OpenVPN authentication against FreeIPA, SSSD

Posted: Tue Mar 14, 2017 8:17 pm
by ODra
Hello there,

I've been struggling for a while with setting up OpenVPN authentication against FreeIPA user accounts.
I have 2 servers:
  1. FreeIPA main server (CentOS 7)
  2. OpenVPN server (Ubuntu 16.04), with freeipa-client configured via

Code:

# ipa-client-install

Both services work out of the box; in this case I'm able to log in as a FreeIPA user locally (e.g. su - freeipauser).
Ovpn /etc/openvpn/server.conf looks as follows:

Code:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh3072.pem
tls-server
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 217.31.204.130"
push "dhcp-option DNS 193.29.206.206"
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
cipher AES-256-CBC
auth SHA384
comp-lzo yes
max-clients 30
user openvpn_server
group nogroup
persist-key
persist-tun
status openvpn-status.log
log          /var/log/openvpn.log
verb 3
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

My /etc/pam.d/openvpn looks like this:

Code:

auth    required        pam_unix.so    shadow    nodelay
auth    requisite       pam_succeed_if.so uid >=1000 quiet
auth    required        pam_tally2.so deny=4 even_deny_root unlock_time=1200
account required        pam_unix.so

And besides all the common parameters, I added

Code:

auth-user-pass

to the client.ovpn, so both a TLS certificate and credentials are needed to establish a connection.
The question is how to modify the PAM configuration to authenticate against FreeIPA users rather than local users (on Ubuntu). Could you give me any hint please?

Re: OpenVPN authentication against FreeIPA, SSSD

Posted: Thu Mar 16, 2017 9:10 am
by ODra
*bump*

Guys, seriously no one has any idea or a hint how to do it? :roll:

Re: OpenVPN authentication against FreeIPA, SSSD

Posted: Thu Mar 16, 2017 12:07 pm
by TinCanTech
You could try the openvpn users mailing list ..
But to be honest, I don't think openvpn are the people to ask.

Re: OpenVPN authentication against FreeIPA, SSSD

Posted: Sun Mar 19, 2017 9:51 pm
by ODra
Hey,
thanks for the hint. I'll give it a try. I guess the email address is openvpn-users@lists.sourceforge.net.
I think it's more an OpenVPN-related thing than a FreeIPA thing.

Re: OpenVPN authentication against FreeIPA, SSSD

Posted: Wed Dec 06, 2017 5:12 pm
by andrewm659
Did you ever get this resolved? I'm trying to do the same thing.

Re: OpenVPN authentication against FreeIPA, SSSD

Posted: Fri Mar 16, 2018 12:41 am
by mikolajm
Hello,

I think I was able to solve this. My configuration is as follows:
- the key thing in '/etc/openvpn/server.conf' is

Code:

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

- all I put in '/etc/pam.d/openvpn' is:

Code:

@include common-auth
@include common-account
@include common-session

- next I went to the FreeIPA server and added an 'openvpn' service in HBAC Services
- and last I granted proper permissions to the 'openvpn' service in the HBAC Rules.
And that's pretty much all.

Re: OpenVPN authentication against FreeIPA, SSSD

Posted: Fri Mar 16, 2018 2:18 am
by TinCanTech
Are you sure that is secure? .. it looks awfully common to me.

Re: OpenVPN authentication against FreeIPA, SSSD

Posted: Fri Mar 16, 2018 10:05 am
by mikolajm
I'm pretty sure that is secure, but of course I might be wrong. Do you have anything specific in mind that is insecure in my configuration?
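One way to answer the "is it secure?" question above without guessing is to verify that the PAM stack OpenVPN hands credentials to actually reaches SSSD. The script below is an added example, not code posted in this thread: it expands Ubuntu-style "@include" lines and checks that pam_sss.so is present in both the auth and the account phase (the account phase is where SSSD enforces the FreeIPA HBAC rule from the accepted answer). The sample PAM files it creates are constructed for the demo; the real check runs against /etc/pam.d.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks that the PAM service file
# OpenVPN uses (/etc/pam.d/openvpn) really reaches SSSD via pam_sss.so in
# BOTH the auth and account phases, resolving Ubuntu-style "@include" lines.
# The account phase is where pam_sss enforces FreeIPA HBAC rules, so a stack
# that only lists pam_unix.so (the first post) never consults FreeIPA at all.

# Print a PAM file with its @include lines expanded one level.
# $1 = PAM service file, $2 = directory holding the included files (/etc/pam.d)
expand_pam() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            @include*)
                inc=$(printf '%s' "${line#@include}" | tr -d ' \t')
                [ -r "$2/$inc" ] && cat "$2/$inc" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# Exit status 0 only when pam_sss.so appears in the auth AND account phases.
pam_stack_uses_sss() {
    stack=$(expand_pam "$1" "$2" | grep -v '^[[:space:]]*#' || true)
    printf '%s\n' "$stack" | grep -Eq '^[[:space:]]*auth[[:space:]].*pam_sss\.so' || return 1
    printf '%s\n' "$stack" | grep -Eq '^[[:space:]]*account[[:space:]].*pam_sss\.so' || return 1
}

# Demo on constructed files: a stack like the accepted answer (including what
# ipa-client-install leaves in common-auth/common-account on Ubuntu) versus
# the pam_unix-only stack from the first post. Returns 0 if both behave as expected.
demo() {
    d=$(mktemp -d) || return 1
    printf 'auth sufficient pam_sss.so forward_pass\nauth required pam_unix.so try_first_pass\n' > "$d/common-auth"
    printf 'account [default=bad success=ok user_unknown=ignore] pam_sss.so\naccount required pam_unix.so\n' > "$d/common-account"
    printf '@include common-auth\n@include common-account\n@include common-session\n' > "$d/openvpn-sssd"
    printf 'auth required pam_unix.so shadow nodelay\naccount required pam_unix.so\n' > "$d/openvpn-local"
    rc=1
    if pam_stack_uses_sss "$d/openvpn-sssd" "$d" && ! pam_stack_uses_sss "$d/openvpn-local" "$d"; then
        rc=0
    fi
    rm -rf "$d"
    return $rc
}

demo && echo "openvpn-sssd reaches pam_sss in auth+account; openvpn-local does not"
```

This covers only the PAM side on the VPN host; on the FreeIPA server, `ipa hbactest --user=<user> --host=<vpn host> --service=openvpn` shows whether the HBAC rule from the post actually allows that user.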