Flexible OpenVPN authentication server and vpn client configuration tools.
WHAT IS INSIDE THIS PACKAGE?
- OpenVPN authentication server and client (openvpn_authd.pl)
- OpenVPN server add-on for dynamically configuring clients from LDAP directory
COMPONENTS
OpenVPN authentication server
This package contains an authentication server and client for the excellent OpenVPN (http://www.openvpn.net) VPN userland daemon. Currently you can authenticate your OpenVPN clients using the following authentication backends:
- LDAP
- Kerberos5
- any SQL database supported by perl DBI driver
- IMAPv4 server
- POP3 server
- plain file containing passwords
- SASL library
- PAM library
- Radius service
- custom certificate validation algorithm.
SYSTEM REQUIREMENTS
- perl (authentication server is written in perl)
- c compiler (for compiling authentication client)
You can install missing perl modules using your operating
system package manager or by running the following command (substitute the module name):
perl -MCPAN -e 'install <Module::Name>'
Required perl modules:
- Log::Log4perl – for highly configurable logging
- Log::Dispatch – Log4perl drivers
- Net::Server – for simple and reliable network server infrastructure
Optional modules:
- Net::LDAP – for ldap backend
- IO::Socket::SSL – for providing secure transport for LDAP, IMAP and POP3 backends
- DBI and corresponding DBI module – for DBI/SQL backend
- Authen::Krb5::Simple – for Kerberos5 backend
- Authen::SASL – for sasl bind support in LDAP backend
- Authen::SASL::Cyrus – for SASL backend
- Authen::PAM – for PAM backend
- Authen::Radius – for Radius backend
Optional password validation perl modules:
These modules are used by the File and DBI backends, and possibly by the LDAP backend
when using the ‘pass_attr’ authentication method.
- Crypt::PasswdMD5 – for validating md5 hashed crypt(3) passwords
- Digest::MD5 – for validating md5 string hashes
- Digest::SHA1 – for validation of sha1 string hashes
- Crypt::SmbHash – for validation of ntlm hashes
- Digest::Tiger – for validation of Tiger string hashes
- Digest::Whirlpool – for validation of Whirlpool string hashes
INSTALLATION
- Install, configure & test the openvpn daemon (I guess you already did that)
- Unpack openvpn_authd (I guess you already did that too)
- Compile openvpn_authc
cd "c" && make
- Create default configuration file
./bin/openvpn_authd.pl --default-conf > ./etc/openvpn_authd.conf
- List supported authentication backends
./bin/openvpn_authd.pl --list
- Read authentication backend documentation
./bin/openvpn_authd.pl --doc
- Adjust your configuration file
vi ./etc/openvpn_authd.conf
- Start the server in non-daemon and debug mode
./openvpn_authd.pl --no-daemon --debug
- Create file with username and password
echo "joe" > /tmp/sample_auth.txt
echo "joes_password" >> /tmp/sample_auth.txt
- Create & adjust openvpn_authc configuration file
./bin/openvpn_authc --default-config > /etc/openvpn_authc.conf
vi /etc/openvpn_authc.conf
- Check if everything works…
export common_name="someuser.example.org"
export untrusted_ip="1.2.3.4"
export untrusted_port="3456"
export script_type="auth-user-pass-verify"
./bin/openvpn_authc -v /tmp/sample_auth.txt
- Doesn’t work? Check your syslog, there’s a lot of debug output…
- Works? Hooray, configure your openvpn daemon to use openvpn_authc:
# /etc/openvpn/openvpn-server.conf
# use external additional authentication
# using openvpn_authd
auth-user-pass-verify /path/to/openvpn_authd/bin/openvpn_authc via-file
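The test step above exercises the contract OpenVPN has with any auth-user-pass-verify script in via-file mode: OpenVPN writes the username on line 1 and the password on line 2 of a temporary file, passes that file's path as the single argument, exports common_name, untrusted_ip, untrusted_port and script_type in the environment, and treats exit status 0 as "authenticated" and anything else as "rejected". The following is an added example of such a hook written in Python; it is not code from openvpn_authd or openvpn_authc. The credential store and its "{SCHEME}hexdigest" layout are constructed for the demo and are not openvpn_authd's file format; the string hashes are the kind of value the Digest::MD5 / Digest::SHA1 modules listed above validate.

```python
"""Added example: a minimal OpenVPN auth-user-pass-verify hook (via-file mode)."""
import hashlib
import hmac
import os
import sys

# Constructed credential store (hypothetical "{SCHEME}hexdigest" layout, NOT
# openvpn_authd's own file format).  Built at import time for the demo only.
CREDENTIALS = {
    "joe": "{SHA1}" + hashlib.sha1(b"joes_password").hexdigest(),
    "alice": "{MD5}" + hashlib.md5(b"alice_password").hexdigest(),
}

DIGEST_BY_SCHEME = {"SHA1": "sha1", "MD5": "md5"}
HEXCHARS = set("0123456789abcdef")


def parse_via_file(text):
    """Parse the two-line via-file body into (username, password).

    Only line separators are removed; a password may legitimately begin or
    end with whitespace, so nothing is stripped from the lines themselves.
    """
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("via-file must contain a username line and a password line")
    return lines[0], lines[1]


def read_via_file(path):
    """Read the temporary file OpenVPN hands to the script as argv[1]."""
    with open(path, "r", encoding="utf-8") as fh:
        return parse_via_file(fh.read())


def verify_password(stored, candidate):
    """Check candidate against one '{SCHEME}hexdigest' entry, in constant time."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, digest = stored[1:].split("}", 1)
    digest = digest.lower()
    algo = DIGEST_BY_SCHEME.get(scheme.upper())
    if algo is None or not digest or not set(digest) <= HEXCHARS:
        return False  # unknown scheme or malformed digest: fail closed
    computed = hashlib.new(algo, candidate.encode("utf-8")).hexdigest()
    # compare_digest does not short-circuit on the first mismatching character.
    return hmac.compare_digest(computed, digest)


def authenticate(username, password, store=CREDENTIALS):
    """Return True only for a known user whose password matches."""
    stored = store.get(username)
    if stored is None:
        # Hash anyway so unknown and known usernames take comparable time.
        hashlib.sha1(password.encode("utf-8")).hexdigest()
        return False
    return verify_password(stored, password)


def openvpn_context(environ=None):
    """Collect the variables OpenVPN exports to the hook (used for logging)."""
    env = os.environ if environ is None else environ
    return {key: env.get(key, "") for key in
            ("common_name", "untrusted_ip", "untrusted_port", "script_type")}


def main(argv):
    if len(argv) != 2:
        print("usage: auth_hook.py <via-file>", file=sys.stderr)
        return 1
    ctx = openvpn_context()
    if ctx["script_type"] not in ("", "auth-user-pass-verify"):
        return 1  # invoked as some other hook type: refuse
    try:
        user, password = read_via_file(argv[1])
    except (OSError, ValueError) as exc:
        print("auth error: %s" % exc, file=sys.stderr)
        return 1
    ok = authenticate(user, password)
    # Log the outcome, never the password.
    print("auth %s user=%r cn=%r from=%s:%s" % (
        "ok" if ok else "FAILED", user, ctx["common_name"],
        ctx["untrusted_ip"], ctx["untrusted_port"]), file=sys.stderr)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it exactly as the test step above runs openvpn_authc, with the same exported variables and /tmp/sample_auth.txt as the argument; the exit status is what OpenVPN acts on. The fail-closed branches matter more than the happy path: an unknown hash scheme, a malformed entry or a file with fewer than two lines all reject rather than guess.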
Chroot install
This ad-hoc document section explains how to chroot openvpn and openvpn_authd.
You don’t need to do this, or you can chroot only openvpn and not
openvpn_authd, but the best way is to chroot both of them (openvpn_authd was designed to run in a chroot from scratch).
- Create openvpn chroot directory (see OPENVPN_CHROOT_STRUCTURE.TXT)
- Create openvpn_authd chroot structure (see OPENVPN_AUTHD_CHROOT_STRUCTURE.TXT)
- Configure your syslogd (or even better, syslog-ng) to put listening sockets in BOTH chroots
- Restart syslogd :)
- Compile openvpn_authc statically
cd c && make static
- Reconfigure your openvpn to chroot (see samples/openvpn-server-chroot.conf)
- Reconfigure openvpn_authd to put listening socket to openvpn chroot
(you don’t need to do this if openvpn_authd is listening at tcp address)
- Edit /etc/openvpn_authc.conf and set directive hostname
- Put statically compiled openvpn_authc binary into /bin
- Put /bin/sh file into /bin and /bin/sh linked libraries into /lib(64)
# ldd ../bin/sh
libtermcap.so.2 => /lib64/libtermcap.so.2 (0x00002b636bf5c000)
libdl.so.2 => /lib64/libdl.so.2 (0x00002b636c05f000)
libc.so.6 => /lib64/libc.so.6 (0x00002b636c163000)
/lib64/ld-linux-x86-64.so.2 (0x00002b636be3c000)
- Restart openvpn and openvpn_authd && test configuration
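The two "put the binary and its libraries into the chroot" steps above are where chroot setups usually go wrong: a library reported by ldd is missed, or a symlink is copied instead of the file it points to. Below is an added Python helper (not part of openvpn_authd) that parses ldd output and copies a binary plus every library ldd resolves for it into a chroot, preserving absolute paths so /lib64/libc.so.6 lands at <chroot>/lib64/libc.so.6. The ldd text shown above is reused as the constructed sample input; the chroot location and the use of plain "ldd" on PATH are assumptions.

```python
"""Added example: populate a chroot with a binary and the shared libraries ldd reports."""
import os
import shutil
import subprocess

# The ldd output shown on the page, reused here as constructed sample input.
SAMPLE_LDD = (
    "\tlibtermcap.so.2 => /lib64/libtermcap.so.2 (0x00002b636bf5c000)\n"
    "\tlibdl.so.2 => /lib64/libdl.so.2 (0x00002b636c05f000)\n"
    "\tlibc.so.6 => /lib64/libc.so.6 (0x00002b636c163000)\n"
    "\t/lib64/ld-linux-x86-64.so.2 (0x00002b636be3c000)\n"
)


def parse_ldd(text):
    """Return (library_paths, unresolved_names) from ldd output.

    Line shapes handled:
      'name => /path (addr)'    -> take /path
      '/path (addr)'            -> the dynamic loader itself, take /path
      'linux-vdso.so.1 (addr)'  -> kernel vDSO, no file on disk, skip
      'name => not found'       -> reported as unresolved; the chroot would
                                   fail at run time if this were ignored
    Order is preserved and duplicates are dropped.
    """
    paths, missing = [], []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if "=>" in fields:
            idx = fields.index("=>")
            target = fields[idx + 1] if idx + 1 < len(fields) else ""
            if not target.startswith("/"):
                missing.append(fields[0])
                continue
            candidate = target
        elif fields[0].startswith("/"):
            candidate = fields[0]
        else:
            continue
        if candidate not in paths:
            paths.append(candidate)
    return paths, missing


def chroot_path(src, chroot):
    """Map an absolute host path onto the same path under the chroot."""
    return os.path.join(chroot, src.lstrip("/"))


def copy_into_chroot(src, chroot):
    """Copy one file into the chroot, creating parent directories as needed."""
    dest = chroot_path(src, chroot)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    # copy2 follows symlinks, so the real file (not a dangling link) is copied,
    # and it keeps the mode bits, so /bin/sh stays executable.
    shutil.copy2(src, dest)
    return dest


def populate_chroot(binary, chroot):
    """Copy binary and its shared libraries into chroot; returns destination paths."""
    copied = [copy_into_chroot(binary, chroot)]
    proc = subprocess.run(["ldd", binary], capture_output=True, text=True)
    if proc.returncode != 0:
        # A statically linked binary (as 'make static' produces) has no shared
        # dependencies: ldd reports "not a dynamic executable" and exits non-zero.
        return copied
    libs, missing = parse_ldd(proc.stdout)
    if missing:
        raise RuntimeError("unresolved libraries for %s: %s" % (binary, ", ".join(missing)))
    for lib in libs:
        copied.append(copy_into_chroot(lib, chroot))
    return copied


if __name__ == "__main__":
    import sys
    # usage: python3 populate_chroot.py /bin/sh /path/to/openvpn/chroot
    for dest in populate_chroot(sys.argv[1], sys.argv[2]):
        print(dest)
```

Unresolved libraries are an error rather than a warning on purpose: a chroot that is missing one library fails only when openvpn first tries to run the hook, which is the worst time to find out.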
OpenVPN client configuration
This package implements a script which can be used as an openvpn server
--client-connect script, or for periodic generation of client configuration files.
HOWTO
- Create default configuration file.
./openvpnClientConnectLDAP --default-config
- Change the configuration to suit your needs
- Run it on a regular basis to create client configuration files, OR set client-connect /path/to/openvpnClientConnectLDAP.pl in your openvpn server configuration file.