OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: sfty1 on May 20, 2019, 09:47:39 am

Title: [SOLVED] Client Specific Overrides + Radius Auth + OpenVPN
Post by: sfty1 on May 20, 2019, 09:47:39 am
Hi,
i'm struggling with static IPs via CCD in an openvpn+radius setup.
I tried to use the username as common name, but when i add an override via the GUI, there is NO file created in the CCD directory. Can this be a bug?

Code: [Select]
dev ovpns3
verb 4
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_server3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp4-server
cipher AES-256-CBC
auth SHA256
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
engine rdrand
client-disconnect "/usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh server3"
tls-server
server 10.69.14.0 255.255.254.0
client-config-dir /var/etc/openvpn-csc/3
verify-client-cert none
username-as-common-name
auth-user-pass-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify user 'Active Directory RADIUS,Active Directory Radius DC2,Local Database' 'false' 'server3'" via-env
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'safety+io+OpenVPN+Server' 1"
lport 443
management /var/etc/openvpn/server3.sock unix
max-clients 500
push "route 10.69.0.0 255.255.240.0"
push "dhcp-option DOMAIN mydomain.local"
push "dhcp-option DNS 10.69.14.1"
push "redirect-gateway def1"
client-to-client
duplicate-cn
route 10.69.0.0 255.255.252.0
ca /var/etc/openvpn/server3.ca
cert /var/etc/openvpn/server3.cert
key /var/etc/openvpn/server3.key
dh /usr/local/etc/dh-parameters.2048.sample
tls-auth /var/etc/openvpn/server3.tls-auth 0
comp-lzo no
persist-remote-ip
float
reneg-sec 0

Update: When I manually create a file with my username, it's working. But from the GUI there is absolutly no effect.
Title: Re: Client Specific Overrides + Radius Auth + OpenVPN
Post by: mimugmail on May 20, 2019, 10:01:08 am
Why do you use ccd and radius? This doesnt make sense. You can assign IPs and set routes via radius attributes
Title: Re: Client Specific Overrides + Radius Auth + OpenVPN
Post by: sfty1 on May 20, 2019, 10:53:29 am
Is it working now?

see:
https://forum.opnsense.org/index.php?topic=5883.0

I tried it, and it's ignored...
Title: Re: Client Specific Overrides + Radius Auth + OpenVPN
Post by: mimugmail on May 20, 2019, 11:12:52 am
In one of the 18.1 releases it was introduced if I remember correct.
You have to disable the CSC's and set the correct backend. Can you try with FreeRadius plugin or do you use a different source?
Title: Re: Client Specific Overrides + Radius Auth + OpenVPN
Post by: sfty1 on May 20, 2019, 11:35:52 am
Quote
You have to disable the CSC's and set the correct backend
How to disable it? I removed all entrys in the "VPN: OpenVPN: Client Specific Overrides" section. But there is no change in the config file. "client-config-dir /var/etc/openvpn-csc/3" is still present.

I'm using System: Access: Servers -> Radius to authenticate against an Active Directory.

Wireshark tells me, that i'm delivering this to the OPNsense Box:
Code: [Select]
        AVP: t=Framed-IP-Address(8) l=6 val=10.14.1.222
        AVP: t=Framed-Route(22) l=24 val=10.14.0.0/30 0.0.0.0 1

The feature seems to be present on the installation:
Quote
grep -ri framed /usr/local/etc/inc/plugins.inc.d/
/usr/local/etc/inc/plugins.inc.d/openvpn/auth-user.php:    if (!empty($props['Framed-IP-Address']) && !empty($props['Framed-IP-Netmask'])) {
/usr/local/etc/inc/plugins.inc.d/openvpn/auth-user.php:        $cidrmask = 32-log((ip2long($props['Framed-IP-Netmask']) ^ ip2long('255.255.255.255'))+1, 2);
/usr/local/etc/inc/plugins.inc.d/openvpn/auth-user.php:        $result['tunnel_network'] = $props['Framed-IP-Address'] . "/" . $cidrmask;
/usr/local/etc/inc/plugins.inc.d/openvpn/auth-user.php:    if (!empty($props['Framed-Route']) && is_array($props['Framed-Route'])) {
/usr/local/etc/inc/plugins.inc.d/openvpn/auth-user.php:        $result['local_network'] = implode(",", $props['Framed-Route']);


Title: Re: Client Specific Overrides + Radius Auth + OpenVPN
Post by: mimugmail on May 20, 2019, 11:38:14 am
And what does OpenVPN log on OPNsense and client say?
Title: Re: Client Specific Overrides + Radius Auth + OpenVPN
Post by: sfty1 on May 20, 2019, 11:42:16 am
it's pushing the normal ip from the pool without something special. The static IP is not appearing.
Title: Re: Client Specific Overrides + Radius Auth + OpenVPN
Post by: mimugmail on May 20, 2019, 11:53:38 am
Can you install FreeRadius, switch backend and give it a try to sort out the problem?
Title: Re: Client Specific Overrides + Radius Auth + OpenVPN
Post by: sfty1 on May 20, 2019, 01:07:37 pm
I did it. Auth works, but no special IP will be assigned....
Title: Re: Client Specific Overrides + Radius Auth + OpenVPN
Post by: sfty1 on May 20, 2019, 03:01:05 pm
fyi:

Attributes received from server:
Framed-IP-Address => 10.69.14.222
Framed-IP-Netmask => 255.255.255.252
Framed-Route => 10.69.14.0/23

This is delivered from the local freeradius Server. But Openvpn is ignoring it :-/

OPNsense 19.1.8-amd64
FreeBSD 11.2-RELEASE-p10-HBSD
OpenSSL 1.0.2r 26 Feb 2019

UPDATE: This was a fail information. The setup worked in this version for the first time.
Title: Re: Client Specific Overrides + Radius Auth + OpenVPN
Post by: mimugmail on May 20, 2019, 04:49:32 pm
Can you post a screenshot of your server config so I can reproduce?
Title: Re: Client Specific Overrides + Radius Auth + OpenVPN
Post by: sfty1 on May 20, 2019, 04:51:19 pm
sorry, i think i found the root cause:
"Framed-IP-Netmask => 255.255.255.252" was missing on the NPS.

In my tests I switched between the 19.1.8 release (test) and the 18.7.8 release (productive).
I debugged with printing out the variables in /usr/local/etc/inc/plugins.inc.d/openvpn/auth-user.php with
file_put_contents('/tmp/debug.txt', print_r($result, true)); in parse_auth_properties.

In both versions, all attributes are available. But in release 18.7.8 it has no effect on the config.
I will schedule an upgrade of the productive instance and see if it will be fixed.

But the most important thing to find out, was that I had to read the source code, to understand, what attributes are needed.

There is an logic AND for Framed-IP-Address and Framed-IP-Netmask.
Otherwise it will not work.

I'm still wondering, why the bug is in 18.7.8, but no matter, I'll upgrade soon.

Thank you very much for the help :)
Title: Re: Client Specific Overrides + Radius Auth + OpenVPN
Post by: sfty1 on May 22, 2019, 09:22:08 am
I finally managed it to deploy the new version to production.
The freeradius user is working fine (IP will be assigned), but the Microsoft NPS User doesn't (standard pool IP assigned). All users are stored in the active directory, so it makes no sense to create them additionally in freeradius.

Both arrays are containing the same value:
Code: [Select]
# diff -s radius-free radius-nps
Files radius-free and radius-nps are identical

Array content:
Code: [Select]
Array
(
    [tunnel_network] => 10.69.14.222/30
)

Debug method:
Code: [Select]
function parse_auth_properties($props)
{
    $result = array();
    if (!empty($props['Framed-IP-Address']) && !empty($props['Framed-IP-Netmask'])) {
        $cidrmask = 32-log((ip2long($props['Framed-IP-Netmask']) ^ ip2long('255.255.255.255'))+1, 2);
        $result['tunnel_network'] = $props['Framed-IP-Address'] . "/" . $cidrmask;
    }
    if (!empty($props['Framed-Route']) && is_array($props['Framed-Route'])) {
        $result['local_network'] = implode(",", $props['Framed-Route']);
    }
    file_put_contents('/tmp/radius', print_r($result, true));
    return $result;
}

As both arrays are identical, what can be the reason for the different behavior?
Title: Re: Client Specific Overrides + Radius Auth + OpenVPN
Post by: sfty1 on May 22, 2019, 09:45:26 am
i'm debugging further....
Title: Re: Client Specific Overrides + Radius Auth + OpenVPN
Post by: sfty1 on May 22, 2019, 10:36:40 am
radsniff gives details about the difference:

Freeradius Reply:
Code: [Select]
Framed-Protocol = PPP
Framed-IP-Address = 10.69.14.222
Framed-IP-Netmask = 255.255.255.252
Authenticator-Field = 0xbfe77857212958100f5edfc83775f335

NPS Reply:
Code: [Select]
Framed-Protocol = PPP
Framed-IP-Address = 10.69.14.222
Framed-IP-Netmask = 255.255.255.252
Class = 0x8f4908ef00000137000102000af014140000000028451f2733b4e06501d50a53e29d8d4300000000000066ca
MS-Link-Utilization-Threshold = 50
MS-Link-Drop-Time-Limit = 120
Authenticator-Field = 0xca44113b745f5b92f3da7058f3b512c6

Does the Class, MS-Link-Utilization-Threshold, MS-Link-Drop-Time-Limit break some functions in the opnsense scripts? I'm really wondering what's happening here.
Title: Re: Client Specific Overrides + Radius Auth + OpenVPN
Post by: sfty1 on May 22, 2019, 11:34:26 am
Hi,

I finally managed to solve my issue by going trough the sourcecode. I left a debug file, with the same username as in the freeradius test, in the ccd dir *facepalm*. Radius attributes never worked during my tests.

The solution is:
1. Select "Force CSO Login Matching" in the GUI of the server Configuration
2. Use Framed-IP-Address AND Framed-IP-Netmask

After this, the files are being created in the folder:
/var/etc/openvpn-csc/3/

The only thing is, that they aren't removed. But no matter, it works  8)