OpenVPN OTP Authentication

barkingdoggy · 15 February 2021 13:01

I just implemented OpenVPN OTP Authentication again on another ipFire server. The issue where I needed to edit the path in the /etc/pam.d/openvpn has been “fixed” in the extended shell script, EXCEPT, the script now generates a file named /etc/pam.d/google-auth-openvpn. I renamed this file to /etc/pam.d/openvpn and everything worked.

barkingdoggy · 19 February 2021 14:23

To avoid random dropped VPN connections:

*Add the line “reneg-sec 0” without quotes to both the /var/ipfire/ovpn/scirpts/server.config.local and the client.config.local files. This will stop the default, 60 minute renegotiation period.

Figure out if the default MTU 1500 setting on the server is right for you. If not, this can cause problems and random dropped connections. It’s possible to set mssfix and fragment sizes in the Advanced Server Options. But I’m inclined to set this on the client side as different clients will need different mssfix/fragment sizes(?). Still struggling with this.

ummeegge · 19 February 2021 19:29

Hi barkingdoggy,
please keep in mind that you disable PFS with “reneg-sec 0” !

Best,

Erik

barkingdoggy · 19 February 2021 23:03

Interesting. Thanks. What if I make reneg-sec 28800 so people can work for up to 8 hours without dropping the VPN? Would that enable PFS? (I have a policy which disconnects the VPN if the machine goes to sleep (inactivity).)

ummeegge · 20 February 2021 06:50

Good morning,

i would set then the Perfect in brackets. The default for key renegotiation is 3600 sec or one hour for 128 bit block ciphers, for 64 bit block ciphers OpenVPN makes a renegotiation every 64 MB of data transfer, to give you an idea of how OpenVPN wants to secure the connection in that manner.
Your value would set the renegotiation of the session key to 480 minutes = 8 hours.

Modifying the reneg-sec value is a workaround there is may a better option for this, checkout ’ –auth-token token’ and ‘–auth-gen-token’, it might be a better opinion. Haven´t set it up myself so you would need to investigate it by your own, may someone else here can go for it too…

Best,

Erik

barkingdoggy · 22 February 2021 21:28

“I would set then the Perfect in brackets…” Is this a case where “perfect is the enemy of the good”? Everyone’s working from home these days, and my users don’t like having to sign in every hour.

ummeegge · 23 February 2021 06:13

Please reread what i am wrote above. I think you spend some time to get OTP to work so it might be worth but also possible to check also the second paragraph from here → OpenVPN OTP Authentication - #46 by ummeegge .

I think it makes not much sense to enable a security layer to nearly disable another one (SBO).

Best,

Erik

barkingdoggy · 23 February 2021 16:29

What is SBO? Synchronous Bandwidth Optimization?

My reluctance to implement '–auth-token token’ and ‘–auth-gen-token’ has to do with timing. It was a big effort to get ‘–auth-pam’ with TOTP up and running on the server and have users all update their configs and install Authy… I need to let things settle down before I make another big change.

I’m assuming there is no way to run both ‘–auth-pam’ and '–auth-token token’ or ‘–auth-gen-token’ on the server to allow testing and a slow roll-out to users of the second auth scheme if it works. Is that right?

ummeegge · 1 March 2021 15:57

Security By Obscurity.

I understand.

I don´t think so and i have also not read about such restrictions but again, haven´t read that much in depth according auth-token.

Best,

Erik

jcdup55 · 22 March 2021 07:57

Thanks everyone for this work!

I am keen to try this as well but it seems that the packages mentioned above no longer exist.

Doe anyone perhaps know where I can get them?

anon45931963 · 27 May 2021 03:53

@ummeegge is it still possible to do this? I try the links and many are 404

I found the gitlab repo above, when I clone the repo and run any off the install.sh files I get error:

Extracting files...
tar: /opt/pakfire/tmp/files*: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
...Finished.

ummeegge · 27 May 2021 07:44

Hi all,
@anon45931963 i have deleted it since it did not belong to the IPFire addons. Nevertheless, i can build it again since there are also updates for all packages, also the development of Oathtool has become fresh air which was not the case long time ago. Give me a little time and i come back with some packet updates.

Best,

Erik

anon45931963 · 8 June 2021 03:34

Hi Erik,

Sorry to be a pain, I downloaded the .ipfire files:

oath-toolkit-2.6.7-1.ipfire
google-auth-openvpn-1.09-1.ipfire
libqrencode-4.1.1-1.ipfire

however I can’t seem to find any method to install them.

Edit I managed to find this here and can see that tar xvf extracts the .ipfire file then i call install.sh and that seems to do it.

anon45931963 · 8 June 2021 08:15

Thanks all is working for me

The instructions that worked for me:

Download the two .ipfire packages onto IPFire device

cd ~
wget https://people.ipfire.org/~ummeegge/two_factor_auth/google-authenticator-openvpn/google-auth-openvpn-1.09-1.ipfire
wget https://people.ipfire.org/~ummeegge/two_factor_auth/google-authenticator-openvpn/libqrencode-4.1.1-1.ipfire

Install the two .ipfire packages:

cd /opt/pakfire/tmp
mv /root/google-auth-openvpn-1.09-1.ipfire /opt/pakfire/tmp/
tar xvf google-auth-openvpn-1.09-1.ipfire
sh install.sh
rm -rf *
mv /root/libqrencode-4.1.1-1.ipfire /opt/pakfire/tmp/
tar xvf libqrencode-4.1.1-1.ipfire
sh install.sh
rm -rf *

Create and edit /etc/pam.d/openvpn

nano /etc/pam.d/openvpn

#Google Authenticator
auth    requisite       /usr/lib/security/pam_google_authenticator.so secret=/var/ipfire/ovpn/accounting/google-authenticator/${USER} user=gauth forward_pass debug

#Username/Password authentication
auth    required        pam_unix.so use_first_pass
account required        pam_unix.so

I add the following lines to both server.conf and server.user.conf:

plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/openvpn
reneg-sec 0

I add following to client.user.conf:

auth-user-pass
reneg-sec 0

I then use the command google-auth-adduser to generate my user credentials, as it is creating a linux user it has to follow those rules (as I found out the hard way), as I am using certificate + TOTP authentication I am just using a blank password so the user is able to connect with just certificate + username + TOTP code

One thing I guess to know is that there is nothing stopping certificate and username + TOTP from mix and matching. So If I have a valid username + TOTP code I can login using any user’s certificate. I might need to look into pinning the TOTP to the certificate somehow if it is possible.

However this is working great thanks

Noting that I am disabling rekeying but I think that is ok, what is rekeying protecting against anyway? If attacker can find my key we have big problems anyway.

ummeegge · 9 June 2021 14:35

Hi Ian,
glad that it works.

anon45931963:

nano /etc/pam.d/openvpn

#Google Authenticator
auth    requisite       /usr/lib/security/pam_google_authenticator.so secret=/var/ipfire/ovpn/accounting/google-authenticator/${USER} user=gauth forward_pass debug

#Username/Password authentication
auth    required        pam_unix.so use_first_pass
account required        pam_unix.so

the PAM file should normally part for the package

anon45931963:

I add the following lines to both server.conf and server.user.conf:
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/openvpn
reneg-sec 0
I add following to client.user.conf:
auth-user-pass
reneg-sec 0

you can use also /usr/bin/google-auth-adduser as a helper script to do this but i left reneg-sec 0 out.

You disabling PFS in that way. The DH-Parameter produces every 3600 sec´s (one hour) a new session key reneg-sec 0 disables this and you get one big session without rekeying .

Best,

Erik

anon45931963 · 9 June 2021 14:39

you get one big session without rekeying

Indeed, what’s your thoughts on this? I’m thinking that surely my 128bit AES key would be strong enough to last the session, what’s the worry that sees us needing to rekey so often?

ummeegge · 9 June 2021 14:45

One hour is a default value from OpenVPN, IPFire do not provides to change this directive via WUI. My thought for me would be to authenticate again after one hour to leave the security aspect, which PFS definitely is, in place.

Best,

Erik

barkingdoggy · 29 July 2021 13:07

Erik - I backed up and reloaded ipFire using the latest Core level, 158, because one of the partitions I had prior to reloading was full. After restoring backup, however, the OpenVPN Google Authenticator I installed in Feb/March stopped working. I want to get 2FA working again.

I read with interest that you provided Ian/anon45931963 some new ipfire packages that allowed him to implement 2FA with OpenVPN. When I try to follow his guide and use: wget https://people.ipfire.org/~ummeegge/two_factor_auth/google-authenticator-openvpn/google-auth-openvpn-1.09-1.ipfire I get a 404 error.

Can you provide the the files I need to use his guide and get 2FA working again. FYI, I’m happy to “buy you a coffee” for this.

barkingdoggy · 29 July 2021 19:01

FYI, the backup did not copy /usr/lib/security/pam_google_authenticator.so file, so after reinstalling ipFire and restoring the backup, my /var/log/messages file has errors saying it cannot find that .so file. I’m not sure how to get that back and working…

bonnietwin · 29 July 2021 19:09

Hi @barkingdoggy

It won’t have been included because it is not part of the standard IPFire fileset so the IPFire backup would not be aware of it.

If you want IPFire to backup other files that have been added/created then you can specify them in

/var/ipfire/backup/include.user

There is also an exclude.user in the same directory so you can include a whole directory and exclude a few specific files you don’t want backed up.