Description
Add an option on VyOS to authenticate using LDAP, RADIUS or Active Directory when connecting remotely via the OpenVPN client. A desired feature of the functionality would be sustainability of the option with respect to image upgrades/updates.
Details
- Difficulty level: Hard (possibly days)
- Version: 1
- Is it a breaking change? Unspecified (possibly destroys the router)
- Issue type: Feature (new functionality)
Related Objects
- Mentioned Here
- T3834: [OPENVPN] Support for Two Factor Authentication totp.
Event Timeline
Hi Alex,
Do you have links to the relevant plugins, and configuration examples?
Do you also have any ideas for the CLI?
We do this a lot, having certificate + user auth for OpenVPN, using this OpenVPN option, a custom auth script and extra packages:
openvpn-option "auth-user-pass-verify /config/auth/auth-ldap.pl via-file"
The LDAP auth requires these packages:
libnet-ldap-perl_0.4400-1_all.deb
libconvert-asn1-perl_0.26-1_all.deb
This is different but might be a little related - FoxPass publishes a one-line tweak to VyOS 1.0 to let them support two-factor authentication for IPSec VPN at https://foxpass.readme.io/docs/vyatta-vyos-ubiquity-vpn-clients
It would be nice to have this change possible via an option.
Here is a sanitised copy of the auth-ldap script. I never wrote it! It's just what we use :) It will need modifying to work.
Hi
I think maybe we use the OpenVPN dynamic challenge/response function for two-factor auth.
SMS, email, etc.
Doc
https://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html
Sample test config and python script
https://gist.github.com/selvanair/b31ec6d5873e2ffc141ec680fca69254
Edit: another example
ftp://190.223.63.92/proc/self/root/usr/local/openvpn_as/doc/post_auth/pascr.py
ftp://190.223.63.92/proc/self/root/usr/local/openvpn_as/doc/post_auth/post_auth.txt
It seems we already have MFA (T3834) but it was never documented.
https://github.com/vyos/vyos-1x/pull/1008
vyos@r4# set interfaces openvpn vtun0 server mfa totp
Possible completions:
  challenge   Expect password as result of a challenge response protocol (default: enable)
  digits      Number of digits to use for totp hash (default: 6)
  drift       Time drift in seconds (default: 0)
  slop        Maximum allowed clock slop in seconds (default: 180)
  step        Step value for totp in seconds (default: 30)
LDAP is described here: https://docs.vyos.io/en/sagitta/configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.html