allanger/container-openvpn
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Activity

Merge pull request #208 from lhopki01/master

Browse Source 
Fix issue with connection resetting every hour when using otp.
This commit is contained in:
Kyle Manna 2017-01-26 22:42:04 -08:00 committed by GitHub
commit be165e209e
4 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
bin/ovpn_genconfig
View File

@ -328,6 +328,7 @@ cat $TMP_PUSH_CONFIGFILE >> "$conf"
if [ -n "${OVPN_OTP_AUTH:-}" ]; then
echo -e "\n\n# Enable OTP+PAM for user authentication" >> "$conf"
echo "plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn" >> "$conf"
echo "reneg-sec 0" >> "$conf"
fi
echo -e "\n### Extra Configurations Below" >> "$conf"

4
bin/ovpn_getclient
View File

@ -94,6 +94,10 @@ $OVPN_ADDITIONAL_CLIENT_CONFIG
if [ -n "$OVPN_COMP_LZO" ]; then
echo "comp-lzo"
fi
if [ -n "$OVPN_OTP_AUTH" ]; then
echo reneg-sec 0
fi
}
dir="$OPENVPN/clients/$cn"

6
docs/otp.md
View File

@ -11,9 +11,11 @@ and use this image to generate user configuration.
In order to enable two factor authentication the following steps are required.
* Generate server configuration with `-2` option
* Choose a more secure [cipher](https://community.openvpn.net/openvpn/wiki/SWEET32) to use because since [OpenVPN 2.3.13](https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.13) the default openvpn cipher BF-CBC will cause a renegotiated connection every 64 MB of data
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com -2
* Generate server configuration with `-2` and `-C $CIPHER` options
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com -2 -C $CIPHER
* Generate your client certificate (possibly without a password since you're using OTP)

6
test/tests/otp/run.sh
View File

@ -17,6 +17,9 @@ SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::'
# Configure server with two factor authentication
docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_genconfig -u udp://$SERV_IP -2
# Ensure reneg-sec 0 in server config when two factor is enabled
docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG cat /etc/openvpn/openvpn.conf | grep 'reneg-sec 0' || abort 'reneg-sec not set to 0 in server config'
# nopass is insecure
docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass
@ -40,6 +43,9 @@ echo -e "$OTP_USER\n$OTP_TOKEN" > $CLIENT_DIR/credentials.txt
# Override the auth-user-pass directive to use a credentials file
docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_getclient $CLIENT | sed 's/auth-user-pass/auth-user-pass \/client\/credentials.txt/' | tee $CLIENT_DIR/config.ovpn
# Ensure reneg-sec 0 in client config when two factor is enabled
grep 'reneg-sec 0' $CLIENT_DIR/config.ovpn || abort 'reneg-sec not set to 0 in client config'
#
# Fire up the server
#