{"id":679,"date":"2021-01-08T03:05:00","date_gmt":"2021-01-07T20:05:00","guid":{"rendered":"https:\/\/rotreein.com\/?p=679"},"modified":"2024-05-11T18:47:55","modified_gmt":"2024-05-11T11:47:55","slug":"integrate-openvpn-with-google-sso","status":"publish","type":"post","link":"https:\/\/rotreein.com\/?p=679","title":{"rendered":"Integrate OpenVPN with Google SSO"},"content":{"rendered":"\n<p>Integrating OpenVPN with Google Single Sign-On (SSO) streamlines user authentication and access management, improving both security and user experience. By using Google as the identity provider, users log in to OpenVPN with their Google credentials, eliminating the need for separate VPN usernames and passwords.<\/p>\n\n\n\n<h1 class=\"wp-block-heading has-medium-font-size\" id=\"Prerequisites\">Prerequisites<\/h1>\n\n\n\n<ul>\n<li>G Suite Secure LDAP<\/li>\n\n\n\n<li><code>stunnel<\/code><\/li>\n\n\n\n<li><code>openvpn-auth-ldap<\/code><\/li>\n<\/ul>\n\n\n\n<p>Create an LDAP client.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"340\" src=\"https:\/\/rotreein.com\/wp-content\/uploads\/2024\/05\/image-20230107-152309.png\" alt=\"\" class=\"wp-image-680\" srcset=\"https:\/\/rotreein.com\/wp-content\/uploads\/2024\/05\/image-20230107-152309.png 768w, https:\/\/rotreein.com\/wp-content\/uploads\/2024\/05\/image-20230107-152309-300x133.png 300w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"773\" height=\"422\" src=\"https:\/\/rotreein.com\/wp-content\/uploads\/2024\/05\/image-20230107-152357.png\" alt=\"\" class=\"wp-image-681\" srcset=\"https:\/\/rotreein.com\/wp-content\/uploads\/2024\/05\/image-20230107-152357.png 773w, https:\/\/rotreein.com\/wp-content\/uploads\/2024\/05\/image-20230107-152357-300x164.png 300w, 
https:\/\/rotreein.com\/wp-content\/uploads\/2024\/05\/image-20230107-152357-768x419.png 768w\" sizes=\"(max-width: 773px) 100vw, 773px\" \/><\/figure>\n\n\n\n<p>Download the LDAP client certificate and key.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"773\" height=\"383\" src=\"https:\/\/rotreein.com\/wp-content\/uploads\/2024\/05\/image-20230107-152429.png\" alt=\"\" class=\"wp-image-682\" srcset=\"https:\/\/rotreein.com\/wp-content\/uploads\/2024\/05\/image-20230107-152429.png 773w, https:\/\/rotreein.com\/wp-content\/uploads\/2024\/05\/image-20230107-152429-300x149.png 300w, https:\/\/rotreein.com\/wp-content\/uploads\/2024\/05\/image-20230107-152429-768x381.png 768w\" sizes=\"(max-width: 773px) 100vw, 773px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading has-medium-font-size\" id=\"Install-package-dependencies\">Install package dependencies<\/h2>\n\n\n\n<h3 class=\"wp-block-heading has-small-font-size\" id=\"Install-OpenVPN-auth-LDAP\">Install OpenVPN auth LDAP<\/h3>\n\n\n\n<ul>\n<li><a href=\"https:\/\/github.com\/threerings\/openvpn-auth-ldap\">openvpn-auth-ldap<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.stunnel.org\/\">stunnel<\/a><\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install openvpn-auth-ldap stunnel4 -y<\/code><\/pre>\n\n\n\n<p>In this scenario the OpenVPN server is already running, so we only need to enable the Google SSO integration, which checks the VPN username and password against Google's Secure LDAP service. The relevant lines are in the <code>plugin auth-ldap<\/code> block at the end of the server config.<\/p>\n\n\n\n<pre data-mode=\"php\" data-theme=\"monokai\" data-fontsize=\"14\" data-lines=\"Infinity\" class=\"wp-block-simple-code-block-ace\">local 172.31.24.60\nport 1194\nproto udp\ndev tun\n\nca ca.crt\ncert server.crt\nkey server.key\ndh dh.pem\n\nauth SHA512\ntls-crypt tc.key\ntopology subnet\n\nserver 10.8.0.0 255.255.255.0\npush \"route 172.31.0.0 255.255.0.0\"\npush \"route 172.35.0.0 255.255.0.0\"\npush \"route 172.69.0.0 255.255.0.0\"\n\nifconfig-pool-persist ipp.txt\n\nlog \/var\/log\/openvpn\/openvpn.log\nstatus 
\/var\/log\/openvpn\/openvpn-status.log\n\nkeepalive 10 120\ncipher AES-256-CBC\nuser nobody\ngroup nogroup\n\npersist-key\npersist-tun\n\n\n## plugin auth-ldap\nverb 3\ncrl-verify crl.pem\n# use the LDAP username, not the certificate CN, as the client identity\nusername-as-common-name\n# hand the username\/password to openvpn-auth-ldap, configured in auth-ldap.conf\nplugin \/usr\/lib\/openvpn\/openvpn-auth-ldap.so \/etc\/openvpn\/auth-ldap.conf\n# a client certificate is verified if presented but not required;\n# without one, the LDAP bind is the only authentication check\nverify-client-cert optional\n\n####\nmax-clients 1022\n# allow the same username (CN) to hold more than one concurrent session\nduplicate-cn\n<\/pre>\n\n\n\n<p>Move the downloaded LDAP client certificate and key to <code>\/etc\/openvpn<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mv ldap* \/etc\/openvpn<\/code><\/pre>\n\n\n\n<p>Create the config file <code>\/etc\/openvpn\/auth-ldap.conf<\/code><\/p>\n\n\n\n<pre data-mode=\"php\" data-theme=\"monokai\" data-fontsize=\"14\" data-lines=\"Infinity\" class=\"wp-block-simple-code-block-ace\">&lt;LDAP>\n  URL ldaps:\/\/ldap.google.com:636 # or ldap:\/\/127.0.0.1:1636 to go through the local stunnel listener configured below\n  Timeout 15\n  TLSEnable false # no StartTLS; ldaps:\/\/ (or stunnel) already provides TLS\n  TLSCACertDir \/etc\/ssl\/certs\n  TLSCertFile \/etc\/openvpn\/ldap-client.pem\n  TLSKeyFile \/etc\/openvpn\/ldap-client.key\n&lt;\/LDAP>\n&lt;Authorization>\n  BaseDN \"dc=rotreein,dc=my.id\"\n  SearchFilter \"(uid=%u)\" # (or choose your own LDAP filter for users)\n  RequireGroup false\n&lt;\/Authorization>\n<\/pre>\n\n\n\n<p>Create the config file <code>\/etc\/stunnel\/google-ldap.conf<\/code><\/p>\n\n\n\n<pre data-mode=\"php\" data-theme=\"monokai\" data-fontsize=\"14\" data-lines=\"Infinity\" class=\"wp-block-simple-code-block-ace\">[ldap]\n; stunnel acts as the TLS client towards Google and presents the LDAP client certificate\nclient = yes\n; plaintext LDAP listener, bound to loopback so only local processes can use it\naccept = 127.0.0.1:1636\nconnect = ldap.google.com:636\ncert = \/etc\/openvpn\/ldap-client.pem\nkey = \/etc\/openvpn\/ldap-client.key<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Integrating OpenVPN with Google Single Sign-On (SSO) streamlines user authentication and access management processes, enhancing security and user experience. By leveraging Google as the identity provider, users can log in to OpenVPN using their Google credentials, eliminating the need for separate usernames and passwords Prerequisites Create LDAP Client Download the certificate. 
Install package dependencies Install&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/rotreein.com\/index.php?rest_route=\/wp\/v2\/posts\/679"}],"collection":[{"href":"https:\/\/rotreein.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rotreein.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rotreein.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rotreein.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=679"}],"version-history":[{"count":3,"href":"https:\/\/rotreein.com\/index.php?rest_route=\/wp\/v2\/posts\/679\/revisions"}],"predecessor-version":[{"id":742,"href":"https:\/\/rotreein.com\/index.php?rest_route=\/wp\/v2\/posts\/679\/revisions\/742"}],"wp:attachment":[{"href":"https:\/\/rotreein.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=679"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rotreein.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=679"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rotreein.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=679"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}