Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Flexible OpenVPN authentication server and vpn client configuration tools
Perl C Shell
Tag: 0.13

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.
bin
c
contrib
etc
lib/Net/OpenVPN
.gitignore
.includepath
.project
LICENSE.TXT
OPENVPN_AUTHD_CHROOT_STRUCTURE.TXT
README.textile
TODO

README.textile

WHAT IS INSIDE THIS PACKAGE?

  1. OpenVPN authentication server and client (openvpn_authd.pl)
  1. OpenVPN server add-on for dynamically configuring clients from LDAP directory

COMPONENTS

OpenVPN authentication server

This package contains authentication server and client for excellent “OpenVPN”.http://www.openvpn.net
VPN userland daemon. Currently you can authenticate your openvpn client using the following authentication backends:

  • LDAP
  • Kerberos5
  • any SQL database supported by perl DBI driver
  • IMAPv4 server
  • POP3 server
  • plain file containing passwords
  • SASL library
  • PAM library
  • Radius service
  • custom certificate validation algorithm.

SYSTEM REQUIREMENTS

  • perl (authentication server is written in perl)
  • c compiler (for compiling authentication client)

You can install missing perl modules using your operating
system package manager or by running the following command:


perl -MCPAN -e 'install <module name>'

Required perl modules:

  • Log::Log4perl – for highly configurable logging
  • Log::Dispatch – Log4perl drivers
  • Net::Server – for simple and reliable network server infrastructure

Optional modules:

  • Net::LDAP – for ldap backend
  • IO::Socket::SSL – for providing secure transport for LDAP, IMAP and POP3 backends
  • DBI and corresponding DBI module – for DBI/SQL backend
  • Authen::Krb5::Simple – for Kerberos5 backend
  • Authen::SASL – for sasl bind support in LDAP backend
  • Authen::SASL::Cyrus – for SASL backend
  • Authen::PAM – for PAM backend
  • Authen::Radius – for Radius backend

Optional password validation perl modules:

These modules are used by File and DBI backends and possibly by LDAP backend
when using ‘pass_attr’ authentication method.

  • Crypt::PasswdMD5 – for validating md5 hashed crypt(3) passwords
  • Digest::MD5 – for validating md5 string hashes
  • Digest::SHA1 – for validation of sha1 string hashes
  • Crypt::SmbHash – for validation of ntlm hashes
  • Digest::Tiger – for validation of Tiger string hashes
  • Digest::Whirlpool – for validation of Whirlpool string hashes

INSTALLATION

  • Install, configure & test openvpn daemon (i guess you already did that)
  • Unpack openvpn_authd (i guess you already did that too)
  • Compile openvpn_authc

	cd "c" && make
  • Create default configuration file

	./bin/openvpn_authd.pl --default-conf > ./etc/openvpn_authd.conf
  • List supported authentication backends

	./bin/openvpn_authd.pl --list
  • Read authentication backend documentation

	./bin/openvpn_authd.pl --doc <DRIVER>
  • Adjust configuration your file

	vi ./etc/openvpn_authd.conf
  • Start server in non daemon and debug mode
    ./openvpn_authd.pl —no-daemon —debug
  • Create file with username and password

	echo "joe" > /tmp/sample_auth.txt
	echo "joes_password" >> /tmp/sample_auth.txt
  • Create & adjust openvpn_authc configuration file

	./bin/openvpn_authc --default-config > /etc/openvpn_authc.conf
	vi /etc/openvpn_authc.conf
  • Check if everything works…

	export common_name="someuser.example.org"
	export untrusted_ip="1.2.3.4"
	export untrusted_port="3456"
	export script_type="auth-user-pass-verify"

	./bin/openvpn_authc -v /tmp/sample_auth.txt
  • Doesn’t work? Check your syslog, there’s alot of debug output…
  • Works? Hooray, configure your openvpn daemon to use openvpn_authc:

	# /etc/openvpn/openvpn-server.conf
	# use external additional authentication
	# using openvpn_authd
	auth-user-pass-verify /path/to/openvpn_authd/bin/openvpn_authc via-file

Chroot install

This is ad-hoc document section explains how to chroot openvpn and openvpn_authd.

However, you don’t need to do this, or you can only chroot openvpn and not
openvpn_authd, but the best way is to chroot both of them (openvpn_authd was designed to run in chroot from scratch)

  • Create openvpn chroot directory (see OPENVPN_CHROOT_STRUCTURE.TXT)
  • Create openvpn_authd chroot structure (see OPENVPN_AUTHD_CHROOT_STRUCTURE.TXT)
  • Configure your syslogd (or even better, syslog-ng) to put listening sockets in BOTH chroots
  • Restart syslogd :)
  • Compile openvpn_authc statically

	cd c && make static
  • Reconfigure your openvpn to chroot (see samples/openvpn-server-chroot.conf)
  • Reconfigure openvpn_authd to put listening socket to openvpn chroot
    (you don’t need to do this if openvpn_authd is listening at tcp address)
  • Edit /etc/openvpn_authc.conf and set directive hostname
  • Put statically compiled openvpn_authc binary into /bin
  • Put /bin/sh file into /bin and /bin/sh linked libraries into /lib(64)

	# ldd ../bin/sh
        libtermcap.so.2 => /lib64/libtermcap.so.2 (0x00002b636bf5c000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00002b636c05f000)
        libc.so.6 => /lib64/libc.so.6 (0x00002b636c163000)
        /lib64/ld-linux-x86-64.so.2 (0x00002b636be3c000)
  • Restart openvpn and openvpn_authd && test configuration

OpenVPN client configuration

This package implements script which can be used as openvpn server
—client-connect script or can be used for periodic generation of client configuration files.

HOWTO

  • Create default configuraton file.

	./openvpnClientConnectLDAP --default-config
  • Change configuration to suit your needs
  • Run it on regular basis to create client configuration file OR set client-connect /path/to/openvpnClientConnectLDAP.pl to your openvpn server configuration file.

LICENSE

BSD license.

Copyright (c) 2006-2011, Brane F. Gracnar
 All rights reserved.

 Redistribution and use in source and binary forms, with or without modification,
 are permitted provided that the following conditions are met:

 + Redistributions of source code must retain the above copyright notice,
  this list of conditions and the following disclaimer.

 + Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.

 + Neither the name of the Brane F. Gracnar nor the names of its contributors
   may be used to endorse or promote products derived from this software without
   specific prior written permission.


 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
 INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
 ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
 EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Something went wrong with that request. Please try again.