Skip to content

Instantly share code, notes, and snippets.

@rechner

rechner/freeipa-openvpn.md

Last active May 7, 2024 18:27
Show Gist options
  • Save rechner/c6b9133b7816445b5850f8e22e16aa60 to your computer and use it in GitHub Desktop.
Save rechner/c6b9133b7816445b5850f8e22e16aa60 to your computer and use it in GitHub Desktop.
Download ZIP
FreeIPA setup for OpenVPN logins
Raw
freeipa-openvpn.md

This article proved to be a decent starting point, but I was particularly interested in allowing password-based logins to OpenVPN using a username/password backed by FreeIPA (opposed to client certificates) as the identity provider.

  • IPA join your VPN machine: ipa-client-install --mkhomedir
  • Get a kerberos ticket: kinit
  • Create a Kerberos service principle and HBAC rule for openvpn access:
ipa service-add openvpn/`hostname`
  • Create new hbacrule in console, mark host as the VPN host, and whatever group you want to restrict access to:
rechner@production:~$ ipa hbacrule-show allow_openvpn
Rule name: allow_openvpn
Description: Allowed access to VPN access on vpn.example.net
Enabled: TRUE
User Groups: vpn, admins
Hosts: vpn.example.net
Services: openvpn
  • Make this script + make executable in /usr/local/sbin/set-ssl-permissions:
#!/bin/bash
chmod 400 /etc/openvpn/server_freeipa.crt 
chmod 400 /etc/openvpn/server_freeipa.key
  • Request a server certificate from IPA CA:
sudo ipa-getcert request -K openvpn/`hostname` -k /etc/openvpn/server_freeipa.key -f /etc/openvpn/server_freeipa.crt -I openvpn -C /usr/local/sbin/set-ssl-permissions
  • Check that worked with sudo ipa-getcert list.
  • Create PAM configuration, /etc/pam.d/openvpn:
@include common-auth
@include common-account
@include common-session
  • Configure /etc/openvpn/server.conf apropriately. Here's the key configuration values:
ca /etc/ipa/ca.crt
cert server_freeipa.crt
key server_freeipa.key

client-cert-not-required
username-as-common-name
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn"
  • Restart OpenVPN and test. For more verbose logging or troubleshooting, set verb 7 in server.conf
@tin6150
Copy link

tin6150 commented Feb 12, 2022

thx for posting this, it helped me :D

@totkapf
Copy link

totkapf commented Jan 20, 2023
edited
Loading

Thanks a lot.
I've stucked at
@include common-auth
@include common-account
@include common-session
It's rathe weird.

So if I make /etc/pam.d/openvpn with
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Than can login in only with passwod but OTP isn't working.

@rrotondo
Copy link

Any update on this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment