How to use OpenVPN and privacyIDEA to build two-factor authentication for remote access

Add Date: 2018-11-21

For companies, VPN remote access that lets staff reach internal IT resources from home or while travelling has become standard. But employees' password hygiene is often weak, and attackers reuse credentials leaked from other sites (the "social engineering database" attacks), so a password-only VPN frequently hands the attacker a convenient way in. Adding a second factor is a very effective way to strengthen password authentication. The best-known commercial product in this area is RSA's authentication system.

RSA offers a complete authentication solution; RSA SecurID two-factor authentication in particular has become the de facto standard in this field. It is easy to deploy, mature and reliable, and widely trusted in the information security community. RSA's product range is broad: besides the traditional hardware token there are soft tokens for smartphones, which are very convenient.

For small and medium-sized companies, however, a commercial RSA deployment is expensive, and a restricted IT budget often rules a two-factor scheme out altogether.

The Google Authenticator project provides one-time-password generator apps for several mobile platforms together with a Pluggable Authentication Module (PAM) implementation. The codes follow the open standards of the Initiative for Open Authentication (OATH, not to be confused with OAuth): RFC 4226 defines the HMAC-based one-time password algorithm (HOTP), and RFC 6238 defines the time-based one-time password algorithm (TOTP).

Now that google-authenticator is mature, it can be combined with OpenVPN into a two-factor authentication system, so a secure remote-access system built entirely from open source software is possible.

OpenVPN is free and open source software for creating encrypted Virtual Private Network tunnels. With OpenVPN you can easily link home, office, hotels and other locations into a private channel that behaves like a LAN.

Using the Google Authenticator PAM module alone already gives two-factor authentication. But managing and maintaining it is troublesome and not intuitive: every user needs a system account on the authentication host, and to change a PIN or enrol a new token they have to log in to that system and run a command. That is hard for non-technical users, and giving every VPN user a shell login on the authentication host is itself a security risk. For administrators, the company's existing account directory cannot be reused; a separate set of accounts has to be maintained on the authentication system.

privacyIDEA is a modular authentication system, an authentication server. It can be used to add a second factor to local logins, VPNs, remote access, SSH connections, web sites and portals, improving the security of existing applications. It was originally built as a server for OTP (One Time Password) devices, but challenge-response "devices", SSH keys and X.509 certificates are supported as well. It runs on Linux and is completely open source.

privacyIDEA has a friendly management interface: both system administration and user administration are done comfortably in the web UI. privacyIDEA can read users from a local file-based user database or from LDAP, so it can be linked to the company's existing account system, which is very convenient.

privacyIDEA's HOTP and TOTP tokens are compatible with Google Authenticator, so the Google Authenticator app on a smartphone can be used as the token, which is very convenient.

privacyIDEA offers three ways to integrate with OpenVPN. First, through PAM with the privacyidea_pam.py module: OpenVPN authenticates via PAM, and the PAM module calls privacyIDEA to verify. Second, by integrating OpenVPN directly with FreeRADIUS: OpenVPN authenticates via RADIUS, and FreeRADIUS forwards the check to privacyIDEA. Third, by using the PAM RADIUS module in OpenVPN.

I. How the scheme works

We use the second method: OpenVPN + FreeRADIUS + privacyIDEA. It is easy to debug, and because RADIUS is a standard protocol the same setup can serve other RADIUS-capable devices, so it is much more versatile.

Schematic (the original figure is not reproduced):

remote user -> OpenVPN -> FreeRADIUS -> privacyIDEA

The first step is the remote user initiating a VPN connection and supplying credentials. OpenVPN passes the user name and password to FreeRADIUS for authentication. FreeRADIUS, through its Perl module, asks privacyIDEA whether the credentials (PIN plus one-time password) are correct. privacyIDEA returns the verification result to FreeRADIUS, and FreeRADIUS returns an Access-Accept or Access-Reject to OpenVPN. Finally OpenVPN acts on the result: on success the tunnel is established; on failure the connection is dropped and an authentication failure is reported to the client.

II. Software installation and configuration

Everything below is done on Ubuntu Server 14.04.

1. Installing and managing privacyIDEA

1.1 System time

A TOTP one-time password is derived from the current time, so whether verification succeeds depends directly on the clock: the code the phone generates and the code the server computes must come from the same time step. The terminal (the mobile phone) and the privacyIDEA server must therefore have synchronised clocks.

Set the local time zone and enable the ntp service.
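As an added illustration of the OATH algorithms mentioned in the introduction and of why the clocks must agree (example code written for this article, not part of the original page, of privacyIDEA or of Google Authenticator), the following Python computes HOTP (RFC 4226) and TOTP (RFC 6238) exactly as the phone app and the server do, and then checks a code against a server clock with a window of one 30-second step either side. The seed and the PIN are constructed test values; the PIN-followed-by-OTP password form mirrors privacyIDEA's default. With the fixed demo times, a server 45 seconds ahead of the phone is still accepted while 100 seconds of drift is rejected, which is the reason for the NTP requirement above.

```python
# Added example (not from the original article, privacyIDEA or Google
# Authenticator): HOTP (RFC 4226) and TOTP (RFC 6238) as the phone app and
# privacyIDEA compute them, plus a server-side check with a +/-1 step window.
import base64
import hashlib
import hmac
import struct

# Constructed Base32 seed, in the form privacyIDEA encodes into the enrolment QR code.
TEST_SEED_B32 = "JBSWY3DPEHPK3PXP"
TEST_PIN = "1234"          # constructed token PIN


def decode_seed(b32: str) -> bytes:
    """Base32 seed (as shown in the QR code) to raw HMAC key bytes."""
    return base64.b32decode(b32)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, server_time: int,
                step: int = 30, window: int = 1):
    """Server-side check. Accepts the code of the current step and of up to
    `window` steps either side, to absorb small clock drift and typing time.
    Returns the matching step offset, or None. The comparison is constant-time
    so a wrong code does not leak how many digits were right."""
    for offset in range(-window, window + 1):
        expected = totp(secret, server_time + offset * step, step)
        if hmac.compare_digest(expected, candidate):
            return offset
    return None


def split_pin_otp(password: str, digits: int = 6):
    """privacyIDEA's default password form is the token PIN immediately
    followed by the OTP, so the last `digits` characters are the OTP."""
    return password[:-digits], password[-digits:]


def check_login(secret: bytes, pin: str, password: str, server_time: int) -> bool:
    """The PIN must match, then the OTP must verify inside the window."""
    got_pin, otp = split_pin_otp(password)
    if not hmac.compare_digest(got_pin, pin):
        return False
    return verify_totp(secret, otp, server_time) is not None


if __name__ == "__main__":
    seed = decode_seed(TEST_SEED_B32)
    phone_time = 1_000_000                      # fixed demo clock on the phone
    password = TEST_PIN + totp(seed, phone_time)  # what the user types
    print(check_login(seed, TEST_PIN, password, phone_time))        # True: in sync
    print(check_login(seed, TEST_PIN, password, phone_time + 45))   # True: one step off
    print(check_login(seed, TEST_PIN, password, phone_time + 100))  # False: outside window
```

The window only tolerates about one step of drift, which is why both sides run NTP rather than relying on a wider window. Note that this check alone does not stop a captured code being replayed within its window; privacyIDEA additionally remembers the last accepted counter per token so that a code cannot be used twice.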

1.2 Add the privacyIDEA package source

Add the repository with a command, or write it directly into /etc/apt/sources.list.

# add-apt-repository ppa:privacyidea/privacyidea

Or edit /etc/apt/sources.list (vi /etc/apt/sources.list) and add the repository lines:

deb http://ppa.launchpad.net/privacyidea/privacyidea/ubuntu trusty main
deb-src http://ppa.launchpad.net/privacyidea/privacyidea/ubuntu trusty main

Then refresh the package index: apt-get update.

1.3 Install privacyIDEA

# apt-get install privacyidea-apache2

The package installs its dependencies and generates the certificates the web server uses.

Create a privacyIDEA system administrator:

# pi-manage admin add ideauser -e ideauser@gmail.com

The management interface is served over HTTPS at https://<address of the privacyIDEA server>/ ; log in there with the administrator just created.

Once installation is complete you can log in to the management interface and start managing privacyIDEA.
2. Installing and configuring FreeRADIUS

privacyIDEA ships its own FreeRADIUS package (privacyidea-radius). In fact it is just FreeRADIUS with the privacyIDEA configuration applied; you can also install plain FreeRADIUS and do the configuration yourself. Here we install the privacyIDEA version.

2.1 Install privacyidea-radius

# apt-get install privacyidea-radius

The authentication type FreeRADIUS is configured with is a Perl program (rlm_perl); the Perl module talks to privacyIDEA by sending HTTP POST requests to its /validate/check API.

The default Perl program is /usr/share/privacyidea/freeradius/privacyidea_radius.pm.

Where it is wired in can be seen in the FreeRADIUS configuration.
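As an added example (Python written for this article, not privacyIDEA's Perl module itself), this is the request the FreeRADIUS side sends to /validate/check and the decision rule applied to the JSON reply. The point worth copying is the three-way outcome: privacyIDEA reports server-side errors as result.status false, a wrong PIN or OTP as status true with value false, and only status and value both true is an accept; everything else, including an unparseable reply, must fail closed. The base URL, user, realm and the sample replies are constructed.

```python
# Added example (not privacyIDEA's Perl module): the request FreeRADIUS sends to
# privacyIDEA's /validate/check API and a fail-closed decision on its reply.
import json
from urllib.parse import urlencode
from urllib.request import Request


def build_validate_check(base_url: str, user: str, password: str,
                         realm: str = None) -> Request:
    """Form-encoded POST with user and pass (PIN followed by OTP) and an
    optional realm. The request is built here, not sent."""
    fields = {"user": user, "pass": password}
    if realm:
        fields["realm"] = realm
    return Request(base_url.rstrip("/") + "/validate/check",
                   data=urlencode(fields).encode(), method="POST")


def decide(body: str):
    """Return (accept, reason). Only result.status and result.value both true
    accept; status false is a server error, status true with value false is a
    wrong PIN or OTP. A malformed body is a reject, never an accept."""
    try:
        doc = json.loads(body)
        result = doc["result"]
        if not isinstance(result, dict):
            raise TypeError("result is not an object")
    except (ValueError, KeyError, TypeError):
        return False, "unparseable reply"
    detail = doc.get("detail") or {}
    if result.get("status") is not True:
        err = (result.get("error") or {}).get("message", "unknown error")
        return False, "privacyIDEA error: " + str(err)
    if result.get("value") is True:
        return True, detail.get("message", "accept")
    return False, detail.get("message", "reject")


# Constructed sample replies in the shape privacyIDEA 2.x returns.
SAMPLE_ACCEPT = ('{"result": {"status": true, "value": true},'
                 ' "detail": {"message": "matching 1 tokens"}}')
SAMPLE_REJECT = ('{"result": {"status": true, "value": false},'
                 ' "detail": {"message": "wrong otp pin"}}')
SAMPLE_ERROR = ('{"result": {"status": false,'
                ' "error": {"message": "The user can not be found"}}}')

if __name__ == "__main__":
    req = build_validate_check("https://pi.example/", "alice", "1234755224", realm="corp")
    print(req.get_method(), req.full_url, req.data)
    for body in (SAMPLE_ACCEPT, SAMPLE_REJECT, SAMPLE_ERROR, "<html>502 Bad Gateway</html>"):
        print(decide(body))
```

The shipped Perl module already behaves this way; the example is here so that anyone replacing it with their own glue keeps the same fail-closed rule and does not treat a gateway error page or a missing "value" as success.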

2.2 Configure FreeRADIUS

Edit the RADIUS clients file:

# vim /etc/freeradius/clients.conf

By default the local host 127.0.0.1 is already defined as a RADIUS client (with the shipped secret testing123). If other devices will authenticate through this server, add them as clients too, each with its own strong shared secret.

After installation, test that the RADIUS service works (with radtest, see the test section below).

3. Installing and configuring OpenVPN

3.1 Install the software. easy-rsa makes generating the certificates convenient.

# apt-get install easy-rsa
# apt-get install openvpn

3.2 Generate the certificates

Edit the vars file:

cd /usr/share/easy-rsa/2.0/
vim vars

Set the certificate details:

export KEY_COUNTRY="CN"
export KEY_PROVINCE="BeiJing"
export KEY_CITY="BeiJing"
export KEY_ORG="NetOps"
export KEY_EMAIL="netops@netops.com"
export KEY_OU="netops"

Load the variables into the environment:

source vars

Generate the root certificate and key, the server certificate and key, the Diffie-Hellman parameters and the tls-auth key ta.key. The argument to build-key-server sets the file names, so use "server" to get the server.crt and server.key that the configuration below refers to:

./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key

The files are written to the keys directory below the current directory.

3.3 Configure OpenVPN

Copy the sample server configuration to /etc/openvpn:

cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/

Edit the configuration, adjusting the protocol, address range, certificate and key paths, pushed routes, DNS and so on as needed. For example:

port 1194
proto tcp
dev tun
ca /usr/share/easy-rsa/2.0/keys/ca.crt
cert /usr/share/easy-rsa/2.0/keys/server.crt
key /usr/share/easy-rsa/2.0/keys/server.key
dh /usr/share/easy-rsa/2.0/keys/dh2048.pem
server 192.168.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 10.10.10.10"
keepalive 10 120
tls-auth /usr/share/easy-rsa/2.0/keys/ta.key 0
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 5

Start OpenVPN and confirm that it comes up; resolve any problems at this stage, before RADIUS is added.

3.4 Configure packet forwarding and the firewall

3.4.1 Enable packet forwarding

# echo "1" > /proc/sys/net/ipv4/ip_forward
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

3.4.2 Configure the firewall

# iptables -I INPUT -p tcp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE

Remember to save the iptables rules so that they are restored at boot.

4. Install radiusplugin

radiusplugin is the OpenVPN plug-in that adds RADIUS authentication to OpenVPN.

Download the radiusplugin package from http://www.nongnu.org.

4.1 Install gcc, g++ and libgcrypt

# apt-get install gcc g++ libgcrypt11

Compiling against libgcrypt also needs its headers, which on Ubuntu 14.04 are in the libgcrypt11-dev package.

4.2 Compile radiusplugin

Unpack the archive, change into the directory and run make.

4.3 Configure radiusplugin

Copy radiusplugin.cnf and the compiled radiusplugin.so into /etc/openvpn/.

Edit radiusplugin.cnf:

# vim radiusplugin.cnf
server
{
acctport=1813
authport=1812
name=127.0.0.1
retry=1
wait=1
sharedsecret=testing123
}

sharedsecret must match the secret configured for this client in the FreeRADIUS clients.conf. testing123 is only FreeRADIUS's shipped default; use a long random secret in production, because it is the only thing hiding the user's password on the wire and it is what lets OpenVPN tell a genuine RADIUS reply from a forged one.
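To make the FreeRADIUS hop described in the overview concrete, here is an added Python example (written for this article, not taken from radiusplugin, FreeRADIUS or privacyIDEA) that builds the RFC 2865 Access-Request radiusplugin sends, hides the PIN+OTP password with the shared secret, and has a stand-in server answer with an Access-Accept or Access-Reject carrying a Response Authenticator. It shows the two jobs of the shared secret: a server configured with a different secret recovers garbage instead of the password and rejects, and the client detects a reply that was not produced with its secret. The user, PIN, OTP and the check callback are constructed test data; real FreeRADIUS asks privacyIDEA instead of the callback.

```python
# Added example (not from radiusplugin, FreeRADIUS or privacyIDEA): the
# RFC 2865 Access-Request / Access-Accept exchange between OpenVPN's RADIUS
# plug-in and the RADIUS server, and what the shared secret does in it.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2       # RADIUS attribute types


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the 2 header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16 bytes, XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator instead of a previous block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: str, password: str, secret: bytes,
                         request_auth: bytes = None) -> bytes:
    """What radiusplugin sends for an auth-user-pass login (PAP)."""
    request_auth = request_auth or os.urandom(16)   # fresh random value per request
    attrs = _attr(USER_NAME, user.encode()) + \
        _attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def server_handle(packet: bytes, secret: bytes, check) -> bytes:
    """Constructed stand-in for FreeRADIUS: recover the password, ask
    check(user, password) (in the real setup the privacyIDEA Perl module) and
    reply with Response Authenticator MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    user = attrs[USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth).decode(errors="replace")
    reply = ACCESS_ACCEPT if check(user, password) else ACCESS_REJECT
    header = struct.pack("!BBH", reply, ident, 20)   # no reply attributes
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes):
    """Client side: recompute the Response Authenticator with our own secret.
    Returns the reply code, or None if the reply does not belong to this
    request and secret (forged, for another request, or mismatched secrets)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


# Constructed demo data: what privacyIDEA would accept for user alice right now.
DEMO_SECRET = b"testing123"
DEMO_USER, DEMO_PASSWORD = "alice", "1234" + "755224"   # PIN followed by OTP


def demo_check(user: str, password: str) -> bool:
    return user == DEMO_USER and password == DEMO_PASSWORD


def exchange(secret_client: bytes, secret_server: bytes, password: str):
    """Run one login through both sides; returns the verified reply code or None."""
    req = build_access_request(7, DEMO_USER, password, secret_client)
    resp = server_handle(req, secret_server, demo_check)
    return verify_response(resp, req, secret_client)


if __name__ == "__main__":
    print(exchange(DEMO_SECRET, DEMO_SECRET, DEMO_PASSWORD))  # 2 = Access-Accept
    print(exchange(DEMO_SECRET, DEMO_SECRET, "1234000000"))   # 3 = Access-Reject
    print(exchange(DEMO_SECRET, b"other", DEMO_PASSWORD))     # None: secrets differ
```

Two practical consequences follow from the code: the password hiding is only an MD5-keyed XOR, so the RADIUS leg should stay on localhost or a trusted network as in this setup, and a secrets mismatch shows up as an Access-Reject (or a dropped reply) with no further explanation, which is why "sharedsecret must match" is the first thing to check when radtest works but OpenVPN logins fail.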

5. Modify the OpenVPN configuration again

Change the OpenVPN server configuration so that clients authenticate with a user name and password, and OpenVPN checks them through RADIUS:

5.1 Edit server.conf

# vim /etc/openvpn/server.conf
client-cert-not-required
username-as-common-name
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf

client-cert-not-required means clients no longer present a certificate. The server is still authenticated to the client by its own certificate and the tls-auth key still keeps unknown hosts off the TLS handshake, but the user's PIN plus one-time password is now the only thing identifying the client, so keep tls-auth enabled. username-as-common-name makes OpenVPN use the RADIUS user name, rather than a certificate common name, as the client's identity in its status file and logs.
6. Restart the services and test

6.1 Restart the services

/etc/init.d/radiusd restart
/etc/init.d/openvpn restart

On Ubuntu the FreeRADIUS init script is /etc/init.d/freeradius; radiusd is the name used on CentOS.

6.2 Configure the OpenVPN client

Install the OpenVPN client. Copy the root certificate ca.crt and ta.key into the config directory under the client's installation directory, then write the client's xx.ovpn file.

Its contents:

client
dev tun
proto tcp
remote <vpn server address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
auth-user-pass

The <vpn server address> placeholder is the public address of the OpenVPN server. ns-cert-type server makes the client refuse any peer whose certificate was not issued with build-key-server, so another VPN user cannot impersonate the server.

Note: on Windows, start the client with administrator privileges, otherwise the routes pushed by the server cannot be added. If you connect to several VPN services, put each one's ca.crt, ta.key and xx.ovpn files together in the same config directory.

6.3 Test

For day-to-day use of privacyIDEA, see the official documentation or my own notes.

Test in three steps: 1. Check that the privacyIDEA service works and that a token authenticates successfully. 2. Check that the RADIUS service is up and that FreeRADIUS verifies successfully against privacyIDEA. 3. Check that OpenVPN authentication succeeds. Going layer by layer shows at which stage a problem lies, and it can then be solved.

Install the Google Authenticator app on the smartphone, then enrol a token for the user in privacyIDEA, which displays the seed as a QR code. Open Google Authenticator, choose Add Account and scan the code; you will then see a token code that changes every 30 seconds. In privacyIDEA's [Tokens] view, test whether the token's PIN followed by the current code is accepted.

Use radtest to check FreeRADIUS together with privacyIDEA: radtest <user> <PIN followed by OTP> 127.0.0.1 0 <shared secret> should answer with an Access-Accept. Running FreeRADIUS in debug mode (freeradius -X on Ubuntu, radiusd -X on CentOS) makes troubleshooting much easier.

Then test with the OpenVPN client; if there are problems, look at the OpenVPN log.

Note: on CentOS, radiusplugin sometimes fails to build because of version mismatches; try a different version of radiusplugin or of the compiler.

If version problems mean you have to install FreeRADIUS directly instead of the privacyidea-radius package, download the privacyidea_radius.pm Perl module and set it as FreeRADIUS's authentication type by hand. Keep the changes to the FreeRADIUS configuration to a minimum, and bear in mind that the 2.x and 3.x configuration layouts are not the same, so follow the instructions for the version you actually have.
     
         
         
         