Tuesday, 24 September 2019

openvpn_auth

Flexible OpenVPN authentication server and vpn client configuration tools.

WHAT IS INSIDE THIS PACKAGE?

  1. OpenVPN authentication server and client (openvpn_authd.pl)
  2. OpenVPN server add-on for dynamically configuring clients from LDAP directory

COMPONENTS

OpenVPN authentication server

This package contains an authentication server and client for the excellent OpenVPN (http://www.openvpn.net)
VPN userland daemon. Currently you can authenticate your openvpn client using the following authentication backends:
  • LDAP
  • Kerberos5
  • any SQL database supported by perl DBI driver
  • IMAPv4 server
  • POP3 server
  • plain file containing passwords
  • SASL library
  • PAM library
  • Radius service
  • custom certificate validation algorithm.

SYSTEM REQUIREMENTS

  • perl (authentication server is written in perl)
  • c compiler (for compiling authentication client)
You can install missing perl modules using your operating system package manager or by running the following command:

perl -MCPAN -e 'install '

Required perl modules:
  • Log::Log4perl – for highly configurable logging
  • Log::Dispatch – Log4perl drivers
  • Net::Server – for simple and reliable network server infrastructure
Optional modules:
  • Net::LDAP – for ldap backend
  • IO::Socket::SSL – for providing secure transport for the LDAP, IMAP and POP3 backends
  • DBI and corresponding DBI module – for DBI/SQL backend
  • Authen::Krb5::Simple – for Kerberos5 backend
  • Authen::SASL – for sasl bind support in LDAP backend
  • Authen::SASL::Cyrus – for SASL backend
  • Authen::PAM – for PAM backend
  • Authen::Radius – for Radius backend
Optional password validation perl modules:
These modules are used by the File and DBI backends, and possibly by the LDAP backend
when using the ‘pass_attr’ authentication method.
  • Crypt::PasswdMD5 – for validating md5 hashed crypt(3) passwords
  • Digest::MD5 – for validating md5 string hashes
  • Digest::SHA1 – for validation of sha1 string hashes
  • Crypt::SmbHash – for validation of ntlm hashes
  • Digest::Tiger – for validation of Tiger string hashes
  • Digest::Whirlpool – for validation of Whirlpool string hashes

INSTALLATION

  • Install, configure & test openvpn daemon (I guess you already did that)
  • Unpack openvpn_authd (I guess you already did that too)
  • Compile openvpn_authc

 cd "c" && make
  • Create default configuration file

 ./bin/openvpn_authd.pl --default-conf > ./etc/openvpn_authd.conf
  • List supported authentication backends

 ./bin/openvpn_authd.pl --list
  • Read authentication backend documentation

 ./bin/openvpn_authd.pl --doc 
  • Adjust your configuration file

 vi ./etc/openvpn_authd.conf
  • Start server in non daemon and debug mode

 ./openvpn_authd.pl --no-daemon --debug
  • Create file with username and password

 echo "joe" > /tmp/sample_auth.txt
 echo "joes_password" >> /tmp/sample_auth.txt
  • Create & adjust openvpn_authc configuration file

 ./bin/openvpn_authc --default-config > /etc/openvpn_authc.conf
 vi /etc/openvpn_authc.conf
  • Check if everything works…

 export common_name="someuser.example.org"
 export untrusted_ip="1.2.3.4"
 export untrusted_port="3456"
 export script_type="auth-user-pass-verify"

 ./bin/openvpn_authc -v /tmp/sample_auth.txt
  • Doesn’t work? Check your syslog, there’s a lot of debug output…
  • Works? Hooray, configure your openvpn daemon to use openvpn_authc:

 # /etc/openvpn/openvpn-server.conf
 # use external additional authentication
 # using openvpn_authd
 auth-user-pass-verify /path/to/openvpn_authd/bin/openvpn_authc via-file
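The check in the previous step exercises the contract between OpenVPN and the auth-user-pass-verify script: OpenVPN writes a temporary file (username on line 1, password on line 2), passes its path as the first argument, and exports common_name, untrusted_ip, untrusted_port and script_type; exit status 0 accepts the login and anything else rejects it. The following shell script is an added example, not code from the openvpn_auth package. It stands in for openvpn_authc with a local lookup against a hypothetical "user:sha256hex" file (the real client forwards the request to openvpn_authd and its backends), so that the protocol, the input validation and the expected exit codes can be seen in one place. The function names, the credential file format and the sample users are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of openvpn_auth: a minimal auth-user-pass-verify
# handler in "via-file" mode, showing the contract openvpn_authc fulfils.
# The credential store is a hypothetical "user:sha256hex" text file that
# stands in for the real backends (LDAP, Kerberos, ...) behind openvpn_authd.

# Hex SHA-256 of a string (coreutils sha256sum, or shasum on BSD/macOS).
hash_password() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# verify_via_file VIAFILE STORE  ->  returns 0 (accept) or 1 (reject)
verify_via_file() {
    viafile="$1"
    store="$2"

    # Only honour the script type this handler is written for.
    [ "${script_type:-}" = "auth-user-pass-verify" ] || return 1
    [ -f "$viafile" ] || return 1

    # via-file layout: line 1 username, line 2 password.
    username=$(sed -n '1p' "$viafile")
    password=$(sed -n '2p' "$viafile")
    [ -n "$username" ] && [ -n "$password" ] || return 1

    # Reject usernames outside a conservative character set before the
    # value reaches a lookup or a log line.
    case "$username" in
        *[!A-Za-z0-9._@-]*) return 1 ;;
    esac

    # Exact match on the first field; passing the name with -v keeps any
    # regex metacharacters in it from being interpreted.
    expected=$(awk -F: -v u="$username" '$1 == u { print $2; exit }' "$store")
    [ -n "$expected" ] || return 1

    [ "$(hash_password "$password")" = "$expected" ] || return 1

    # The same connection details openvpn_authc passes on to the daemon.
    printf 'accepted %s cn=%s from %s:%s\n' "$username" \
        "${common_name:-?}" "${untrusted_ip:-?}" "${untrusted_port:-?}" >&2
    return 0
}

# Stand-alone demonstration with constructed files, using the sample user
# and password from the installation steps above.
demo() {
    d_store=$(mktemp)
    d_via=$(mktemp)
    printf 'joe:%s\n' "$(hash_password joes_password)" > "$d_store"
    export script_type="auth-user-pass-verify"
    export common_name="someuser.example.org" untrusted_ip="1.2.3.4" untrusted_port="3456"

    printf 'joe\njoes_password\n' > "$d_via"
    if verify_via_file "$d_via" "$d_store"; then echo "correct password: accepted"; fi

    printf 'joe\nwrong\n' > "$d_via"
    verify_via_file "$d_via" "$d_store" || echo "wrong password: rejected"

    rm -f "$d_store" "$d_via"
}
demo
```

When debugging the real setup, the same environment variables exported in the check step above are what this script reads; if script_type is missing or the via-file is empty the handler rejects rather than guessing, which is the behaviour you want from anything wired into auth-user-pass-verify.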

Chroot install

This ad-hoc section explains how to chroot openvpn and openvpn_authd.
You don’t have to do this, and you can chroot only openvpn and not
openvpn_authd, but the best way is to chroot both of them (openvpn_authd was designed from scratch to run in a chroot).
  • Create openvpn chroot directory (see OPENVPN_CHROOT_STRUCTURE.TXT)
  • Create openvpn_authd chroot structure (see OPENVPN_AUTHD_CHROOT_STRUCTURE.TXT)
  • Configure your syslogd (or even better, syslog-ng) to put listening sockets in BOTH chroots
  • Restart syslogd :)
  • Compile openvpn_authc statically

 cd c && make static
  • Reconfigure your openvpn to chroot (see samples/openvpn-server-chroot.conf)
  • Reconfigure openvpn_authd to put listening socket to openvpn chroot
    (you don’t need to do this if openvpn_authd is listening at tcp address)
  • Edit /etc/openvpn_authc.conf and set the hostname directive
  • Put the statically compiled openvpn_authc binary into the chroot’s /bin
  • Put the /bin/sh file into the chroot’s /bin and the libraries /bin/sh links against into its /lib(64)

 # ldd ../bin/sh
        libtermcap.so.2 => /lib64/libtermcap.so.2 (0x00002b636bf5c000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00002b636c05f000)
        libc.so.6 => /lib64/libc.so.6 (0x00002b636c163000)
        /lib64/ld-linux-x86-64.so.2 (0x00002b636be3c000)
  • Restart openvpn and openvpn_authd && test configuration
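Copying /bin/sh and its libraries into the chroot, as the ldd listing above shows, is the one step that is easy to get subtly wrong (a missed library means the auth script silently fails to start inside the chroot). The following shell functions are an added example, not part of openvpn_auth: they parse ldd's output into absolute paths and copy a binary plus every listed library to the same path under a chroot directory. The function names are constructed for this example; the sample ldd text is the listing from the notes above.

```shell
#!/bin/sh
# Added example, not part of openvpn_auth: populate a chroot with a binary
# and the shared libraries ldd reports for it.

# Read ldd output on stdin and print one absolute library path per line.
# Handles both forms seen in the listing above:
#   libc.so.6 => /lib64/libc.so.6 (0x...)   -> third field
#   /lib64/ld-linux-x86-64.so.2 (0x...)     -> first field
# and skips virtual entries such as "linux-vdso.so.1 => (0x...)".
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }'
}

# install_into_chroot CHROOT BINARY
# Copies BINARY to CHROOT/bin and each library ldd lists to the same
# absolute path under CHROOT (so /lib64/libc.so.6 lands in CHROOT/lib64).
# Symlinked libraries are copied as regular files, which the loader accepts.
install_into_chroot() {
    chroot_dir="$1"
    binary="$2"
    [ -d "$chroot_dir" ] || return 1
    [ -x "$binary" ] || return 1

    mkdir -p "$chroot_dir/bin"
    cp "$binary" "$chroot_dir/bin/"

    # A statically linked binary (make static) makes ldd print
    # "not a dynamic executable" and no paths, so nothing is copied.
    ldd "$binary" 2>/dev/null | ldd_paths | while IFS= read -r lib; do
        [ -e "$lib" ] || continue
        mkdir -p "$chroot_dir$(dirname "$lib")"
        cp "$lib" "$chroot_dir$lib"
    done
    return 0
}

# Constructed sample input: the ldd listing for /bin/sh shown above.
SAMPLE_LDD='        libtermcap.so.2 => /lib64/libtermcap.so.2 (0x00002b636bf5c000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00002b636c05f000)
        libc.so.6 => /lib64/libc.so.6 (0x00002b636c163000)
        /lib64/ld-linux-x86-64.so.2 (0x00002b636be3c000)'

# Show the paths the sample parses to, then do a real copy into a
# throwaway directory to demonstrate the layout.
printf '%s\n' "$SAMPLE_LDD" | ldd_paths
scratch=$(mktemp -d)
install_into_chroot "$scratch" /bin/sh && find "$scratch" -type f
rm -rf "$scratch"
```

Run the real copy against your actual chroot directory and then verify with `chroot /path/to/chroot /bin/sh -c 'echo ok'` before restarting openvpn; a missing library shows up there immediately instead of as a failed login later.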

OpenVPN client configuration

This package implements a script which can be used as an openvpn server
--client-connect script, or can be used for periodic generation of client configuration files.

HOWTO

  • Create default configuration file.

 ./openvpnClientConnectLDAP --default-config
  • Change the configuration to suit your needs
  • Run it on a regular basis to create the client configuration file, OR add client-connect /path/to/openvpnClientConnectLDAP.pl to your openvpn server configuration file.
