OpenVPN + LDAP + MFA

  • kmere
    Junior Member
    • Aug 2024
    • 2

    OpenVPN + LDAP + MFA

    For the last few days I have been struggling to add MFA to my existing OpenVPN setup.
    The existing setup works fine with LDAP and has been tested with either of the two most common modules:
    Code:
    openvpn-plugin-auth-pam.so
    openvpn-auth-ldap.so
    My default setup uses the openvpn-auth-ldap.so module.

    I am trying to add MFA support using OTP, so I installed libpam-oath and oathtool

    After creating my secret by using
    Code:
     openssl rand -hex 64 | sha1sum | cut -d' ' -f1
    I created the /etc/users.oath file as follows:
    Code:
    #type username pin secret-hash
    HOTP/T30/6 edumeres - 59640b7a353897bd63ea6d695016e313f17c4d0a
    and edited /etc/pam.d/openvpn using this single line
    Code:
    #OTP Authenticator
    auth requisite pam_oath.so usersfile=/etc/users.oath window=30 digits=6
    and added the openvpn-plugin-auth-pam.so plugin to my server.conf:
    Code:
    plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
    Testing OTP functionality:
    Code:
    sudo pamtester openvpn edumeres authenticate
    One-time password (OATH) for `edumeres':
    pamtester: successfully authenticated
    getent also gets my LDAP user:
    Code:
    getent passwd | grep edumeres
    edumeres:*:266736:266737:edumeres::
    I can also successfully authenticate with this user by SSH on my server, so I assume PAM + LDAP authentication is working fine.

    Regarding OpenVPN config:
    server.conf

    Code:
    dev tun
    proto tcp-server
    port 1194
    
    management 127.0.0.1 1443
    topology subnet
    server 10.8.0.0 255.255.0.0
    ifconfig-pool-persist pool-persist-tun
    
    dh keys/dh2048.pem
    ca ca.crt
    cert cert.crt
    key key.key
    
    keepalive 10 30
    persist-key
    persist-tun
    compress migrate
    script-security 2
    mute-replay-warnings
    verify-client-cert none
    username-as-common-name
    client-config-dir clients
    
    verb 5
    #setenv verb 9
    
    auth-gen-token 43200
    plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/ldap.conf
    plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
    client.conf
    Code:
    dev tun
    
    remote vpn.example.com 1194 tcp-client
    pull
    tls-client
    ca ca.crt
    verify-x509-name vpn.example.com name
    mute-replay-warnings
    route-method exe
    route-delay 2
    auth-user-pass
    static-challenge "Enter your OTP" 1
    script-security 2
    
    verb 3

    On my Windows client, by using static-challenge, I get an extra box where I enter my OTP.
    The connection fails:
    sorry, for some reason, I cannot paste the log here, so I pasted here: https://pastebin.com/UdvJUErF
    Last edited by kmere; 2024-08-31, 06:00 AM.
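The users.oath line above (`HOTP/T30/6`, no PIN, a hex secret) describes a time-based OTP with a 30-second step and 6 digits. The following is an added example, not code from kmere's post or from oath-toolkit: it parses a constructed users.oath line in that format, computes the RFC 4226/6238 code with HMAC-SHA1 (pam_oath's default), and verifies a submitted code inside a `window` of time steps. The sample secret is the RFC 6238 test key "12345678901234567890" in hex, not a real one.

```python
"""Added example (not from the forum post): parse a users.oath line and
verify a 6-digit TOTP against it, the way pam_oath does conceptually."""
import hashlib
import hmac
import struct
import time

# Constructed sample in the users.oath format shown in the thread.
# The secret is the RFC 6238 test key "12345678901234567890" as hex.
SAMPLE_USERS_OATH = (
    "#type username pin secret-hash\n"
    "HOTP/T30/6 edumeres - 3132333435363738393031323334353637383930\n"
)


def parse_users_oath(text):
    """Return {username: (step_seconds, digits, pin, secret_bytes)} for TOTP lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        otp_type, user, pin, secret_hex = line.split()[:4]
        fields = otp_type.split("/")          # e.g. HOTP/T30/6
        if len(fields) < 2 or not fields[1].startswith("T"):
            continue                           # counter-based HOTP lines skipped here
        step = int(fields[1][1:])
        digits = int(fields[2]) if len(fields) > 2 else 6
        users[user] = (step, digits, None if pin == "-" else pin, bytes.fromhex(secret_hex))
    return users


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the time-step counter floor(now / step)."""
    return hotp(secret, int(now) // step, digits)


def verify_totp(users, username, code, now=None, window=30):
    """Accept `code` if it matches any step within +/- `window` steps of now.

    This mirrors the meaning of pam_oath's window= option, which counts
    OTP time steps rather than seconds (assumption stated in the lead-in),
    so window=30 on a 30-second step tolerates about 15 minutes of drift
    either way. The comparison is constant-time."""
    if username not in users:
        return False
    step, digits, _pin, secret = users[username]
    now = time.time() if now is None else now
    base = int(now) // step
    for offset in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + offset, digits), code):
            return True
    return False


if __name__ == "__main__":
    users = parse_users_oath(SAMPLE_USERS_OATH)
    print("current code for edumeres:", totp(users["edumeres"][3], time.time()))
```

The `window=` value is worth a second look on a real deployment: the wider it is, the more codes are valid at any moment, and a value of 30 steps keeps each 6-digit code acceptable for roughly half an hour in total. The users.oath file holds shared secrets in the clear, so it should be readable by root only.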
  • kmere
    Junior Member
    • Aug 2024
    • 2

    #2
    It seems that when using both plugins
    Code:
    openvpn-plugin-auth-pam.so
    openvpn-auth-ldap.so
    the auth-ldap plugin fails to authenticate for some reason.

    I managed to get it working by using only the auth-pam module by making these two modifications:

    /etc/pam.d/openvpn
    Code:
    #LDAP Authentication
    auth required pam_ldap.so
    #OTP Authentication
    auth requisite pam_oath.so debug usersfile=/etc/users.oath window=30 digits=6
    account required pam_ldap.so
    account sufficient pam_permit.so
    server.conf
    Code:
    #Not used anymore:
    #plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/ldap.conf
    #plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
    plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD One-time OTP"
    The problem was that, apart from the auth-ldap module failing to authenticate against LDAP, auth-pam was also failing to verify the OTP.
    I had to change "pin" to "One-time" in the module config, as pam_oath queries for "query='One-time password (OATH) for `edumeres': ' style=1", so "pin" did not match the module's query.
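Whether the stack above rejects a login depends on the PAM control flags, which are easy to misread: `required` records a failure but keeps going, `requisite` stops at once, and `sufficient` only short-circuits to success when no earlier `required` module has failed. The following is an added example, not part of kmere's post, that simulates Linux-PAM's control-flag evaluation over the exact auth and account stacks from /etc/pam.d/openvpn, with each module's outcome supplied per scenario. It shows, for instance, that `account sufficient pam_permit.so` does not bypass a failed `account required pam_ldap.so`.

```python
"""Added example (not from the forum post): a small simulator of Linux-PAM
control flags, used to trace the /etc/pam.d/openvpn stack from the thread.
Module outcomes are supplied by the caller; no real PAM modules are run."""

# The stacks exactly as posted, module names only.
OPENVPN_AUTH_STACK = [
    ("required", "pam_ldap.so"),
    ("requisite", "pam_oath.so"),
]
OPENVPN_ACCOUNT_STACK = [
    ("required", "pam_ldap.so"),
    ("sufficient", "pam_permit.so"),
]


def run_stack(stack, results):
    """Evaluate a PAM stack given each module's outcome.

    results maps module name -> True (success) or False (failure).
    Returns (overall_ok, list of modules that were actually consulted).
    Semantics follow the Linux-PAM control keywords:
      required  - failure is remembered, evaluation continues
      requisite - failure returns immediately
      sufficient- success returns immediately unless a required module
                  already failed; its own failure is ignored
      optional  - ignored here (only matters when it is the sole module)
    """
    failed_required = False
    consulted = []
    for control, module in stack:
        ok = results[module]
        consulted.append(module)
        if control == "required":
            if not ok:
                failed_required = True
        elif control == "requisite":
            if not ok:
                return False, consulted
        elif control == "sufficient":
            if ok and not failed_required:
                return True, consulted
        elif control == "optional":
            pass
        else:
            raise ValueError("unknown control flag: %s" % control)
    return not failed_required, consulted


def openvpn_login(ldap_password_ok, otp_ok, ldap_account_ok):
    """Run the auth stack, then the account stack, as OpenVPN's PAM plugin would."""
    auth_ok, auth_seen = run_stack(
        OPENVPN_AUTH_STACK,
        {"pam_ldap.so": ldap_password_ok, "pam_oath.so": otp_ok},
    )
    if not auth_ok:
        return False, auth_seen
    acct_ok, acct_seen = run_stack(
        OPENVPN_ACCOUNT_STACK,
        {"pam_ldap.so": ldap_account_ok, "pam_permit.so": True},
    )
    return acct_ok, auth_seen + acct_seen


if __name__ == "__main__":
    for scenario in [(True, True, True), (False, True, True),
                     (True, False, True), (True, True, False)]:
        print(scenario, "->", openvpn_login(*scenario))
```

One detail the trace makes visible: because pam_ldap is `required` rather than `requisite`, a wrong LDAP password still lets pam_oath prompt for the OTP, so a failed attempt does not reveal which factor was wrong. Swapping the two flags would change that.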
