allanger/container-openvpn
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Activity

Merge pull request #208 from lhopki01/master

Browse Source 
Fix issue with connection resetting every hour when using otp.
This commit is contained in:
Kyle Manna 2017-01-26 22:42:04 -08:00 committed by GitHub
commit be165e209e
4 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
bin/ovpn_genconfig
View File

@ -328,6 +328,7 @@ cat $TMP_PUSH_CONFIGFILE >> "$conf"
if [ -n "${OVPN_OTP_AUTH:-}" ]; then if [ -n "${OVPN_OTP_AUTH:-}" ]; then
echo -e "\n\n# Enable OTP+PAM for user authentication" >> "$conf" echo -e "\n\n# Enable OTP+PAM for user authentication" >> "$conf"
echo "plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn" >> "$conf" echo "plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn" >> "$conf"
echo "reneg-sec 0" >> "$conf"
fi fi
echo -e "\n### Extra Configurations Below" >> "$conf" echo -e "\n### Extra Configurations Below" >> "$conf"

4
bin/ovpn_getclient
View File

@ -94,6 +94,10 @@ $OVPN_ADDITIONAL_CLIENT_CONFIG
if [ -n "$OVPN_COMP_LZO" ]; then if [ -n "$OVPN_COMP_LZO" ]; then
echo "comp-lzo" echo "comp-lzo"
fi fi
if [ -n "$OVPN_OTP_AUTH" ]; then
echo reneg-sec 0
fi
} }
dir="$OPENVPN/clients/$cn" dir="$OPENVPN/clients/$cn"

6
docs/otp.md
View File

@ -11,9 +11,11 @@ and use this image to generate user configuration.
In order to enable two factor authentication the following steps are required. In order to enable two factor authentication the following steps are required.
* Generate server configuration with `-2` option * Choose a more secure [cipher](https://community.openvpn.net/openvpn/wiki/SWEET32) to use because since [OpenVPN 2.3.13](https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.13) the default openvpn cipher BF-CBC will cause a renegotiated connection every 64 MB of data
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com -2 * Generate server configuration with `-2` and `-C $CIPHER` options
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com -2 -C $CIPHER
* Generate your client certificate (possibly without a password since you're using OTP) * Generate your client certificate (possibly without a password since you're using OTP)

6
test/tests/otp/run.sh
View File

@ -17,6 +17,9 @@ SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::'
# Configure server with two factor authentication # Configure server with two factor authentication
docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_genconfig -u udp://$SERV_IP -2 docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_genconfig -u udp://$SERV_IP -2
# Ensure reneg-sec 0 in server config when two factor is enabled
docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG cat /etc/openvpn/openvpn.conf | grep 'reneg-sec 0' || abort 'reneg-sec not set to 0 in server config'
# nopass is insecure # nopass is insecure
docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass
@ -40,6 +43,9 @@ echo -e "$OTP_USER\n$OTP_TOKEN" > $CLIENT_DIR/credentials.txt
# Override the auth-user-pass directive to use a credentials file # Override the auth-user-pass directive to use a credentials file
docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_getclient $CLIENT | sed 's/auth-user-pass/auth-user-pass \/client\/credentials.txt/' | tee $CLIENT_DIR/config.ovpn docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_getclient $CLIENT | sed 's/auth-user-pass/auth-user-pass \/client\/credentials.txt/' | tee $CLIENT_DIR/config.ovpn
# Ensure reneg-sec 0 in client config when two factor is enabled
grep 'reneg-sec 0' $CLIENT_DIR/config.ovpn || abort 'reneg-sec not set to 0 in client config'
# #
# Fire up the server # Fire up the server
# #