Ipcop OpenVPN & LDAP

How can I setup VPN using Ipcop with OpenVPN and have LDAP authentication, is this possible?

I believe it is possible using Endian, but was curious if it was possible using Ipcop and OpenVPN.

Thanks.
rnitsAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Pierre FrançoisSenior consultantCommented:
Yes, it is possible: you have to install two addons on ipcop:

advproxy; see: http://www.advproxy.net/
openvpn (also called zerina): see http://www.zerina.de/

About IPCop addons, see webpage: http://www.ipcop.org/index-pn.php?module=pnWikka&func=history&tag=IPCopAddons

0
rnitsAuthor Commented:
But, can I use Ldap Authentication when using OpenVPN, so the user is using their username/password that is on Ldap.

Thanks.
0
Pierre FrançoisSenior consultantCommented:
What kind of identification do you want to do: identifying a user on the LAN to allow him access on the Internet?
0
ON-DEMAND: 10 Easy Ways to Lose a Password

Learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees in this on-demand webinar. We cover the importance of multi-factor authentication and how these solutions can better protect your business!

rnitsAuthor Commented:
Well, OpenVPN needs a user/password to get into the network.  I want to authenticate this to the ldap server.  

Basically, authenticate users that log in using OpenVPN to the ldap server.
0
Pierre FrançoisSenior consultantCommented:
I understand in your case that the LDAP server is on the local LAN and that users wants to connect to a remote VPN. So you use your local OpenVPN as a client for connecting to remote VPNs, not as a server for incoming connections from outside. Am I right? I suppose the IPCop is locally running.
0
rnitsAuthor Commented:
So here is the diagram:

External Network (Red Network) --> IP Cop Firewall/OpenVPN Server --> Internal Network (Green Network) --> Ldap Server (Windows 2k3 Server)

So the OpenVPN Client would connect to OpenVPN Server to get access to the Internal Network.

0
Pierre FrançoisSenior consultantCommented:
Oh, I understand: you try to connect to the green network from outside. In that case, you don't need the ldap server of advproxy. OpenVPN is enough.

But... as long as the tunnel is not open, you don't have access to the the ldap server. OpenVPN has his own system of authentication with certificates. As far as I know, you would have to authenticate twice: once for opening the VPN tunnel, normally with certificates (my VPN client connects transparently), and second with ldap once you are on the green network through VPN.

I fear the authentication of ldap and vpn are not compatible.
0
rnitsAuthor Commented:
Hence, I do not want to authenticate twice.  That is my main problem. :)

I was hoping there was another way of setting up OpenVPN to authenticate only once.
0
Pierre FrançoisSenior consultantCommented:
OpenVPN implies a very secure  way of authentication, with encrypting and certificates. ldap is just checking a pair of username/password but offers no encrypted communication. ldap is not strong enough for supporting the level of ssh tunneling implied by OpenVPN.

I propose two solutions:

a) use clients that authenticate in a user transparent way, at least the VPN part;

b) connect through ldap without tunneling but simply by opening the corresponding port on IPCop (do NOT do that, it is very unsecure).
0
rnitsAuthor Commented:
So, here is what I found:

IPCop with OpenVPN can not authenticate with an LDAP server.

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux Networking

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.