OpenVPN: New policy certificate-otp for RW

[stephdl]

Most of time the password is written in a note close of the screen or the keyboard, this is a bug we could fix by a new policy to openvpn

• the user must send a login
• the user must send a certificate
• the user must install an application to give him a one time based password (valid only 30 seconds)

these three factors are needed to authenticate a system-user.

Proposed solution

we will reuse pam-oath the solution we used with cockpit and ssh

Alternative solutions

google authenticator could be fun also, we could have a 4 factors (login+password+otp+certificate)

See also

https://community.nethserver.org/t/2fa-with-openvpn/15036

[nethbot]

in 7.7.1908/testing:

• nethserver-openvpn-1.9.2-1.6.g5237938.ns7.noarch.rpm x86_64 armhfp aarch64

[nethbot]

in 7.7.1908/testing:

• nethserver-openvpn-1.9.2-1.7.g50cbedf.ns7.noarch.rpm x86_64 armhfp aarch64

[nethbot]

in 7.7.1908/testing:

• nethserver-vpn-ui-1.2.11-1.1.g0e63f96.ns7.noarch.rpm x86_64 armhfp aarch64

[nethbot]

in 7.7.1908/testing:

• nethserver-cockpit-1.6.3-1.2.g2fafba7.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-cockpit-lib-1.6.3-1.2.g2fafba7.ns7.noarch.rpm x86_64 armhfp aarch64

[nethbot]

in 7.7.1908/testing:

• nethserver-vpn-ui-1.2.11-1.3.gedeeb6c.ns7.noarch.rpm x86_64 armhfp aarch64

[stephdl]

QA

We have created a new policy "Login+Certificate+Otp", this policy once enabled force all users to fill an OTP pin instead of their password.

You have to take care that you have no warnings in logs /var/log/messages and /var/log/openvpn/openvpn.log

1. check the new policy can be enabled from Nethgui and the changes can be seen in cockpit

2. check the new policy can be enabled from cockpit and the changes can be seen in Nethgui

3. Once the policy enabled, all users are forced to use otp

• Enable the new policy
• Create a user A vpn-user
• Download the client configuration
• you must find this inside (obviously with certs and other server directives)

auth-user-pass
auth-nocache
reneg-sec 0

The reneg to 0 is needed to avoid to ask the OTP each hour
The auth-nocache say to the client to not store the otp pin and ask it each time

4. Go to the settings page of the user A and enable OTP

• you must find a checked checkbox for openvpn otp in a disabled state

5. The checkbox must not be seen if

• the vpn is stopped
• the vpn mode is not certificate-otp
• the user is disabled
• the user is not granted to vpn R2W (does not exist in the vpn DB as vpn-user)

6. Try to connect the client to the VPN with different OS

With another GH6111 we force to verify that the user A cannot use the certificate of user B, so in the configuration of your client, take care to set the good login, relevant to the CN of the certficate

• Windows
• Linux
• Android
• IOS

the principle is when you connect to the VPN, the server asks for a password, you need to fill the OTP you can read on the smartphone

For fun you can have it on the terminal of your remote server by ssh:

watch oathtool --totp $(cat /var/lib/nethserver/home/stephane/.2fa.secret)

• try good OTP
• try bad OTP

7. disable the user, try to connect

[nethbot]

in 7.7.1908/testing:

• nethserver-openvpn-1.9.2-1.9.g3f515d7.ns7.noarch.rpm x86_64 armhfp aarch64

[gsanchietti]

Postponed to NS 7.8 to minimize regressions: VPN are one of the most-used features during COVID-19 emergency.

Of course, this feature can be manually installed also in NS 7.7

[nethbot]

in 7.8.2003/testing:

• nethserver-openvpn-1.9.2-1.10.gce3de80.ns7.noarch.rpm x86_64 armhfp aarch64

[nethbot]

in 7.8.2003/testing:

• nethserver-vpn-ui-1.2.11-1.4.gba9e41c.ns7.noarch.rpm x86_64 armhfp aarch64

[nethbot]

in 7.8.2003/testing:

• nethserver-cockpit-1.6.3-1.3.ge1268b8.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-cockpit-lib-1.6.3-1.3.ge1268b8.ns7.noarch.rpm x86_64 armhfp aarch64

[gsanchietti]

Everything verified using a Fedora and a CentOS 7 as a client.

I'd like some more test from a Windows machine.

[gsanchietti]

Verified also with Windows.
Users must be aware to not check the "Remember password" option.

Before release, please prepare the doc.

[nethbot]

in 7.8.2003/testing:

• nethserver-openvpn-1.9.2-1.14.g1953c0a.ns7.noarch.rpm x86_64 armhfp aarch64

[nethbot]

in 7.8.2003/testing:

• nethserver-vpn-ui-1.2.11-1.5.g978ee91.ns7.noarch.rpm x86_64 armhfp aarch64

[nethbot]

in 7.8.2003/updates:

• nethserver-openvpn-1.10.0-1.ns7.noarch.rpm x86_64 armhfp aarch64

[nethbot]

in 7.8.2003/updates:

• nethserver-vpn-ui-1.3.0-1.ns7.noarch.rpm x86_64 armhfp aarch64

[nethbot]

in 7.8.2003/updates:

• nethserver-cockpit-1.6.4-1.ns7.noarch.rpm x86_64 armhfp aarch64
• nethserver-cockpit-lib-1.6.4-1.ns7.noarch.rpm x86_64 armhfp aarch64