OpenVPN with ldap auth and google auth?

How to customize and extend your OpenVPN installation.

Moderators: TinCanTech

englot
OpenVpn Newbie
Posts: 3
Joined: Mon Dec 04, 2017 5:12 pm

OpenVPN with ldap auth and google auth?

Post by englot » Mon Dec 04, 2017 5:18 pm

Hi,

I can't seem to get OpenVPN with LDAP authentication to work with Google Authenticator. Is there a how-to article for this somewhere...

I keep getting an error:
Mon Dec 4 16:58:33 2017 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Dec 4 16:58:33 2017 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Dec 4 16:58:33 2017 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Dec 4 16:58:33 2017 Socket Buffers: R=[87380->87380] S=[16384->16384]
Mon Dec 4 16:58:33 2017 TUN/TAP device tun0 opened
Mon Dec 4 16:58:33 2017 TUN/TAP TX queue length set to 100
Mon Dec 4 16:58:33 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Dec 4 16:58:33 2017 /sbin/ip link set dev tun0 up mtu 1500
Mon Dec 4 16:58:33 2017 /sbin/ip addr add dev tun0 10.250.250.1/24 broadcast 10.250.250.255
Mon Dec 4 16:58:33 2017 GID set to nogroup
Mon Dec 4 16:58:33 2017 UID set to nobody
Mon Dec 4 16:58:33 2017 Listening for incoming TCP connection on [undef]
Mon Dec 4 16:58:33 2017 TCPv4_SERVER link local (bound): [undef]
Mon Dec 4 16:58:33 2017 TCPv4_SERVER link remote: [undef]
Mon Dec 4 16:58:33 2017 MULTI: multi_init called, r=256 v=256
Mon Dec 4 16:58:33 2017 IFCONFIG POOL: base=10.250.250.2 size=252, ipv6=0
Mon Dec 4 16:58:33 2017 IFCONFIG POOL LIST
Mon Dec 4 16:58:33 2017 MULTI: TCP INIT maxclients=1024 maxevents=1028
Mon Dec 4 16:58:33 2017 Initialization Sequence Completed
Mon Dec 4 17:02:37 2017 TCP connection established with [AF_INET]151.237.232.133:44855
Mon Dec 4 17:02:38 2017 151.237.232.133:44855 TLS: Initial packet from [AF_INET]151.237.232.133:44855, sid=33663ceb 075aa5bc
AUTH-PAM: BACKGROUND: user 'test' failed to authenticate: Module is unknown
Mon Dec 4 17:02:40 2017 151.237.232.133:44855 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mon Dec 4 17:02:40 2017 151.237.232.133:44855 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-plugin-auth-pam.so
Mon Dec 4 17:02:40 2017 151.237.232.133:44855 TLS Auth Error: Auth Username/Password verification failed for peer
Mon Dec 4 17:02:41 2017 151.237.232.133:44855 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384
Mon Dec 4 17:02:41 2017 151.237.232.133:44855 Peer Connection Initiated with [AF_INET]151.237.232.133:44855
Mon Dec 4 17:02:43 2017 151.237.232.133:44855 PUSH: Received control message: 'PUSH_REQUEST'
Mon Dec 4 17:02:43 2017 151.237.232.133:44855 Delayed exit in 5 seconds
Mon Dec 4 17:02:43 2017 151.237.232.133:44855 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Mon Dec 4 17:02:44 2017 151.237.232.133:44855 Connection reset, restarting [0]
Mon Dec 4 17:02:44 2017 151.237.232.133:44855 SIGUSR1[soft,connection-reset] received, client-instance restarting

I have one entry in the server.conf file pointing to:

# Google Authenticator PAM configuration
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so /etc/pam.d/openvpn

and the openvpn file:

# BEGIN ANSIBLE MANAGED BLOCK
#openVPN config
auth requisite /lib/security/pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator user=root forward_pass
auth required /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf use_first_pass

No matter what I try to tweak, this doesn't seem to want to authenticate properly...

Can someone please tell me what I am doing wrong here?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN with ldap auth and google auth?

Post by TinCanTech » Mon Dec 04, 2017 6:37 pm

englot wrote:
Mon Dec 04, 2017 5:18 pm
Is there a how to article for this
https://openvpn.net/index.php/open-sour ... .html#auth

englot
OpenVpn Newbie
Posts: 3
Joined: Mon Dec 04, 2017 5:12 pm

Re: OpenVPN with ldap auth and google auth?

Post by englot » Tue Dec 05, 2017 2:43 pm

Thanks for the pointer... But is there a way to split the OTP and password passed by the client? I am unsure how to set this up....

englot
OpenVpn Newbie
Posts: 3
Joined: Mon Dec 04, 2017 5:12 pm

Re: OpenVPN with ldap auth and google auth?

Post by englot » Tue Dec 05, 2017 3:18 pm

I tried specifying two plugins in the server conf. The OTP passed just fine, but the LDAP is crapping out because the OTP code is part of the password or something...
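On the question of splitting the OTP from the password, here is an added example (not part of the thread, and not OpenVPN or plugin code) that separates the two for the forms a client can send in the password field: the password with the code appended, which is what pam_google_authenticator's forward_pass option expects, and the `SCRV1:<base64 password>:<base64 response>` string OpenVPN clients send when `static-challenge` is enabled. The function and exception names are hypothetical, and it assumes 6-digit codes and that the split runs in a server-side verification script before the LDAP bind.

```python
import base64
import binascii
import re

OTP_DIGITS = 6  # assumption: default Google Authenticator code length


class CredentialFormatError(ValueError):
    """The password field could not be split into password and OTP."""


def _b64(field):
    # Strict decoding: reject anything that is not clean base64 / UTF-8.
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise CredentialFormatError("bad base64 in SCRV1 field") from exc


def split_credential(raw):
    """Return (password, otp) from the password field sent by the client."""
    if raw.startswith("SCRV1:"):
        # static-challenge form: SCRV1:<b64 password>:<b64 response>
        parts = raw.split(":")
        if len(parts) != 3:
            raise CredentialFormatError("malformed SCRV1 string")
        password, otp = _b64(parts[1]), _b64(parts[2])
    else:
        # Concatenated form: the trailing OTP_DIGITS characters are the code.
        password, otp = raw[:-OTP_DIGITS], raw[-OTP_DIGITS:]
    # Fail closed: never hand an empty password or a non-numeric code onward.
    if not password or not re.fullmatch(r"[0-9]{%d}" % OTP_DIGITS, otp):
        raise CredentialFormatError("missing password or OTP is not 6 digits")
    return password, otp


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    scrv1 = "SCRV1:%s:%s" % (
        base64.b64encode(b"hunter2pw").decode(),
        base64.b64encode(b"123456").decode(),
    )
    for sample in ("hunter2pw123456", scrv1):
        print(split_credential(sample))
```

Only the first element of the returned pair should go to the LDAP bind; passing the combined string is what makes the directory reject an otherwise correct password.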
