On Saturday 10 September 2005 6:28 am, Morten Christensen wrote:
> Dimitri Yioulos wrote on 09-09-2005 14:47:
> > Many thanks to you and to Charles for your responses. I now have dual
> > authentication working! I will certainly investigate using radius, as
> > I'm a security paranoid.
> >
> > Thanks, again.
> >
> > Dimitri
> >
> > On Thursday 08 September 2005 9:37 pm, Ed Wallig wrote:
> >> Hi Dimitri,
> >>
> >> Here's a good starting place - it uses RADIUS for user authentication.
> >> In my case, I'm using it in conjunction w/ IAS / Active Directory.
> >>
> >> http://openvpn.net/archive/openvpn-users/2005-04/msg00003.html
> >>
> >>
> >> Dimitri Yioulos <dyioulos@xxxxxxxxxxxxx> wrote:
> >>
> >> But, I think I'd like to implement dual authentication - ssl certs and
> >> user login.
>
> Could you make a description of how you made the setup, for the rest of
> us wanting to do the same thing?

Happy to, but will also suggest reading the How-to.

In case I haven't mentioned it previously, my OpenVPN server sits in a DMZ.
I also have an iptables firewall/gateway. Our PDC is a Win2k3 server (only
Win server out of eight, I'm happy to say!). With that said:

Firstly, winbind, but not smb, is enabled on the OpenVPN server, as a means
of getting user uname and password from Win2k3 ADS.

Next, the following directive is added to server.conf:

    plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login

(obviously, find the location of your own openvpn-auth-pam.so)

I am pushing DNS and WINS to the clients. I'm not 100% sure if this is
necessary or not.

Then, add the following directive in client.conf (or, in my case,
client.ovpn, as I'm using OpenVPN GUI):

    auth-user-pass

I added the following route to my gateway:

    -net ovpnnetworkipaddr netmask 255.255.255.0 gw ovpnserverinsideipaddr

That's about it. Pretty simple, really. Let me know if it works for you.

Dimitri

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
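
The setup described in the message above only gives dual authentication if both factors stay enforced, so here is an added example (not part of the original post or of the OpenVPN project) that audits a server/client config pair for that. It goes beyond the post by also flagging `client-cert-not-required` and `verify-client-cert none/optional`, which the post does not mention; the file names and sample configs are constructed.

```shell
#!/bin/sh
# Added example: audit an OpenVPN config pair for certificate + login auth.

# has_directive FILE NAME: true if NAME is an active (uncommented) directive.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# check_dual_auth SERVER_CONF CLIENT_CONF: prints findings, returns their count.
check_dual_auth() {
    srv=$1; cli=$2; findings=0
    # Factor 1 (certificate): the server must not waive client certificates.
    if has_directive "$srv" client-cert-not-required ||
       grep -Eq '^[[:space:]]*verify-client-cert[[:space:]]+(none|optional)' "$srv"; then
        echo "FAIL: server waives client certificates (password-only login)"
        findings=$((findings + 1))
    fi
    # Factor 2 (login): the PAM plugin from the post must be loaded.
    if ! grep -Eq '^[[:space:]]*plugin[[:space:]]+[^[:space:]]*openvpn-auth-pam\.so' "$srv"; then
        echo "FAIL: server does not load openvpn-auth-pam.so"
        findings=$((findings + 1))
    fi
    # Client: must prompt for credentials and present a certificate and key.
    # (Inline <cert>/<key> blocks are not recognised by this simple check.)
    for d in auth-user-pass cert key; do
        if ! has_directive "$cli" "$d"; then
            echo "FAIL: client config lacks '$d'"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ] && echo "OK: certificate and login are both required"
    return "$findings"
}

# write_samples DIR: constructed sample configs, one good pair and two weak ones.
write_samples() {
    dir=$1
    printf '%s\n' 'ca ca.crt' 'cert server.crt' 'key server.key' \
        'plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login' \
        > "$dir/server.conf"
    printf '%s\n' 'client' 'ca ca.crt' 'cert client.crt' 'key client.key' \
        'auth-user-pass' > "$dir/client.ovpn"
    # Weak: PAM login is present, but the certificate factor is waived.
    { cat "$dir/server.conf"; echo 'client-cert-not-required'; } \
        > "$dir/server-weak.conf"
    # Weak: the client never asks for a username and password.
    grep -v '^auth-user-pass' "$dir/client.ovpn" > "$dir/client-nopass.ovpn"
}
```

Source the file and call `check_dual_auth` with the paths of your own server.conf and client config; the return status is the number of findings.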