New Member
Posts: 9
Registered: ‎11-16-2016

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

OK, I've gone through the steps in this setup and ran across a few issues.

When I tried to create the second UDP interface it reported that 1194 was already in use and wouldn't let me commit.


Nov 15 20:56:20 ubnt openvpn[17999]: Diffie-Hellman initialized with 2048 bit key
Nov 15 20:56:20 ubnt openvpn[17999]: Deprecated TLS cipher name 'DHE-RSA-AES256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
Nov 15 20:56:20 ubnt openvpn[17999]: Control Channel Authentication: using '/config/auth/openvpn/keys/ta.key' as a OpenVPN static key file
Nov 15 20:56:20 ubnt openvpn[17999]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 15 20:56:20 ubnt openvpn[17999]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 15 20:56:20 ubnt openvpn[17999]: Socket Buffers: R=[294912->131072] S=[294912->131072]
Nov 15 20:56:20 ubnt openvpn[17999]: TCP/UDP: Socket bind failed on local address [AF_INET]192.168.2.1:1194: Address already in use
Nov 15 20:56:20 ubnt openvpn[17999]: Exiting due to fatal error


I changed the UDP port to a different number and that seemed to work fine.  I am still having an issue connecting through VPN though.  I think it may be my firewall settings, but here is the log I get from Viscosity:


Nov 15 22:56:13: Viscosity Mac 1.6.7b4 (1362)
Nov 15 22:56:13: Viscosity OpenVPN Engine Started
Nov 15 22:56:13: Running on Mac OS X 10.12.1
Nov 15 22:56:13: ---------
Nov 15 22:56:13: Checking reachability status of connection...
Nov 15 22:56:13: Connection is reachable. Starting connection attempt.
Nov 15 22:56:14: OpenVPN 2.3.12 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Sep 27 2016
Nov 15 22:56:14: library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Nov 15 22:56:31: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 15 22:56:31: Deprecated TLS cipher name 'DHE-RSA-AES256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
Nov 15 22:56:31: Control Channel Authentication: using '/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/connection.UTEQkL/ta.key' as a OpenVPN static key file
Nov 15 22:56:31: Attempting to establish TCP connection with [AF_INET]X.X.X.X:443 [nonblock]
Nov 15 22:56:31: TCP: connect to [AF_INET]X.X.X.X:443 failed, will try again in 5 seconds: Can't assign requested address

Finally here are my firewall and port settings.  Maybe someone can spot the error?

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name allow-all-6 {
        default-action accept
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            protocol ipv6-icmp
        }
    }
    ipv6-name allow-est-drop-inv-6 {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            protocol ipv6-icmp
        }
    }
    ipv6-name lan-local-6 {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            protocol ipv6-icmp
        }
        rule 200 {
            action accept
            description "Allow HTTP/HTTPS"
            destination {
                port 80,443,8443
            }
            protocol tcp
        }
        rule 600 {
            action accept
            description "Allow DNS"
            destination {
                port 53
            }
            protocol tcp_udp
        }
        rule 700 {
            action accept
            description "Allow DHCP"
            destination {
                port 67,68
            }
            protocol udp
        }
        rule 800 {
            action accept
            description "Allow SSH"
            destination {
                port 22
            }
            protocol tcp
        }
    }
    ipv6-name wan-local-6 {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 50 {
            action accept
            description "Allow OpenVPN connections"
            destination {
                port 443
            }
            protocol tcp_udp
        }
        rule 100 {
            action accept
            protocol ipv6-icmp
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name allow-all {
        default-action accept
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name allow-est-drop-inv {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name lan-local {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            protocol icmp
        }
        rule 200 {
            action accept
            description "Allow HTTP/HTTPS"
            destination {
                port 80,443,8443
            }
            protocol tcp
        }
        rule 600 {
            action accept
            description "Allow DNS"
            destination {
                port 53
            }
            protocol tcp_udp
        }
        rule 700 {
            action accept
            description "Allow DHCP"
            destination {
                port 67,68
            }
            protocol udp
        }
        rule 800 {
            action accept
            description "Allow SSH"
            destination {
                port 22
            }
            protocol tcp
        }
    }
    name wan-local {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 5 {
            action accept
            description "Allow OpenVPN"
            destination {
                port 1215
            }
            log disable
            protocol tcp_udp
        }
        rule 10 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        speed auto
    }
    ethernet eth1 {
        address 192.168.2.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.3.1/24
        description "Local 2"
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        local-port 1215
        mode server
        openvpn-option --tls-server
        openvpn-option --comp-lzo
        openvpn-option "--user nobody --group nogroup"
        openvpn-option --persist-key
        openvpn-option --persist-tun
        openvpn-option --persist-local-ip
        openvpn-option --persist-remote-ip
        openvpn-option "--keepalive 8 30"
        openvpn-option "--verb 3"
        openvpn-option --client-to-client
        openvpn-option "--ifconfig-pool-persist /config/auth/openvpn/vtun0-ipp.txt"
        openvpn-option "--push redirect-gateway def1"
        openvpn-option "--push dhcp-option DNS 192.168.2.1"
        openvpn-option "--push route 192.168.2.0 255.255.255.0"
        openvpn-option "--tls-auth /config/auth/openvpn/keys/ta.key 0"
        server {
            subnet 10.7.91.0/24
        }
        tls {
            ca-cert-file /config/auth/openvpn/keys/ca.crt
            cert-file /config/auth/openvpn/keys/server.crt
            dh-file /config/auth/openvpn/keys/dh2048.pem
            key-file /config/auth/openvpn/keys/server.key
        }
    }
    openvpn vtun1 {
        local-host 192.168.2.1
        local-port 1215
        mode server
        openvpn-option --tls-server
        openvpn-option --comp-lzo
        openvpn-option "--user nobody --group nogroup"
        openvpn-option --persist-key
        openvpn-option --persist-tun
        openvpn-option --persist-local-ip
        openvpn-option --persist-remote-ip
        openvpn-option "--keepalive 8 30"
        openvpn-option "--verb 3"
        openvpn-option --client-to-client
        openvpn-option "--ifconfig-pool-persist /config/auth/openvpn/vtun1_ipp.txt"
        openvpn-option "--push redirect-gateway def1"
        openvpn-option "--push dhcp-option DNS 192.168.2.1"
        openvpn-option "--cipher AES-256-CBC"
        openvpn-option --float
        openvpn-option "--tls-auth /config/auth/openvpn/keys/ta.key 0"
        openvpn-option "--tls-cipher DHE-RSA-AES256-SHA"
        protocol udp
        server {
            subnet 10.8.91.0/24
        }
        tls {
            ca-cert-file /config/auth/openvpn/keys/ca.crt
            cert-file /config/auth/openvpn/keys/server.crt
            dh-file /config/auth/openvpn/keys/dh2048.pem
            key-file /config/auth/openvpn/keys/server.key
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    rule 1 {
        description plex
        forward-to {
            address 192.168.2.103
            port 32400
        }
        original-port 32400
        protocol tcp_udp
    }
    rule 6 {
        description "OpenVPN TCP"
        forward-to {
            address 192.168.2.1
            port 1215
        }
        original-port 443
        protocol tcp
    }
    rule 7 {
        description "OpenVPN UDP"
        forward-to {
            address 192.168.2.1
            port 1215
        }
        original-port 1215
        protocol udp
    }
    wan-interface eth0
}

I tried to use a zone-based firewall policy, which confuses things somewhat.  Here's the policy:

zone-policy {
    zone LAN {
        default-action drop
        from WAN {
            firewall {
                ipv6-name wan-local-6
                name wan-local
            }
        }
        from local {
            firewall {
                ipv6-name allow-all-6
                name allow-all
            }
        }
        interface eth1
    }
    zone WAN {
        default-action drop
        from LAN {
            firewall {
                ipv6-name allow-all-6
                name allow-all
            }
        }
        from local {
            firewall {
                ipv6-name allow-all-6
                name allow-all
            }
        }
        interface eth0
    }
    zone local {
        default-action drop
        from LAN {
            firewall {
                ipv6-name lan-local-6
                name lan-local
            }
        }
        from WAN {
            firewall {
                ipv6-name wan-local-6
                name wan-local
            }
        }
        local-zone
    }
}

Any help is greatly appreciated.  I've tried all kinds of changes to make this work with no luck.  

New Member
Posts: 1
Registered: ‎01-03-2017

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

Has anyone tried to make this work on the USGs?  I'm looking at implementing one, and if I can add 2FA to it, it makes it an easy win with the management team.

I'm just curious, as the USG has OpenVPN integrated already, how this would work out.


Thanks

New Member
Posts: 1
Registered: ‎06-17-2017

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

Hi and thanks for an excellent guide.

I did however encounter a few hiccups.

At least on Android, I have to go to the OpenVPN Connect settings and check "Force AES-CBC ciphersuites" for it to authenticate properly. Android also seems to import the CA certificate properly, so that section in the profile can be omitted (but you also state it is for iOS, so consider this just "bonus knowledge").

It also seems that you forgot to add

set interfaces openvpn vtun1 openvpn-option '--plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn'

to your UDP "condensed" guide. This is rather important, as your suggested settings for UDP currently allow users to log in using only certificates.


Cheers! / Patrick
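
An added check that ties together two issues raised above: the "Address already in use" bind failure from the first post in this thread, and Patrick's point that a UDP interface configured without the PAM plugin option accepts a certificate alone. This is example code written for this page, not part of the guide, EdgeOS or OpenVPN. It parses a constructed, condensed copy of the posted vtun0/vtun1 blocks (parse() handles the brace format generically, so the output of show configuration can be fed to it) and reports server interfaces whose sockets would collide, and interfaces whose openvpn-option list never loads openvpn-auth-pam.so. Assumed rather than stated on the page: EdgeOS treats a missing protocol node as udp, a missing local-port as 1194, and a missing local-host as every address; pass default_proto="tcp" to audit() if your firmware behaves differently.

```python
"""Audit an EdgeOS-style config for OpenVPN listener collisions and servers
that never load the PAM plugin. Added example; assumptions: protocol defaults
to udp, local-port to 1194, and an absent local-host binds every address."""
PAM_PLUGIN = "openvpn-auth-pam.so"

# Constructed sample: condensed copy of the posted vtun0/vtun1 blocks, both on
# local-port 1215, with the PAM plugin option present only on vtun0.
SAMPLE_CONFIG = """
interfaces {
    openvpn vtun0 {
        local-port 1215
        mode server
        openvpn-option --tls-server
        openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn"
    }
    openvpn vtun1 {
        local-host 192.168.2.1
        local-port 1215
        mode server
        openvpn-option --tls-server
        protocol udp
    }
}
"""


def parse(text):
    """Nested dicts from the brace format; a key repeated in a block becomes a list."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            value = value.strip().strip('"')
            node = stack[-1]
            if key in node:  # e.g. several openvpn-option lines in one block
                node[key] = node[key] if isinstance(node[key], list) else [node[key]]
                node[key].append(value)
            else:
                node[key] = value
    return root


def openvpn_servers(cfg, default_proto="udp"):
    """vtun name -> proto/bind/port/options for every 'mode server' interface."""
    servers = {}
    for name, node in cfg.get("interfaces", {}).items():
        if name.startswith("openvpn ") and node.get("mode") == "server":
            proto = node.get("protocol", default_proto)  # assumption: udp when absent
            opts = node.get("openvpn-option", [])
            servers[name.split()[1]] = {
                "proto": "tcp" if proto.startswith("tcp") else "udp",
                "bind": node.get("local-host", "0.0.0.0"),
                "port": int(node.get("local-port", 1194)),
                "options": opts if isinstance(opts, list) else [opts],
            }
    return servers


def bind_conflicts(servers):
    """Pairs that fail with EADDRINUSE: same proto and port, and either the
    same address or one side bound to all addresses."""
    names, out = sorted(servers), []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            sa, sb = servers[a], servers[b]
            same_sock = (sa["proto"], sa["port"]) == (sb["proto"], sb["port"])
            overlap = sa["bind"] == sb["bind"] or "0.0.0.0" in (sa["bind"], sb["bind"])
            if same_sock and overlap:
                out.append((a, b, sa["proto"], sa["port"]))
    return out


def without_pam(servers):
    """Servers whose options never load the PAM plugin: a valid certificate
    alone is enough to connect, so there is no second factor."""
    return sorted(n for n, s in servers.items()
                  if not any(PAM_PLUGIN in o for o in s["options"]))


def audit(text, default_proto="udp"):
    """Run both checks and return the findings keyed by type."""
    servers = openvpn_servers(parse(text), default_proto)
    return {"bind_conflicts": bind_conflicts(servers),
            "without_pam": without_pam(servers)}


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_CONFIG).items():
        print(f"{finding}: {items}")
```

On the sample, audit() reports vtun0 and vtun1 colliding on udp/1215 (vtun1 binds 192.168.2.1 while vtun0 binds every address, so the kernel refuses the second bind, which is the error in the log above) and lists vtun1 as the interface with no PAM plugin. To run it on a real router, paste the output of show configuration into SAMPLE_CONFIG or read the file and call audit() on it.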

New Member
Posts: 14
Registered: ‎04-21-2016

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

I am going to have a go at this over the weekend.


Should I use the version of Google Authenticator that has been linked to in the tutorial, i.e.


http://ftp.us.debian.org/debian/pool/main/g/google-authenticator/libpam-google-authenticator_20130529-2_mips.deb

Or should I use the latest version


http://ftp.us.debian.org/debian/pool/main/g/google-authenticator/libpam-google-authenticator_20170702-1_mips.deb

New Member
Posts: 16
Registered: ‎09-12-2015
Kudos: 1
Solutions: 1

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

If you install the old version, you can use "sudo apt-get install --only-upgrade libpam-google-authenticator" at the command line to upgrade the package.  Newer version works fine for me.

New Member
Posts: 1
Registered: ‎06-13-2014

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

Hello everyone! First of all, I wish you all the best for this year!


Tested with ER5 on 1.9.7+h4 and it works great on iOS (443/1194). Just one thing that I don't understand: it is about importing the certificate into the keychain to add hardware security.

According to this tutorial, we need to send the .p12 via mail and install it in the iPhone's settings.

The problem is that on iOS 11 the OpenVPN app does not recognize the cert, so the connection with the server can't be established. I think it's only on iOS 11 that third-party apps can't read profiles in the settings.

I found an answer in the official OpenVPN FAQ: I renamed the .p12 to .ovpn12 and opened that file directly from the OpenVPN app.


And it works!

Is it the same security level? Do you guys have any other ideas? Cheers!

Regular Member
Posts: 554
Registered: ‎11-19-2012
Kudos: 294
Solutions: 6

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

Guys, interested to know: would installing this 3rd-party Google Authenticator package make it more likely that the USB key in the EdgeRouter will fail? Is it particularly 'writey'?

New Member
Posts: 14
Registered: ‎02-17-2018
Kudos: 2

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

This seems like the best place for this, so...


I recently upgraded the FW on my ERL and of course the VPN broke.  I documented the steps to get it back up and running, which hopefully will help others.  It's basically just a subset of the things the OP has in his initial posts.


sudo -i

apt-get update

apt-get install libqrencode3

cd /config/downloaded-packages

dpkg -i libpam-google-authenticator_20170702-1_mips.deb

cd /etc/pam.d/

cp common-account openvpn

vi openvpn 

    add the following line to the file
    auth required pam_google_authenticator.so

Then you need to restore your .google_authenticator files for each user you set up an account for.  Luckily, they get stored in the old image (i.e. the one the ERL keeps around in case you have to revert to the old version due to issues)


So, for each user, you need to do the following:

cp /root.dev/w.o/home/<username>/.google_authenticator /home/<username>/.

chown <username> /home/<username>/.google_authenticator

chgrp users /home/<username>/.google_authenticator

I did have to restart OpenVPN after that to get it to recognize the PAM update, but everything worked fine after that.
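
An added example, not part of the PAM module or this guide, for checking a restored .google_authenticator file offline before trusting it for VPN logins. It parses the file in the layout pam_google_authenticator writes (base32 secret on the first line, option lines beginning with a double quote, then one-time scratch codes), computes the TOTP code as RFC 6238 specifies (HMAC-SHA1, 30-second step, 6 digits), applies WINDOW_SIZE (the module's default of 3 accepts one step either side of the current one) and DISALLOW_REUSE (the module appends each accepted step to that line), and consumes scratch codes. The sample file is constructed; its secret is the RFC 6238 test key, so the expected codes are the published test vectors. The file ownership and mode from the post above still have to be right for the real module; this script only checks the contents.

```python
"""Verify a Google Authenticator code against a ~/.google_authenticator file
offline: TOTP per RFC 6238 (HMAC-SHA1, 30 s step, 6 digits), the WINDOW_SIZE
and DISALLOW_REUSE options, and one-time scratch codes. Added example, not the
PAM module's own code."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample in the layout pam_google_authenticator writes: line 1 the
# base32 secret, lines starting with '" ' options, the rest scratch codes.
# The secret is the RFC 6238 test key, so the expected codes are published.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
11111111
22222222
"""


def parse_ga_file(text):
    """Return {'secret', 'options': {name: [args]}, 'scratch': [codes]}."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    state = {"secret": lines[0], "options": {}, "scratch": []}
    for line in lines[1:]:
        if line.startswith('"'):
            name, *args = line[1:].split()
            state["options"][name] = args
        else:
            state["scratch"].append(line)
    return state


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix time / step)."""
    return hotp(secret_b32, int(now) // step, digits)


def verify(state, code, now, step=30):
    """Accept a TOTP code inside WINDOW_SIZE steps centred on now, refusing a
    step already listed under DISALLOW_REUSE, or else an unused scratch code,
    which is consumed. Mutates state as the module rewrites the file.
    Returns (ok, reason)."""
    code = code.strip()
    opts = state["options"]
    window = int(opts.get("WINDOW_SIZE", ["3"])[0])
    used = opts.get("DISALLOW_REUSE")  # None when reuse is allowed
    base = int(now) // step
    for off in range(-(window // 2), window // 2 + 1):
        step_no = base + off
        if step_no < 0:
            continue
        if hmac.compare_digest(hotp(state["secret"], step_no), code):
            if used is not None:
                if str(step_no) in used:
                    return False, "code already used"
                used.append(str(step_no))
            return True, f"totp (offset {off})"
    if code in state["scratch"]:
        state["scratch"].remove(code)
        return True, "scratch code consumed"
    return False, "no match"


def serialize(state):
    """Write the state back in the file layout (secret, options, scratch codes)."""
    lines = [state["secret"]]
    lines += ['" ' + " ".join([n] + a) for n, a in state["options"].items()]
    lines += state["scratch"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    st = parse_ga_file(SAMPLE_FILE)
    now = time.time()
    print("current code:", totp(st["secret"], now))
    print(verify(st, totp(st["secret"], now), now))
```

To check a real file, read it into parse_ga_file() and compare totp() at the current time against the code shown by the app on the phone; a mismatch with a correct secret usually means the router's clock is off, which is also what the PAM module will see.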

New Member
Posts: 5
Registered: ‎08-04-2017

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

Thank you so much for your guide! Also, thanks to everyone else who commented with fixes as updates changed things.

I had to make several additional changes to the other comments here (or maybe I missed it). Hopefully this will help anyone else who is setting this up:

* I had to add another export option to vars:

echo "export KEY_ALTNAMES=***CUSTOMIZE***" >> ./vars

* I had to set '--reneg-sec 0' in the *server* options as well as in the *.ovpn - I read online that you must set it in both places in order to disable it, and that was my experience as well - I kept being forced to go through two-factor again every hour or so until I made this change.

set interfaces openvpn vtun0 openvpn-option '--reneg-sec 0'
set interfaces openvpn vtun1 openvpn-option '--reneg-sec 0'

In one case, I was wanting to use an EdgeRouter as a standalone OpenVPN server (instead of also as a router). For that, I just changed all references to eth0 to switch0, and forwarded 443 tcp and 1194 udp from the main firewall on to the EdgeRouter (which, in switch mode, had its management IP set to a normal IP on the LAN). Worked fine.

Additionally, I also made some other changes so that cases where the client and server sides both have the same subnet could still work. To pull that off I:

* created two DNAT rules to redirect traffic from vtun0 + vtun1 that is targeting an obscure 10.XXX.XXX.0/24 "Dest Address" and translating it to the real local LAN's subnet.

* set up a "route 10.XXX.XXX.123 255.255.255.255" line in the *.ovpn file for a user whose desktop PC is really something like 192.168.1.123 ... (though of course, specifying .0 and .0 would work fine in the case when access to an entire subnet is necessary/desired)

* commented out all the route push statements in the server options

* (and in the case where the openvpn server wasn't the actual router, I added a persistent route on the PC in question (route -p add ....) to inform the PC about what gateway to use to respond to incoming openvpn traffic.)


With this setup, I'm able to allow access to specific network resources through openvpn, even with colliding subnets, without exposing any more of the network than is necessary. The client could mess about with their routing table, of course, but I think it's still a good safety measure.

New Member
Posts: 4
Registered: ‎09-19-2018

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

Hello,
Thank you for this useful post!
I have an issue regarding access rights on the certificates, like /config/auth/openvpn/keys.
What rights do you have?
When I'm in configure mode I don't have sufficient permissions on this folder tree...

New Member
Posts: 2
Registered: Thursday

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

I am having problems installing the libqrencode3.  I get the following error and don't know what to do next. Can someone help me?


root@PromEdgeMax:~# apt-get install libqrencode3
Reading package lists... Done
Building dependency tree... Done
Package libqrencode3 is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

New Member
Posts: 14
Registered: ‎02-17-2018
Kudos: 2

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste


@kcprom wrote:

I am having problems installing the libqrencode3.  I get the following error and don't know what to do next. Can someone help me?


root@PromEdgeMax:~# apt-get install libqrencode3
Reading package lists... Done
Building dependency tree... Done
Package libqrencode3 is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source


Did you do an apt-get update as root beforehand?

New Member
Posts: 2
Registered: Thursday

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

First item: many thanks for being helpful, as I am a true newbie and not well versed in Linux.


I re-ran the apt-get update, taking care that I was root.  Here is what I got as error messages:


root@PromEdgeMax:/home/adminuser# apt-get update
Reading package lists... Done
root@PromEdgeMax:/home/adminuser# apt-get install libqrencode3
Reading package lists... Done
Building dependency tree... Done
Package libqrencode3 is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package 'libqrencode3' has no installation candidate
I think the above verifies I am operating from root, but please advise if that is not the case.
Please advise next troubleshooting step.


New Member
Posts: 1
Registered: ‎05-11-2017

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

I did 


configure

set system package repository wheezy components 'main contrib non-free'

set system package repository wheezy distribution wheezy

set system package repository wheezy url http://http.us.debian.org/debian

commit ; save

sudo apt-get update

apt-get install libqrencode3


Then for Google Authenticator I used the mipsel version because of an error I got during install.


curl -O http://ftp.us.debian.org/debian/pool/main/g/google-authenticator/libpam-google-authenticator_20130529-2_mipsel.deb


I still don't have the whole setup working, my google authentication code is not being accepted as the password.  Let me know how it works out for you.
