How to Use OpenVPN and PrivacyIDEA to establish two-factor authentication Remote Access

Source: Internet
Author: User
Tags: perl, script, rsa, securid, freeradius


For companies, letting employees reach the company's IT resources from home or on business trips through a VPN remote access system has become common practice. However, weak password hygiene among employees, together with attackers' use of social-engineering credential databases, often gives attackers a convenient way in. Two-factor authentication is very effective at strengthening password verification. Many such identity authentication systems exist today; the best known is the security identity authentication system provided by RSA.

RSA provides a complete identity authentication solution. In particular, the RSA SecurID two-factor identity authentication solution has become a de facto standard in this field and is widely trusted in the information security community for its ease of implementation, maturity, and reliability. RSA has a wide range of products: in addition to traditional hardware token devices, it also offers soft tokens for smart devices, which is very convenient.


However, for small and medium enterprises, the cost of using commercial identity authentication solutions such as RSA is high. The lack of IT budget often limits enterprises' choice of two-factor solutions.

The Google Authenticator project is a software implementation that generates one-time passwords on multiple mobile platforms, and it also includes a pluggable authentication module (PAM) implementation. It generates one-time passwords according to the open standards of the Initiative for Open Authentication (OATH, not to be confused with OAuth), supporting the HMAC-based one-time password (HOTP) algorithm defined in RFC 4226 and the time-based one-time password (TOTP) algorithm defined in RFC 6238.

With the maturity of Google Authenticator, combining OpenVPN with a two-factor authentication system makes it possible to build a secure remote access system entirely from open-source software.

OpenVPN is free, open-source software for creating encrypted Virtual Private Network (VPN) tunnels. With OpenVPN you can easily build a private network channel, similar to a LAN, between different network access sites such as home, the office, and a hotel room.

Google Authenticator has long been used through PAM to provide two-factor authentication. However, management and maintenance are cumbersome and not intuitive: the user must have a system account, and changing a PIN or generating a new token requires logging on to the system and running commands. This makes the accounts awkward to use and introduces potential security risks each time someone logs on to the system. Administrators also cannot reuse the company's existing account system; they have to create and maintain a separate set of accounts on the authentication host.

PrivacyIDEA is a modular authentication server. It can be used to strengthen local logon, VPN, remote access, SSH connections, and access to websites or portals with a second factor, improving the security of existing applications. It was originally built around OTP (one-time password) tokens and used as an OTP server for authentication devices, but it can also handle other kinds of "devices" such as SSH keys and X.509 certificates. It runs on Linux and is completely open source.

PrivacyIDEA has a friendly management interface: both administrator tasks and user self-service can be completed easily on the web. PrivacyIDEA can read users from local files, from databases, and from LDAP, so it is very convenient to connect it to the company's existing account system.


PrivacyIDEA's HOTP and TOTP tokens are compatible with Google Authenticator, so it is very convenient to use the Google Authenticator app on a smartphone as the token.

PrivacyIDEA offers three ways to integrate with OpenVPN. First, use the privacyidea_pam.py PAM module: OpenVPN uses PAM authentication, and PAM calls privacyidea_pam.py, which verifies the credentials against PrivacyIDEA. Second, integrate OpenVPN directly with FreeRADIUS: OpenVPN uses RADIUS authentication, and FreeRADIUS authenticates against PrivacyIDEA. Third, use the RADIUS PAM module in OpenVPN.

I. Solution Principle

We use the second method: OpenVPN + FreeRADIUS + PrivacyIDEA. This solution is easy to troubleshoot and is the most versatile.

Schematic:

[Figure: authentication flow between the OpenVPN client, OpenVPN server, FreeRADIUS and PrivacyIDEA]

First, the remote user initiates a VPN connection and supplies the authentication information. OpenVPN forwards the user's credentials to FreeRADIUS for authentication. FreeRADIUS then uses a Perl script to ask PrivacyIDEA whether the credentials are correct. PrivacyIDEA returns the verification result to FreeRADIUS, and FreeRADIUS returns the authentication result to OpenVPN. Finally, OpenVPN acts on the result: if authentication succeeds the tunnel is established; if it fails the connection is dropped and a failure message is returned.

II. Software installation and configuration

The steps below were carried out on Ubuntu Server 14.04.

1. Install and manage PrivacyIDEA

1.1 System time

TOTP is a time-based one-time password: the token code is derived from the current time, so whether the clocks agree directly decides whether authentication succeeds or fails. The clock on the terminal (the mobile phone) and on the PrivacyIDEA system must therefore be synchronized.

Set the local time zone and enable the ntp service.

1.2 Add the PrivacyIDEA source

Add the repository with a command, or write it directly into /etc/apt/sources.list.

    # add-apt-repository ppa:privacyidea/privacyidea

Or edit /etc/apt/sources.list (vi /etc/apt/sources.list) and add the repository:

    deb http://ppa.launchpad.net/privacyidea/privacyidea/ubuntu trusty main
    deb-src http://ppa.launchpad.net/privacyidea/privacyidea/ubuntu trusty main

Refresh the package lists: apt-get update.

1.3 Install PrivacyIDEA

    # apt-get install privacyidea-apache2

The installation also pulls in the dependency packages and generates the certificates used by the web interface.

Create a PrivacyIDEA system administrator:

    # pi-manage admin add ideauser -e ideauser@gmail.com

The default management page is https://<your_local_ip>; log on to the web interface there to manage the system.

After the installation is complete, you can log on to the management interface to manage PrivacyIDEA.

Some interface screenshots:

[Figure: PrivacyIDEA web management interface]

2. Install and configure FreeRADIUS

PrivacyIDEA provides its own build of FreeRADIUS in which part of the FreeRADIUS configuration has already been done. You can also install stock FreeRADIUS and configure it yourself. We installed the PrivacyIDEA build.

2.1 Install privacyidea-radius

    # apt-get install privacyidea-radius

FreeRADIUS is configured to use a Perl program as its authentication type; the Perl program and PrivacyIDEA exchange authentication requests over HTTP POST.

The default Perl program is /usr/share/privacyidea/freeradius/privacyidea_radius.pm.

You can inspect this in the FreeRADIUS configuration.

2.2 Configure FreeRADIUS

Configure the RADIUS clients file:

    # vim /etc/freeradius/clients.conf

By default the local machine (127.0.0.1) is defined as a RADIUS client. If other devices need to talk to the RADIUS server, add them to clients.conf as well.

After the installation is complete, first check that the RADIUS service itself works before moving on.

3. Install and configure OpenVPN

3.1 Install easy-rsa (to simplify certificate generation) and OpenVPN

    # apt-get install easy-rsa
    # apt-get install openvpn

3.2 Generate the certificates

Edit the vars file:

    cd /usr/share/easy-rsa/2.0/
    vim vars

Modify the certificate information:

    export KEY_COUNTRY="CN"
    export KEY_PROVINCE="BeiJing"
    export KEY_CITY="BeiJing"
    export KEY_ORG="NetOps"
    export KEY_EMAIL="netops@netops.com"
    export KEY_OU="netops"

Load the environment variables:

    source vars

Generate the root certificate and key, the server certificate and key, the Diffie-Hellman parameters, and the ta.key file:

    ./clean-all
    ./build-ca
    ./build-key-server OpenVPN
    ./build-dh
    openvpn --genkey --secret keys/ta.key

The generated certificate files are placed in the keys directory below the current directory. Note that the name passed to build-key-server determines the file names (keys/<name>.crt and keys/<name>.key), so use the same name in the server configuration's cert and key lines.

3.3 Configure OpenVPN

Copy a sample server configuration file to /etc/openvpn:

    cp /usr/share/doc/openvpn-2.3.2/sample-config-files/server.conf /etc/openvpn/

(On the Ubuntu package the sample files live under /usr/share/doc/openvpn/examples/sample-config-files/, where server.conf is gzipped; unpack it after copying.)

Edit the configuration file. Adjust the protocol, subnet, certificate and key paths, pushed routes, DNS and so on as needed. For example:

    port 1194
    proto tcp
    dev tun
    ca /usr/share/easy-rsa/2.0/keys/ca.crt
    cert /usr/share/easy-rsa/2.0/keys/server.crt
    key /usr/share/easy-rsa/2.0/keys/server.key
    dh /usr/share/easy-rsa/2.0/keys/dh2048.pem
    server 192.168.10.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "route 10.0.0.0 255.0.0.0"
    push "dhcp-option DNS 10.10.10.10"
    keepalive 10 120
    tls-auth /usr/share/easy-rsa/2.0/keys/ta.key 0
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    log openvpn.log
    log-append openvpn.log
    verb 5

Start OpenVPN and check that it comes up without errors.

3.4 Configure packet forwarding and the firewall

3.4.1 Enable packet forwarding

    # echo "1" > /proc/sys/net/ipv4/ip_forward
    # vim /etc/sysctl.conf
    net.ipv4.ip_forward = 1

3.4.2 Configure the firewall

    # iptables -I INPUT -p tcp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
    # iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE

Remember to save the iptables rules and restore them at boot.

4. Install Radiusplugin

Radiusplugin is an OpenVPN plugin that adds RADIUS authentication.

Download the radiusplugin source package from http://www.nongnu.org.

4.1 Install gcc, g++ and libgcrypt

    # apt-get install gcc g++ libgcrypt11

Compiling against libgcrypt also needs its development headers (the libgcrypt11-dev package on Ubuntu 14.04); install it if make fails with a missing gcrypt.h.

4.2 Compile Radiusplugin

Unpack the archive, change into the directory, and build it with the make command.

4.3 Configure Radiusplugin

Copy the radiusplugin.cnf and radiusplugin.so files from the build directory to /etc/openvpn.

Edit the radiusplugin.cnf file:

    # vim radiusplugin.cnf
    server
    {
        acctport=1813
        authport=1812
        name=127.0.0.1
        retry=1
        wait=1
        sharedsecret=testing123
    }

The sharedsecret must match the secret configured for this client in the FreeRADIUS clients.conf.

5. Modify the OpenVPN configuration file again

Edit the OpenVPN server configuration so that clients authenticate with a username and password, which OpenVPN verifies through RADIUS:

5.1 Edit the configuration file server.conf

    # vim /etc/openvpn/server.conf
    client-cert-not-required
    username-as-common-name
    plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf

Note that client-cert-not-required drops the per-client certificate check, so the tls-auth key plus the username, PIN and one-time password are all that protect the tunnel; keep ta.key as tightly controlled as a credential.

6. Restart the services and test

6.1 Restart the services

    /etc/init.d/radiusd restart
    /etc/init.d/openvpn restart

On Ubuntu the FreeRADIUS init script is named freeradius rather than radiusd (/etc/init.d/freeradius restart).

6.2 Configure the OpenVPN client

Install the OpenVPN client. Copy the root certificate ca.crt and the ta.key file into the config directory of the OpenVPN installation, then create the client xx.ovpn file.

Its contents are as follows:

    client
    dev tun
    proto tcp
    remote <your_ip_address> 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    ns-cert-type server
    tls-auth ta.key 1
    comp-lzo
    verb 3
    auth-user-pass

Note: on Windows the client must be started with administrator privileges; otherwise the routes pushed by the VPN are not added. If you use several VPN services, put each service's ca.crt, ta.key and xx.ovpn files together in their own subdirectory under config.

6.3 Test

For more information about how to use PrivacyIDEA, see the official documentation or <PrivacyIDEA Management>.

It is recommended to test in three steps:

  1. Check that the PrivacyIDEA service is running normally and that token authentication succeeds.
  2. Check that the RADIUS service is working and that RADIUS authenticates successfully against PrivacyIDEA.
  3. Check that OpenVPN authentication succeeds.

The error messages at each step tell you where the problem lies, so it can be fixed in isolation.

Install Google Authenticator on your smartphone and generate a QR code for the token in PrivacyIDEA. Then open Google Authenticator and scan the code to add the account. You will see the token code change every 30 seconds. Then, on the PrivacyIDEA [Tokens] page, test whether the token PIN and token code are accepted. As follows:

[Figure: testing a token's PIN and OTP on the PrivacyIDEA Tokens page]
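The clock-synchronization requirement from section 1.1 and the 30-second rotation observed above both follow from how TOTP is built on HOTP. The following added example (not code from the article, PrivacyIDEA or Google Authenticator) implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library and then simulates a phone whose clock is ahead of or behind the server, showing which offsets a server with a one-step tolerance window still accepts. The seed is the 20-byte secret from the RFC test vectors, written in base32 as Google Authenticator would read it from a QR code; the server time and window size are constructed values.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample seed: the 20-byte ASCII secret from the RFC 4226/6238 test
# vectors, written the way Google Authenticator imports it (base32 in the QR code).
SAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_SEED = base64.b32decode(SAMPLE_SEED_B32)  # == b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the
    epoch. With step=30 this is why the code on the phone changes every 30 seconds."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, candidate: str, unix_time: int,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Server-side check. Besides the current step, `window` steps on either side are
    accepted so a few seconds of clock difference do not lock the user out."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    counter = unix_time // step
    for delta in range(-window, window + 1):
        if counter + delta < 0:
            continue
        if hmac.compare_digest(hotp(seed, counter + delta, digits), candidate):
            return True
    return False


def phone_accepted(seed: bytes, skew_seconds: int, server_time: int = 1_700_000_000,
                   step: int = 30, window: int = 1) -> bool:
    """Simulate a phone whose clock is `skew_seconds` ahead of (negative: behind) the
    server: generate the code on the phone's clock, verify it on the server's clock.
    server_time is a constructed value that falls 20 s into a 30 s step."""
    phone_code = totp(seed, server_time + skew_seconds, step)
    return verify_totp(seed, phone_code, server_time, step, window)


if __name__ == "__main__":
    print("HOTP counters 0..2:", [hotp(SAMPLE_SEED, c) for c in range(3)])
    for skew in (0, 20, -25, 45, 120):
        print(f"phone clock off by {skew:4d}s -> accepted: {phone_accepted(SAMPLE_SEED, skew)}")
```

Because the server time used here sits 20 seconds into a step, a phone running 20 seconds fast already produces next step's code and is only accepted thanks to the tolerance window, while 45 seconds of skew is rejected; widening the window buys more tolerance at the cost of more codes being valid at once, which is why keeping NTP running on the PrivacyIDEA host is the better fix.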
Run the radtest command to check that FreeRADIUS and PrivacyIDEA work together. You can also start FreeRADIUS in debug mode to watch the exchange while troubleshooting.
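What radtest and the radiusplugin actually put on the wire, and why the shared secret in radiusplugin.cnf must equal the secret in clients.conf (section 4.3), is easiest to see by building the RADIUS Access-Request by hand. The following added example (not code from the article, FreeRADIUS or radiusplugin) builds an RFC 2865 Access-Request with the User-Password attribute hidden under the shared secret, parses it the way the server would, and shows that a server configured with a different secret recovers garbage instead of the password. The two configuration fragments, the user name and the PIN+OTP string are constructed values; the packet is only built in memory, not sent.

```python
import hashlib
import os
import re
import struct

# Constructed configuration fragments mirroring the two files the article edits.
# radiusplugin's "sharedsecret" and the client's "secret" in clients.conf must be
# the same string, or FreeRADIUS cannot recover the password the plugin sent.
RADIUSPLUGIN_CNF = """\
server
{
    acctport=1813
    authport=1812
    name=127.0.0.1
    retry=1
    wait=1
    sharedsecret=testing123
}
"""
CLIENTS_CONF = """\
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
"""

ACCESS_REQUEST = 1                          # RADIUS code, RFC 2865 section 4.1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types


def secret_from(config: str, key: str) -> bytes:
    """Pull `key = value` (or `key=value`) out of a config fragment."""
    m = re.search(r"^\s*%s\s*=\s*(\S+)" % re.escape(key), config, re.M)
    if not m:
        raise ValueError("no %s in config" % key)
    return m.group(1).encode()


def secrets_match(plugin_cnf: str, clients_conf: str) -> bool:
    """The consistency check the article asks for in section 4.3."""
    return secret_from(plugin_cnf, "sharedsecret") == secret_from(clients_conf, "secret")


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server recovers (padding NULs stripped); with the wrong
    secret every MD5 key differs and the result is garbage."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("BB", atype, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, authenticator: bytes = None) -> bytes:
    """Access-Request as radiusplugin or radtest would send it to 127.0.0.1:1812."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes([127, 0, 0, 1])))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV list that follows the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def server_view(packet: bytes, secret: bytes) -> tuple:
    """(username, password) as a server configured with `secret` would see them."""
    attrs = parse_attributes(packet)
    return attrs[USER_NAME].decode(), reveal_password(attrs[USER_PASSWORD], secret, packet[4:20])


if __name__ == "__main__":
    secret = secret_from(RADIUSPLUGIN_CNF, "sharedsecret")
    pkt = build_access_request(1, "alice", "1234567890", secret)   # constructed PIN+OTP
    print("secrets match:", secrets_match(RADIUSPLUGIN_CNF, CLIENTS_CONF))
    print("right secret:", server_view(pkt, secret))
    print("wrong secret:", server_view(pkt, b"wrongsecret"))
```

A mismatched secret therefore does not show up as a clear "bad secret" error on the plugin side: FreeRADIUS simply sees a wrong password and replies Access-Reject, which is why section 4.3's check belongs at the top of the troubleshooting list. The hiding scheme is only MD5-based obfuscation, so the shared secret should be long and random and the RADIUS traffic kept on the loopback or a trusted network, as the article's 127.0.0.1 setup does.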

Use the OpenVPN client to check that authentication succeeds. If anything goes wrong, consult the OpenVPN log.

Note: on CentOS, Radiusplugin sometimes fails to build because of version mismatches; compiling it against a different version usually resolves this.

If you install stock FreeRADIUS instead of the PrivacyIDEA build, you must first download the privacyidea_radius.pm file, set it up as the FreeRADIUS authentication type in Perl, and adjust the FreeRADIUS configuration accordingly. Remember that the configuration layout of FreeRADIUS 2.x differs from that of 3.x.

About the Author


Xiao Lei graduated from Xi'an University of Posts and Telecommunications in 2014. He is now a network engineer of  and is responsible for office networks, wireless networks, and VPN. He enjoys network and linux technologies.
