Page MenuHomeVyOS Platform
Create Task
Maniphest T190

two factor authentication for OpenVPN remote VPN tunnels
Open, WishlistPublicFEATURE REQUEST
Actions

Description

add option on VyOS to authenticate using LDAP or RADIUS or Active Directory while connecting remotely via OpenVPN client. A desired feature of the functionality would be sustainability of the option with respect to image upgrades/updates.

Details

Difficulty level
Hard (possibly days)
Version
1
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

Alexander4791 created this task.Nov 10 2016, 6:09 AM
dmbaturin added a comment.Nov 10 2016, 8:25 AM

Hi Alex,

Do you have links to the relevant plugins, and configuration examples?
Do you also have any ideas for the CLI?

syncer added a project: VyOS 1.1.x (1.1.8).Nov 10 2016, 9:27 AM
syncer added a subscriber: VyOS 1.1.x (1.1.8).
jhendryUK added a subscriber: jhendryUK.EditedNov 10 2016, 10:24 AM

We do this a lot, having certificate + user auth for OpenVPN. Using this open VPN option, a custom auth script and extra packages:

openvpn-option "auth-user-pass-verify /config/auth/auth-ldap.pl via-file"

The LDAP auth requires these packages:
libnet-ldap-perl_0.4400-1_all.deb
libconvert-asn1-perl_0.26-1_all.deb

amos.shapira added a subscriber: amos.shapira.Nov 10 2016, 11:25 AM

This is different but might be a little related - FoxPass publishes a one-line tweak to VyOS 1.0 to let them support two-factor authentication for IPSec VPN at https://foxpass.readme.io/docs/vyatta-vyos-ubiquity-vpn-clients
It would be nice to have this change possible via an option.

jhendryUK added a comment.Nov 12 2016, 12:23 PM

Here is a sanitised copy of the auth-ldap script. I never wrote it! Its just what we use :) It will need modifying to work

vyos-auth-ldap.pl1 KBDownload

fatihusta added a subscriber: fatihusta.EditedNov 14 2016, 4:44 PM

Hi
I think maybe we use openvpn dynamic challenge respons function for two factor auth.
Sms, email. etc.

Doc
https://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html

Sample test config and python script

https://gist.github.com/selvanair/b31ec6d5873e2ffc141ec680fca69254

Edit: another example

ftp://190.223.63.92/proc/self/root/usr/local/openvpn_as/doc/post_auth/pascr.py

ftp://190.223.63.92/proc/self/root/usr/local/openvpn_as/doc/post_auth/post_auth.txt

syncer edited projects, added VyOS 1.2 Crux; removed VyOS 1.1.x (1.1.8).Dec 14 2016, 6:34 PM
syncer edited subscribers, added: VyOS 1.2 Crux; removed: jhendryUK, VyOS 1.1.x (1.1.8).
dmbaturin moved this task from Need Triage to Wishlist on the VyOS 1.2 Crux board.May 24 2018, 6:17 PM
syncer lowered the priority of this task from Normal to Wishlist.Oct 13 2018, 9:56 AM
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
syncer changed the subtype of this task from "Task" to "Feature Request".Oct 19 2018, 9:14 AM
pasik added a subscriber: pasik.Mar 8 2019, 10:20 PM
erkin set Is it a breaking change? to Unspecified (possibly destroys the router).Sep 1 2021, 10:59 AM
erkin set Issue type to Feature (new functionality).
UnicronNL claimed this task.Sep 5 2021, 1:48 PM
UnicronNL added a subscriber: dmbaturin.
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Nov 6 2021, 11:25 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.0).Aug 29 2022, 7:06 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.4); removed VyOS 1.3 Equuleus (1.3.3).Jul 12 2023, 9:45 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.5); removed VyOS 1.3 Equuleus (1.3.4).Aug 25 2023, 9:31 PM