evgeny-gridasov / openvpn-otp
OpenVPN OTP token support plugin
License: GNU General Public License v3.0
Is it possible to use the openvpn-otp plugin with certificate-based auth (tls-auth)?
I managed to install this plugin on my server but now I cannot log in while it is enabled. Could it be that OTP does not work alongside user key files?
Or maybe I am doing something wrong with the google auth key.
I understand from the readme, that in the /etc/ppp/otp-secrets file the key needs to be put in base32 format.
What about in the google auth app? base32 or plain?
Also, does the key need to have a specific length?
Hello,
I'm trying to make this work with Google Authenticator and the HOTP type, and it looks like the counter written to /var/spool/openvpn/hotp-counters/* is calculated incorrectly: on every authentication attempt the counter is decremented (-1) instead of being incremented (+1). Could you please check this?
Thank you!
Hello!
First of all, thanks for the plugin and all the work you're putting into it. It's much appreciated.
With that being said, I'd like to ask if it would be possible for you to add an option (e.g. in the otp_secrets
file) that would allow me to tell the plugin that this particular user doesn't require token auth. The thing is, I have a bunch of different devices connecting to my server. Some of them are other servers and there's no way for me to enter OTPs when they connect to the VPN. OTOH, I have devices like my phone that would greatly benefit from OTPs.
In any case, thanks again for the plugin and have a nice day :).
The following files are licensed under Apache-2.0:
The Apache-2.0 license requires that a copy is given to "any other recipients of the Work or Derivative Works".
Please add a copy of the corresponding license file to this repository.
So I am no expert on OpenVPN. I just followed this nice tutorial to set up my VPN https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04 and then added OTP support via your plugin. Everything works great. However, I have noticed one issue. I would like to use an OTP only on a certain key or certificate for a given client; currently the configuration in otp-secrets is kind of global and can unlock every key and certificate for a given client. Here is an example of what I mean:
Let's say we want to have 2 users on our VPN called, of course, Alice and Bob. So we generate a certificate for each of them and we distribute alice.crt and alice.key to Alice and give bob.crt and bob.key to Bob. Then we create an OTP entry for Bob and Alice in otp-secrets and they can log in with their TOTPs using Google Authenticator. Great. However, if for some reason Alice gets hold of bob.crt and bob.key she can still use her TOTP and not Bob's to authenticate. So IMHO this is an issue and the TOTP secret in the otp-secrets file should only be bound to a certificate and a key. Or at least we should be able to specify for which user in otp-secrets which certificates are available.
Have modified an existing OpenVPN install and followed the install process for openvpn-otp.
How do I generate values for the otp-secrets "key" (token?), and how do I link it to Google Authenticator on my phone?
Would like to use "sha1/base32 for Google Authenticator with a simple pin".
10.0.19.23:47776 PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
OTP-AUTH: authentication failed for username 'zhaowei', remote 10.0.19.23:47776
10.0.19.23:47776 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-otp.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
10.0.19.23:47776 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-otp.so
10.0.19.23:47776 TLS Auth Error: Auth Username/Password verification failed for peer
10.0.19.23:47776 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
10.0.19.23:47776 Peer Connection Initiated with [AF_INET]10.0.19.23:47776
10.0.19.23:47776 PUSH: Received control message: 'PUSH_REQUEST'
10.0.19.23:47776 Delayed exit in 5 seconds
10.0.19.23:47776 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
10.0.19.23:47776 Connection reset, restarting [0]
10.0.19.23:47776 SIGUSR1[soft,connection-reset] received, client-instance restarting
TCP connection established with [AF_INET]10.0.19.23:47810
10.0.19.23:47810 TLS: Initial packet from [AF_INET]10.0.19.23:47810, sid=6b61e65e f000465b
Will this work on freebsd?
/tmp/cc6coz4M.o: In function `main':
/*/xxx/openvpn-otp/conftest.c:34: undefined reference to `HMAC_CTX_init'
collect2: error: ld returned 1 exit status
configure:16580: $? = 1
HMAC_CTX_init() was replaced with HMAC_CTX_reset() in OpenSSL 1.1.0.
Hi, this work looks great! I'm looking to set up OpenVPN with both LDAP and Yubikey support (and optionally Google Auth). This plugin looks almost close enough for my needs. Is it possible to use with a Yubikey directly, or would more development be necessary? If work is needed, would it be easier to execute an external script (which I already have working) with the username + OTP to return valid or not?
Hi,
SHA1 is being deprecated in most places. Are there plans to support SHA2?
Thanks!
The openvpn RPM shipped with EPEL for CentOS7 places openvpn-plugin.h in /usr/include.
# ./configure --prefix=/usr
...
checking openvpn/openvpn-plugin.h usability... no
checking openvpn/openvpn-plugin.h presence... no
checking for openvpn/openvpn-plugin.h... no
configure: error: OpenVPN headers missing
Quick fix
# rpm -ql openvpn |grep openvpn-plugin.h
/usr/include/openvpn-plugin.h
# mkdir /usr/include/openvpn
# ln -sf /usr/include/openvpn-plugin.h /usr/include/openvpn/
Should something like this be mentioned within the README?
The following files are licensed under APSL-2.0:
The APSL-2.0 license requires that a copy is distributed "with every copy of Source Code of Covered Code and documentation You distribute or Externally Deploy".
Please add a copy of the corresponding license file to this repository.
Add support for connection renegotiation with auth-token support. This needs:
push "auth-token UNIQUE_TOKEN_VALUE"
in the file/buffer for dynamic configuration data.
See: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
I would like to vote to make the PIN optional. I use OTP daily with Google, AWS, etc. and none of them require a separate PIN. It's not a huge deal, but it would be great if the PIN could be optional.
To ease building a package for each distribution, below is a sample docker debian:latest compilation workflow. It can be extended to other systems. Tested with Debian (buster) and Ubuntu (focal).
$ git clone https://github.com/evgeny-gridasov/openvpn-otp
Debian:
$ docker run -v $(pwd)/openvpn-otp:/openvpn-otp -it debian bash
Ubuntu:
$ docker run -v $(pwd)/openvpn-otp:/openvpn-otp -it ubuntu bash
# apt update
# apt upgrade
# apt install openvpn autoconf automake libtool libssl-dev make
# cd /openvpn-otp
# ./autogen.sh
# ./configure --prefix=/usr --disable-dependency-tracking
# make install
# ls src/.libs/openvpn-otp.*
src/.libs/openvpn-otp.la src/.libs/openvpn-otp.lai src/.libs/openvpn-otp.so
$ mkdir -p /usr/lib/openvpn/
$ cp src/.libs/openvpn-otp.* /usr/lib/openvpn/
This looks really interesting!
Before I upgrade my server though, I would like to know:
Does each client have to support this login method specifically or is it delivered through a generic password prompt?
I access my server via the openvpn android app a lot so this would need to be compatible for me.
Thanks for clarifying!
Hi,
Not reporting a bug - more of a support request.
I have OpenVPN set up with LDAP authentication and now openvpn-otp - but I can only use one at a time.
plugin /usr/lib/openvpn/openvpn-otp.so "debug=1"
plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
Rather than having the PIN/password listed in the otp-secrets file I would rather they entered their LDAP password with their OTP token. Or enter their LDAP username and password first and then be prompted for the OTP. I can't see a way to do this so I would appreciate any feedback/discussion. Cheers,
jonny
Hello,
Is there a way to support scratch codes generated by google authenticator?
Hello,
I'm trying to set this up on pfSense. I managed to get it compiled and loaded, but all I'm ever getting are failed authentications. Is there some way to increase log verbosity so I can see what's going on? It would be very useful if this plugin could log (temporarily) what passwords it expects and which ones it receives.
Thanks!
Compiling openvpn-otp against OpenSSL 3.0 results in various deprecation warnings:
otp.c: In function 'otp_verify':
otp.c:415:13: warning: 'HMAC_CTX_new' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
415 | HMAC_CTX* hmac = HMAC_CTX_new();
| ^~~~~~~~
In file included from otp.c:22:
/usr/include/openssl/hmac.h:33:33: note: declared here
33 | OSSL_DEPRECATEDIN_3_0 HMAC_CTX *HMAC_CTX_new(void);
| ^~~~~~~~~~~~
otp.c:440:17: warning: 'HMAC_CTX_reset' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
440 | HMAC_CTX_reset(hmac);
| ^~~~~~~~~~~~~~
/usr/include/openssl/hmac.h:34:27: note: declared here
34 | OSSL_DEPRECATEDIN_3_0 int HMAC_CTX_reset(HMAC_CTX *ctx);
| ^~~~~~~~~~~~~~
otp.c:441:17: warning: 'HMAC_Init_ex' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
441 | HMAC_Init_ex(hmac, otp_key, key_len, otp_digest, NULL);
| ^~~~~~~~~~~~
/usr/include/openssl/hmac.h:43:27: note: declared here
43 | OSSL_DEPRECATEDIN_3_0 int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
| ^~~~~~~~~~~~
otp.c:442:17: warning: 'HMAC_Update' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
442 | HMAC_Update(hmac, (uint8_t *)&Tn, sizeof(Tn));
| ^~~~~~~~~~~
/usr/include/openssl/hmac.h:45:27: note: declared here
45 | OSSL_DEPRECATEDIN_3_0 int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data,
| ^~~~~~~~~~~
otp.c:443:17: warning: 'HMAC_Final' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
443 | HMAC_Final(hmac, mac, &maclen);
| ^~~~~~~~~~
/usr/include/openssl/hmac.h:47:27: note: declared here
47 | OSSL_DEPRECATEDIN_3_0 int HMAC_Final(HMAC_CTX *ctx, unsigned char *md,
| ^~~~~~~~~~
otp.c:466:13: warning: 'HMAC_CTX_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
466 | HMAC_CTX_free(hmac);
| ^~~~~~~~~~~~~
/usr/include/openssl/hmac.h:35:28: note: declared here
35 | OSSL_DEPRECATEDIN_3_0 void HMAC_CTX_free(HMAC_CTX *ctx);
| ^~~~~~~~~~~~~
otp.c:471:13: warning: 'HMAC_CTX_new' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
471 | HMAC_CTX* hmac = HMAC_CTX_new();
| ^~~~~~~~
/usr/include/openssl/hmac.h:33:33: note: declared here
33 | OSSL_DEPRECATEDIN_3_0 HMAC_CTX *HMAC_CTX_new(void);
| ^~~~~~~~~~~~
otp.c:493:19: warning: 'HMAC_CTX_reset' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
493 | HMAC_CTX_reset(hmac);
| ^~~~~~~~~~~~~~
/usr/include/openssl/hmac.h:34:27: note: declared here
34 | OSSL_DEPRECATEDIN_3_0 int HMAC_CTX_reset(HMAC_CTX *ctx);
| ^~~~~~~~~~~~~~
otp.c:494:19: warning: 'HMAC_Init_ex' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
494 | HMAC_Init_ex(hmac, otp_key, key_len, otp_digest, NULL);
| ^~~~~~~~~~~~
/usr/include/openssl/hmac.h:43:27: note: declared here
43 | OSSL_DEPRECATEDIN_3_0 int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
| ^~~~~~~~~~~~
otp.c:495:19: warning: 'HMAC_Update' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
495 | HMAC_Update(hmac, (uint8_t *)&Tn, sizeof(Tn));
| ^~~~~~~~~~~
/usr/include/openssl/hmac.h:45:27: note: declared here
45 | OSSL_DEPRECATEDIN_3_0 int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data,
| ^~~~~~~~~~~
otp.c:496:19: warning: 'HMAC_Final' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
496 | HMAC_Final(hmac, mac, &maclen);
| ^~~~~~~~~~
/usr/include/openssl/hmac.h:47:27: note: declared here
47 | OSSL_DEPRECATEDIN_3_0 int HMAC_Final(HMAC_CTX *ctx, unsigned char *md,
| ^~~~~~~~~~
otp.c:521:13: warning: 'HMAC_CTX_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
521 | HMAC_CTX_free(hmac);
| ^~~~~~~~~~~~~
/usr/include/openssl/hmac.h:35:28: note: declared here
35 | OSSL_DEPRECATEDIN_3_0 void HMAC_CTX_free(HMAC_CTX *ctx);
| ^~~~~~~~~~~~~
It's a bit disappointing to see plaintext password storage in 2021, e.g.:
alice otp totp:sha1:base32:46HV5FIYE33TKWYP:5uP3rH4x0r:xxx *
It should be relatively simple to shim in crypt-compatible hashing, e.g.:
alice otp totp:sha1:base32:46HV5FIYE33TKWYP:$2y$10$HM6II7ESXVFq1XaylSa1R.8rNEhhlY4r74tRNFxIzWt94wyjJlDFW:xxx *
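As an added example that is not part of this thread or the plugin's own code: a Python sketch of the otp-secrets line layout quoted above together with the RFC 4226/6238 verification behind it, showing an HOTP counter that only moves forward (the decrementing counter reported earlier in this thread) and a salted PBKDF2 hash in place of the plaintext PIN. The PIN-then-OTP password layout, the PBKDF2 hash (used here instead of the crypt-style hash suggested above) and the constructed entry are assumptions.

```python
import base64
import hashlib
import hmac
import struct

# Constructed otp-secrets entry in the layout quoted in this thread
# (user, server, type:digest:encoding:secret:pin:udid, client). The
# secret is the RFC 4226 test key in base32; the PIN field carries a
# salted PBKDF2 hash instead of plaintext (illustration, not the plugin's
# own format, which stores the PIN in the clear).
SALT = b"constructed-salt"
PIN_HASH = hashlib.pbkdf2_hmac("sha256", b"1234", SALT, 100_000).hex()
SECRET_LINE = f"alice otp totp:sha1:base32:GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ:{PIN_HASH}:xxx *"

def parse_secret_line(line):
    """Split one otp-secrets line into its fields; decode the base32 key."""
    user, _server, spec, _client = line.split()
    method, digest, encoding, key, pin, _udid = spec.split(":")
    if digest != "sha1" or encoding != "base32":
        raise ValueError("example only handles sha1/base32 entries")
    padded = key.upper() + "=" * (-len(key) % 8)  # tolerate unpadded keys
    return {"user": user, "method": method,
            "key": base64.b32decode(padded), "pin_hash": pin}

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify_hotp(key, counter, code, look_ahead=10):
    """Return the next counter to store, or None. The stored counter must
    only ever move forward (the thread reports it being decremented):
    the accepted value plus one is persisted, so a replayed code fails."""
    for i in range(look_ahead):
        if hmac.compare_digest(hotp(key, counter + i), code):
            return counter + i + 1
    return None

def verify_totp(key, code, now, step=30, window=1):
    """RFC 6238: HOTP over floor(now/step), accepting +-window steps of skew."""
    t = int(now // step)
    return any(hmac.compare_digest(hotp(key, t + i), code)
               for i in range(-window, window + 1))

def verify_password(entry, password, now):
    """Password is assumed to be the PIN followed by the 6-digit OTP."""
    pin, code = password[:-6], password[-6:]
    pin_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000).hex(),
        entry["pin_hash"])
    return pin_ok and verify_totp(entry["key"], code, now)
```

The HOTP values used for checking are the RFC 4226 test vectors, and the TOTP value at time 59 is the RFC 6238 SHA-1 vector truncated to six digits.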
Setting your tunnel to never renegotiate is a security problem for long-running tunnels, and OpenVPN added the auth-gen-token config parameter specifically for cases like OTP authentication. In short, after authentication OpenVPN will generate a token to be used for renegotiation in place of re-sending the username and password.
Please add a mention of auth-gen-token for OpenVPN >= 2.4 in the README.
It would be nice to disable OTP for a given user.
For example in otp-secrets:
myuser otp disabled *
Thank you.
Good day. I receive this error after running the openvpn server with the openvpn-otp plugin:
/usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --reneg-sec 86400 --cd /etc/openvpn --config /etc/openvpn/server.conf
/var/log/openvpn/openvpn-server.log <==
Mon Aug 17 15:15:18 2020 PLUGIN_INIT: could not load plugin shared object /usr/lib/openvpn/openvpn-otp.so: /usr/lib/openvpn/openvpn-otp.so: undefined symbol: EVP_MD_CTX_free: No such file or directory (errno=2)
Mon Aug 17 15:15:18 2020 Exiting due to fatal error
Server config:
/etc/openvpn/server.conf:
...
plugin "/usr/lib/openvpn/openvpn-otp.so" otp_secrets=/etc/openvpn/otp_secrets
Version OS: Debian GNU/Linux 9.12 (stretch)
openvpn-otp built as a debian package.
dpkg -l | grep openvp
ii openvpn 2.4.8-stretch0 amd64 virtual private network daemon
ii openvpn-otp 1.0-1~stretch amd64 This plug-in adds support for time based OTP (totp) and HMAC
dpkg -L openvpn-otp
/usr/lib/openvpn/openvpn-otp.la
/usr/lib/openvpn/openvpn-otp.so
dpkg -l | grep ssl
ii libssl-dev:amd64 1.1.0l-1~deb9u1 amd64 Secure Sockets Layer toolkit - development files
ii libssl-doc 1.1.0l-1~deb9u1 all Secure Sockets Layer toolkit - development documentation
ii libssl1.0.2:amd64 1.0.2u-1~deb9u1 amd64 Secure Sockets Layer toolkit - shared libraries
ii libssl1.1:amd64 1.1.0l-1~deb9u1 amd64 Secure Sockets Layer toolkit - shared libraries
ii openssl 1.1.0l-1~deb9u1 amd64 Secure Sockets Layer toolkit - cryptographic utility
openssl version
OpenSSL 1.1.0l 10 Sep 2019
ldd /usr/lib/openvpn/openvpn-otp.so
linux-vdso.so.1 (0x00007ffff62bd000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f8afdbd3000)
/lib64/ld-linux-x86-64.so.2 (0x00007f8afe17b000)
I saw an old issue with a comment - #29 (comment), but I tried installing different versions of the openvpn server (2.4.9, 2.4.8, 2.4.7 - using the repo from openvpn) - the error is the same.
I suspect that the trouble is with openssl, but I don't know how to fix that.
@evgeny-gridasov please add versioning to this project, this is important for package maintainers. When I worked on #32 I tagged the current master as version 1.0, maybe this is a good start.
Thanks.
Below is the SELinux policy I had to implement for CentOS7 which differs from what is found within the README. I was running the targeted policy.
allow openvpn_t pppd_etc_t:dir search;
allow openvpn_t pppd_etc_t:file { read getattr open };
Below also works.
$ yum install policycoreutils-python \
selinux-policy-devel
$ cat - <<EOF > openvpn_otp.te
module openvpn_otp 1.0;
require {
type openvpn_t;
type pppd_etc_t;
class dir { search getattr open };
class file { ioctl lock read getattr open };
}
#============= openvpn_t ==============
read_files_pattern(openvpn_t, pppd_etc_t, pppd_etc_t)
EOF
$ make -f /usr/share/selinux/devel/Makefile openvpn_otp.pp
$ semodule --install openvpn_otp.pp
Hi,
I tried your code on Debian 8.3 and compiled 1864afd as follows:
./autogen.sh
./configure --prefix=/usr
make
sudo make install
I have used the following libraries:
When starting openvpn it terminates with a segmentation fault:
# openvpn /etc/openvpn/default/local.conf
...
Fri Feb 5 20:16:12 2016 us=916315 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 1 2014
Fri Feb 5 20:16:12 2016 us=916357 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08 OTP-AUTH: otp_secrets=/etc/openvpn/default/otp-secrets
Segmentation fault
Openvpn has the following configuration:
plugin /usr/lib/openvpn/openvpn-otp.so otp_secrets=/etc/openvpn/otp-secrets
The otp-secrets file has:
ls -l /etc/openvpn/otp-secrets
-rwxrwxrwx 1 root root 54 Feb 5 20:29 /etc/openvpn/otp-secrets
cat /etc/openvpn/otp-secrets
bob otp totp:sha1:base32:K7BYLIU5D2V33X6S:1234:xxx *
Any idea what's wrong here?
Thanks
Stefan