
two factor authentication for OpenVPN remote VPN tunnels
Needs testing, Wishlist, Public, Feature Request

Description

Add an option to VyOS to authenticate using LDAP, RADIUS or Active Directory while connecting remotely via an OpenVPN client. A desired feature of the functionality would be sustainability of the option with respect to image upgrades/updates.

Details

Difficulty level
Hard (possibly days)
Version
1
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

Hi Alex,

Do you have links to the relevant plugins, and configuration examples?
Do you also have any ideas for the CLI?

We do this a lot, having certificate + user auth for OpenVPN, using this OpenVPN option, a custom auth script and extra packages:

openvpn-option "auth-user-pass-verify /config/auth/auth-ldap.pl via-file"

The LDAP auth requires these packages:
libnet-ldap-perl_0.4400-1_all.deb
libconvert-asn1-perl_0.26-1_all.deb

This is different but might be a little related - FoxPass publishes a one-line tweak to VyOS 1.0 to let them support two-factor authentication for IPSec VPN at https://foxpass.readme.io/docs/vyatta-vyos-ubiquity-vpn-clients
It would be nice to have this change possible via an option.

Here is a sanitised copy of the auth-ldap script. I never wrote it! It's just what we use :) It will need modifying to work.

Hi,
I think maybe we use the OpenVPN dynamic challenge response function for two-factor auth.
SMS, email, etc.

Doc
https://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html

Sample test config and python script

https://gist.github.com/selvanair/b31ec6d5873e2ffc141ec680fca69254

Edit: another example

ftp://190.223.63.92/proc/self/root/usr/local/openvpn_as/doc/post_auth/pascr.py

ftp://190.223.63.92/proc/self/root/usr/local/openvpn_as/doc/post_auth/post_auth.txt

syncer lowered the priority of this task from Normal to Wishlist. Oct 13 2018, 9:56 AM
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
syncer changed the subtype of this task from "Task" to "Feature Request". Oct 19 2018, 9:14 AM
erkin set Is it a breaking change? to Unspecified (possibly destroys the router). Sep 1 2021, 10:59 AM
erkin set Issue type to Feature (new functionality).
Viacheslav added subscribers: ordex, Viacheslav.

@ordex Let us know if you have some ideas.
Thanks

Viacheslav changed the task status from Open to Needs testing. Edited Jan 10 2024, 1:29 PM

It seems we already have MFA (T3834), but it was never documented:
https://github.com/vyos/vyos-1x/pull/1008

vyos@r4# set interfaces openvpn vtun0 server mfa totp 
Possible completions:
   challenge            Expect password as result of a challenge response protocol
                        (default: enable)
   digits               Number of digits to use for totp hash (default: 6)
   drift                Time drift in seconds (default: 0)
   slop                 Maximum allowed clock slop in seconds (default: 180)
   step                 Step value for totp in seconds (default: 30)

LDAP is described here: https://docs.vyos.io/en/sagitta/configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP.html
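The two mechanisms discussed in this thread fit together: the earlier comment's `auth-user-pass-verify ... via-file` hook hands the server a temporary file with the username on line 1 and the password on line 2, and the `mfa totp` options above (digits, step, drift, slop) describe how a TOTP code is validated against that. The script below is an added illustration written for this ticket; it is not VyOS code, not the auth-ldap script mentioned above, and not OpenVPN's own MFA implementation. It reads the via-file, separates the static password from the one-time code (assuming OpenVPN's `SCRV1:<base64 password>:<base64 response>` static-challenge encoding from the management-interface doc linked above), and verifies the code with RFC 6238 TOTP. The user table is constructed sample data, and the way `slop` (accept codes within plus or minus that many seconds) and `drift` (a fixed offset added to the server clock) are applied is this example's reading of the CLI help text, not a statement of how VyOS implements them.

```python
#!/usr/bin/env python3
"""Example auth-user-pass-verify handler (via-file mode) with TOTP second factor.

OpenVPN contract: it runs this script with the via-file path as argv[1] and
treats exit status 0 as "authenticated", anything else as "rejected".
"""
import base64
import hashlib
import hmac
import struct
import sys
import time

# Constructed sample user table (NOT real credentials). In a deployment this
# lookup would be replaced by LDAP/RADIUS, with the TOTP secret stored per user.
# The secret is the RFC 6238 reference key so the codes can be cross-checked.
RFC_SECRET = b"12345678901234567890"
USERS = {
    "alice": {
        "password": "correct horse",
        "totp_secret_b32": base64.b32encode(RFC_SECRET).decode(),
    },
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30,
                digits: int = 6, slop: int = 180, drift: int = 0) -> bool:
    """Accept `code` if it matches any step within +/- `slop` seconds of now+drift.

    Every candidate is compared in constant time; the loop does not exit early
    on mismatch so timing does not reveal which step (if any) was close.
    """
    adjusted = now + drift
    first = max(0, (adjusted - slop) // step)   # counters are unsigned
    last = (adjusted + slop) // step
    matched = False
    for counter in range(first, last + 1):
        if hmac.compare_digest(hotp(secret, counter, digits).encode(), code.encode()):
            matched = True
    return matched


def parse_via_file(text: str):
    """Split an OpenVPN via-file into (username, static password, otp response).

    Line 1 is the username, line 2 the password. If the client used a static
    challenge, line 2 is 'SCRV1:<b64 password>:<b64 response>' (assumption:
    that encoding is taken from the OpenVPN management-interface documentation).
    """
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("via-file must contain username and password lines")
    username, password = lines[0], lines[1]
    if password.startswith("SCRV1:"):
        _, b64_pw, b64_resp = password.split(":", 2)
        return (username,
                base64.b64decode(b64_pw).decode(),
                base64.b64decode(b64_resp).decode())
    return username, password, None   # no second factor supplied


def build_via_file(username: str, password: str, response: str) -> str:
    """Construct the via-file text a static-challenge client would produce."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return f"{username}\nSCRV1:{b64(password)}:{b64(response)}\n"


def authenticate(via_file_text: str, now: int, step: int = 30, digits: int = 6,
                 slop: int = 180, drift: int = 0) -> bool:
    """Both factors must pass; a missing OTP response is a failure, not a bypass."""
    username, password, response = parse_via_file(via_file_text)
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(password.encode(), user["password"].encode()):
        return False
    if response is None:
        return False
    secret = base64.b32decode(user["totp_secret_b32"])
    return verify_totp(secret, response, now, step, digits, slop, drift)


if __name__ == "__main__":
    # Usage from OpenVPN: auth-user-pass-verify /config/auth/totp-auth.py via-file
    with open(sys.argv[1], "r", encoding="utf-8") as fh:
        ok = authenticate(fh.read(), now=int(time.time()))
    sys.exit(0 if ok else 1)
```

With the RFC 6238 reference secret, the code at Unix time 59 (step 30, 6 digits) is 287082, and with the default slop of 180 seconds it is still accepted 100 seconds later but rejected 400 seconds later; a wrong static password or a missing response fails regardless of the code. The script path and file name in the usage comment are placeholders for this example.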

Viacheslav added a subscriber: UnicronNL.