Hello,
I want to configure an OpenVPN server OpenSource v 2.4.7 with Yubikeys.
So, I have install OpenVPN, configure the first client and test the connection with simply certificate authentication, it's work.
After that, I have follow the procedure
https://developers.yubico.com/yubico-pa ... a_PAM.html to install the Yubikey .pam without freeradius. I have install and configure the pam file like:
/etc/pam.d/yubi-pam
Code: Select all
auth sufficient pam_yubico.so id=xxx key=xxx authfile/etc/yubikey_mappings
account required pam_yubico.so
debug debug_file = /var/log/pam_yubico.log
Code: Select all
auth required yubi-pam.so authfile=/etc/yubikey_mappings id=xxxx debug
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
I add lines in my openvpn configuration:
Code: Select all
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
username-as-common-name
On my client configuration, I add the line:
And I start the connection. The client VPN ask me the Yubikey and for my certificate password. After few seconds, the authentication failed.
You can see the server logs:
Code: Select all
Mon Aug 3 10:00:39 2020 us=352502 MULTI: multi_create_instance called
Mon Aug 3 10:00:39 2020 us=352724 @IP-CLIENT:49509 Re-using SSL/TLS context
Mon Aug 3 10:00:39 2020 us=353080 @IP-CLIENT:49509 Control Channel MTU parms [ L:1621 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Mon Aug 3 10:00:39 2020 us=353119 @IP-CLIENT:49509 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Mon Aug 3 10:00:39 2020 us=353182 @IP-CLIENT:49509 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Mon Aug 3 10:00:39 2020 us=353190 @IP-CLIENT:49509 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Mon Aug 3 10:00:39 2020 us=353227 @IP-CLIENT:49509 TLS: Initial packet from [AF_INET]@IP-CLIENT:49509, sid=2e9b1913 b78ad8fc
Mon Aug 3 10:00:39 2020 us=472635 @IP-CLIENT:49509 VERIFY OK: depth=1, CN=OpenVPN CA
Mon Aug 3 10:00:39 2020 us=472964 @IP-CLIENT:49509 VERIFY OK: depth=0, CN=user
Mon Aug 3 10:00:39 2020 us=531641 @IP-CLIENT:49509 peer info: IV_VER=2.4.8
Mon Aug 3 10:00:39 2020 us=531731 @IP-CLIENT:49509 peer info: IV_PLAT=win
Mon Aug 3 10:00:39 2020 us=531796 @IP-CLIENT:49509 peer info: IV_PROTO=2
Mon Aug 3 10:00:39 2020 us=531831 @IP-CLIENT:49509 peer info: IV_NCP=2
Mon Aug 3 10:00:39 2020 us=531864 @IP-CLIENT:49509 peer info: IV_LZ4=1
Mon Aug 3 10:00:39 2020 us=531898 @IP-CLIENT:49509 peer info: IV_LZ4v2=1
Mon Aug 3 10:00:39 2020 us=531930 @IP-CLIENT:49509 peer info: IV_LZO=1
Mon Aug 3 10:00:39 2020 us=531962 @IP-CLIENT:49509 peer info: IV_COMP_STUB=1
Mon Aug 3 10:00:39 2020 us=531996 @IP-CLIENT:49509 peer info: IV_COMP_STUBv2=1
Mon Aug 3 10:00:39 2020 us=532029 @IP-CLIENT:49509 peer info: IV_TCPNL=1
Mon Aug 3 10:00:39 2020 us=532062 @IP-CLIENT:49509 peer info: IV_GUI_VER=OpenVPN_GUI_11
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: user
AUTH-PAM: BACKGROUND: user 'user' failed to authenticate: Module is unknown
Mon Aug 3 10:00:39 2020 us=536118 @IP-CLIENT:49509 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mon Aug 3 10:00:39 2020 us=536149 @IP-CLIENT:49509 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-plugin-auth-pam.so
Mon Aug 3 10:00:39 2020 us=536184 @IP-CLIENT:49509 TLS Auth Error: Auth Username/Password verification failed for peer
Mon Aug 3 10:00:39 2020 us=590053 @IP-CLIENT:49509 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Aug 3 10:00:39 2020 us=590103 @IP-CLIENT:49509 [user] Peer Connection Initiated with [AF_INET]@IP-CLIENT:49509
Mon Aug 3 10:00:40 2020 us=679837 @IP-CLIENT:49509 PUSH: Received control message: 'PUSH_REQUEST'
Mon Aug 3 10:00:40 2020 us=679941 @IP-CLIENT:49509 Delayed exit in 5 seconds
Mon Aug 3 10:00:40 2020 us=680013 @IP-CLIENT:49509 SENT CONTROL [user]: 'AUTH_FAILED' (status=1)
Mon Aug 3 10:00:46 2020 us=102102 @IP-CLIENT:49509 SIGTERM[soft,delayed-exit] received, client-instance exiting
We can see the line "AUTH-PAM: BACKGROUND: user 'user' failed to authenticate: Module is unknown".
I think it's the same error which had the Yubikey support. They told me the problem come before the yubi-pam be called.
This is my server configuration:
Code: Select all
local
port 1194
proto udp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/openvpn-server.crt
key /etc/openvpn/certs/openvpn-server.key # This file should be kept secret
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
auth SHA256
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
username-as-common-name
The client logs don't have interessants informations.
I send my configuration to the Yubikey support and they valided it.
After that, the Yubikey support have reproduce the problem on Ubuntu and they deducted the problem come from the OpenVPN version.
Somebody have the same problem ? And Somebody have Yubikey working in VPN server ?