Merge pull request #208 from lhopki01/master
Fix issue with connection resetting every hour when using otp.
commit
be165e209e
@ -328,6 +328,7 @@ cat $TMP_PUSH_CONFIGFILE >> "$conf"
if [ -n "${OVPN_OTP_AUTH:-}" ]; then
if [ -n "${OVPN_OTP_AUTH:-}" ]; then
echo -e "\n\n# Enable OTP+PAM for user authentication" >> "$conf"
echo -e "\n\n# Enable OTP+PAM for user authentication" >> "$conf"
echo "plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn" >> "$conf"
echo "plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn" >> "$conf"
echo "reneg-sec 0" >> "$conf"
fi
fi
echo -e "\n### Extra Configurations Below" >> "$conf"
echo -e "\n### Extra Configurations Below" >> "$conf"
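Review bot: The added `echo "reneg-sec 0" >> "$conf"` switches off periodic TLS renegotiation on the server altogether, which also stops the hourly data-channel re-keying for the lifetime of every session, not only the PAM/OTP re-prompt the commit title is about; that trade-off belongs in a comment next to the line, e.g. `# OTP cannot be re-entered on renegotiation; reneg-sec 0 disables it (and the periodic re-keying it provides)`. If the image's OpenVPN is 2.4 or newer, `auth-gen-token` on the server would keep renegotiation and re-keying while letting the client re-authenticate with a server-issued session token instead of a fresh OTP, so that is worth checking before settling on 0 — the version is not visible from this hunk. The surrounding configuration script continues outside the hunk.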
@ -94,6 +94,10 @@ $OVPN_ADDITIONAL_CLIENT_CONFIG
if [ -n "$OVPN_COMP_LZO" ]; then
if [ -n "$OVPN_COMP_LZO" ]; then
echo "comp-lzo"
echo "comp-lzo"
fi
fi
if [ -n "$OVPN_OTP_AUTH" ]; then
echo reneg-sec 0
fi
}
}
dir="$OPENVPN/clients/$cn"
dir="$OPENVPN/clients/$cn"
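Review bot: `echo reneg-sec 0` leaves its argument unquoted while the neighbouring `echo "comp-lzo"` quotes it; for consistency write `echo "reneg-sec 0"`. The bigger concern is that client configs generated before this change keep OpenVPN's default reneg-sec (3600 s) and, as far as I know, renegotiation is started by whichever peer's timer expires first, so those clients will still reset hourly despite the server-side change — OTP users should be told to regenerate their client config, which neither the PR description nor the docs hunk mentions. Only the closing `}` of the enclosing function is visible; its definition starts before this hunk.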
@ -11,9 +11,11 @@ and use this image to generate user configuration.
In order to enable two factor authentication the following steps are required.
In order to enable two factor authentication the following steps are required.
* Generate server configuration with `-2` option
* Choose a more secure [cipher](https://community.openvpn.net/openvpn/wiki/SWEET32) to use because since [OpenVPN 2.3.13](https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.13) the default openvpn cipher BF-CBC will cause a renegotiated connection every 64 MB of data
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com -2
* Generate server configuration with `-2` and `-C $CIPHER` options
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com -2 -C $CIPHER
* Generate your client certificate (possibly without a password since you're using OTP)
* Generate your client certificate (possibly without a password since you're using OTP)
@ -17,6 +17,9 @@ SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::'
# Configure server with two factor authentication
# Configure server with two factor authentication
docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_genconfig -u udp://$SERV_IP -2
docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_genconfig -u udp://$SERV_IP -2
# Ensure reneg-sec 0 in server config when two factor is enabled
docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG cat /etc/openvpn/openvpn.conf | grep 'reneg-sec 0' || abort 'reneg-sec not set to 0 in server config'
# nopass is insecure
# nopass is insecure
docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass
docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass
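Review bot: The new assertion's `grep 'reneg-sec 0'` is an unanchored substring match, so a commented-out `# reneg-sec 0` would satisfy it and the matched line is echoed into the test log; `grep -qx 'reneg-sec 0'` (or `grep -q '^reneg-sec 0$'`) checks for an uncommented, exact directive. It also only shows that the directive is present somewhere in the file: the generator appends an `### Extra Configurations Below` section after it, and if OpenVPN honours the last occurrence of a single-valued option (worth confirming), a later `reneg-sec` there would win without this check noticing.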
@ -40,6 +43,9 @@ echo -e "$OTP_USER\n$OTP_TOKEN" > $CLIENT_DIR/credentials.txt
# Override the auth-user-pass directive to use a credentials file
# Override the auth-user-pass directive to use a credentials file
docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_getclient $CLIENT | sed 's/auth-user-pass/auth-user-pass \/client\/credentials.txt/' | tee $CLIENT_DIR/config.ovpn
docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_getclient $CLIENT | sed 's/auth-user-pass/auth-user-pass \/client\/credentials.txt/' | tee $CLIENT_DIR/config.ovpn
# Ensure reneg-sec 0 in client config when two factor is enabled
grep 'reneg-sec 0' $CLIENT_DIR/config.ovpn || abort 'reneg-sec not set to 0 in client config'
#
#
# Fire up the server
# Fire up the server
#
#
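Review bot: The client-side check `grep 'reneg-sec 0' $CLIENT_DIR/config.ovpn` leaves the path unquoted and accepts a commented-out or partially matching line; `grep -qx 'reneg-sec 0' "$CLIENT_DIR/config.ovpn" || abort 'reneg-sec not set to 0 in client config'` pins the exact directive and is quiet on success. Because the config was just rewritten by the `sed` on the line above, the check only proves the generator emitted the directive, not that the hourly reset is gone in a running session — the comment `# Ensure reneg-sec 0 in client config when two factor is enabled` is accurate about that limited scope and should stay that way. Note this runs before the server is started, so OVPN_OTP_AUTH must already be set in the data volume for the assertion to be meaningful.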