Enabling two-factor authentication on OpenVPN with VyOS


#1

I currently have an OpenVPN configuration on my VyOS router (config below). It’s using certificate-based authentication, which I insist on continuing to use. I’d like to enable 2FA (two-factor authentication) using TOTP (time-based one-time password algorithm), such as Google Authenticator (but not limited to GA—any app that supports the TOTP standard would work). I recently enabled TOTP 2FA for certain SSH-accessible servers not protected by my VPN, and it works great.

I found a tutorial for 2FA with OpenVPN (http://joepaetzel.com/2014/05/20/enable-multi-factor-authentication-for-openvpn/), but it’s a standalone install, not within VyOS. So, my questions:

  • Is there any built-in support for using OpenVPN’s 2FA features?
  • If there is no built-in support and I install software (some of which I may need to compile on the VyOS machine) to support it, how is my install and config going to be affected by reboots and upgrades?
  • Are there any other recommendations and/or guidelines I should follow?

interfaces {
    bridge br0 {
        address 172.16.122.1/24
        aging 300
        hello-time 2
        max-age 20
        priority 0
        stp false
    }
    ethernet eth0 {
        *** public facing interface omitted for security reasons ***
    }
    ethernet eth1 {
        bridge-group {
            bridge br0
        }
        duplex auto
        hw-id 00:14:d1:20:0d:e8
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.122.254/24
        duplex auto
        hw-id 00:14:d1:20:0c:6c
        smp_affinity auto
        speed auto
    }
    openvpn vtun0 {
        bridge-group {
            bridge br0
        }
        mode server
        openvpn-option "--comp-lzo --push route-delay 10 --push route 192.168.122.0 255.255.255.0 172.16.122.1 --push dhcp-option DOMAIN nickhq.com"
        server {
            name-server 172.16.122.1
            subnet 172.16.122.0/24
            topology subnet
        }
        tls {
            ca-cert-file /config/auth/openvpn/keys/ca.crt
            cert-file /config/auth/openvpn/keys/server.crt
            dh-file /config/auth/openvpn/keys/dh1024.pem
            key-file /config/auth/openvpn/keys/server.key
        }
    }
}


#2

You read my mind - I fiddled with having LDAP + cert auth, but that’s a poor substitute for TOTP/HOTP, etc.

Historically the only “turnkey” 2-factor OpenVPN setup was with their commercial release, which ends up involving a seat license. That’s all good and well, but it doesn’t help community folks.

I’m guessing it’s possible, since it’s just Debian under the hood and should be able to take openvpn modules. What would really be nice is to be able to integrate it with the vyos configuration syntax.

I see RADIUS on the list, but maybe 2-factor will eventually work its way in:

http://vyos.net/wiki/Proposed_enhancements


#3

Update - I got it to work with Duo (www.duosecurity.com) Push. Not half bad, though there’s some concern in that the OpenVPN on the appliance is older and doesn’t support reneg-sec 0.

It also requires compiling the Duo auth module, so I’d suggest making a burner VyOS to install the compiler and do it in, since this is a Terrible Idea otherwise :)


#4

Very nice - I recently got on board with Duo and was most impressed with how polished their soft-2FA solution is, and the documentation for the many different systems they support. Good to hear you got it working with VyOS - it would be nice to support it out of the box with CLI support in VyOS to make it run. Could you document what you did to get it working in further detail?


#5

Certainly! I’ll abbreviate a bit since I had the help of two wonderful tutorials. First things first, get a basic certificate-based openvpn setup going on your VyOS box:

http://jasonschaefer.com/openvpn-on-vyos/

That should get you running with single-factor authentication.

Next, you’ll want to start up a Duo Security Integration. Duo Security is a nice 2-factor product that allows you to authenticate via push to a phone, SMS, or rotating codes. It’s free for up to 10 users, so perfect for a home or small workgroup.

A Duo Integration is basically an instance that uses Duo’s second-factor auth, such as SSH, VPN, etc. You’ll modify the configuration to call out to Duo’s servers for authentication - don’t worry, it’s just an extra configuration line (I’ll get to that in a sec). First, here are the Duo Integration instructions for OpenVPN:

A couple of caveats regarding their instructions:

  1. You will have to compile their plugin on a VyOS box. Since I’m guessing nobody wants to install a C compiler on their VyOS instance (and Bad Things Happen when you apt-get upgrade), I suggest standing up a VM with VyOS to compile, copying out the .so file (and scripts) it creates, and moving them to your production VyOS instance. I would post the .so and scripts myself, but I’m pretty sure that’s a copyright no-no (plus you’ll want the latest version).

  2. Where it says you “don’t have to enter anything for username”, ignore them. You DO, but it doesn’t matter. So you could log in as user test, password push or user bobthesillysnail, password push, it doesn’t matter. All you want is for it to send a push request for authentication. (or you can enter a code, or “sms” etc).

  3. Do not, DO NOT forget to set reneg-sec to a large value server-side. The version of openvpn on VyOS is a bit older, so it doesn’t understand setting it to “0”.


Ok, with those out of the way, you should have a basic OpenVPN install and a freshly compiled Duo .so file with scripts. Here are the config changes you need:

set interfaces openvpn vtun0 openvpn-option '--script-security 2'
set interfaces openvpn vtun0 openvpn-option '--reneg-sec 36000'
set interfaces openvpn vtun0 openvpn-option '--plugin /opt/duo/duo_openvpn.so <duo ID> <duo key> some-api-alias.duosecurity.com'
set interfaces openvpn vtun0 openvpn-option 'comp-lzo'

- I chose 36000 seconds, about 10 hours, for the timeout.
- You can probably set more. The Duo ID/key/API alias come from your own account’s Duo integration.
- I set comp-lzo. Whatever you do, make sure you set it the same on both client and server.
- If you’re having weird crypto problems, try manually specifying it:

set interfaces openvpn vtun0 encryption 'aes128'

Client:

Make sure this is either 0 or a large value (newer versions of openVPN should be able to handle 0).

It should work from here! The only things that generally trip me up are making sure the connection MTU, encryption settings, and lzo compression settings match.

Once you have it running, you have your very own 2-factor VPN! You could probably also do this for Yubikey as well, or any number of Multi-factor plugins, provided they compile with Squeeze.
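Added example, not from the post above or from VyOS/Duo: the poster's route is Duo's compiled `--plugin`, but the same `--script-security 2` setting also enables OpenVPN's standard `--auth-user-pass-verify <script> via-file` hook, which is the usual way to bolt an open TOTP (RFC 6238) second factor onto an existing certificate-based server, as the original question asked. OpenVPN writes the username and password to a temp file, runs the script with that file's path, and accepts the client only if the script exits 0; the client certificate is still verified by OpenVPN itself, so this is an additional factor, not a replacement. The secrets file path and its "user BASE32SECRET" line format, the per-user replay-state directory, and the username pattern are assumptions made for this example; the secret used in the test is the RFC 4226/6238 test-vector key, not a real one. The script targets Python 3 and shows the verification logic; the Squeeze-era appliance discussed in the thread would need it adapted or run elsewhere.

```python
#!/usr/bin/env python3
"""TOTP second-factor check for OpenVPN's --auth-user-pass-verify (via-file mode).

OpenVPN invokes the script with one argument: a temp file whose first line is
the username and whose second line is the password (here, the 6-digit TOTP
code). Exit status 0 accepts the connection; anything else rejects it. The
client certificate is still checked by OpenVPN, so this adds a second factor.
"""
import base64
import hashlib
import hmac
import os
import re
import struct
import sys
import time

# Hypothetical paths chosen for this example (not VyOS or OpenVPN defaults).
SECRETS_FILE = "/config/auth/openvpn/totp-secrets"  # "user BASE32SECRET" per line, mode 0600
STATE_DIR = "/var/run/openvpn-totp"                 # last accepted counter per user

STEP = 30        # RFC 6238 time step in seconds
DIGITS = 6
WINDOW = 1       # also accept the previous and next step to absorb clock skew
USER_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")   # usernames become file names below
CODE_RE = re.compile(r"[0-9]{%d}" % DIGITS)


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, code, now, last_counter=-1):
    """Return the time-step counter whose code matched, or None.

    Every candidate in [-WINDOW, +WINDOW] is compared with hmac.compare_digest,
    and counters at or below last_counter are skipped so a code that was
    already accepted (or captured) cannot be replayed within its window.
    """
    if not CODE_RE.fullmatch(code):
        return None
    raw = secret_b32.strip()
    secret = base64.b32decode(raw + "=" * (-len(raw) % 8), casefold=True)
    base = int(now) // STEP
    matched = None
    for ctr in range(base - WINDOW, base + WINDOW + 1):
        if ctr > last_counter and hmac.compare_digest(hotp(secret, ctr), code):
            matched = ctr
    return matched


def parse_via_file(text):
    """Split OpenVPN's via-file contents into (username, password)."""
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("via-file must contain a username line and a password line")
    return lines[0].strip(), lines[1].strip()


def parse_secrets(lines):
    """Parse 'user BASE32SECRET' lines; blank lines and '#' comments are ignored."""
    secrets = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, secret = line.split(None, 1)
        secrets[user] = secret.strip()
    return secrets


def main(argv):
    if len(argv) != 2:
        return 1
    try:
        with open(argv[1]) as fh:
            user, code = parse_via_file(fh.read())
        with open(SECRETS_FILE) as fh:
            secrets = parse_secrets(fh)
    except (OSError, ValueError):
        return 1
    # Reject odd usernames before one is used as a path component.
    if not USER_RE.fullmatch(user) or user not in secrets:
        return 1
    state_path = os.path.join(STATE_DIR, user)
    last = -1
    if os.path.exists(state_path):
        with open(state_path) as fh:
            last = int(fh.read().strip() or -1)
    matched = verify_totp(secrets[user], code, time.time(), last)
    if matched is None:
        return 1
    os.makedirs(STATE_DIR, mode=0o700, exist_ok=True)
    with open(state_path, "w") as fh:
        fh.write(str(matched))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wiring it in follows the same pattern as the Duo lines above: an `openvpn-option '--auth-user-pass-verify /config/scripts/totp-verify.py via-file'` next to the existing `--script-security 2`, and `auth-user-pass` in the client config so the user is prompted for a name and the current code. The secrets file holds shared TOTP seeds, so it must be readable by the OpenVPN process only, and the router clock has to be NTP-synced or every code will fall outside the window. The replay state lives under /var/run here, so it does not survive a reboot; a code issued right before a reboot could be accepted once more within its 30-second window, which is the trade-off for not writing to /config on every login.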


#6

Can you please share how you made it work with LDAP?
I’m struggling to make it work; I’d greatly appreciate your reply.

