Configuration Yubikey with OpenVPN
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVpn Newbie
- Posts: 5
- Joined: Fri Jul 31, 2020 7:33 am
Configuration Yubikey with OpenVPN
Hello everyone,
I have OpenVPN 2.4.7 on Debian 10.
The authentication with certificates is working.
To add more security, I want to configure my service with Yubikey.
I followed this procedure https://developers.yubico.com/yubico-pa ... a_PAM.html without FreeRADIUS and it's not working.
I contacted the Yubikey support directly and they reproduced the problem on Ubuntu.
Finally they told me the problem came from OpenVPN.
Has anybody configured 2FA with Yubikey successfully?
-
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Configuration Yubikey with OpenVPN
-
- OpenVpn Newbie
- Posts: 5
- Joined: Fri Jul 31, 2020 7:33 am
Re: Configuration Yubikey with OpenVPN
Hello,
I want to configure an OpenVPN server (open source, v2.4.7) with Yubikeys.
So, I installed OpenVPN, configured the first client and tested the connection with simple certificate authentication; it works.
After that, I followed the procedure https://developers.yubico.com/yubico-pa ... a_PAM.html to install the Yubikey PAM module without FreeRADIUS. I installed and configured the PAM files like this:
/etc/pam.d/yubi-pam
Code:
auth sufficient pam_yubico.so id=xxx key=xxx authfile=/etc/yubikey_mappings
account required pam_yubico.so
debug debug_file=/var/log/pam_yubico.log
/etc/yubikey_mapping
Code:
user: ccc.....
/etc/pam.d/openvpn-pam
Code:
auth required yubi-pam.so authfile=/etc/yubikey_mappings id=xxxx debug
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
I added these lines in my OpenVPN configuration:
Code:
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
username-as-common-name
On my client configuration, I added the line:
Code:
auth-user-pass
And I started the connection. The VPN client asks me for the Yubikey and for my certificate password. After a few seconds, the authentication fails.
You can see the server logs:
Code:
Mon Aug 3 10:00:39 2020 us=352502 MULTI: multi_create_instance called
Mon Aug 3 10:00:39 2020 us=352724 @IP-CLIENT:49509 Re-using SSL/TLS context
Mon Aug 3 10:00:39 2020 us=353080 @IP-CLIENT:49509 Control Channel MTU parms [ L:1621 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Mon Aug 3 10:00:39 2020 us=353119 @IP-CLIENT:49509 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Mon Aug 3 10:00:39 2020 us=353182 @IP-CLIENT:49509 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Mon Aug 3 10:00:39 2020 us=353190 @IP-CLIENT:49509 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Mon Aug 3 10:00:39 2020 us=353227 @IP-CLIENT:49509 TLS: Initial packet from [AF_INET]@IP-CLIENT:49509, sid=2e9b1913 b78ad8fc
Mon Aug 3 10:00:39 2020 us=472635 @IP-CLIENT:49509 VERIFY OK: depth=1, CN=OpenVPN CA
Mon Aug 3 10:00:39 2020 us=472964 @IP-CLIENT:49509 VERIFY OK: depth=0, CN=user
Mon Aug 3 10:00:39 2020 us=531641 @IP-CLIENT:49509 peer info: IV_VER=2.4.8
Mon Aug 3 10:00:39 2020 us=531731 @IP-CLIENT:49509 peer info: IV_PLAT=win
Mon Aug 3 10:00:39 2020 us=531796 @IP-CLIENT:49509 peer info: IV_PROTO=2
Mon Aug 3 10:00:39 2020 us=531831 @IP-CLIENT:49509 peer info: IV_NCP=2
Mon Aug 3 10:00:39 2020 us=531864 @IP-CLIENT:49509 peer info: IV_LZ4=1
Mon Aug 3 10:00:39 2020 us=531898 @IP-CLIENT:49509 peer info: IV_LZ4v2=1
Mon Aug 3 10:00:39 2020 us=531930 @IP-CLIENT:49509 peer info: IV_LZO=1
Mon Aug 3 10:00:39 2020 us=531962 @IP-CLIENT:49509 peer info: IV_COMP_STUB=1
Mon Aug 3 10:00:39 2020 us=531996 @IP-CLIENT:49509 peer info: IV_COMP_STUBv2=1
Mon Aug 3 10:00:39 2020 us=532029 @IP-CLIENT:49509 peer info: IV_TCPNL=1
Mon Aug 3 10:00:39 2020 us=532062 @IP-CLIENT:49509 peer info: IV_GUI_VER=OpenVPN_GUI_11
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: user
AUTH-PAM: BACKGROUND: user 'user' failed to authenticate: Module is unknown
Mon Aug 3 10:00:39 2020 us=536118 @IP-CLIENT:49509 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mon Aug 3 10:00:39 2020 us=536149 @IP-CLIENT:49509 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-plugin-auth-pam.so
Mon Aug 3 10:00:39 2020 us=536184 @IP-CLIENT:49509 TLS Auth Error: Auth Username/Password verification failed for peer
Mon Aug 3 10:00:39 2020 us=590053 @IP-CLIENT:49509 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Aug 3 10:00:39 2020 us=590103 @IP-CLIENT:49509 [user] Peer Connection Initiated with [AF_INET]@IP-CLIENT:49509
Mon Aug 3 10:00:40 2020 us=679837 @IP-CLIENT:49509 PUSH: Received control message: 'PUSH_REQUEST'
Mon Aug 3 10:00:40 2020 us=679941 @IP-CLIENT:49509 Delayed exit in 5 seconds
Mon Aug 3 10:00:40 2020 us=680013 @IP-CLIENT:49509 SENT CONTROL [user]: 'AUTH_FAILED' (status=1)
Mon Aug 3 10:00:46 2020 us=102102 @IP-CLIENT:49509 SIGTERM[soft,delayed-exit] received, client-instance exiting
We can see the line "AUTH-PAM: BACKGROUND: user 'user' failed to authenticate: Module is unknown".
I think it's the same error the Yubikey support had. They told me the problem comes before yubi-pam is called.
This is my server configuration:
Code:
local
port 1194
proto udp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/openvpn-server.crt
key /etc/openvpn/certs/openvpn-server.key # This file should be kept secret
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
auth SHA256
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
username-as-common-name
The client logs don't have any interesting information.
I sent my configuration to the Yubikey support and they validated it.
After that, the Yubikey support reproduced the problem on Ubuntu and they deduced that the problem comes from the OpenVPN version.
Does somebody have the same problem? And does somebody have Yubikey working on a VPN server?
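The "Module is unknown" line in the log above is libpam reporting that a module named in the service file could not be loaded from disk, which is cheap to check before suspecting OpenVPN itself. The script below is an added example, not code from this post, from Yubico or from the OpenVPN project: it resolves every module named in a pam.d service file against the module directories and prints the ones that do not exist, and separately checks that a user has a token ID in the pam_yubico mapping file. The module directory list, the file paths and the constructed service file in demo_check are assumptions made for the example.

```shell
#!/bin/sh
# Added diagnostic (not from the thread, Yubico or OpenVPN): list pam.d
# modules that do not resolve to a file, and check a pam_yubico mapping.
# Default search directories are an assumption for Debian-like systems.
PAM_MODULE_DIRS="${PAM_MODULE_DIRS:-/lib/x86_64-linux-gnu/security /lib/security /usr/lib/security}"

# pam_missing_modules SERVICE_FILE [MODULE_DIRS]
# Prints each module name that cannot be found on disk, one per line.
pam_missing_modules() {
    file="$1"
    dirs="${2:-$PAM_MODULE_DIRS}"
    # Drop comments, then take the first field ending in .so on each line;
    # "include"/"substack"/@include lines have none and are skipped.
    sed -e 's/#.*//' "$file" |
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /\.so$/) { print $i; break } }' |
    sort -u |
    while read -r module; do
        found=0
        case "$module" in
            /*) if [ -f "$module" ]; then found=1; fi ;;
            *)  for d in $dirs; do
                    if [ -f "$d/$module" ]; then found=1; fi
                done ;;
        esac
        [ "$found" -eq 1 ] || printf '%s\n' "$module"
    done
}

# mapping_has_user MAPPING_FILE USER
# Returns 0 when USER has at least one token ID in a pam_yubico authfile
# (format "user:tokenid1:tokenid2", as documented for pam_yubico).
mapping_has_user() {
    grep -Eq "^[[:space:]]*$2:[[:space:]]*[[:alnum:]]+" "$1"
}

# demo_check MODULE_NAME: writes a constructed service file modelled on the
# one in the thread, with MODULE_NAME in the auth line, into a temp dir whose
# fake module directory only holds pam_yubico.so and pam_nologin.so
# (empty stand-in files, not real modules), then prints the unresolved modules.
demo_check() {
    tmp=$(mktemp -d)
    mkdir "$tmp/security"
    : > "$tmp/security/pam_yubico.so"
    : > "$tmp/security/pam_nologin.so"
    cat > "$tmp/openvpn" <<EOF
# constructed copy of the service file from the thread
auth required $1 authfile=/etc/yubikey_mappings id=xxxx debug
auth include system-auth
account required pam_nologin.so
EOF
    pam_missing_modules "$tmp/openvpn" "$tmp/security"
    rm -rf "$tmp"
}

# Stand-alone run: the first call reports yubi-pam.so, the second reports nothing.
demo_check yubi-pam.so
demo_check pam_yubico.so
```

On a real server, run `pam_missing_modules /etc/pam.d/openvpn` (the service name is the argument given to openvpn-plugin-auth-pam.so in server.conf); any name it prints is a module libpam cannot load, which is exactly the condition the log line reports.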
-
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Configuration Yubikey with OpenVPN
-
- OpenVpn Newbie
- Posts: 5
- Joined: Fri Jul 31, 2020 7:33 am
Re: Configuration Yubikey with OpenVPN
Ok, thank you!
That resolves the problem, but now I have this message:
Code:
AUTH-PAM: BACKGROUND: user 'user' failed to authenticate: Permission denied
-
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 5
- Joined: Fri Jul 31, 2020 7:33 am
Re: Configuration Yubikey with OpenVPN
Hello,
I saw your answer at your URL, but I have a question.
Does my user need to be created via the adduser command?
-
- OpenVpn Newbie
- Posts: 5
- Joined: Fri Jul 31, 2020 7:33 am
Re: Configuration Yubikey with OpenVPN
Hello,
My problem is resolved. This is my configuration.
/etc/openvpn/server.conf
Code:
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
client-to-client
/etc/pam.d/yubi-pam
Code:
auth sufficient pam_yubico.so id=xxxx key=xxx authfile=/etc/yubikey_mappings
debug debug_file=/var/run/pam-debug.log
/etc/pam.d/openvpn
Code:
auth sufficient pam_yubico.so authfile=/etc/yubikey_mappings id=xxxxx debug
Thank you for your help