{"id":74,"date":"2024-11-07T11:14:33","date_gmt":"2024-11-07T09:14:33","guid":{"rendered":"https:\/\/untanux.lt\/?p=74"},"modified":"2024-11-07T11:14:33","modified_gmt":"2024-11-07T09:14:33","slug":"openvpn-server-on-a-debian-server","status":"publish","type":"post","link":"https:\/\/untanux.lt\/?p=74","title":{"rendered":"OpenVPN server on a Debian server"},"content":{"rendered":"\n
    <\/ol>\n\n\n\n
    Step 1: Install OpenVPN Server on Debian<\/strong>

        Update the package list:

    sudo apt update

    Install OpenVPN and additional required packages:

    sudo apt install openvpn easy-rsa

    Set up the Public Key Infrastructure (PKI) by navigating to the EasyRSA directory and building the CA:

    make-cadir ~\/openvpn-ca
    cd ~\/openvpn-ca
    .\/easyrsa init-pki
    .\/easyrsa build-ca

    Generate the server certificate and key:

    .\/easyrsa gen-req server nopass
    .\/easyrsa sign-req server server

    Generate client certificates, Diffie-Hellman key exchange, and HMAC key:

        .\/easyrsa gen-req client1 nopass
        .\/easyrsa sign-req client client1
        .\/easyrsa gen-dh
        openvpn --genkey --secret ta.key

        Copy certificates and keys to the \/etc\/openvpn\/ directory.

    Step 2: Configure OpenVPN to Use Azure AD for Authentication<\/strong>

        Install the OpenVPN Authentication Plugin for PAM:

        sudo apt install openvpn-auth-pam

        Configure Azure AD as an authentication provider.

        Go to the Azure Portal:
            Navigate to Azure Active Directory > Enterprise Applications > New Application.
            Select Non-Gallery Application and name it OpenVPN.

        Go to Authentication and configure the redirect URIs:
            Add the URI: https:\/\/<your-vpn-server-ip>\/auth
            Ensure ID tokens are enabled.

        Go to Certificates & Secrets and create a Client Secret.

        Under API Permissions:
            Add the Microsoft Graph API permissions for User.Read.

    Step 3: Configure Azure AD SAML Authentication for OpenVPN<\/strong>

        In Azure AD:
            Go to your OpenVPN app > Single sign-on > SAML.
            Edit the Basic SAML Configuration with the following:
                Identifier (Entity ID): https:\/\/<your-vpn-server-ip>\/saml.
                Reply URL: https:\/\/<your-vpn-server-ip>\/saml.

        Download the Federation Metadata XML file to use with OpenVPN.

        Configure the User Attributes & Claims:
            Add a claim for user.userprincipalname as the NameID format.

    Step 4: Configure OpenVPN to Use SAML Authentication<\/strong>

        On the OpenVPN server:
            Place the Federation Metadata XML file in the \/etc\/openvpn\/ directory.

        Edit the OpenVPN server configuration file, usually located at \/etc\/openvpn\/server.conf:

            Add the following lines to enable SAML authentication:

            plugin \/usr\/lib\/openvpn\/openvpn-plugin-auth-pam.so openvpn
            auth-user-pass-verify \/etc\/openvpn\/check_saml.sh via-env

        Create a check_saml.sh script to verify the SAML token.

    Step 5: Configure 2FA with Azure AD<\/strong>

        In Azure AD, go to Security > Conditional Access:
            Create a new policy that requires Multi-Factor Authentication for the OpenVPN application.
            Set the Grant control to require Multi-Factor Authentication.

        Enable this policy to enforce 2FA for users accessing OpenVPN through Azure AD.

    Step 6: Restart OpenVPN and Test<\/strong>

        Restart the OpenVPN service:

        sudo systemctl restart openvpn@server

        Download and configure the OpenVPN client, importing the .ovpn profile configured for SAML authentication.

        Test by logging in with an Azure AD account; you should be prompted for 2FA if configured correctly in Conditional Access.

    Your OpenVPN server on Debian is now configured to authenticate users via Azure AD with 2FA enforced.<\/pre>\n","protected":false},"excerpt":{"rendered":"
    Step 1: Install OpenVPN Server on Debian Update the package list:sudo apt updateInstall OpenVPN and additional required packages:sudo apt install openvpn easy-rsaSet up the Public Key Infrastructure (PKI) by navigating to the EasyRSA directory and building the CA:make-cadir ~\/openvpn-cacd ~\/openvpn-ca.\/easyrsa init-pki.\/easyrsa build-caGenerate the server certificate and key:.\/easyrsa gen-req server nopass.\/easyrsa sign-req server serverGenerate client certificates, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-74","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/untanux.lt\/index.php?rest_route=\/wp\/v2\/posts\/74","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/untanux.lt\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/untanux.lt\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/untanux.lt\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/untanux.lt\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=74"}],"version-history":[{"count":1,"href":"https:\/\/untanux.lt\/index.php?rest_route=\/wp\/v2\/posts\/74\/revisions"}],"predecessor-version":[{"id":75,"href":"https:\/\/untanux.lt\/index.php?rest_route=\/wp\/v2\/posts\/74\/revisions\/75"}],"wp:attachment":[{"href":"https:\/\/untanux.lt\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=74"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/untanux.lt\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=74"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/untanux.lt\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=74"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}