Integrating OpenVPN with Google Single Sign-On (SSO) streamlines user authentication and access management, improving both security and user experience. With Google as the identity provider, users log in to OpenVPN with their Google credentials, so no separate VPN usernames and passwords need to be maintained.
Prerequisites
- LDAP Gsuite
- stunnel
- openvpn-auth-ldap
Create LDAP Client

Create the LDAP client in Google and download the certificate (the client certificate and key files used below).

Install package dependencies
Install OpenVPN auth LDAP and stunnel:
apt install openvpn-auth-ldap stunnel4 -y
In this scenario the OpenVPN server is already running, so we only need to enable the integration with Google SSO. The relevant lines in the server config are the `plugin` line, which loads openvpn-auth-ldap with its config file, and `verify-client-cert optional`:
local 172.31.24.60
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "route 172.31.0.0 255.255.0.0"
push "route 172.35.0.0 255.255.0.0"
push "route 172.69.0.0 255.255.0.0"
ifconfig-pool-persist ipp.txt
log /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
## plugin auth-ldap
verb 3
crl-verify crl.pem
username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf
verify-client-cert optional
####
max-clients 1022
duplicate-cn
Move the LDAP credentials (the certificate and key downloaded from Google) to /etc/openvpn:
mv ldap* /etc/openvpn
Create the config file /etc/openvpn/auth-ldap.conf:
<LDAP>
    # Connect to the local stunnel listener defined in /etc/stunnel/google-ldap.conf;
    # stunnel wraps the connection in TLS and presents the Google LDAP client certificate.
    URL ldap://127.0.0.1:1636
    #Timeout 15
    TLSEnable false
    TLSCACertDir /etc/ssl/certs
    TLSCertFile /etc/openvpn/ldap-client.pem
    TLSKeyFile /etc/openvpn/ldap-client.key
</LDAP>
<Authorization>
    BaseDN "dc=rotreein,dc=my.id"
    SearchFilter "(uid=%u)" # (or choose your own LDAP filter for users)
    RequireGroup false
</Authorization>
Create the config file /etc/stunnel/google-ldap.conf:
[ldap]
client = yes
accept = 127.0.0.1:1636
connect = ldap.google.com:636
cert = /etc/openvpn/ldap-client.pem
key = /etc/openvpn/ldap-client.key
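As an added example (not part of the original post), the following Python script parses constructed copies of the three files above and reports wiring problems before OpenVPN is restarted: the plugin line must load openvpn-auth-ldap with the auth-ldap.conf path, the LDAP URL must point at the stunnel listener (stunnel is what presents the Google client certificate, so the plugin should use ldap://127.0.0.1:1636 rather than connecting to Google directly, which is my assumption about the intended design), and stunnel must be a TLS client to ldap.google.com:636 with cert and key set. It also flags `verify-client-cert optional`, which accepts clients that present no certificate on their LDAP credentials alone.

```python
"""Consistency check for the OpenVPN + openvpn-auth-ldap + stunnel wiring.

Added example; not from the original tutorial. The three file bodies below are
constructed samples mirroring the tutorial's configs.
"""
from urllib.parse import urlparse

SERVER_CONF = """\
port 1194
proto udp
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf
verify-client-cert optional
username-as-common-name
duplicate-cn
"""

AUTH_LDAP_CONF = """\
<LDAP>
  URL ldap://127.0.0.1:1636
  TLSEnable false
  TLSCertFile /etc/openvpn/ldap-client.pem
  TLSKeyFile /etc/openvpn/ldap-client.key
</LDAP>
<Authorization>
  BaseDN "dc=rotreein,dc=my.id"
  SearchFilter "(uid=%u)"
  RequireGroup false
</Authorization>
"""

STUNNEL_CONF = """\
[ldap]
client = yes
accept = 127.0.0.1:1636
connect = ldap.google.com:636
cert = /etc/openvpn/ldap-client.pem
key = /etc/openvpn/ldap-client.key
"""


def parse_kv(text, sep):
    """Parse 'key<sep>value' lines into a dict; skips comments, <tags> and [sections]."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line[0] in "<[":
            continue
        key, _, value = line.partition(sep)
        out[key.strip()] = value.strip().strip('"')
    return out


def check_wiring(server_conf, auth_ldap_conf, stunnel_conf):
    """Return {'errors': [...], 'warnings': [...]} for the three config files."""
    errors, warnings = [], []
    server = parse_kv(server_conf, " ")
    ldap = parse_kv(auth_ldap_conf, " ")
    tunnel = parse_kv(stunnel_conf, "=")

    # 1. The plugin line must load openvpn-auth-ldap with its config file.
    plugin_args = server.get("plugin", "").split()
    if len(plugin_args) != 2 or not plugin_args[0].endswith("openvpn-auth-ldap.so"):
        errors.append("server: 'plugin' line missing or does not load openvpn-auth-ldap.so")
    elif plugin_args[1] != "/etc/openvpn/auth-ldap.conf":
        errors.append(f"server: plugin config path is {plugin_args[1]}, "
                      "expected /etc/openvpn/auth-ldap.conf")

    # 2. The plugin should talk to the local stunnel listener (plaintext on loopback),
    #    otherwise stunnel, and the client certificate it carries, are never used.
    url = urlparse(ldap.get("URL", ""))
    listener = tunnel.get("accept", "")
    if f"{url.hostname}:{url.port}" != listener:
        errors.append(f"auth-ldap: URL targets {url.netloc}, but stunnel listens on {listener}")
    if url.scheme == "ldaps" and url.hostname in ("127.0.0.1", "localhost"):
        errors.append("auth-ldap: stunnel listener is plaintext on loopback; use ldap://, not ldaps://")

    # 3. stunnel must be a TLS client to Google's LDAP endpoint with the downloaded credential.
    if tunnel.get("client") != "yes" or tunnel.get("connect") != "ldap.google.com:636":
        errors.append("stunnel: expected 'client = yes' and 'connect = ldap.google.com:636'")
    for opt in ("cert", "key"):
        if not tunnel.get(opt):
            errors.append(f"stunnel: '{opt}' (the Google LDAP client credential) is not set")

    # 4. Not an error, but worth knowing: with 'optional', a client that presents no
    #    certificate is admitted on its Google username/password alone.
    if server.get("verify-client-cert") == "optional":
        warnings.append("server: verify-client-cert optional -> certificate-less clients are "
                        "accepted on LDAP credentials alone")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for level, items in check_wiring(SERVER_CONF, AUTH_LDAP_CONF, STUNNEL_CONF).items():
        for item in items:
            print(f"[{level}] {item}")
```

Run it against the real files by reading /etc/openvpn/server.conf, /etc/openvpn/auth-ldap.conf and /etc/stunnel/google-ldap.conf into the three arguments; an empty `errors` list means the plugin, the tunnel and the Google endpoint line up.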