OpenVPN OTP Authentication

Or FIDO2 ?

Hi all,

canĀ“t find the sources to build it. Am right that you will always need a third party ?

Are there some links for building it from source and an OpenVPN implementation?

Best,

Erik

EDIT: Interesting ones from my side:
https://www.saltwaterc.eu/setting-up-totp-for-openvpn-with-oath-toolkit.html

I think Authy authenticator and google Authenticator work the same way. Here is info about the google Authenticator:

disclaimer: keep in mind I know nothing about these types of authenticators.

I picked the Authy system because I am not a big fan of google…

This may help:

Hi Jon,
and thanks for the links. Maybe I am overlooking something, but I do miss the sources.

Have built oath-toolkit (with Fedora Glib patch), which needed xmlsec1 as a dependency --> https://people.ipfire.org/~ummeegge/oathtool/ and made a quick test as explained here --> https://johannes.truschnigg.info/blog/2015-10-26 .

What was needed:

  • pam_listfile.so was needed. It is built in IPFire but it is commented out in the ROOTFILE, so it is not present in the main system.
  • Created a secret with oathtool with the following command:
    oathtool -v --totp $(openssl rand -hex 15)
    It is printed in HEX and Base32 format. Both can be checked via the command line:
Hex secret: ec2eb5fed5a47ae460f492c6ed190d
Base32 secret: 5QXLL7WVUR5OIYHUSLDO2GIN

Both should deliver the same PWD, which can be checked for HEX via:
oathtool --totp ec2eb5fed5a47ae460f492c6ed190d
for Base32:
oathtool --totp -b 5QXLL7WVUR5OIYHUSLDO2GIN
both should display the same.

  • New directory /var/ipfire/ovpn/accounting/oath.
  • In there are two files, the first is 'users_oath' with the following content:
#PROTO		USER	-	SECRET				COUNTER	LASTOTP	TS
HOTP/T30	paterpan	-	024d3bd325ad769815ceb59ce4d8bf

and the second users_whitelist with the username(s):

paterpan
  • The PAM config was created under /etc/pam.d/openvpn-otp-oath with the following content:
# Check if the given username is in the list of allowed names
auth requisite pam_listfile.so file=/var/ipfire/ovpn/accounting/oath/users_whitelist item=user sense=allow onerr=fail
# Check for users' time-based One-Time Password from their OATH token device/app
auth requisite /usr/lib/security/pam_oath.so usersfile=/var/ipfire/ovpn/accounting/oath/users_oath window=10 digits=6

# Permit whitelisted usernames - if this is missing, getpwnam() will fail for non-system users
account sufficient pam_listfile.so file=/var/ipfire/ovpn/accounting/oath/users_whitelist item=user sense=allow onerr=fail
  • OpenVPN server.conf has been extended via "Additional config" with the following entry:
# Oathtool + PAM
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn-otp-oath"

and client.ovpn like before with:

#Username - Password Authentication
auth-user-pass

#Do not cache auth info
auth-nocache

Connection worked:

Mar 16 14:45:19 ipfire-server openvpnserver[28948]: 192.168.123.4:49345 peer info: IV_TCPNL=1
Mar 16 14:45:19 ipfire-server openvpn[28949]: PAM _pam_init_handlers: no default config other
Mar 16 14:45:19 ipfire-server openvpnserver[28948]: 192.168.123.4:49345 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 16 14:45:19 ipfire-server openvpnserver[28948]: 192.168.123.4:49345 TLS: Username/Password authentication succeeded for username 'paterpan' 
Mar 16 14:45:19 ipfire-server openvpnserver[28948]: 192.168.123.4:49345 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 16 14:45:19 ipfire-server openvpnserver[28948]: 192.168.123.4:49345 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 16 14:45:19 ipfire-server openvpnserver[28948]: 192.168.123.4:49345 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 2048 bit RSA
Mar 16 14:45:19 ipfire-server openvpnserver[28948]: 192.168.123.4:49345 [oathtest] Peer Connection Initiated with [AF_INET]192.168.123.4:49345
Mar 16 14:45:19 ipfire-server openvpnserver[28948]: oathtest/192.168.123.4:49345 OPTIONS IMPORT: reading client specific options from: /var/ipfire/ovpn/ccd/oathtest
Mar 16 14:45:19 ipfire-server openvpnserver[28948]: oathtest/192.168.123.4:49345 MULTI_sva: pool returned IPv4=10.63.16.18, IPv6=(Not enabled)
Mar 16 14:45:19 ipfire-server openvpnserver[28948]: oathtest/192.168.123.4:49345 MULTI: Learn: 10.63.16.18 -> oathtest/192.168.123.4:49345
Mar 16 14:45:19 ipfire-server openvpnserver[28948]: oathtest/192.168.123.4:49345 MULTI: primary virtual IP for oathtest/192.168.123.4:49345: 10.63.16.18
Mar 16 14:45:20 ipfire-server openvpnserver[28948]: oathtest/192.168.123.4:49345 PUSH: Received control message: 'PUSH_REQUEST'
Mar 16 14:45:20 ipfire-server openvpnserver[28948]: oathtest/192.168.123.4:49345 SENT CONTROL [oathtest]: 'PUSH_REPLY,route 10.63.16.1,topology net30,ping 10,ping-restart 60,redirect-gateway,route 192.168.234.0 255.255.255.0,dhcp-option DNS 192.168.123.1,dhcp-option DNS 192.168.234.1,ifconfig 10.63.16.18 10.63.16.17,peer-id 0' (status=1)

The difference:

  • Another PAM module was needed.
  • This config currently includes no system users under passwd.
  • Only the OTP is needed for authentication with this config, no user password.

OTP can be checked via

watch oathtool --totp -b 5QXLL7WVUR5OIYHUSLDO2GIN

whereby the OTP changes every 30 seconds.

To generate the QR code you would need libqrencode, and e.g. the following command should display it:

qrencode -t ANSIUTF8 5QXLL7WVUR5OIYHUSLDO2GIN

Some more testing here.

Best,

Erik

3 Likes
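The hex/Base32 secret check and the TOTP window behaviour from Erik's post, as an added Python example (not code from the thread, oath-toolkit or pam_oath). The two secret values are the ones quoted in the post; the 20-byte ASCII key used in the test is the RFC 6238 test-vector key, and the symmetric window search is an assumption modelled on pam_oath's window= option, not copied from its source.

```python
"""TOTP (RFC 6238) check mirroring the oathtool/pam_oath setup above (added example)."""
import base64, hashlib, hmac, struct, time
from typing import Optional, Tuple

# Secrets quoted in the post: the same 15 bytes written as hex and as Base32.
HEX_SECRET = "ec2eb5fed5a47ae460f492c6ed190d"
B32_SECRET = "5QXLL7WVUR5OIYHUSLDO2GIN"

def secret_bytes(secret: str, b32: bool = False) -> bytes:
    """Decode a secret the way oathtool reads it: hex by default, Base32 with -b."""
    if b32:
        s = secret.strip().upper()
        return base64.b32decode(s + "=" * (-len(s) % 8))  # re-add stripped padding
    return bytes.fromhex(secret)

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, now: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = unix time // step ("/T30" in users_oath = 30 s step)."""
    if now is None:
        now = int(time.time())
    return hotp(key, now // step, digits)

def verify_totp(key: bytes, code: str, now: int, window: int = 10,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the code if it matches any of the 2*window+1 steps around now.
    Models pam_oath's window= option (assumed symmetric); a wide window tolerates
    clock drift but also multiplies the number of codes that would be accepted."""
    counter = now // step
    return any(hmac.compare_digest(hotp(key, counter + d, digits), code)
               for d in range(-window, window + 1))

def parse_users_oath_line(line: str) -> Tuple[str, int, bytes]:
    """Parse a users_oath line ('HOTP/T30  user  -  hexsecret ...') into (user, step, key)."""
    proto, user, _pin, secret = line.split()[:4]
    step = int(proto.split("/T")[1]) if "/T" in proto else 0  # 0 = event-based HOTP
    return user, step, bytes.fromhex(secret)

if __name__ == "__main__":
    key = secret_bytes(B32_SECRET, b32=True)
    print("hex == base32:", key == secret_bytes(HEX_SECRET))
    print("current OTP:", totp(key))  # compare with: oathtool --totp -b 5QXLL7WVUR5OIYHUSLDO2GIN
```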

Very impressive! I am so glad you understand this. It is miles over my head! :exploding_head:

Since we are all together, we will get these miles over head much, much closer to one another :innocent: or, in other words, WWG1WGA :upside_down_face:.

Great that you are here!

Best,

Erik

1 Like

Hi Erik,
Thanks for this part! Just tried to run it but, as mentioned, the pam_listfile.so file is missing.
Where would I get that, if that is even possible?
Running ipfire 1.4.5.
Thanks,
Stephan.

Hi Stephan,
I have uploaded it for you, you can find it here --> https://people.ipfire.org/~ummeegge/oathtool/ . Home of 'pam_listfile.so' is under /lib/security/ . If you find some new configurations, it might be nice if you post them here…

Best,

Erik

1 Like

Hi Erik,
Thanks a lot, works like a charm.
Will let you (all) know when finding something interesting :+1:
Stephan

You guys have done a very good job.

Hi

Really nice work.
Is there a plan to implement user password + OTP?

Regards

Stefan

Use of the Android app FreeOTP is a kind feature on this one.

Hi,
currently not via the WUI, but one may ask for google-authenticator-libpam as an addon with no further extensions.

Best,

Erik

That would be very good because of the lack of 2FA without an additional password.

Very interesting development! Thanks for driving it as this raises security for OpenVPN on IPFire to a comfort level for the paranoids like myself. I am hesitant to try it based on this discussion only as my Linux experience is a little bit rusty. Is there a plan to summarize the configuration in a how-to style for dummies like myself? I am sure that would be a benefit for the community. Thank you.

1 Like

Hi thier28,

I thought this has been done above for both configurations :wink:? In case of specific questions it might be easier to help…

Best,

Erik

Erik,
you convinced me - I will give it a try and come back in case of issues - might take a while though.
Best Regards,
Martin

Is there any new development? Probably for a 2FA gui?

I just successfully "configured OpenVPN server to use TOTP in connection with username/password authentication …" following your instructions, packages and expanded shell script.

  • I first got this how-to working: https://wiki.ipfire.org/configuration/services/openvpn/extensions/plugins/auth-pam .

  • I downloaded and installed the packages from: https://people.ipfire.org/~ummeegge/google-authenticator-openvpn/

  • I downloaded and ran the extended shell script and added users and then created the same users as road warriors in the ipFire OpenVPN web gui.

  • Advanced server setting enabled in ipFire OpenVPN gui.

  • The final step is not documented… I had to change a line in the customized /etc/pam.d/openvpn from
    auth requisite /usr/lib/security/pam_google_authenticator.so secret=/var/ipfire/ovpn/google-authenticator/${USER} user=gauth forward_pass debug
    to
    auth requisite /usr/lib/security/pam_google_authenticator.so secret=/var/ipfire/ovpn/accounting/google-authenticator/${USER} user=gauth forward_pass debug

Thank you.
FYI, using ipFire 2.25 x86_64 Core Update 153.

2 Likes