@rechner
Last active May 7, 2024 18:27
FreeIPA setup for OpenVPN logins

This article proved to be a decent starting point, but I was particularly interested in allowing password-based logins to OpenVPN using a username/password backed by FreeIPA (as opposed to client certificates) as the identity provider.

  • IPA-join your VPN machine: `ipa-client-install --mkhomedir`
  • Get a Kerberos ticket: `kinit`
  • Create a Kerberos service principal and an HBAC rule for OpenVPN access:

```
ipa service-add openvpn/`hostname`
```

  • Create a new hbacrule in the console, mark the host as the VPN host, and add whatever group you want to restrict access to:

```
rechner@production:~$ ipa hbacrule-show allow_openvpn
Rule name: allow_openvpn
Description: Allowed access to VPN access on vpn.example.net
Enabled: TRUE
User Groups: vpn, admins
Hosts: vpn.example.net
Services: openvpn
```

  • Create this script and make it executable as /usr/local/sbin/set-ssl-permissions (certmonger runs it after saving the certificate):

```bash
#!/bin/bash
chmod 400 /etc/openvpn/server_freeipa.crt
chmod 400 /etc/openvpn/server_freeipa.key
```

  • Request a server certificate from the IPA CA:

```
sudo ipa-getcert request -K openvpn/`hostname` -k /etc/openvpn/server_freeipa.key -f /etc/openvpn/server_freeipa.crt -I openvpn -C /usr/local/sbin/set-ssl-permissions
```

  • Check that it worked with `sudo ipa-getcert list`.
  • Create the PAM configuration, /etc/pam.d/openvpn:

```
@include common-auth
@include common-account
@include common-session
```

  • Configure /etc/openvpn/server.conf appropriately. Here are the key configuration values:

```
ca /etc/ipa/ca.crt
cert server_freeipa.crt
key server_freeipa.key

client-cert-not-required
username-as-common-name
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn"
```

  • Restart OpenVPN and test. For more verbose logging or troubleshooting, set `verb 7` in server.conf.
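To sanity-check a server.conf and the /etc/pam.d/openvpn file against the steps above, here is an added Python linter (my example, not part of the gist): it looks for the directives this setup relies on, flags `client-cert-not-required` because OpenVPN 2.4 deprecated it in favour of `verify-client-cert none`, checks that the private key is mode 0400, and checks that the PAM service pulls in an account stack, since SSSD enforces HBAC in the account phase rather than the auth phase.

```python
"""Lint server.conf and the PAM service file for the FreeIPA password-login setup."""
import shlex
import stat

# Directives this setup relies on.
REQUIRED = ("ca", "cert", "key", "username-as-common-name", "plugin")
# OpenVPN 2.4 deprecated this directive in favour of "verify-client-cert none".
DEPRECATED = {"client-cert-not-required": "verify-client-cert none"}


def parse_conf(text):
    """Return {directive: [args]}; comments and blank lines are skipped and a
    repeated directive keeps its last value (enough for the checks below)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            words = shlex.split(line)  # handles the quoted "openvpn" plugin arg
            conf[words[0]] = words[1:]
    return conf


def lint_server_conf(text, key_mode=None):
    """Return findings (empty list means the config looks sane). key_mode is the
    st_mode of the private key if the caller stat()ed it, so /etc is never touched."""
    conf = parse_conf(text)
    findings = [f"missing directive: {d}" for d in REQUIRED if d not in conf]
    for old, new in DEPRECATED.items():
        if old in conf:
            findings.append(f"{old} is deprecated; use '{new}'")
    plugin = conf.get("plugin", [])
    if plugin and "openvpn-plugin-auth-pam.so" not in plugin[0]:
        findings.append("plugin is not openvpn-plugin-auth-pam.so; PAM logins will not work")
    elif plugin and len(plugin) < 2:
        findings.append("auth-pam plugin needs the PAM service name as its argument")
    if key_mode is not None and stat.S_IMODE(key_mode) & 0o077:
        findings.append("private key is group/world accessible; expected mode 0400")
    return findings


def lint_pam_service(text):
    """SSSD enforces HBAC in the PAM account phase, so the service file needs an
    account stack (common-account on Debian/Ubuntu) and not only an auth stack."""
    lines = [w for w in (ln.split() for ln in text.splitlines()) if w and not w[0].startswith("#")]

    def has(phase):
        return any(w[0] == phase or w[:2] == ["@include", f"common-{phase}"] for w in lines)

    findings = []
    if not has("auth"):
        findings.append("no auth stack: passwords will never be checked")
    if not has("account"):
        findings.append("no account stack: HBAC rules will not be enforced")
    return findings
```

Run it against the real files with `lint_server_conf(open("/etc/openvpn/server.conf").read(), os.stat("/etc/openvpn/server_freeipa.key").st_mode)` and `lint_pam_service(open("/etc/pam.d/openvpn").read())`; any non-empty list is something to fix before exposing the VPN.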
@rrotondo

Any update on this?
