Fix issue with connection resetting every hour when using otp. #208

Merged (5 commits), Jan 27, 2017
1 change: 1 addition & 0 deletions bin/ovpn_genconfig
Expand Up @@ -329,6 +329,7 @@ cat $TMP_PUSH_CONFIGFILE >> "$conf"
if [ -n "${OVPN_OTP_AUTH:-}" ]; then
echo -e "\n\n# Enable OTP+PAM for user authentication" >> "$conf"
echo "plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn" >> "$conf"
echo "reneg-sec 0" >> "$conf"
fi

echo -e "\n### Extra Configurations Below" >> "$conf"
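Review bot: `reneg-sec 0` in the server config disables periodic TLS renegotiation entirely (the default is 3600 seconds, which is the hourly reset the PR title refers to), so the data-channel keys of an OTP session are never refreshed for as long as the tunnel stays up. That is a deliberate trade against key rotation on long-lived sessions and it should be recorded in the generated config rather than left implicit; the block already writes a comment line for the PAM plugin, so add one beside the new directive, e.g. `echo "# OTP: disable periodic renegotiation so users are not re-prompted for a token" >> "$conf"`. Also consider whether a long non-zero interval (for example one day) would meet the goal while still rotating keys, since `0` is the most permissive possible value.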
4 changes: 4 additions & 0 deletions bin/ovpn_getclient
Expand Up @@ -94,6 +94,10 @@ $OVPN_ADDITIONAL_CLIENT_CONFIG
if [ -n "$OVPN_COMP_LZO" ]; then
echo "comp-lzo"
fi

if [ -n "$OVPN_OTP_AUTH" ]; then
echo reneg-sec 0
fi
}

dir="$OPENVPN/clients/$cn"
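Review bot: the new test uses `"$OVPN_OTP_AUTH"` while the matching block in `bin/ovpn_genconfig` in this same PR uses `"${OVPN_OTP_AUTH:-}"`; use the `:-` form here as well so the script cannot abort on an unset variable if it ever runs under `set -u`. Quote the directive like the surrounding lines too (`echo "reneg-sec 0"` rather than bare `echo reneg-sec 0`) to match the `echo "comp-lzo"` style directly above. The client-side directive is genuinely needed alongside the server's: either peer may initiate renegotiation, so the server's `reneg-sec 0` alone would not stop a client still on the 3600 s default from triggering the hourly re-authentication.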
6 changes: 4 additions & 2 deletions docs/otp.md
Expand Up @@ -11,9 +11,11 @@ and use this image to generate user configuration.

In order to enable two factor authentication the following steps are required.

* Generate server configuration with `-2` option
* Choose a more secure [cipher](https://community.openvpn.net/openvpn/wiki/SWEET32) to use because since [OpenVPN 2.3.13](https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.13) the default openvpn cipher BF-CBC will cause a renegotiated connection every 64 MB of data
Owner commented:
This should really say that if your client is broken or outdated, and fails to negotiate a more reasonable cipher, only then should you override it. Many modern OpenVPN clients work just fine.


docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com -2
* Generate server configuration with `-2` and `-C $CIPHER` options

docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com -2 -C $CIPHER

* Generate your client certificate (possibly without a password since you're using OTP)

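Review bot: the new step says to pass `-C $CIPHER` but never tells the reader what to put in `$CIPHER`, so a user following the doc verbatim ends up with an empty or arbitrary value; give a concrete recommendation (for example `-C AES-256-CBC`) and, as the owner's inline comment above says, qualify the BF-CBC sentence so that overriding the cipher is presented as the fallback for clients that fail to negotiate something better rather than as a required step. The page should also state that `-2` now emits `reneg-sec 0` into both the server and client configs and what that means (no periodic key renegotiation for OTP sessions), since that is the behavioural change this PR introduces and this doc is the only place a user will learn of it.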
6 changes: 6 additions & 0 deletions test/tests/otp/run.sh
Expand Up @@ -17,6 +17,9 @@ SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::'
# Configure server with two factor authentication
docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_genconfig -u udp://$SERV_IP -2

# Ensure reneg-sec 0 in server config when two factor is enabled
docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG cat /etc/openvpn/openvpn.conf | grep 'reneg-sec 0' || abort 'reneg-sec not set to 0 in server config'

# nopass is insecure
docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass

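Review bot: `grep 'reneg-sec 0'` is an unanchored substring match, so the check also passes on a commented-out line such as `# reneg-sec 0` or on any longer token that happens to contain it; anchor the pattern and silence the match, e.g. `... | grep -q '^reneg-sec 0$' || abort 'reneg-sec not set to 0 in server config'`. Note too that a failure of the `docker run ... cat` stage is only caught indirectly here (grep sees empty input and `abort` fires with a message about the directive rather than the container), which is acceptable for a smoke test but worth a one-line comment so the next person does not chase the wrong cause.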
Expand All @@ -40,6 +43,9 @@ echo -e "$OTP_USER\n$OTP_TOKEN" > $CLIENT_DIR/credentials.txt
# Override the auth-user-pass directive to use a credentials file
docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_getclient $CLIENT | sed 's/auth-user-pass/auth-user-pass \/client\/credentials.txt/' | tee $CLIENT_DIR/config.ovpn

# Ensure reneg-sec 0 in client config when two factor is enabled
grep 'reneg-sec 0' $CLIENT_DIR/config.ovpn || abort 'reneg-sec not set to 0 in client config'

#
# Fire up the server
#
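Review bot: same pattern as the server-side check above: use `grep -q '^reneg-sec 0$' "$CLIENT_DIR/config.ovpn"` so a commented-out directive cannot satisfy the test and the path is quoted. Asserting on the exact line also guards the unquoted `echo reneg-sec 0` in `bin/ovpn_getclient` against accidental whitespace changes, which a substring match would silently accept.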