OpenVPN - Different Configuration Question


      Hello there,

      At the moment I'm using OpenVPN AS. But there is the restriction of 2 users (I hope I understand this right). Now I want to use more than 2 users. So I set up OpenVPN, and it works very well.
      But now I have the following question: Is it possible to configure OpenVPN so that it prompts for a password on user login, like OpenVPN AS does?

      Thanks
    • Yes, you can.

      You must put this into the client config file

      Source Code

      # Uncomment to have the VPN client prompt for
      # a password. If authentication was not enabled
      # at the time this configuration file was
      # generated, this setting will be commented out
      auth-user-pass

      and into the server config file

      Source Code

      # OpenWrt UCI syntax (/etc/config/openvpn). In a plain OpenVPN server.conf the
      # equivalent line is:  auth-user-pass-verify /etc/openvpn/pass.sh via-env
      # "via-env" hands the raw password to the script in its environment, which
      # OpenVPN only allows with:  script-security 3
      option auth_user_pass_verify '/etc/openvpn/pass.sh via-env'

      On my VPN server the pass.sh looks like

      Shell-Script

      #!/bin/sh
      # Called by OpenVPN in "via-env" mode: the client's credentials arrive in the
      # $username and $password environment variables. Exit 0 accepts the login,
      # any other status rejects it.
      # The passwords are stored in clear text in this file, so keep it readable
      # only by the user OpenVPN runs as.
      user1="user1"
      pass1="PasswordOfUser1"
      user2="user2"
      pass2="PasswordOfUser2"
      ..................
      ..................
      test "$user1" = "${username}" && test "$pass1" = "${password}" && exit 0
      test "$user2" = "${username}" && test "$pass2" = "${password}" && exit 0
      ..................
      ..................
      # no user/password pair matched
      exit 1


      I must say that my OpenVPN server runs on my OpenWrt Barrier Breaker 14.07-rc2 TP-Link TL-WR1043N/ND v2 router, but it is Debian-like. Everything may be slightly different X(

      The post was edited 4 times, last by ppfdez.
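      As an added example, not ppfdez's script and not part of this thread: the same auth-user-pass-verify hook for "via-env" mode, but with the passwords kept as salted SHA-256 hashes in a separate credential file instead of in clear text inside the script, and with the username checked against a conservative character set before it is looked up, since the username is attacker controlled. The credential file path (/etc/openvpn/users.hash), its user:salt:hash layout and the make_entry helper are assumptions made for this example. The server side still needs `auth-user-pass-verify /etc/openvpn/pass.sh via-env` and `script-security 3`, as in the post above. Salted SHA-256 is not a slow password hash; the point here is to get the plaintext out of the script, and for anything beyond a handful of users the PAM plugin discussed in the replies is the better route.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN auth-user-pass-verify script
# for "via-env" mode. OpenVPN sets $username, $password and
# $script_type=user-pass-verify in the environment; exit 0 accepts the login.
# Server config needs:  auth-user-pass-verify /etc/openvpn/pass.sh via-env
#                       script-security 3
# Credential file (path and layout are assumptions for the example): one line
# per user, "user:salt:hex_sha256(salt+password)", mode 0600, salt without ':'.
CRED_FILE="${CRED_FILE:-/etc/openvpn/users.hash}"

hash_password() {
    # $1 = salt, $2 = password; prints the hex SHA-256 of salt+password
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

make_entry() {
    # $1 = user, $2 = salt, $3 = password; prints one credential-file line
    printf '%s:%s:%s\n' "$1" "$2" "$(hash_password "$2" "$3")"
}

verify_user() {
    # $1 = username, $2 = password, $3 = credential file; returns 0 on success
    user=$1
    pass=$2
    file=$3
    # Reject usernames outside a safe charset: they must not be able to carry
    # ':' or newlines into the lookup below
    case "$user" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    [ -r "$file" ] || return 1
    while IFS=: read -r u salt stored; do
        [ "$u" = "$user" ] || continue
        if [ "$(hash_password "$salt" "$pass")" = "$stored" ]; then
            return 0
        fi
        return 1        # first matching entry decides; no fall-through
    done < "$file"
    return 1            # unknown user
}

# Act as the verify hook only when OpenVPN is the caller; when sourced to
# generate entries or to test, the functions above are just defined.
if [ "${script_type:-}" = "user-pass-verify" ]; then
    verify_user "${username:-}" "${password:-}" "$CRED_FILE" && exit 0
    exit 1
fi
```

      To add a user, generate a random salt (for instance `head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n'`) and append the output of `make_entry user salt password` to the credential file.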

    • But openvpn comes with a PAM plugin; maybe it can work against the OMV user list.

      Pretty sure I did some testing with this last year.

      Edit:

      In the extra options

      Source Code

      # second argument = PAM service name passed to pam_start(), i.e. a file under /etc/pam.d/
      plugin /etc/openvpn/openvpn-auth-pam.so /etc/pam.d/login
      # directory for the temporary files OpenVPN hands to scripts (e.g. via-file)
      tmp-dir "/etc/openvpn/tmp/"


      The ovpn PAM plugin is located at /usr/lib/openvpn/openvpn-auth-pam.so, so you need to copy it to the openvpn folder.
      Also you need to make the temp dir and set it to 777.

      This config is on top of cert/key, so you still need them.

      The reference comes from here: slsmk.com/openvpn-with-id-and-password-authentication/

      Just did some fast testing, and it works
      New wiki
      chat support at #openmediavault@freenode IRC | Spanish & English | GMT+10
      telegram.me/openmediavault broadcast channel
      openmediavault discord server

      The post was edited 3 times, last by subzero79.

    • Awesome information subzero79!

      I banged my head last night trying to make a script which checks username/password with pwauth, until I found out that only www-data (or root) is allowed to run pwauth (which is hard-coded into pwauth). Since I did not want to re-compile pwauth, I gave up.

      The plugin method is so much easier. In the end, to sum up, the server only needs the following in the Extra field:

      Source Code

      plugin /usr/lib/openvpn/openvpn-auth-pam.so login

      (I think it also makes it more secure since nothing is written on disk, even temporarily)

      And on client side, the following needs to be added to the config file:

      Source Code

      auth-user-pass
    • Thanks to all people for the hints! It works fine now.
      I would also appreciate a checkbox.
      If you change something on the plugin, I have two other things that could be changed (which are not urgent):
      1. Add an option to route traffic from VPN to LAN (push route in openvpn, allow ip4forward in sysctl, ...)
      2. If I enter a Common Name with a space for the cert, my Android OpenVPN client couldn't load the profile. If there is an easy way, it would be nice to forbid spaces, or all special chars.


      Btw: Where could I like a post? I only see a "dislike" Button
    • Ok, the first thing doesn't work for me. The default gateway was activated, but I could only reach the VPN server itself, no other clients and so on.
      To reach the LAN from the VPN, I have to add this to the VPN server config

      Source Code

      push "route ip netmask"

      , activate IPv4 forwarding in sysctl, and in my router I have to add a static route (OK, this part couldn't be done by the plugin, but a hint or so would be nice).

      Btw: This seems to be another problem only I have :) I only see the quote, report, dislike, go to top.
    • If the Default Gateway option is checked, all network traffic of the client (including internet) will be routed to the VPN server, via the following parameter in the config file:

      Source Code

      push "redirect-gateway def1 bypass-dhcp"

      If the Default Gateway option is not checked, a route to the private network (i.e. your LAN where your NAS is located, in most cases something like 192.168.1.0/24) is pushed to the client. In this case, only the traffic to that specific network is routed to the VPN server; the remaining traffic is routed to the default gateway of the client. This is done via the following parameter in the config file:

      Source Code

      push "route 192.168.1.0 255.255.255.0"

      These are mutually exclusive, but in any case traffic from the client to the private LAN should be routed to the VPN server. And btw, whichever option you choose, IP forwarding is enabled in sysctl.

      After looking into this, it may be because the iptables NAT rules are not applied on startup (I saw an error in the openvpn mkconf script). If you start up your NAS, the iptables rules will not be applied until you make and apply a configuration modification to the openvpn plugin via the web GUI.
      Thanks to you, that's one more to the bugfix list :D
    • My actual VPN sits on top of my home router (OpenWrt). By default it forwards all traffic (def1), but in my clients I have two separate configs. The default one connects and tunnels all internet traffic; the second one annuls the def1 directive so I can only access the remote LAN resources.

      My second config (annul def1) uses the following directives after the usual ones

      Source Code

      # ignore everything the server pushes, including its redirect-gateway
      route-nopull
      redirect-gateway def1
      # four /2 routes via the local gateway are more specific than the two /1
      # routes def1 installs, so they win and nothing is tunnelled by default
      route 0.0.0.0 192.0.0.0 net_gateway
      route 64.0.0.0 192.0.0.0 net_gateway
      route 128.0.0.0 192.0.0.0 net_gateway
      route 192.0.0.0 192.0.0.0 net_gateway
      # only the remote LAN subnets go through the tunnel
      route 10.10.10.0 255.255.255.0
      route 172.22.0.0 255.255.255.0

      Those are taken from the OpenVPN doc website. So I was thinking, as an improvement, to add a checkbox to the certificate items to configure the bundle like this (no traffic redirect, and only available if the general redirect gateway is checked).

      Another improvement has to do with the bundle file (zip with certs, keys and conf), just to use a single config file (.ovpn extension) with the embedded certificates and keys like this:

      The text has been trimmed, for obvious reasons

      Source Code

      client
      dev tun
      proto udp
      remote remote 1194
      resolv-retry infinite
      nobind
      persist-key
      bla bla bla
      # inline blocks replace the ca/cert/key file directives
      <ca>
      -----BEGIN CERTIFICATE-----
      J56hgvfr43543645yujmdhjdgiaXoxFjAUBgNVBCkTDVJpY2FyZG8gQnJpdG8xHzAdBgkqhkiG
      9w0BCQEWEG1haWxAaG9zdC5kb21haW6CCQCraPrGJDLG/zAMBgNVHRMEBTADAQH/
      MA0GCSqGSIb3DQEBBQUAA4GBAGiWyWRql6/CBf8WZObsTfEby2OoXHWCTY7rwtXr
      -----END CERTIFICATE-----
      </ca>
      <cert>
      -----BEGIN CERTIFICATE-----
      MIMDdaMIGYMQswCQYDVQQGEwJDTDEL
      MAkGA1UECBMCUk0xETAPBgNVBAcTCFNhbnRpYWdvMQswCQYDVQQKEwJSQjELMAkG
      A1UECxMCU0IlL3ghdgfjetyue657356y5
      6aomXoAT/2HUFFBfOc0LgIvJugi2UwGLmmuD9KZikWA2M274bb45MQBW+gV+xm/Y
      R3i4nW21QMBIJRT3suvpAO+fN4wT
      -----END CERTIFICATE-----
      </cert>
      <key>
      -----BEGIN RSA PRIVATE KEY-----
      6KfgamaevtU4pPgNxR0TkExP0/BxArK/lWAJE4IAzrZXiSkCQQD6V8Nue6D/UIG9
      03A9j9qVzYsHz3Fmk
      -----END RSA PRIVATE KEY-----
      </key>


      In some clients just a double click will install it.
    • subzero79 wrote:

      Those are taken from the OpenVPN doc website. So I was thinking, as an improvement, to add a checkbox to the certificate items to configure the bundle like this (no traffic redirect, and only available if the general redirect gateway is checked).

      That seems pretty confusing. I'm not sure that I exactly get what you want. If the purpose is to make different client configurations that coexist with each other, I think having an extra field which can be freely populated for each certificate entry is preferable. This way it would be less confusing for the end user: one unique configuration/behaviour for each client, and the possibility for 'power users' to customize/tune a specific client. This evolution doesn't look easy from my bad-developer-skill point of view.

      subzero79 wrote:


      Another improvement has to do with the bundle file (zip with certs, keys and conf), just to use a single config file (.ovpn extension) with the embedded certificates and keys like this:
      [...]
      In some clients just a double click will install it.

      Maybe another time ;) . From a quick-look perspective, it would require quite some changes.

      On a side note, I just submitted a pull request with the following changes:

      * Fixed cannot input domain in 'DNS search domain' field
      * Fixed cannot input multiple entries separated with commas
      * Fixed log entries missing for date from 1 to 9
      * Restricted 'Common Name' field in certificate tab to alphanum
      * Fixed iptables rule not added upon boot/reboot
      * Refined iptables to remove previous rule before adding new rule
      * Added 'PAM authentication' checkbox

      We'll need to wait for the pull request to be reviewed and accepted, then wait for the plugin to be released.
    • Yes, it is a little bit confusing. Maybe leave it the way it is. I was imagining some people coming after the plugin and asking to launch another instance for traffic redirecting only, when the same can be achieved with one instance.
      The second item: take it from the point of view of someone who doesn't know anything about OpenVPN. I remember the first time I saw the certs and keys I didn't understand anything.

      The post was edited 1 time, last by subzero79.

    • Pollux wrote:

      We'll need to wait for the pull request to be reviewed and accepted, then wait for the plugin to be released.


      I think it needs a quick fix, the mkconf is pointing to a net rule in the wrong folder. The deb openvpn package installs to /etc/network/if-up.d/, so the installer should copy the files or copy them at enable.

      [Image: http://i.imgur.com/8jiPhQs.png]

      edit: in the meantime just copy the file to the folder

      And also this problem came up; I think it is the delete chain rule.
      [Image: http://i.imgur.com/11U4crb.png]

      The post was edited 1 time, last by subzero79.

    • subzero79 wrote:


      I think it needs a quick fix, the mkconf is pointing to a net rule in the wrong folder. The deb openvpn package installs to /etc/network/if-up.d/, so the installer should copy the files or copy them at enable.

      No, we create that file ourselves when the initial setup is run. Which is also the cause of the issue.

      Pollux wrote:

      I just updated the plugin on my test vm and didn't run into any issue.

      On what occasion did you get the error, upon plugin installation?

      Since we create that file, the issue is that the first time we run the setup that file doesn't exist, which in turn means that you're trying to run tail on a non-existent file. Why do we need to delete the last rule in that file (which is what you're doing, from my understanding)? I don't know, since you added it :)
    • Ok I reproduced the issue. It indeed happens on initial setup because the file is not created.

      For the story, I added that line to delete the previous iptables NAT rule because every time a change is made (and saved), the NAT rule was added, whether or not you changed the VPN subnet. For instance, if you do 10 configuration changes, you will end up with 10 iptables lines in the nat table (and it could be the same one appearing 10 times if you did not change the VPN subnet).

      As a quick fix, in the /usr/share/openmediavault/mkconf/openvpn replace the following line:

      Source Code

      iptables -t nat -D $(tail -1 ${SERVICE_IPTABLES_CONF} | cut -c20-)


      By this:

      Source Code

      if [ -f ${SERVICE_IPTABLES_CONF} ]; then
          iptables -t nat -D $(tail -1 ${SERVICE_IPTABLES_CONF} | cut -c20-)
      fi


      This should check first if the file exists before running the deletion of the iptables rule. You can also remove/comment that line and you will have the same behaviour as before (i.e. an iptables rule added every time a configuration change is made to openvpn).
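      As an added example, not the openmediavault-openvpn plugin's own mkconf code: the duplicate-rule problem Pollux describes above (one more NAT rule in the table per saved configuration) and the missing-file error on first setup both go away if the rule is applied idempotently with `iptables -C`, which returns 0 when an identical rule already exists, instead of deleting whatever the last line of a saved rules file says and re-appending. `-C` needs iptables 1.4.11 or newer. The exact rule (a POSTROUTING MASQUERADE for the VPN subnet out of the LAN interface) and the `$IPTABLES` indirection, which only exists so the binary can be swapped for a fake when testing, are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the plugin's mkconf): apply the OpenVPN NAT rule
# idempotently. "iptables -C" checks whether an identical rule exists, so
# repeated saves and reboots never stack duplicates and there is no saved
# rules file to tail. Rule shape and $IPTABLES are assumptions for the example.
IPTABLES="${IPTABLES:-iptables}"

nat_rule() {
    # $1 = iptables operation (-C check, -A append, -D delete),
    # $2 = VPN subnet (e.g. 10.8.0.0/24), $3 = outgoing interface (e.g. eth0)
    "$IPTABLES" -t nat "$1" POSTROUTING -s "$2" -o "$3" -j MASQUERADE
}

ensure_masquerade() {
    # $1 = VPN subnet, $2 = outgoing interface
    # Append the rule only when no identical rule is present yet
    if nat_rule -C "$1" "$2" 2>/dev/null; then
        return 0
    fi
    nat_rule -A "$1" "$2"
}

remove_masquerade() {
    # $1 = VPN subnet, $2 = outgoing interface
    # Delete every copy, which also cleans up duplicates left by earlier runs
    while nat_rule -C "$1" "$2" 2>/dev/null; do
        nat_rule -D "$1" "$2" || return 1
    done
    return 0
}

# Stand-alone use (hypothetical file name):
#   ./vpn-nat.sh add 10.8.0.0/24 eth0      ./vpn-nat.sh remove 10.8.0.0/24 eth0
case "${1:-}" in
    add)    ensure_masquerade "$2" "$3" ;;
    remove) remove_masquerade "$2" "$3" ;;
esac
```

      In mkconf, calling `remove_masquerade` with the previous subnet and `ensure_masquerade` with the new one replaces both the `tail`/`cut` deletion and the unconditional append, and the same `ensure_masquerade` call is safe to run from the boot-time hook.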