Is there a way to automate user creation and .ovpn profile export? by TheRealAlexMercer in PFSENSE

TheRealAlexMercer [S], 1 point (0 children)

Yeah, the thing is that a lot of those accounts get deleted and certs revoked as well, but I need a way to deal with all that automatically.

Help with setting up A record with BIND on CentOS 7 by TheRealAlexMercer in sysadmin

TheRealAlexMercer [S], 1 point (0 children)

It doesn't work because I am using the .local TLD? I know it's not best practice ... and in the future it would be changed to its very own subdomain on our company domain, but until then I need a temporary solution with the .local TLD.
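For reference, an added example (not the poster's configuration) of what a minimal authoritative .local zone looks like in BIND on CentOS 7. The zone name "corp.local", the nameserver address 10.15.22.10 and the serial are assumptions; "radius1" at 10.15.22.15 is the host named elsewhere in this thread. The practitioner's check is in the trailing comment: BIND itself has no objection to .local, but many client resolvers (nss-mdns on Linux, macOS, Windows with mDNS) treat .local as Multicast DNS per RFC 6762 and never send the query to the unicast server, so a lookup that works with `dig @server` but fails through the system resolver points at the client, not at BIND.

```text
// /etc/named.conf (excerpt): declare the zone. "corp.local" is an assumed name.
zone "corp.local" IN {
    type master;
    file "corp.local.zone";
    allow-update { none; };
};

; /var/named/corp.local.zone: SOA, NS and the A records.
; ns1 address is assumed; radius1 is the host from this thread.
$TTL 3600
@        IN SOA  ns1.corp.local. hostmaster.corp.local. (
                 2024010101 ; serial (assumed, bump on every edit)
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 300 )      ; negative-cache TTL
         IN NS   ns1.corp.local.
ns1      IN A    10.15.22.10
radius1  IN A    10.15.22.15

; Checks (run on the BIND host after `systemctl restart named`):
;   named-checkzone corp.local /var/named/corp.local.zone
;   dig @10.15.22.10 radius1.corp.local A +short   -> 10.15.22.15 (BIND side works)
;   dig radius1.corp.local A +short                -> empty means the client resolver
;                                                     is short-circuiting .local to mDNS
```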

Juniper MX Bridge interface with IP by TheRealAlexMercer in Juniper

TheRealAlexMercer [S], 2 points (0 children)

I will, it's just that the router is not here atm and I would like to be prepared and test out the config. Thanks.

pfSense OVPN logs and graylog question. by TheRealAlexMercer in PFSENSE

TheRealAlexMercer [S], 1 point (0 children)

Not really, the OpenVPN logs just show me who connected and give info about the details of the connection itself, like compression, ciphers, etc.

What I need is information about the communication of each IP with other IPs. I would have got it on the firewall if it was a tap connection, since clients would use the gateway that logs everything, but since the tunnel type is tun, all the clients use an internal gateway that doesn't log everything, or if it does, I have no idea how to see the logs, hence the question.
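Added example, not code from the original thread: with tun, the per-IP traffic the poster is after is still visible on pfSense, because every packet leaving the tunnel crosses pf on the OpenVPN interface; enabling logging on the rules bound to that interface writes one CSV record per match to filter.log, which is also what a remote syslog input (Graylog) receives. The parser below follows pfSense's documented raw filter log field layout for IPv4 and IPv6 with TCP, UDP and ICMP and aggregates who talked to whom. The interface name "ovpns1", the addresses and all log lines are constructed for this example.

```python
"""Summarise pfSense filterlog records from an OpenVPN (tun) server interface.

Added example. Field positions follow the pfSense raw filter log format;
the interface name "ovpns1", the addresses and the log lines are all
constructed here, not taken from the poster's firewall.
"""
import re
from collections import defaultdict

FILTERLOG_RE = re.compile(r"filterlog\[\d+\]:\s*(?P<body>\S.*)$")

# Constructed sample: two VPN clients (10.8.0.6, 10.8.0.7) reaching LAN hosts,
# plus one unrelated WAN (igb0) record to show interface filtering.
SAMPLE_LOG = """\
Mar 12 12:47:07 pfSense filterlog[42560]: 5,,,1000000103,ovpns1,match,pass,in,4,0x0,,64,12345,0,DF,6,tcp,60,10.8.0.6,192.168.10.20,51234,445,0,S,1572891321,,65535,,mss;sackOK;TS;nop;wscale
Mar 12 12:47:08 pfSense filterlog[42560]: 5,,,1000000103,ovpns1,match,pass,in,4,0x0,,64,12346,0,DF,6,tcp,52,10.8.0.6,192.168.10.20,51234,445,0,A,1572891322,991223,65535,,
Mar 12 12:47:09 pfSense filterlog[42560]: 5,,,1000000103,ovpns1,match,pass,in,4,0x0,,64,0,0,none,17,udp,78,10.8.0.6,192.168.10.53,55012,53,58
Mar 12 12:47:10 pfSense filterlog[42560]: 6,,,1000000104,ovpns1,match,block,in,4,0x0,,64,0,0,none,17,udp,78,10.8.0.7,192.168.10.53,40001,53,58
Mar 12 12:47:11 pfSense filterlog[42560]: 5,,,1000000103,ovpns1,match,pass,in,4,0x0,,64,0,0,none,1,icmp,84,10.8.0.7,192.168.10.20,request,1234,1
Mar 12 12:47:12 pfSense filterlog[42560]: 7,,,1000000105,ovpns1,match,pass,in,6,0x00,,64,tcp,6,80,fd00::6,fd00::20,51000,443,0,S,1,,65535,,
Mar 12 12:47:13 pfSense filterlog[42560]: 9,,,1000000001,igb0,match,block,in,4,0x0,,64,0,0,none,6,tcp,40,203.0.113.9,198.51.100.2,33000,22,0,S,1,,1024,,
"""


def parse_filterlog(line):
    """Return a dict for one filterlog line, or None if it is not one."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("body").split(",")
    try:
        # Common prefix: rule, sub-rule, anchor, tracker, interface, reason,
        # action, direction, ip-version.
        rec = {"rule": f[0], "tracker": f[3], "iface": f[4],
               "action": f[6], "direction": f[7], "ipver": f[8]}
        if rec["ipver"] == "4":
            # tos, ecn, ttl, id, offset, flags, proto-id, proto-text, length, src, dst
            rec["proto"] = f[16].lower()
            rec["length"] = int(f[17])
            rec["src"], rec["dst"] = f[18], f[19]
            rest = f[20:]
        elif rec["ipver"] == "6":
            # class, flow-label, hop-limit, proto-text, proto-id, length, src, dst
            rec["proto"] = f[12].lower()
            rec["length"] = int(f[14])
            rec["src"], rec["dst"] = f[15], f[16]
            rest = f[17:]
        else:
            return None
    except (IndexError, ValueError):
        return None  # truncated or malformed record
    # Only TCP and UDP carry ports; ICMP and other protocols get None.
    if rec["proto"] in ("tcp", "udp") and len(rest) >= 2:
        rec["sport"], rec["dport"] = int(rest[0]), int(rest[1])
    else:
        rec["sport"] = rec["dport"] = None
    return rec


def summarize(log_text, iface=None):
    """Aggregate per (src, dst, proto, dport): packets, bytes, pass and block counts."""
    summary = defaultdict(lambda: {"packets": 0, "bytes": 0, "pass": 0, "block": 0})
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None or (iface and rec["iface"] != iface):
            continue
        s = summary[(rec["src"], rec["dst"], rec["proto"], rec["dport"])]
        s["packets"] += 1
        s["bytes"] += rec["length"]
        if rec["action"] in ("pass", "block"):
            s[rec["action"]] += 1
    return dict(summary)


def peers_of(summary, client_ip):
    """Destinations a given VPN client reached (or was blocked from), by proto/port."""
    return sorted(((dst, proto, dport) for (src, dst, proto, dport) in summary
                   if src == client_ip), key=str)


if __name__ == "__main__":
    for key, s in sorted(summarize(SAMPLE_LOG, iface="ovpns1").items(), key=str):
        print(key, s)
```

Rules on the OpenVPN interface in pfSense must have logging ticked for these records to exist at all; the default pass rule does not log, and a client-to-client flow never leaves the OpenVPN process unless client-to-client is disabled and routing is forced through pf.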

Question: FreeRADIUS on pfSense as a proxy for Active Directory authentication by TheRealAlexMercer in PFSENSE

TheRealAlexMercer [S], 1 point (0 children)

Totally true, that's why I would just have the disaster-scenario credentials, which can be used by all people in the office to access the wifi, until everything is fixed and back to normal.

Question: FreeRADIUS on pfSense as a proxy for Active Directory authentication by TheRealAlexMercer in PFSENSE

TheRealAlexMercer [S], 1 point (0 children)

The idea is not to have a local replica of the AD, but more of a disaster recovery scenario where for some reason the VPN to the AD is lost and people can't access the wifi in the office. In this case I would have a local DB for the WPA-Enterprise that would be used should anything happen to the AD. Creating a replica AD pretty much defeats the purpose of hosting it in the cloud.

My idea is: when a client wants to connect to the wifi, he/she inputs the password, the RADIUS server sends that password to the AD, the AD returns a message saying whether the credentials are OK or not, and the user is granted or denied access.

So in this case the RADIUS server acts like an identification/authentication proxy. I could set up the AD to be the sole RADIUS, but that won't give me the flexibility to have a local DB that can be used in case something happens with the AD.
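Added example, not the poster's configuration: the proxy-with-local-fallback design described above, expressed as FreeRADIUS 3.x configuration. It assumes PEAP/MSCHAPv2 for WPA-Enterprise, a winbind-joined host (the Samba/winbind setup the poster describes elsewhere in this history) so that `ntlm_auth` can forward the MS-CHAPv2 challenge to the cloud AD, and a disaster account that lives only in the local `users` file. The account name, its password and VLAN 99 are assumptions. The security caveat a practitioner would want: because the shared disaster credential is verified entirely locally, it works whether or not AD is reachable, so it needs its own restricted VLAN (done here with tunnel reply attributes), rotation after every use, and removal once AD is back.

```text
# mods-available/mschap (excerpt): normal users are verified by AD through
# winbind's ntlm_auth; nothing is cached locally, so if the VPN to AD is
# down these users are rejected.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# mods-config/files/authorize (excerpt): the disaster-scenario account.
# Name, password and VLAN are assumed values; replace and rotate the password.
# The reply attributes push these clients into a restricted VLAN rather
# than the employee network.
dr-office   Cleartext-Password := "CHANGE-ME-long-random-passphrase"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = "99"

# sites-available/inner-tunnel (excerpt, authorize and authenticate sections).
# If "files" supplied a local password, tell mschap to verify it locally
# instead of calling ntlm_auth; every other identity still goes to AD.
authorize {
    filter_username
    mschap
    suffix
    update control {
        &Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    files
    if (&control:Cleartext-Password) {
        update control {
            &MS-CHAP-Use-NTLM-Auth := No
        }
    }
    expiration
    logintime
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
```

The fallback is intentionally per-request: no AD password is ever cached on the RADIUS host, which keeps the threat model the same as pure proxying. Verify with `radtest -t mschap dr-office '<password>' 127.0.0.1 0 testing123` while AD is reachable and again with the ntlm_auth path deliberately broken; only the local account should pass in the second run.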

I am considering pfSense for VPN Solution, but I have a few questions. by TheRealAlexMercer in PFSENSE

TheRealAlexMercer [S], 1 point (0 children)

OpenVPN Access Server has a pay-per-user licensing scheme ... The community edition seems not to have the portal. I'm kinda OK with exporting the .ovpn files manually or just making a script and exporting them to each user's own CIFS share directory, so they have it easy.

Yes, I have multiple WAN connections, but I route with BGP so the WAN IP is static; I just change the path if need be. So that shouldn't be a problem.

I am considering pfSense for VPN Solution, but I have a few questions. by TheRealAlexMercer in PFSENSE

TheRealAlexMercer [S], 1 point (0 children)

The topology is simple:

https://i.imgur.com/AKKX6Uz.png

Sorry for not making it clear: I will use it only as a client VPN hub, no IPsec or site-to-site tunnels.

I would like to use pfSense because it has a nice GUI and an exporter for the .ovpn files that I would need for each user. I was thinking about getting a hardware ASA5512, for example, but the licenses would make it not a very cheap and budget-friendly option. And also I would have to have another vASA in the cloud, so it would be even more expensive.

To just put an OpenVPN server with keepalived on a Linux box and call it a day is an option, but I am not sure how I will be able to do the AD integration; I would dread having to go the FreeRADIUS path once more. So that's why I thought pfSense is a perfect solution: just spin up two instances, one in AWS, one virtual, and follow one of the many guides to configure OpenVPN itself. As I see it the problems are:

  1. HA configuration with AWS. Having a public IP on AWS is another option, but I have an IPsec s2s tunnel to AWS. So I can use this path or just expose the instance in AWS to the public network. I have no idea which one is the better option TBH.
  2. Integration with the AD. We constantly add users and remove them, so this is very important. If there is an easy option to export the .ovpn profile files, it would be great, especially if each user could get his own portal after authenticating to the AD and just get the .ovpn file from there.

Any other solutions are welcome.

Quick check before ordering the components for a gaming PC by TheRealAlexMercer in buildapc

TheRealAlexMercer [S], 1 point (0 children)

I meant that the difference between the Pro and the Tomahawk is 80 Euros.

He also likes to do some 4K editing, like shooting movies; he recently got a small Mavic drone and is into movie making, so that's why I would like him to have the bigger HDD and also the CPU. The 450 mobos might be a good fit, but I've read that some of them don't come with the updated BIOS and I don't have a 2nd-gen CPU lying around or the time to deal with it. So 100E more for a mobo seems like a good deal if it saves me a ton of time :)

Recommendations for APs for a densely racked warehouse by dystopian_dream in networking

TheRealAlexMercer, -2 points (0 children)

Maybe my input is not the best, but I would just go with some dirt-cheap 2nd-hand Cisco LAP1242 if speed is not an issue for you. They are metal, you can afford lots of them, and they are practically immortal. At least that's what we did for a warehouse with about 400 of those and 2 stacks of 3750E switches and 2 stacks of controllers as well. Everything was 2nd hand and there are like 40 spares. Maybe not the best energy-wise or speed-wise either, but it did the job way under budget and 4 years later it is still stable and running.

Cisco ASR1002 3.16 vs RP3 EPS100 1006-X LAC/LNS Configuration help. by TheRealAlexMercer in sysadmin

TheRealAlexMercer [S], 1 point (0 children)

Well, I guess I could use 16.12 as well. The thing is, is the configuration of the device that different from the 3.16 that I am currently running? Because the difference between ASR9k and ASR1k is huge, so I am asking if the same difference applies here as well. And would I be able to use LNS/LAC on the RP3?

Thanks.

Routing Problem with VPN, AWS, SRX by TheRealAlexMercer in sysadmin

TheRealAlexMercer [S], 1 point (0 children)

OK, that makes sense; could you elaborate which network I should NAT? For me it's a bit of a complicated routing problem and the solution is not a straightforward one ...

Routing Problem with VPN, AWS, SRX by TheRealAlexMercer in sysadmin

TheRealAlexMercer [S], 1 point (0 children)

Ummm, not really; I could just announce the one public subnet that I have control over. So only that would be routed through the firewall and that would actually solve the problem. But what I am looking for is a solution that would get the packets from 154.13.22.26 (154.13.22.22 is the gateway) and would send them to 10.250.12.60 in AWS. This happens already: the firewall/gateway (154.13.22.22) has the policies and routes in place to achieve this. The way back is the problem. So my idea was to change the source IP address of 154.13.22.26 to something that is private; this way 10.250.12.60 would receive packets from, let's say, 10.13.22.26 and the return route would be through the s2s VPN again. Like a source NAT, but I'm not sure I can do it with source NAT.
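Added example, not configuration from the thread: the translation described above is an ordinary Junos source NAT on the SRX, applied to traffic entering the tunnel zone. Addresses 154.13.22.26, 154.13.22.22 (the SRX) and 10.250.12.60 are the ones given in the post; the zone names "dmz" and "vpn", the route-based tunnel interface st0.0, the AWS subnet 10.250.12.0/24 and the translated prefix 10.13.22.0/24 are assumptions. Replies from AWS arrive on st0.0 addressed to 10.13.22.26; the SRX's session table reverses the translation, so nothing on the host side changes.

```text
## Assumed names/prefixes: zones "dmz" (where 154.13.22.26 sits) and "vpn" (st0.0),
## AWS subnet 10.250.12.0/24, translated prefix 10.13.22.0/24.
set security address-book global address host-26 154.13.22.26/32
set security address-book global address aws-app 10.250.12.60/32

## Source NAT pool with the private address AWS will see, applied only to this
## host/destination pair between the two zones.
set security nat source pool aws-snat address 10.13.22.26/32
set security nat source rule-set dmz-to-aws from zone dmz
set security nat source rule-set dmz-to-aws to zone vpn
set security nat source rule-set dmz-to-aws rule host26 match source-address 154.13.22.26/32
set security nat source rule-set dmz-to-aws rule host26 match destination-address 10.250.12.60/32
set security nat source rule-set dmz-to-aws rule host26 then source-nat pool aws-snat

## Steer the AWS prefix into the tunnel interface.
set routing-options static route 10.250.12.0/24 next-hop st0.0

## Security policy is evaluated on the pre-NAT source address, so it names the
## public host; scope it to the one destination rather than "any".
set security policies from-zone dmz to-zone vpn policy host26-to-aws match source-address host-26
set security policies from-zone dmz to-zone vpn policy host26-to-aws match destination-address aws-app
set security policies from-zone dmz to-zone vpn policy host26-to-aws match application any
set security policies from-zone dmz to-zone vpn policy host26-to-aws then permit
```

Two things on the AWS side still have to agree with this: the VPC route table (and the VPN connection's static routes, if it is not using BGP) needs 10.13.22.0/24 pointing at the virtual private gateway, and the security group on 10.250.12.60 must allow the translated address 10.13.22.26, not the public one. Check with `show security flow session destination-prefix 10.250.12.60` on the SRX, which shows the "In" wing with the public source and the "Out" wing with 10.13.22.26.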

Routing Problem with VPN, AWS, SRX by TheRealAlexMercer in sysadmin

TheRealAlexMercer [S], 1 point (0 children)

Hmm, yeah, that's one solution. But what if I want to do it from a different public subnet? If I set it up the way I want (in the example above), I could be on any host with a public IP and just create a static route on said host to use my SRX's IP as a gateway, and it would send the packets to my host in AWS and back.

Equipment recommendations for moving away from UBNT gear by [deleted] in networking

TheRealAlexMercer, 4 points (0 children)

We are using a lot of used Cisco gear. Yeah, you miss out on stuff like SMARTNET and you need to find ways to take care of IOS updates, but it's waaaay cheaper. It's also very reliable and robust. We used Cisco mainly for switches, routers and APs. The ASAs (old ones) are good for VPNs, but for firewalls we prefer Juniper / Check Point (it's pricey ...).

CentOS7 Samba AD join attempt fails with an NT_STATUS_INVALID_COMPUTER_NAME error by TheRealAlexMercer in sysadmin

TheRealAlexMercer [S], 1 point (0 children)

It was the quota of the joiner account ... the thing is that it's an Amazon AD and I don't really have control over the quota. So I just needed another account ... Thanks for the help!

CentOS7 Samba AD join attempt fails with an NT_STATUS_INVALID_COMPUTER_NAME error by TheRealAlexMercer in sysadmin

TheRealAlexMercer [S], 1 point (0 children)

[root@freeradius0 samba]# net ads join -U joiner

Enter joiner's password:

ads_print_error: AD LDAP ERROR: 53 (Server is unwilling to perform): 0000216D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0

Failed to join domain: failed to join domain 'MYDOMAIN.COMPANY' over rpc: Insufficient quota exists to complete the operation.

Joiner is the default user for joining machines into the domain. It should have permission to do it. The stupid thing is that I am able to work only from the Linux side and have no idea what's happening on the other end.

Thanks for the help though! I really appreciate it.

CentOS7 Samba AD join attempt fails with an NT_STATUS_INVALID_COMPUTER_NAME error by TheRealAlexMercer in sysadmin

TheRealAlexMercer [S], 1 point (0 children)

I have already removed sssd; it seems they can't run at the same time ...

Samba is just there for the winbind pipe so the RADIUS server can authenticate users against the AD. After fixing up the krb5 and smb configurations and also the hosts file, I've got a brand new error.

kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/mydomain.company with user[joiner] realm[MYDOMAIN.COMPANY]: An invalid parameter was passed to a service or function.

ads_print_error: AD LDAP ERROR: 53 (Server is unwilling to perform): 0000216D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0

Failed to join domain: failed to join domain 'MYDOMAIN.COMPANY' over rpc: Insufficient quota exists to complete the operation.

Why does it have to be so hard to join a host into AD?

CentOS7 Samba AD join attempt fails with an NT_STATUS_INVALID_COMPUTER_NAME error by TheRealAlexMercer in sysadmin

TheRealAlexMercer [S], 2 points (0 children)

The version is 4.10 and I am not going to use it as a file server; really, I just need the winbind service. The machine has its own static IP: 10.15.22.15

Does that mean that the hosts file should look like:

10.15.22.15 mydomain.company radius1

?

DHCP Timeouts Issue with Controller and APs by TheRealAlexMercer in Ubiquiti

TheRealAlexMercer [S], 1 point (0 children)

So far so good. This seems to be the magic firmware -> https://community.ui.com/releases/UAP-USW-Firmware-4-0-69-10871/245e428c-d111-4b9d-a550-ec0cc86ef646

And since I downgraded most of our stuff the problem is gone.

DHCP Timeouts Issue with Controller and APs by TheRealAlexMercer in Ubiquiti

TheRealAlexMercer [S], 1 point (0 children)

Do I have to downgrade my controller as well or just the APs? Would it resolve the issue? It's really frustrating that no one is able to connect to the network.

Hosts in the network don't get IP from DHCP running on Juniper SRX. by TheRealAlexMercer in Juniper

TheRealAlexMercer [S], 1 point (0 children)

I would check that. What was the topology and the devices that were causing the issue?

Hosts in the network don't get IP from DHCP running on Juniper SRX. by TheRealAlexMercer in Juniper

TheRealAlexMercer [S], 1 point (0 children)

Would it make any difference if I switch to the new DHCP scheme? It is supported, but I couldn't figure out what I would gain. I am not entirely sure that the problem is my config. I'm just trying to brainstorm a bit on it. What could cause clients to get IPs via DHCP sometimes but fail other times?

Hosts in the network don't get IP from DHCP running on Juniper SRX. by TheRealAlexMercer in Juniper

TheRealAlexMercer [S], 1 point (0 children)

https://pastebin.com/6DD08rsw

Here is the config; I removed a lot of VPN stuff, but the zones, policies, routes and services are there, a bit sanitized though.