0.13' (status=1)
Sun Apr  4 22:47:13 2010 192.168.1.147:51240 Authenticate/Decrypt 
packet error: bad packet ID (may be a replay): [ #1 ] -- see the man page entry for
 --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

Personal tools