OpenVPN authentication against FreeIPA, SSSD

Scripts which allow the use of special authentication methods (LDAP, AD, MySQL/PostgreSQL, etc).

Moderators: TinCanTech

ODra
OpenVpn Newbie
Posts: 3
Joined: Tue Mar 14, 2017 6:58 pm

OpenVPN authentication against FreeIPA, SSSD

Post by ODra » Tue Mar 14, 2017 8:17 pm

Hello there,

I've been struggling for a while with the OpenVPN setup of authentication against FreeIPA user accounts.
I have 2 servers:

1. FreeIPA main server (CentOS 7)
2. OpenVPN server (Ubuntu 16.04), with freeipa-client configured via

 # ipa-client-install

Both services work out of the box; in this case I'm able to log in as a FreeIPA user locally (e.g. su - freeipauser).

OpenVPN /etc/openvpn/server.conf looks as follows:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh3072.pem
tls-server
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 217.31.204.130"
push "dhcp-option DNS 193.29.206.206"
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
cipher AES-256-CBC
auth SHA384
comp-lzo yes
max-clients 30
user openvpn_server
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3
# the last argument is the PAM service name, i.e. /etc/pam.d/openvpn
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

My /etc/pam.d/openvpn looks like this:

auth    required        pam_unix.so    shadow    nodelay
auth    requisite       pam_succeed_if.so uid >= 1000 quiet
auth    required        pam_tally2.so deny=4 even_deny_root unlock_time=1200
account required        pam_unix.so

And besides all the common parameters, I added

auth-user-pass

to the client.ovpn, so both a TLS certificate and credentials are needed to establish a connection.
The question is how to modify the PAM module to authenticate against FreeIPA users rather than local users (on Ubuntu). Could you give me any hint please?

ODra
OpenVpn Newbie
Posts: 3
Joined: Tue Mar 14, 2017 6:58 pm

Re: OpenVPN authentication against FreeIPA, SSSD

Post by ODra » Thu Mar 16, 2017 9:10 am

*bump*

Guys, seriously no one has any idea or a hint how to do it? :roll:

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN authentication against FreeIPA, SSSD

Post by TinCanTech » Thu Mar 16, 2017 12:07 pm

You could try the openvpn users mailing list ..
But to be honest, I don't think openvpn are the people to ask.

ODra
OpenVpn Newbie
Posts: 3
Joined: Tue Mar 14, 2017 6:58 pm

Re: OpenVPN authentication against FreeIPA, SSSD

Post by ODra » Sun Mar 19, 2017 9:51 pm

Hey,
thanks for the hint. I'll give it a try. I guess the email address is openvpn-users@lists.sourceforge.net.
I think it's more an OpenVPN-related thing than a FreeIPA thing.

andrewm659
OpenVpn Newbie
Posts: 4
Joined: Tue Dec 05, 2017 8:43 pm

Re: OpenVPN authentication against FreeIPA, SSSD

Post by andrewm659 » Wed Dec 06, 2017 5:12 pm

Did you ever get this resolved? I'm trying to do the same thing.

mikolajm
OpenVpn Newbie
Posts: 2
Joined: Fri Mar 16, 2018 12:30 am

Re: OpenVPN authentication against FreeIPA, SSSD

Post by mikolajm » Fri Mar 16, 2018 12:41 am

Hello,

I think I was able to solve this. My configuration is as follows:
- the key thing in '/etc/openvpn/server.conf' is

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

- all I put in '/etc/pam.d/openvpn' is:

@include common-auth
@include common-account
@include common-session

- next I went to the FreeIPA server and added an 'openvpn' service in HBAC Services
- and last I granted proper permissions to the 'openvpn' service in the HBAC Rules.
And that's pretty much all.
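The two pieces of the thread (the original question of how to make the PAM service consult FreeIPA instead of /etc/shadow, and the working answer of a PAM file plus an 'openvpn' HBAC service and rule) fit together in the added example below. It is not code from either poster: it writes an explicit /etc/pam.d/openvpn that uses only pam_sss (the SSSD module, which is what the Ubuntu common-* includes end up calling on an enrolled host), so that no local account can ever satisfy the stack and the account phase enforces the HBAC rule, and it issues the FreeIPA commands that create the HBAC objects. The hostname vpn.example.com, the group vpn-users, the rule name vpn_access and the PAM_DIR/VPN_HOST/VPN_GROUP/RUN_SETUP variables are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from this thread): an explicit /etc/pam.d/openvpn stack
# that authenticates VPN users against FreeIPA through SSSD (pam_sss), plus
# the FreeIPA HBAC objects that authorise the "openvpn" service.
# Assumptions (override via environment): PAM_DIR is where the service file is
# written, VPN_HOST is the OpenVPN server's FQDN as enrolled in FreeIPA, and
# VPN_GROUP is the FreeIPA group allowed to use the VPN.
set -eu

PAM_DIR="${PAM_DIR:-/etc/pam.d}"
VPN_HOST="${VPN_HOST:-vpn.example.com}"   # placeholder hostname
VPN_GROUP="${VPN_GROUP:-vpn-users}"       # placeholder group name

# Write the PAM service named on the plugin line in server.conf
# ("plugin openvpn-plugin-auth-pam.so openvpn"). Only pam_sss is consulted:
# the auth phase verifies the password against the IPA KDC via SSSD, and the
# account phase is where SSSD evaluates the HBAC rules for service "openvpn".
# Local /etc/shadow accounts are never considered because pam_unix is absent.
write_pam_service() {
    cat > "$PAM_DIR/openvpn" <<'EOF'
# PAM service for openvpn-plugin-auth-pam.so (service name "openvpn")
auth     required   pam_env.so
auth     required   pam_sss.so
account  required   pam_sss.so
EOF
    chmod 0644 "$PAM_DIR/openvpn"
}

# Succeeds (exit 0) only if the stack has pam_sss in both the auth and the
# account phase and pulls in neither pam_unix nor any @include file, i.e. the
# modules that decide a login are exactly the ones visible in this file.
check_pam_service() {
    f="$PAM_DIR/openvpn"
    grep -Eq '^auth[[:space:]]+(required|requisite)[[:space:]]+pam_sss\.so' "$f" &&
    grep -Eq '^account[[:space:]]+(required|requisite)[[:space:]]+pam_sss\.so' "$f" &&
    ! grep -Eq 'pam_unix\.so|^@include' "$f"
}

# FreeIPA side, run on an enrolled host with an admin ticket (kinit admin):
# register the PAM service name as an HBAC service and allow VPN_GROUP to use
# it on VPN_HOST. While the default "allow_all" rule is enabled this rule adds
# nothing; disable allow_all to make HBAC actually restrict access.
configure_hbac() {
    ipa hbacsvc-add openvpn --desc="OpenVPN auth-pam service"
    ipa hbacrule-add vpn_access --desc="Members of $VPN_GROUP may log in to OpenVPN"
    ipa hbacrule-add-service vpn_access --hbacsvcs=openvpn
    ipa hbacrule-add-host vpn_access --hosts="$VPN_HOST"
    ipa hbacrule-add-user vpn_access --groups="$VPN_GROUP"
}

# Evaluate the rules for one user without touching the VPN server; the
# output reports which rules matched and whether access is granted.
test_hbac() {
    ipa hbactest --user="$1" --host="$VPN_HOST" --service=openvpn
}

# Run the setup only when explicitly asked (RUN_SETUP=1), so the functions
# above can be sourced and checked on their own.
if [ "${RUN_SETUP:-0}" = 1 ]; then
    write_pam_service
    check_pam_service
    command -v ipa >/dev/null 2>&1 && configure_hbac
    sss_cache -E   # drop cached HBAC rules on the VPN host so the new rule applies
fi
```

Running test_hbac with a user who is not in the group should report "Access denied" once allow_all is disabled; that check, together with check_pam_service, is a direct answer to the "is that secure?" question above, because it shows exactly which modules and which directory rule decide a VPN login.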

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN authentication against FreeIPA, SSSD

Post by TinCanTech » Fri Mar 16, 2018 2:18 am

Are you sure that is secure? .. it looks awfully common to me.

mikolajm
OpenVpn Newbie
Posts: 2
Joined: Fri Mar 16, 2018 12:30 am

Re: OpenVPN authentication against FreeIPA, SSSD

Post by mikolajm » Fri Mar 16, 2018 10:05 am

I'm pretty sure that is secure, but of course I might be wrong. Do you have anything specific in mind that is insecure in my configuration?
