
OpenVPN Notes

To administer OpenVPN, SSH into the OpenVPN server and log in with the admin account whose credentials are stored in Vault.

The admin username is openvpn.

```
systemctl restart openvpnas
```

Helpful reference: https://openvpn.net/vpn-server-resources/managing-settings-for-the-web-services-from-the-command-line/

There is a strict dependency on firewalld: openvpn must be started after firewalld.

How to Reset ldap.read

ldap.read@defpoint.com is the Okta user that OpenVPN uses to authenticate to Okta. The ldap.read account's password expires after 60 days. To see when the password will expire, go to Reports -> Okta Password Health. Don't open the report with Excel!

  1. Be on the prod VPN.
  2. Log into Okta in an incognito window using the ldap.read username and the current password from Vault (engineering/root). Brad's phone is currently set up with the push notification for the account, and MFA is required for the account. To change the password without Brad, remove the MFA factor using your own account in Okta and set it up on your own phone.
  3. Once the password has been updated, update Vault at engineering/root with the key ldap.read@defpoint.com. You will have to create a new version of engineering/root to save the password.
  4. Note the new password and the OpenVPN admin creds, then drop off the VPN. Log into the OpenVPN web GUI (https://openvpn.xdr.accenturefederalcyber.com/admin/) as the openvpn user (password in Vault) and update the credentials for ldap.read: Authentication -> LDAP -> update password -> Save Settings, then Update Running Server. Repeat this for the test environment (https://openvpn.xdrtest.accenturefederalcyber.com/admin/).
  5. Verify that you are able to log in to the VPN.
  6. Set a reminder in your calendar to reset the password in less than 60 days.

When the Okta push is slow, get the 6-digit code from your Okta app and enter it in Viscosity as part of your password, in the form password,123456. This only works because your password contains no commas, so keep it that way.

LDAP config

- Primary server: mdr-multipass.ldap.okta.com
- Bind anonymously? NO
- Use credentials? YES
- Bind DN: uid=ldap.read@defpoint.com, dc=mdr-multipass, dc=okta, dc=com
- Base DN for users: ou=users, dc=mdr-multipass, dc=okta, dc=com
- Username attribute: uid

OpenVPN License

PROD -> see the Salt state. TEST -> YOLO via the web interface. This means I did not take the time to reconfigure the Salt states to handle separate prod and test licenses.

CLI

OpenVPN can also be configured via the CLI.

The confdba tool is used to view the configuration DB.

Show all configurations:

```
/usr/local/openvpn_as/scripts/confdba -s
```

Show all configurations in the user database:

```
/usr/local/openvpn_as/scripts/confdba -us
```

The sacli tool is used to interact with the OpenVPN API.

```
/usr/local/openvpn_as/scripts/sacli Version
```

View configurations. If a configuration key doesn't show up, it is set to its default value.

```
/usr/local/openvpn_as/scripts/sacli ConfigQuery
/usr/local/openvpn_as/scripts/sacli UserPropGet
/usr/local/openvpn_as/scripts/sacli ConfigQuery --pfilt=vpn.server.tls_version_min
```

Timeouts

https://openvpn.net/vpn-server-resources/openvpn-tunnel-session-management-options/

Fedramp SC-10

RIGHT: The Access Server can push the OpenVPN "inactive" directive to clients. The inactive directive can be used to compel clients to disconnect if their bandwidth usage is below a given threshold for a given length of time.

Control this with the following user/group properties:

- prop_isec: (int) number of seconds over which to sample bytes in/out
- prop_ibytes: (int) minimum number of in/out bytes over prop_isec seconds to allow the connection to continue

For example, to disconnect a user who fails to transmit/receive at least 75,000 bytes during a 30 minute period:

```
# __DEFAULT__ user applies to all users.
/usr/local/openvpn_as/scripts/sacli --user __DEFAULT__ --key prop_isec --value 1800 UserPropPut
/usr/local/openvpn_as/scripts/sacli --user __DEFAULT__ --key prop_ibytes --value 75000 UserPropPut

# verify the setting is in place
/usr/local/openvpn_as/scripts/confdba -us -p __DEFAULT__
```
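The same SC-10 change wrapped in a small POSIX sh function, as an added example that is not part of the original notes: it validates the inputs, converts the window from minutes to seconds, writes both properties to __DEFAULT__ and then restarts services with `sacli start` so the running server picks the change up. SACLI is an assumed variable so the function can be rehearsed against a stub before touching the server.

```shell
#!/bin/sh
# Added example (not from the original notes): apply the SC-10 inactivity
# policy to the __DEFAULT__ user with input validation.
# SACLI is assumed to be the Access Server sacli path; point it at a stub
# script to rehearse the change without touching the real server.
SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"

# is_posint VALUE -> exit 0 if VALUE is a positive integer, else 1
is_posint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# apply_inactivity_policy MINUTES BYTES
# Sets prop_isec (sample window in seconds) and prop_ibytes (minimum bytes
# in+out over that window) on __DEFAULT__, then restarts services so the
# running server picks the change up. Returns 1 on bad input or sacli failure.
apply_inactivity_policy() {
    minutes="$1"; bytes="$2"
    is_posint "$minutes" || { echo "bad window (minutes): $minutes" >&2; return 1; }
    is_posint "$bytes"   || { echo "bad byte floor: $bytes" >&2; return 1; }
    secs=$((minutes * 60))
    "$SACLI" --user __DEFAULT__ --key prop_isec --value "$secs" UserPropPut || return 1
    "$SACLI" --user __DEFAULT__ --key prop_ibytes --value "$bytes" UserPropPut || return 1
    "$SACLI" start   # apply the new properties to the running server
}

# The figures from the notes: 75,000 bytes in any 30-minute window.
# apply_inactivity_policy 30 75000
```

Verify afterwards with `confdba -us -p __DEFAULT__` as above; prop_isec should read 1800 and prop_ibytes 75000.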

Configure TLS on OpenVPN

Make a certificate like you would any other, using openssl commands and our CA. Then, to install it (paths are relative to the scripts directory):

```
../scripts/sacli --key "cs.openssl_ciphersuites" --value 'TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL:!3DES:!SHA' ConfigPut
../scripts/sacli --key "cs.ca_bundle" --value_file=bundle.pem ConfigPut
../scripts/sacli --key "cs.cert" --value_file=openvpn.pem ConfigPut
../scripts/sacli --key "cs.priv_key" --value_file=openvpn.key ConfigPut
```

See the OpenVPN docs: https://openvpn.net/vpn-server-resources/managing-settings-for-the-web-services-from-the-command-line/#selecting-ssl-and-tls-levels-on-the-web-server