OpenVPN Notes

To administer OpenVPN, SSH into the OpenVPN server and use the admin user that is located in Vault.

The admin username is openvpn.


Reset ldap.read

ldap.read@defpoint.com is the Okta user that OpenVPN uses to authenticate to Okta. The ldap.read account's password expires after 60 days. To see when the password will expire, go to Reports -> Okta Password Health. Don't open with EXCEL!

  1. Log into Okta in an incognito window using the ldap.read username and the current password from Vault (engineering/root). Brad's phone is currently set up with the Push notification for the account. MFA is required for the account. To change the password without Brad, remove MFA with your account in Okta and set it up on your own phone.
  2. Once the password has been updated, update Vault in this location, engineering/root, with a key of ldap.read@defpoint.com. You will have to create a new version of engineering/root to save the password.
  3. Store the new password and the creds for OpenVPN and drop off the VPN. Log into the OpenVPN web GUI (https://openvpn.mdr.defpoint.com/admin/) as the openvpn user (password in Vault) and update the credentials for ldap.read: Authentication -> LDAP -> update password -> Save Settings. Then update the running server. Repeat this for the test environment (https://openvpn.mdr-test.defpoint.com/admin/).
  4. Verify that you are able to log in to the VPN.
  5. Set a reminder in your calendar to reset the password in less than 60 days. REMOVE LDAP FROM SENSU!!!
  6. Update the Sensu ldap.read password in salt/pillar/sensu_master.sls. It will need to be encrypted prior to being used.
  7. Put the password in a deleteme.txt file and run this command (see the Google doc for additional info).
  8. `cat deleteme.txt | gpg -easr salt | gpg -d`
     7.5. Paste the output in the file and use tab to indent correctly. No indent = salt errors. You can use yamllint to test.
  9. Commit to git.
  10. Push to Sensu and restart:
      9.1. `salt 'sensu*' state.sls sensu_master`
      9.2. `salt 'sensu*' cmd.run 'systemctl restart sensu-backend'`
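As an added example for steps 7 and 8 (not code from the note, from Salt or from Sensu), the following POSIX shell helpers wrap the gpg invocation and turn its armored output into an indented YAML block scalar for the pillar. It assumes the pillar is rendered with Salt's GPG renderer (first line of the .sls file is `#!yaml|gpg`), that the recipient key is named `salt` as in the command above, and that the pillar key name (`ldap_read_password` in the usage comment) is whatever sensu_master.sls expects; the PGP message in the usage comment is a constructed placeholder. Because YAML does not allow tabs in indentation (yamllint rejects them), the helper indents with four spaces, and `check_block` catches the unindented case that produces the "salt errors" the note warns about.

```shell
#!/bin/sh
# Added example, not part of the note. Assumptions: Salt GPG renderer
# ("#!yaml|gpg" at the top of the pillar), recipient key "salt" as in the
# note, and a pillar key name chosen by the caller.

# encrypt_for_salt FILE
# The step 8 invocation with long option names: armor, encrypt, sign,
# recipient "salt". Prints the PGP message to paste into the pillar.
encrypt_for_salt() {
    gpg --armor --encrypt --sign --recipient salt < "$1"
}

# pillar_gpg_block KEY < ciphertext
# Emits "KEY: |" followed by every ciphertext line indented four spaces.
# YAML forbids tabs in indentation, so spaces are used here.
pillar_gpg_block() {
    printf '%s: |\n' "$1"
    while IFS= read -r line || [ -n "$line" ]; do
        printf '    %s\n' "$line"
    done
}

# check_block FILE
# Returns 0 when the block is safe to paste: no tab characters anywhere,
# and every line after the key line starts with four spaces.
check_block() {
    ! grep -q "$(printf '\t')" "$1" && ! sed -n '2,$p' "$1" | grep -qv '^    '
}

# Usage, following the note: password in deleteme.txt, block for the pillar.
#   encrypt_for_salt deleteme.txt | pillar_gpg_block ldap_read_password > block.txt
#   check_block block.txt && echo "ok to paste into sensu_master.sls"
#   rm -f deleteme.txt
```

Paste the contents of block.txt under the right parent key in sensu_master.sls, keeping the four-space indentation relative to that key, then run yamllint on the file before committing.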

When Okta push is slow, get the 6 digits from your Okta app and enter them into Viscosity as part of your password, in the form password,123456. Clearly your password should have no commas in it.


LDAP config

Primary server: mdr-multipass.ldap.okta.com
Bind Anon? NO
Use creds? YES
BIND DN: uid=ldap.read@defpoint.com, dc=mdr-multipass, dc=okta, dc=com
BASE DN for Users: ou=users, dc=mdr-multipass, dc=okta, dc=com
Username Attribute: uid


OpenVPN License

TEST -> YOLO via web interface. This means I did not take the time to reconfigure the Salt states to handle a prod and test license.

Timeout

FedRAMP SC-10

#RIGHT: The Access Server can push the OpenVPN "inactive" directive to clients. The inactive directive can be used to compel clients to disconnect if their bandwidth usage is below a given threshold for a given length of time.

Control with the following user/group properties:

prop_isec: (int, number of seconds over which to sample bytes in/out)
prop_ibytes: (int, minimum number of in/out bytes over prop_isec seconds to allow the connection to continue)

For example, to disconnect a user who fails to transmit/receive at least 75,000 bytes during a 15 minute period:

```shell
# The DEFAULT user applies to all users.
./sacli --user DEFAULT --key prop_isec --value 900 UserPropPut
./sacli --user DEFAULT --key prop_ibytes --value 75000 UserPropPut

# Verify the setting is in place.
./confdba -us -p DEFAULT
```