OpenVPN OTP Authentication

Hi Jon,
and thanks for the links. Maybe I am overlooking something, but I do miss the sources.

Have built oath-toolkit (with Fedora Glib patch), which needed xmlsec1 as DEP --> https://people.ipfire.org/~ummeegge/oathtool/ and made a quick test as explained here --> https://johannes.truschnigg.info/blog/2015-10-26.

What was needed:

  • pam_listfile.so was needed. It is built in IPFire but it is commented out in the ROOTFILE, so it is not present in the main system.
  • Created a secret with oathtool with the following command:
    oathtool -v --totp $(openssl rand -hex 15)
    in HEX and Base32 format. Both can be checked via command line:
Hex secret: ec2eb5fed5a47ae460f492c6ed190d
Base32 secret: 5QXLL7WVUR5OIYHUSLDO2GIN

Both should deliver the same PWD, which can be checked for HEX via:
oathtool --totp ec2eb5fed5a47ae460f492c6ed190d
and for Base32 via:
oathtool --totp -b 5QXLL7WVUR5OIYHUSLDO2GIN
Both should display the same.

  • New directory /var/ipfire/ovpn/accounting/oath.
  • In there are two files. The first is ‘users_oath’ with the following content:
#PROTO		USER	-	SECRET				COUNTER	LASTOTP	TS
HOTP/T30	paterpan	-	024d3bd325ad769815ceb59ce4d8bf

and the second is ‘users_whitelist’ with the username(s):

paterpan
  • The PAM config was created under /etc/pam.d/openvpn-otp-oath with the following content:
# Check if the given username is in the list of allowed names
auth requisite pam_listfile.so file=/var/ipfire/ovpn/accounting/oath/users_whitelist item=user sense=allow onerr=fail
# Check for users' time-based One-Time Password from their OATH token device/app
auth requisite /usr/lib/security/pam_oath.so usersfile=/var/ipfire/ovpn/accounting/oath/users_oath window=10 digits=6

# Permit whitelisted usernames - if this is missing, getpwnam() will fail for non-system users
account sufficient pam_listfile.so file=/var/ipfire/ovpn/accounting/oath/users_whitelist item=user sense=allow onerr=fail
  • OpenVPN server.conf has been extended via “Additional config” with the following entry:
# Oathtool + PAM
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn-otp-oath"

and client.ovpn like before with:

#Username - Password Authentication
auth-user-pass

#Do not cache auth info
auth-nocache

Connection worked:

Mar 16 14:45:19 ipfire-server openvpnserver[28948]: 192.168.123.4:49345 peer info: IV_TCPNL=1
Mar 16 14:45:19 ipfire-server openvpn[28949]: PAM _pam_init_handlers: no default config other
Mar 16 14:45:19 ipfire-server openvpnserver[28948]: 192.168.123.4:49345 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 16 14:45:19 ipfire-server openvpnserver[28948]: 192.168.123.4:49345 TLS: Username/Password authentication succeeded for username 'paterpan' 
Mar 16 14:45:19 ipfire-server openvpnserver[28948]: 192.168.123.4:49345 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 16 14:45:19 ipfire-server openvpnserver[28948]: 192.168.123.4:49345 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 16 14:45:19 ipfire-server openvpnserver[28948]: 192.168.123.4:49345 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 2048 bit RSA
Mar 16 14:45:19 ipfire-server openvpnserver[28948]: 192.168.123.4:49345 [oathtest] Peer Connection Initiated with [AF_INET]192.168.123.4:49345
Mar 16 14:45:19 ipfire-server openvpnserver[28948]: oathtest/192.168.123.4:49345 OPTIONS IMPORT: reading client specific options from: /var/ipfire/ovpn/ccd/oathtest
Mar 16 14:45:19 ipfire-server openvpnserver[28948]: oathtest/192.168.123.4:49345 MULTI_sva: pool returned IPv4=10.63.16.18, IPv6=(Not enabled)
Mar 16 14:45:19 ipfire-server openvpnserver[28948]: oathtest/192.168.123.4:49345 MULTI: Learn: 10.63.16.18 -> oathtest/192.168.123.4:49345
Mar 16 14:45:19 ipfire-server openvpnserver[28948]: oathtest/192.168.123.4:49345 MULTI: primary virtual IP for oathtest/192.168.123.4:49345: 10.63.16.18
Mar 16 14:45:20 ipfire-server openvpnserver[28948]: oathtest/192.168.123.4:49345 PUSH: Received control message: 'PUSH_REQUEST'
Mar 16 14:45:20 ipfire-server openvpnserver[28948]: oathtest/192.168.123.4:49345 SENT CONTROL [oathtest]: 'PUSH_REPLY,route 10.63.16.1,topology net30,ping 10,ping-restart 60,redirect-gateway,route 192.168.234.0 255.255.255.0,dhcp-option DNS 192.168.123.1,dhcp-option DNS 192.168.234.1,ifconfig 10.63.16.18 10.63.16.17,peer-id 0' (status=1)

The difference:

  • Another PAM module was needed.
  • This config currently includes no system users in passwd.
  • Only the OTP is needed for authentication with this config, no user password.

OTP can be checked via

watch oathtool --totp -b 5QXLL7WVUR5OIYHUSLDO2GIN

whereby the OTP changes every 30 seconds.

To generate the QR code you would need libqrencode, and e.g. the following command should display it:

qrencode -t ANSIUTF8 5QXLL7WVUR5OIYHUSLDO2GIN

Some more testing here.

Best,

Erik

3 Likes
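As an added example (not part of Erik's post and not code from oath-toolkit or IPFire), the following Python script does in software what the post checks on the command line: it re-encodes the hex secret as Base32 and confirms both forms are the same key, computes the RFC 4226/6238 HOTP/TOTP value (HMAC-SHA1, 30-second step, 6 digits, as used by pam_oath), parses a users_oath line of the TYPE USER PIN SECRET form shown above, and verifies a submitted code against a symmetric ±window of time steps. The ±window search is my reading of what pam_oath's window=10 argument tolerates and is an assumption; the sample secret, Base32 string and users_oath line are the ones quoted in the post, and the time value in the test is constructed.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample data: the secret pair and the users_oath entry quoted in the post.
HEX_SECRET = "ec2eb5fed5a47ae460f492c6ed190d"
BASE32_SECRET = "5QXLL7WVUR5OIYHUSLDO2GIN"
USERS_OATH_LINE = "HOTP/T30\tpaterpan\t-\t024d3bd325ad769815ceb59ce4d8bf"


def hex_to_base32(hex_secret: str) -> str:
    """Re-encode a hex secret as unpadded Base32 (the form 'oathtool -b' and phone apps take)."""
    return base64.b32encode(bytes.fromhex(hex_secret)).decode("ascii").rstrip("=")


def base32_to_bytes(b32_secret: str) -> bytes:
    """Decode unpadded Base32; b32decode insists on '=' padding up to a multiple of 8 chars."""
    padded = b32_secret.upper() + "=" * (-len(b32_secret) % 8)
    return base64.b32decode(padded)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step (30 s by default)."""
    return hotp(key, unix_time // step, digits)


def parse_users_oath_line(line: str) -> dict:
    """Parse one users_oath entry: TYPE USER PIN SECRET [COUNTER LASTOTP TS].
    'HOTP' is counter-based; 'HOTP/T<step>' is time-based with that step (30 if omitted).
    A PIN of '-' means no PIN is required (as in the post's entry)."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("expected at least TYPE USER PIN SECRET")
    type_parts = fields[0].split("/")
    if type_parts[0] != "HOTP":
        raise ValueError("unsupported token type " + fields[0])
    time_based = len(type_parts) > 1 and type_parts[1].startswith("T")
    step = int(type_parts[1][1:] or 30) if time_based else None
    return {
        "user": fields[1],
        "pin": None if fields[2] == "-" else fields[2],
        "key": bytes.fromhex(fields[3]),
        "time_based": time_based,
        "step": step,
    }


def verify_totp(key: bytes, code: str, unix_time: int, window: int = 10,
                step: int = 30, digits: int = 6):
    """Accept the code if it matches any time step within +/-window of unix_time
    (assumed to mirror pam_oath's window= argument, i.e. clock-drift tolerance).
    Returns the matching offset in steps, or None if no step in the window matches."""
    for delta in range(0, window + 1):
        for signed in ((delta, -delta) if delta else (0,)):
            candidate = totp(key, unix_time + signed * step, step, digits)
            if hmac.compare_digest(candidate, code):
                return signed
    return None


def main() -> None:
    now = int(time.time())
    key = bytes.fromhex(HEX_SECRET)
    print("Base32 of hex secret:", hex_to_base32(HEX_SECRET),
          "(matches post:", hex_to_base32(HEX_SECRET) == BASE32_SECRET, ")")
    print("Base32 decodes to the same key:", base32_to_bytes(BASE32_SECRET) == key)
    print("current TOTP for the sample secret:", totp(key, now))
    entry = parse_users_oath_line(USERS_OATH_LINE)
    print("users_oath entry:", entry["user"],
          "time-based" if entry["time_based"] else "counter-based", "step", entry["step"])


if __name__ == "__main__":
    main()
```

Running the script next to `oathtool --totp ec2eb5fed5a47ae460f492c6ed190d` should print the same six digits within the same 30-second step; a mismatch usually means the server clock drifts by more than the window allows, which is exactly the failure the window= argument is meant to absorb.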