I just implemented OpenVPN OTP Authentication again on another ipFire server. The issue where I needed to edit the path in the /etc/pam.d/openvpn has been “fixed” in the extended shell script, EXCEPT, the script now generates a file named /etc/pam.d/google-auth-openvpn. I renamed this file to /etc/pam.d/openvpn and everything worked.
*Add the line “reneg-sec 0” without quotes to both the /var/ipfire/ovpn/scirpts/server.config.local and the client.config.local files. This will stop the default, 60 minute renegotiation period.
Figure out if the default MTU 1500 setting on the server is right for you. If not, this can cause problems and random dropped connections. It’s possible to set mssfix and fragment sizes in the Advanced Server Options. But I’m inclined to set this on the client side as different clients will need different mssfix/fragment sizes(?). Still struggling with this.
Interesting. Thanks. What if I make reneg-sec 28800 so people can work for up to 8 hours without dropping the VPN? Would that enable PFS? (I have a policy which disconnects the VPN if the machine goes to sleep (inactivity).)
i would set then the Perfect in brackets. The default for key renegotiation is 3600 sec or one hour for 128 bit block ciphers, for 64 bit block ciphers OpenVPN makes a renegotiation every 64 MB of data transfer, to give you an idea of how OpenVPN wants to secure the connection in that manner.
Your value would set the renegotiation of the session key to 480 minutes = 8 hours.
Modifying the reneg-sec value is a workaround there is may a better option for this, checkout ’ –auth-token token’ and ‘–auth-gen-token’, it might be a better opinion. Haven´t set it up myself so you would need to investigate it by your own, may someone else here can go for it too…
“I would set then the Perfect in brackets…” Is this a case where “perfect is the enemy of the good”? Everyone’s working from home these days, and my users don’t like having to sign in every hour.
Please reread what i am wrote above. I think you spend some time to get OTP to work so it might be worth but also possible to check also the second paragraph from here → OpenVPN OTP Authentication - #46 by ummeegge .
I think it makes not much sense to enable a security layer to nearly disable another one (SBO).
My reluctance to implement '–auth-token token’ and ‘–auth-gen-token’ has to do with timing. It was a big effort to get ‘–auth-pam’ with TOTP up and running on the server and have users all update their configs and install Authy… I need to let things settle down before I make another big change.
I’m assuming there is no way to run both ‘–auth-pam’ and '–auth-token token’ or ‘–auth-gen-token’ on the server to allow testing and a slow roll-out to users of the second auth scheme if it works. Is that right?
Hi all, @anon45931963 i have deleted it since it did not belong to the IPFire addons. Nevertheless, i can build it again since there are also updates for all packages, also the development of Oathtool has become fresh air which was not the case long time ago. Give me a little time and i come back with some packet updates.
Download the two .ipfire packages onto IPFire device
cd ~
wget https://people.ipfire.org/~ummeegge/two_factor_auth/google-authenticator-openvpn/google-auth-openvpn-1.09-1.ipfire
wget https://people.ipfire.org/~ummeegge/two_factor_auth/google-authenticator-openvpn/libqrencode-4.1.1-1.ipfire
Install the two .ipfire packages:
cd /opt/pakfire/tmp
mv /root/google-auth-openvpn-1.09-1.ipfire /opt/pakfire/tmp/
tar xvf google-auth-openvpn-1.09-1.ipfire
sh install.sh
rm -rf *
mv /root/libqrencode-4.1.1-1.ipfire /opt/pakfire/tmp/
tar xvf libqrencode-4.1.1-1.ipfire
sh install.sh
rm -rf *
I then use the command google-auth-adduser to generate my user credentials, as it is creating a linux user it has to follow those rules (as I found out the hard way), as I am using certificate + TOTP authentication I am just using a blank password so the user is able to connect with just certificate + username + TOTP code
One thing I guess to know is that there is nothing stopping certificate and username + TOTP from mix and matching. So If I have a valid username + TOTP code I can login using any user’s certificate. I might need to look into pinning the TOTP to the certificate somehow if it is possible.
However this is working great thanks
Noting that I am disabling rekeying but I think that is ok, what is rekeying protecting against anyway? If attacker can find my key we have big problems anyway.
you can use also /usr/bin/google-auth-adduser as a helper script to do this but i left reneg-sec 0 out.
You disabling PFS in that way. The DH-Parameter produces every 3600 sec´s (one hour) a new session key reneg-sec 0 disables this and you get one big session without rekeying .
Indeed, what’s your thoughts on this? I’m thinking that surely my 128bit AES key would be strong enough to last the session, what’s the worry that sees us needing to rekey so often?
One hour is a default value from OpenVPN, IPFire do not provides to change this directive via WUI. My thought for me would be to authenticate again after one hour to leave the security aspect, which PFS definitely is, in place.
Erik - I backed up and reloaded ipFire using the latest Core level, 158, because one of the partitions I had prior to reloading was full. After restoring backup, however, the OpenVPN Google Authenticator I installed in Feb/March stopped working. I want to get 2FA working again.
I read with interest that you provided Ian/anon45931963 some new ipfire packages that allowed him to implement 2FA with OpenVPN. When I try to follow his guide and use: wget https://people.ipfire.org/~ummeegge/two_factor_auth/google-authenticator-openvpn/google-auth-openvpn-1.09-1.ipfire I get a 404 error.
Can you provide the the files I need to use his guide and get 2FA working again. FYI, I’m happy to “buy you a coffee” for this.
FYI, the backup did not copy /usr/lib/security/pam_google_authenticator.so file, so after reinstalling ipFire and restoring the backup, my /var/log/messages file has errors saying it cannot find that .so file. I’m not sure how to get that back and working…