OpenVPN: group-based local authentication #1748
Comments
|
Hi Dirk, I saw your post on the forum. I think there may be a misconception on how this is supposed to work, but I am not an OpenVPN expert. I'm sure you can pin down certificates to specific users and/or limit access, but in general the password and certificates are not "linked" to a user, it's simply a two-stage approach to authentication. Cheers, |
|
You probably want "Strict User/CN Matching" to be set in the server settings. |
|
Thank you Franco, I think that this option should be set as default. |
|
Hi Dirk, There is no fundamental flaw in this: it's strictly user auth + cert auth how they both work individually. There shouldn't be another expectation. Users may have this set up in many ways, maybe even share user accounts for login, or the certificate. Traditionally, one doesn't set a local authentication in tandem with cert auth, but rather an LDAP or so which does not let you log in using an additional OPNsense account. There used to be a way to be able to allow OpenVPN login per user as a permission. Bringing that back would be a more flexible approach to coupling local auth with VPN? To be able to make this the default, the certificate generation process needs to be a very certain way, meaning you can't share the same certificate between users. Since we don't have this particular control over the generation process, it's better to leave this as an additional security measure. Setting this as default will thus likely be the source of future support cases for little additional integrity. But there are options (available and possible to add to OPNsense) to make this more desirable in your setup. What do you think? Cheers, |
|
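The two-stage behaviour Franco describes, and the scenario Dirk reported, can be reproduced with a small model of the user-auth stage. This is an added illustration, not OPNsense's auth-user.php or any OpenVPN code: by the time OpenVPN calls an `auth-user-pass-verify` script, the client certificate has already been validated against the CA, and the script only sees the username, password and certificate common name (OpenVPN exports these as the `username`, `password` and `common_name` environment variables in via-env mode). The user database, the hashing scheme, the `strict_cn` flag and the `allowed_groups` policy below are all constructed for the example; `strict_cn` stands in for the "Strict User/CN Matching" server option and `allowed_groups` for the local group enforcement discussed in this issue.

```python
"""Hypothetical model of an OpenVPN auth-user-pass-verify step.

Two independent checks happen in "SSL/TLS + User Auth" mode: OpenVPN verifies
the certificate against the CA, then this script verifies username/password.
Nothing ties the two together unless the script compares the username with
the certificate's common name (strict CN matching) or enforces group policy.
"""
import hashlib
import hmac
import os

# Constructed sample user database (not OPNsense's users or its hash format):
# username -> salted SHA-256 password hash plus local group membership.
def _hash(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

USERS = {
    "User_1": {"salt": "s1", "hash": _hash("pw-one", "s1"), "groups": {"vpnusers"}},
    "User_2": {"salt": "s2", "hash": _hash("pw-two", "s2"), "groups": {"admins"}},
    "root":   {"salt": "s3", "hash": _hash("pw-root", "s3"), "groups": {"admins"}},
}


def check_password(username: str, password: str) -> bool:
    """Constant-time password check against the constructed database."""
    rec = USERS.get(username)
    if rec is None:
        _hash(password, "dummy")  # keep timing similar for unknown users
        return False
    return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])


def authorize(username: str, password: str, common_name: str, *,
              strict_cn: bool = False, allowed_groups=None):
    """Return (accepted, reason).

    strict_cn      -> the certificate CN must equal the login username
                      (hypothetical stand-in for "Strict User/CN Matching").
    allowed_groups -> the user must belong to at least one of these local
                      groups (hypothetical stand-in for group enforcement).
    """
    if not check_password(username, password):
        return False, "bad credentials"
    if strict_cn and not hmac.compare_digest(username.encode(), common_name.encode()):
        return False, f"certificate CN {common_name!r} does not match user {username!r}"
    if allowed_groups and not (USERS[username]["groups"] & set(allowed_groups)):
        return False, f"user {username!r} is in none of {sorted(allowed_groups)}"
    return True, "ok"


def verify_from_env(environ=None, **policy) -> int:
    """Entry point shaped like a via-env auth script: 0 = accept, 1 = reject."""
    env = os.environ if environ is None else environ
    accepted, _ = authorize(env.get("username", ""), env.get("password", ""),
                            env.get("common_name", ""), **policy)
    return 0 if accepted else 1


if __name__ == "__main__":
    # Dirk's case: User_1's certificate (CN=User_1) presented with User_2's
    # username and password. Without strict CN matching both stages pass.
    env = {"username": "User_2", "password": "pw-two", "common_name": "User_1"}
    print("default policy:", authorize(env["username"], env["password"], env["common_name"]))
    print("strict CN:     ", authorize(env["username"], env["password"], env["common_name"],
                                       strict_cn=True))
    print("strict CN + group:", authorize("User_1", "pw-one", "User_1",
                                          strict_cn=True, allowed_groups={"vpnusers"}))
```

Running the block shows the point of the thread: the mismatched certificate/credential pair is accepted under the default policy and rejected only once the CN check is on, and the group check then excludes accounts such as `root` that have a valid password but no VPN group membership. A real deployment would read the variables from `os.environ` and exit with the returned code.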
PS: I think we've switched individual user privileges for a "group" selection in the captive portal. We should do the same for IPsec and OpenVPN. |
While there, strip a bit of legacy cruft.
|
Added untested local group enforcement to OpenVPN server via ee0c170 -- @AdSchellevis would you mind testing, I don't have a setup at hand in the next days. |
o group_source was removed as it was unused
o stop passing global authcfg through the ipsec config--wtf?
o if the mobile client section is disable, refuse authentication
o make xauth privilege optional, it will go away in 18.1
|
Hi Franco. Cheers |
|
Hi Dirk, IPsec was tested, OpenVPN wasn't (issue still open). There should be a hint in the logs why this isn't working? Cheers, |
|
Hi Franco.
Cheers |
|
Dirk, thank you, here is the issue: It passes "server1" to the script, but the script expects only "1". I'll have a fix in a second. :) |
|
This should do the trick... |
|
Hi Franco, Or should I execute the latest patch only? Cheers |
|
Just the latter. The patch apply is permanent. |
|
unless you removed the other patch again ;) |
|
Hi Franco, Patching file etc/inc/plugins.inc.d/openvpn/auth-user.php using Plan A... It's an OPNsense 17.1.11 (32 Bit Nano) Cheers |
|
Yes, in that case you need both patches. I'm not sure if the other one applies cleanly on 17.1.11, but should given your previous test. |
|
Hi Franco, Now it's working as expected. Cheers |
|
Hi Dirk, Thank you for testing. :) I don't know if this will be in 17.7.1 already. But since you are on 17.1.x there are no updates which would remove the patches from your systems in the meantime. Cheers, |
|
Going into 17.7.1. IPsec will receive a similar feature, but later. :) |
|
Whoops, I meant 17.7.1 of course. |
I use an OpenVPN Server with "Remote Access (SSL/TLS + User Auth)" method on my OPNsense 17.1.11 (x86, Nano).
I have 3 user accounts in my OPNsense (User_1, User_2 and root). Only User_1 has a user certificate.
Now I coincidentally tested the VPN connection with User_2 and also with the root user. Both users could also make a VPN connection to OPNsense without having their own user certificate. The VPN connection also works with the user certificate of User_1 and the username/password of User_2 or the username/password of root!
best regards
Dirk