OpenVPN - Different Configuration Question

  • Hello there,


    at the moment I'm using OpenVPN AS. But there is the restriction of 2 users (I hope I understand this right). But now I want to use more than 2 users. So I set up OpenVPN, it works very well.
    But now I have the following question: Is it possible to configure OpenVPN in such a way that it prompts for a password on user login, like OpenVPN AS does?


    Thanks

  • Yes, you can.


    You must put into client config file

    Code
    # Uncomment to have the VPN client prompt for
    # a password. If authentication was not enabled
    # at the time this configuration file was
    # generated, this setting will be commented out
    auth-user-pass


    and into the server config file

    Code
    option auth_user_pass_verify '/etc/openvpn/pass.sh via-env'


    On my VPN server the pass.sh is like


    I must say that my OpenVPN server runs under OpenWrt Barrier Breaker 14.07-rc2 on a TP-Link TL-WR1043N/ND v2 router, but it is Debian-like. Everything may be slightly different X(

  • As ppfdez said, but for the server part, you will need to put the following in the 'extra options' of OpenVPN plugin:

    Code
    auth-user-pass-verify pass.sh via-env
    script-security 3


    pass.sh should also be executable

    Code
    chmod +x /etc/openvpn/pass.sh
  • Official post

    But openvpn comes with a PAM, maybe it can work against the omv user list.


    Pretty sure I did some testing with this last year with this


    Edit:


    In the extra options

    Code
    plugin /etc/openvpn/openvpn-auth-pam.so /etc/pam.d/login
    tmp-dir "/etc/openvpn/tmp/"


    The ovpn PAM plugin is located at /usr/lib/openvpn/openvpn-auth-pam.so, so you need to copy it to the openvpn folder.
    Also you need to make the temp dir and set it to 777.


    This config is on top of cert/key, so you still need them.


    The reference comes from here http://www.slsmk.com/openvpn-w…-password-authentication/


    Just did some fast testing, and it works

  • Awesome information subzero79!


    I banged my head last night trying to make a script which checks username/password with pwauth until I found out that only www-data (or root) is allowed to run pwauth (which is hard-coded into pwauth). Since I did not want to re-compile pwauth, I gave up.


    The plugin method is so much easier. In the end, to sum up, the server only needs the following in the Extra field:

    Code
    plugin /usr/lib/openvpn/openvpn-auth-pam.so login


    (I think it also makes it more secure since nothing is written on disk, even temporarily)


    And on client side, the following needs to be added to the config file:

    Code
    auth-user-pass
  • Thanks to all people for the hints! It works fine now.
    A checkbox I also would appreciate.
    If you change something on the plugin, I have two other things that could be changed (which are not urgent):
    1. Add an option to route traffic from VPN to LAN (push route in openvpn, allow ip4forward in sysctl,...)
    2. If I enter a Common Name with space for the cert, my Android OpenVPN client couldn't load profile. If there is an easy way, it would be nice to forbid spaces, or all special chars.



    Btw: Where could I like a post? I only see a "dislike" Button

  • 1. This is already implemented via the Default Gateway option.
    2. Thanks for reporting this. I'll see what I can do.


    Btw: when I pass my mouse over the bottom right of each post I see five buttons: quote, report, like, dislike, go to top.

  • Ok, the first thing doesn't work for me. The default gateway was activated, but I could only reach the VPN server itself, no other clients and so on.
    To reach the LAN from the VPN, I have to add to the VPN server config

    Code
    push "route ip netmask"

    , activate ip4 forwarding in sysctl, and in my router I have to add a static route (OK, this part couldn't be done by the plugin, but a hint or so would be nice).


    Btw: This seems to be another problem only I have :) I only see the quote, report, dislike, go to top.

  • If Default Gateway option is checked, all network traffic of the client (including internet) will be routed to the VPN Server, via the following parameter in the config file:

    Code
    push "redirect-gateway def1 bypass-dhcp"


    If the Default Gateway option is not checked, a route to the private network (i.e. your LAN where your NAS is located, in most cases something like 192.168.1.0/24) is pushed to the client. In this case, only the traffic to that specific network is routed to the VPN server, the remaining traffic is routed to the default gateway of the client. This is done via the following parameter in the config file:

    Code
    push "route 192.168.1.0 255.255.255.0"


    These are mutually exclusive, but in any case traffic from the client to the private LAN should be routed to the VPN server. And btw, whichever option you choose, IP forwarding is enabled in sysctl.


    After looking into this, it may be because the iptables NAT rules are not applied on startup (I saw an error in openvpn mkconf script). If you start-up your NAS, the iptables rules will not be applied until you do and apply a configuration modification to the openvpn plugin via webgui.
    Thanks to you, that's one more to the bugfix list :D

  • Official post

    My actual vpn sits on top of my home router (openwrt). It acts by default as traffic forward (def1), but in my clients I have two separate configs. The default one connects and tunnels all internet traffic, the second one annuls the def1 directive so I can only access the remote LAN resources.


    My second config (annul def1) uses the following directives after the usual


    Code
    route-nopull
    redirect-gateway def1
    route 0.0.0.0 192.0.0.0 net_gateway
    route 64.0.0.0 192.0.0.0 net_gateway
    route 128.0.0.0 192.0.0.0 net_gateway
    route 192.0.0.0 192.0.0.0 net_gateway
    route 10.10.10.0 255.255.255.0
    route 172.22.0.0 255.255.255.0


    Those are taken from the OpenVPN doc website. So I was thinking as an improvement to add a checkbox to the certificate items to configure the bundle like this (no traffic redirect, and only available if the redirect gateway option is checked in the general settings).


    Another improvement has to do with the bundle file (zip with certs, keys and conf), just to use a single config file (.ovpn extension) with the embedded certificates and keys like this:


    The text has been trimmed, for obvious reasons



    In some clients just a double click will install it.

  • Those are taken from the OpenVPN doc website. So I was thinking as an improvement to add a checkbox to the certificate items to configure the bundle like this (no traffic redirect, and only available if the redirect gateway option is checked in the general settings).


    That seems pretty confusing. I'm not sure that I exactly get what you want. If the purpose is to make different client configurations that coexist with each other, I think having an extra field which can be freely populated for each certificate entry is preferable. This way it would be less confusing for the end-user: one unique configuration/behaviour for each client, and the possibility for 'power-users' to customize/tune a specific client. This evolution doesn't look easy from my bad-developer-skills point of view.



    Another improvement has to do with the bundle file (zip with certs, keys and conf), just to use a single config file (.ovpn extension) with the embedded certificates and keys like this:
    [...]
    In some clients just a double click will install it.


    Maybe another time ;). From a quick look, it would require quite some changes.


    On a side note, I just submitted a pull request with the following changes:


    * Fixed cannot input domain in 'DNS search domain' field
    * Fixed cannot input multiple entries separated with commas
    * Fixed log entries missing for date from 1 to 9
    * Restricted 'Common Name' field in certificate tab to alphanum
    * Fixed iptables rule not added upon boot/reboot
    * Refined iptables to remove previous rule before adding new rule
    * Added 'PAM authentication' checkbox


    We'll need to wait for the pull request to be reviewed and accepted, then wait for the plugin to be released.

  • Official post

    Yes, it is a little bit confusing. Maybe leave it the way it is. I was imagining some people coming after the plugin and asking to launch another instance for traffic redirecting only, when the same can be achieved with one instance.
    The second item, take it from the point of view of someone who doesn't know anything about OpenVPN; I remember the first time I saw the certs and keys I didn't understand anything.

  • Official post

    We'll need to wait for the pull request to be reviewed and accepted, then wait for the plugin to be released.


    I think it needs a quick fix, the mkconf is pointing to a net rule in the wrong folder. The deb openvpn package installs to /etc/network/if-up.d/, so the installer should copy the files or copy them at enable.



    edit: in the meantime just copy the file to the folder


    and also this problem came up; I think it is the delete chain rule.


  • I think it needs a quick fix, the mkconf is pointing to a net rule in the wrong folder. The deb openvpn package installs to /etc/network/if-up.d/, so the installer should copy the files or copy them at enable.


    No, we create that file ourselves when the initial setup is run. Which is also the cause of the issue.


    I just updated the plugin on my test vm and didn't run into any issue.


    On what occasion did you get the error, upon plugin installation?


    Since we create that file, the issue is that the first time we run the setup that file doesn't exist, which in turn means that you're trying to run tail on a non existing file. Why do we need to delete the last rule in that file (which is what you're doing from my understanding)? I don't know since you added it :)

  • Ok I reproduced the issue. It indeed happens on initial setup because the file is not created.


    For the story, I added that line to delete the previous iptables NAT rule because every time a change is made (and saved), the NAT rule was added, whether or not you changed the VPN subnet. For instance, if you do 10 configuration changes, you will end up with 10 iptables lines in the nat table (and it could be the same one that appears 10 times if you did not change the VPN subnet).


    As a quick fix, in the /usr/share/openmediavault/mkconf/openvpn replace the following line:

    Code
    iptables -t nat -D $(tail -1 ${SERVICE_IPTABLES_CONF} | cut -c20-)


    By this:

    Code
    if [ -f "${SERVICE_IPTABLES_CONF}" ]; then
        iptables -t nat -D $(tail -1 "${SERVICE_IPTABLES_CONF}" | cut -c20-)
    fi


    This should check first if the file exists before running the deletion of the iptables rule. You can also remove/comment that line and you will have the same behaviour as before (i.e. an iptables rule added every time a configuration change is made to OpenVPN).
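As an added example (not the plugin's mkconf script, which this thread only quotes in part), the following POSIX shell shows the same idea in a form that is safe on the initial run and idempotent afterwards: the state file is consulted only when it exists, the rule recorded on its last line is deleted, and the rule for the current subnet is added and recorded. The state-file line format (`iptables -t nat -A <args>`, which is what `cut -c20-` strips to the arguments), the MASQUERADE rule and the `iptables` logging stub are assumptions so that it runs offline.

```shell
#!/bin/sh
# Added example, not OpenMediaVault's mkconf/openvpn. Assumptions: the state
# file stores one applied rule per line as "iptables -t nat -A <args>", and
# 'iptables' is stubbed to a log so nothing touches the kernel.

IPTABLES_LOG="$(mktemp)"
# Stub (assumption): record the arguments that would have been passed to iptables.
iptables() { printf '%s\n' "$*" >> "$IPTABLES_LOG"; }

# Print the rule arguments stored on the last line of the state file.
# Prints nothing when the file does not exist yet (the initial-setup case
# that made the unguarded 'tail' fail).
previous_nat_rule() {
    conf="$1"
    [ -f "$conf" ] || return 0
    tail -n 1 "$conf" | cut -c20-     # drop the 19-char "iptables -t nat -A " prefix
}

# Delete the previously recorded rule (if any), add the rule for the current
# VPN subnet, and record it so the next run removes exactly this rule.
apply_nat_rule() {
    conf="$1"; vpn_subnet="$2"; out_if="$3"
    prev="$(previous_nat_rule "$conf")"
    if [ -n "$prev" ]; then
        # unquoted on purpose: the stored args must be split into words
        iptables -t nat -D $prev
    fi
    rule="-s $vpn_subnet -o $out_if -j MASQUERADE"
    iptables -t nat -A $rule
    printf 'iptables -t nat -A %s\n' "$rule" > "$conf"
}

# Demo with a constructed state file: the second call deletes before re-adding,
# so the nat table never accumulates duplicates.
demo_dir="$(mktemp -d)"
apply_nat_rule "$demo_dir/iptables.conf" 10.8.0.0/24 eth0
apply_nat_rule "$demo_dir/iptables.conf" 10.8.0.0/24 eth0
cat "$IPTABLES_LOG"
```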
