Attempting to force AD authentication for openvpn users
-
- OpenVpn Newbie
- Posts: 19
- Joined: Mon Oct 10, 2011 5:08 pm
Attempting to force AD authentication for openvpn users
Here is the script that I am using. I am receiving an error: failed login attempt. Any feedback is appreciated. The perl module that the script is using is installed. I found this script on a website and am a little skeptical of the username and password portion of the script. If the below information is correct should it work? FYI I replaced the actual username and password with placeholders.
path and name of script: /etc/openvpn/openvpn-ad-auth2.pl
#!/usr/bin/perl
use strict;
use warnings;
use Authen::Simple::ActiveDirectory;

my $adserver  = '172.16.1.70';     # domain controller
my $principal = 'mydomain.local';  # AD realm; the user binds as user@principal

# With "auth-user-pass-verify ... via-env" OpenVPN passes the credentials
# as environment variables (this needs script-security 3 in server.conf).
my ($u, $p) = @ENV{qw/username password/};
exit 128 unless defined $u && length $u && defined $p && length $p;

my $ad = Authen::Simple::ActiveDirectory->new(
    host      => $adserver,
    principal => $principal,
);

# OpenVPN treats exit status 0 as success and anything else as failure.
# The original "exit ( ... ) ? 0 : 128;" parses as exit(...) followed by
# a dead ternary, so a good password produced exit(1): the conditional
# has to sit inside the call.
exit( $ad->authenticate($u, $p) ? 0 : 128 );
Last edited by joshcole on Thu Oct 20, 2011 6:05 am, edited 1 time in total.
-
- OpenVpn Newbie
- Posts: 19
- Joined: Mon Oct 10, 2011 5:08 pm
Re: Attempting to force AD authentication for openvpn users
Here is my server.conf as well
dev tun
# Server and client IP and Pool
server 172.19.238.0 255.255.254.0
ifconfig-pool-persist ipp.txt
# Certificates for VPN Authentication
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
#client-config-dir ccd
push "route 172.16.0.0 255.255.0.0"
push "dhcp-option DNS 172.16.1.70"
# Use compression on the VPN link
comp-lzo
# Make the link more resistant to connection failures
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
# Run OpenVPN as a daemon and drop privileges to user/group nobody
user nobody
group nobody
daemon
log openvpn.log
log-append openvpn.log
verb 2
--duplicate-cn
client-cert-not-required
auth-user-pass-verify /etc/openvpn/openvpn-ad-auth2.pl via-env
- Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Re: Attempting to force AD authentication for openvpn users
I would suggest asking the script's developer. Maybe you are not configuring the script correctly.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Attempting to force AD authentication for openvpn users
the script might work if you use
script-security 3
In that mode env vars like username and password are passed on to scripts, such as your Perl script.
-
- OpenVpn Newbie
- Posts: 19
- Joined: Mon Oct 10, 2011 5:08 pm
Re: Attempting to force AD authentication for openvpn users
I switched gears and am trying to use the openvpn-ldap plugin. I created the config and added the plugin to my server.conf and received this error when I restarted openvpn (openvpn failed to start):
Auth-LDAP Configuration Error: membership key is unknown (auth-ldap.cfg:25).
Thanks for any help you can provide!
-
- OpenVpn Newbie
- Posts: 19
- Joined: Mon Oct 10, 2011 5:08 pm
Re: Attempting to force AD authentication for openvpn users
I had made a mistake in my config. Here is the new error:
Thu Oct 20 12:34:40 2011 xxx.xxx.xxx.xxx:60446 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
Thu Oct 20 12:34:40 2011 xxx.xxx.xxx.xxx:60446 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Oct 20 12:34:40 2011 xxx.xxx.xxx.xxx:60446 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
-
- OpenVpn Newbie
- Posts: 19
- Joined: Mon Oct 10, 2011 5:08 pm
Re: Attempting to force AD authentication for openvpn users
This is what I am seeing in the logs now after trying to connect:
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Re-using SSL/TLS context
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 LZO compression initialized
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Data Channel MTU parms [ L:1542 D: 1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Local Options hash (VER=V4): '530fdded'
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Expected Remote Options hash (VER=V4): '41690919'
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 TLS: Username/Password authentication succeeded for username 'john_smith'
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 [] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:64077
LDAP user "john_smith" was not found.
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 PLUGIN_CALL: plugin function PLUGIN_CLIENT_CONNECT failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 WARNING: client-connect plugin call failed
-
- OpenVpn Newbie
- Posts: 19
- Joined: Mon Oct 10, 2011 5:08 pm
Re: Attempting to force AD authentication for openvpn users
The openvpn-ldap plugin is installed
Here are the new configs:
openvpn server.conf:
dev tun
# Server and client IP and Pool
server 172.19.238.0 255.255.254.0
ifconfig-pool-persist ipp.txt
# Certificates for VPN Authentication
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
#client-config-dir ccd
push "route 172.16.0.0 255.255.0.0"
push "dhcp-option DNS 172.16.1.70"
# Use compression on the VPN link
comp-lzo
# Make the link more resistant to connection failures
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
# Run OpenVPN as a daemon and drop privileges to user/group nobody
user nobody
group nobody
daemon
log openvpn.log
log-append openvpn.log
verb 2
--duplicate-cn
script-security 3
client-cert-not-required
plugin /usr/lib/openvpn/openvpn-auth-ldap.so auth-ldap.cfg
openvpn-ldap auth-ldap.cfg:
<LDAP>
# LDAP server URL
URL ldap://172.16.1.70
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN "CN=vpnauth,OU=LDAP,DC=mydomain,DC=local"
# Bind Password
# Password SecretPassword
Password xxxxxx
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
#TLSEnable yes
TLSEnable no
</LDAP>
<Authorization>
# For active directory, I used sAMAccountName to search by username
# I also configured the original search filter to contain the group membership, instead of using the
# RequireGroup directive below
# Base DN
BaseDN "DC=mydomain,DC=local"
# User Search Filter
#SearchFilter "(&(uid=%u)(accountStatus=active))"
SearchFilter "(&(sAMAccountName=%u)(memberOf=cn=_VPN,OU=_Groups,DC=mydomain,DC=local))"
# Require Group Membership
RequireGroup false
</Authorization>
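The SearchFilter in that config substitutes the login name for %u, so whatever performs the substitution has to escape the value per RFC 4515 before it reaches the directory, and memberOf only reflects direct group membership. The following is an added example, not code from the thread or from the openvpn-auth-ldap plugin: a small Python model with a constructed two-entry stand-in for the directory that builds the filter, evaluates its AND-ed assertions with LDAP substring semantics, and shows that an empty result is the "LDAP user ... was not found" outcome while an unescaped wildcard would broaden the match instead.

```python
import re

# The thread's SearchFilter; the plugin substitutes the login name for %u.
FILTER_TEMPLATE = ("(&(sAMAccountName=%u)"
                   "(memberOf=cn=_VPN,OU=_Groups,DC=mydomain,DC=local))")

# Constructed stand-in for the directory behind ldap://172.16.1.70 (not real data).
DIRECTORY = [
    {"dn": "CN=John Smith,OU=Users,DC=mydomain,DC=local",
     "sAMAccountName": "john_smith",
     "memberOf": ["CN=_VPN,OU=_Groups,DC=mydomain,DC=local"]},
    {"dn": "CN=Jane Doe,OU=Users,DC=mydomain,DC=local",
     "sAMAccountName": "jane_doe",
     "memberOf": ["CN=Staff,OU=_Groups,DC=mydomain,DC=local"]},  # not in _VPN
]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of the characters that carry meaning inside a filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(username: str, escape: bool = True) -> str:
    """Substitute the login name for %u; escape=False shows the unsafe variant."""
    value = escape_filter_value(username) if escape else username
    return FILTER_TEMPLATE.replace("%u", value)

ASSERTION = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")

def _assertion_regex(value: str) -> "re.Pattern":
    """LDAP substring semantics: an unescaped '*' is a wildcard, an escaped
    byte such as \\2a is a literal; AD compares these values case-insensitively."""
    unesc = lambda s: re.sub(r"\\([0-9a-fA-F]{2})",
                             lambda m: chr(int(m.group(1), 16)), s)
    parts = [re.escape(unesc(p)) for p in value.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

def matches(entry: dict, filt: str) -> bool:
    """AND together every (attr=value) assertion in filt against one entry.
    memberOf lists direct membership only, so nested groups never match here."""
    for attr, value in ASSERTION.findall(filt):
        vals = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
        vals = [vals] if isinstance(vals, str) else vals
        if not any(_assertion_regex(value).match(v) for v in vals):
            return False
    return True

def lookup(username: str, escape: bool = True) -> list:
    """DNs the search would return; an empty list is the plugin's
    'LDAP user ... was not found' outcome seen in the thread's log."""
    filt = build_filter(username, escape)
    return [e["dn"] for e in DIRECTORY if matches(e, filt)]

if __name__ == "__main__":
    for name in ("john_smith", "jane_doe", "*"):
        print(name, lookup(name), lookup(name, escape=False))
```

A user who exists but is not a direct member of _VPN gets the same empty result as an unknown user, which is why the log line alone does not tell you which of the two conditions failed.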
- Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Re: Attempting to force AD authentication for openvpn users
LDAP user "john_smith" was not found.
Doesn't this seem odd? The LDAP plugin worked and tried to authenticate, but that user does not exist in the Active Directory.
-
- OpenVpn Newbie
- Posts: 19
- Joined: Mon Oct 10, 2011 5:08 pm
Re: Attempting to force AD authentication for openvpn users
I placed that there as a placeholder to hide the actual user name. The user definitely exists. Could you suggest where I may be able to get more feedback on this issue?
At this point I am trying to use PAM and radius to authenticate against our Windows radius server for our vpn users. I have googled the heck out of this and can't seem to make it work. Please let me know!
Thanks!
-
- OpenVpn Newbie
- Posts: 19
- Joined: Mon Oct 10, 2011 5:08 pm
Re: Attempting to force AD authentication for openvpn users
I downloaded the virtual appliance and configured LDAP on it, got it to a point where it's working. Is there a way to see how it was configured and match the ldap authentication piece? Do they allow access to the configs? If so, does anyone know where I might find them?
- Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Re: Attempting to force AD authentication for openvpn users
Could you suggest where I may be able to get more feedback on this issue?
I would suggest getting answers on LDAP forums on how to configure LDAP access. Also, search this forum for LDAP authentication configuration. For example:
http://forums.openvpn.net/topic8647.html
http://www.howtoforge.com/set-up-openvp ... .0-squeeze
-
- OpenVpn Newbie
- Posts: 19
- Joined: Mon Oct 10, 2011 5:08 pm
Re: Attempting to force AD authentication for openvpn users
I've finally been able to authenticate the user which is amazing! I am using a radius plugin to accomplish this. I am still having problems but maybe at this point it's something that you guys can help me address.
The client error log reported this:
Thu Oct 27 14:38:42 2011 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:11: topology (2.0.9)
Thu Oct 27 14:38:42 2011 OPTIONS IMPORT: timers and/or timeouts modified
Thu Oct 27 14:38:42 2011 OPTIONS IMPORT: --ifconfig/up options modified
Thu Oct 27 14:38:42 2011 OPTIONS IMPORT: route options modified
Thu Oct 27 14:38:42 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Oct 27 14:38:42 2011 CreateFile failed on TAP device: \\.\Global\{DC090850-52C8-4496-8227-90D67D1E6966}.tap
Thu Oct 27 14:38:42 2011 All TAP-Win32 adapters on this system are currently in use.
I am running Windows 7 64 bit so I am not sure if that has something to do with it. I feel like I'm almost there. Any help you can provide is much appreciated!
-
- OpenVpn Newbie
- Posts: 19
- Joined: Mon Oct 10, 2011 5:08 pm
Re: Attempting to force AD authentication for openvpn users
Ok so I was able to get connected but no traffic is being allowed to pass. Here is what I am seeing in the log. It does show me as being successfully connected, I pulled an ip address and what not but can't ping or access any devices on the remote end.
Thu Oct 27 15:08:18 2011 xxx.xxx.xxx.xxx:50161 Need IPv6 code in mroute_extract_addr_from_packet
-
- OpenVpn Newbie
- Posts: 19
- Joined: Mon Oct 10, 2011 5:08 pm
Re: Attempting to force AD authentication for openvpn users
I can ping the ip address of the openvpn server on the 172.16.0 subnet but can't get past that.
- Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Re: Attempting to force AD authentication for openvpn users
Disable IPv6 on tun adapter.
Also check the firewall rules on the server. Is forwarding enabled?