OPNsense Forum

English Forums => Documentation and Translation => Topic started by: lshantz on September 03, 2019, 03:49:45 am

Title: 2FA to multi factor authentication
Post by: lshantz on September 03, 2019, 03:49:45 am
Greetings. This will be my first post, so be gentle. I recently made the switch to Opnsense from PF and now need to get everything running. One of the things I'm trying to do, is multi-factor authentication. Here is where I'm getting my instructions from: https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

Where I'm stuck is this line: Go to VPN ‣ OpenVPN ‣ Servers and click the pencil icon next to the server we just created to change the 2FA to multi factor authentication.

There simply is NO such place to make this change. So is there an undocumented package that needs installing? As a result the following steps don't work and a certificate is not exported. I'm so close! Any help appreciated. It is just a missing piece of the puzzle, or a change has been made to the system and this didn't get updated?
Title: Re: 2FA to multi factor authentication
Post by: mimugmail on September 03, 2019, 06:47:07 am
Did you add the 2FA server in System : Access : Servers? There you can add a "Server" like local+TOTP, label it and then you select it via OpenVPN. Sometimes things are too easy to overlook :)
Title: Re: 2FA to multi factor authentication
Post by: lshantz on September 03, 2019, 02:51:16 pm
I'm not sure I understand. I DO have in that area, Free Radius Authentication, Type Radius, I have Radius 2 factor, type local+Time based one time password, and local database. The only other options I see are LDAP, LDAP+time based, and Voucher. Nothing about 2FA.

In the above instructions, the inference is there is a choice to make, which in my case there simply is no choice. Check it out for yourself and see what you see? I can do screen shots if you have that selection.
Title: Re: 2FA to multi factor authentication
Post by: mimugmail on September 03, 2019, 03:54:33 pm
You need local+TOTP, isn't it what you want? pfsense only supports 2FA via Radius, but OPN has it natively onboard :)
Title: Re: 2FA to multi factor authentication
Post by: lshantz on September 03, 2019, 10:54:32 pm
No, that is not quite correct. What you are proposing is 2 factor authentication. That works fine. What I want to do is multi authentication. That consists of a password, the TOTP server or like Google authentication, AND a certificate. If you follow the link I posted, you would see exactly what should be happening. What I'm asking is what part of the documentation is wrong and how do I get past this error, or.... what step is not documented that I'm missing. Since I can not do what it claims I should be able to do.
Title: Re: 2FA to multi factor authentication
Post by: lshantz on September 03, 2019, 10:56:21 pm
Update: I did not mention that in that link you have to drop down to the bottom to step 4. If you go all the way to the end, and then page up, that should put you almost right where I am referencing.
Title: Re: 2FA to multi factor authentication
Post by: lshantz on September 03, 2019, 10:58:40 pm
I wish I could edit past posts. Oh well.. Here, I just will paste the relevant part:
Step 4 - Multi Factor Authentication
-------------
For two factor authentication you need the factors username/password and a token. OPNsense supports another layer, namely a user certificate. This means that every user will be uniquely identified by the user certificate. In this case the multi factors are:

    User certificate
    Username/Password
    Token (TOTP)

Go to VPN ‣ OpenVPN ‣ Servers and click the pencil icon next to the server we just created to change the 2FA to multi factor authentication.

Now change Server Mode to Remote Access (SSL/TLS + User Auth) and leave everything else unchanged. Click Save on the bottom of the form.
Title: Re: 2FA to multi factor authentication
Post by: mimugmail on September 04, 2019, 07:19:50 am
Hm, seems this was refactored long time ago and not updated in the docs. Can you just try your 2FA server as backend authentication and use "Remote Access (SSL / User Auth)" as server mode? This should be enough
Title: Re: 2FA to multi factor authentication
Post by: lshantz on September 04, 2019, 05:50:00 pm
The system works flawlessly without the multi-factor. When you add the certificate portion, the export should contain the key. I don't know how to manually add a certificate. I would really like to get back to multi-factor authentication. Hopefully someone will see this that knows the answer.
Title: Re: 2FA to multi factor authentication
Post by: lshantz on September 09, 2019, 06:21:19 pm
Okay, so the forums have not produced an answer. How can I escalate this to the programmers so it can be fixed? Produce a bug report? I am not sure it is really a bug. More like an oversight, but I need this function badly.
Title: Re: 2FA to multi factor authentication
Post by: mimugmail on September 09, 2019, 06:31:47 pm
There is no bug, go to your desired user and add a certificate.
Title: Re: 2FA to multi factor authentication
Post by: mimugmail on September 09, 2019, 06:34:33 pm
https://github.com/opnsense/docs/blob/master/source/manual/how-tos/sslvpn_client.rst#adding-a-user

The docs clearly state to add a certificate AND an otp seed.
Title: Re: 2FA to multi factor authentication
Post by: casper1980 on September 09, 2019, 06:39:46 pm
One thing to add, with certificates: something I noticed when moving from pfsense.

In Opnsense, when creating user certificates using an internal CA, remember to use the "Create Internal Certificate" option and do not create a CSR and sign it using the OpenVPN-CA, as this ends up with an external user cert which is not associated with the OpenVPN CA, even though it was signed with the CA cert. If you do this then the user certificate does not appear in the client export section. pfSense seems to handle this differently; thought it was worth a mention here.
Title: Re: 2FA to multi factor authentication
Post by: lshantz on September 14, 2019, 07:41:01 am
Okay guys, enough with the snarky replies. They serve NO purpose to help me or anyone else that is looking for help. It appears that some pound out a reply without really looking at the original post or the attached documents. If you have no interest in helping that is fine, move on.

1. IF it used to work, and the documents say it should do X, but it does NOT do X, if it isn't a bug, it is a feature that has been lost and apparently they are unaware.

2. Someone says add a certificate and OTP seed. Really!? Where did you see where I said I did NOT add a certificate or the OTP information? The instructions clearly show those are steps.

3. Someone actually put some thought into a response. Thank you! I did double check to make sure it is an internal certificate, but alas, that is not the problem apparently. The exported file does not contain the certificate. I'm betting in the interim I'm going to have to learn how to manually insert the certificate into the ovpn file.

Just to make sure you understand the issue more clearly, here is an old openvpn exported file from Pfsense that worked!
----------------
dev tun
persist-tun
persist-key
cipher AES-256-CFB
ncp-disable
auth SHA256
tls-client
client
resolv-retry infinite
remote x.x.x.x 1194 udp
setenv opt block-outside-dns
verify-x509-name "freeradius-temp-server" name
auth-user-pass
remote-cert-tls server
compress

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
--------------
As you can see the certificates are added to the export. Below is a sample of what is currently being exported from the opnsense vpn export utility:

dev tun
persist-tun
persist-key
cipher AES-256-CFB
auth SHA256
client
resolv-retry infinite
reneg-sec 0
remote x.x.x.x 1194 udp
lport 0
verify-x509-name "C=US, ST=AZ, L=Phoenix, O=x
, emailAddress=x.com,
CN=Internal-ca, subjectAltName=URI:https://x.com" subject
remote-cert-tls server
auth-user-pass
comp-lzo adaptive
pkcs12 x.p12
tls-auth OpenVPN_x.key 1
---------------------
I AM seeing one MAJOR difference and this may be key! I assume the .p12 and .key are references to certificates, but they are not seeing those files. The program that I use on the Mac does not recognize those, so only imports the ovpn file! I may have stumbled across an application incompatibility with how it is being processed. It looks like Pfsense exports as one flat file, and opnsense exports as 3 individual files! I'll report back.
Title: Re: 2FA to multi factor authentication
Post by: ruffy91 on September 14, 2019, 10:22:41 pm
When you select "File only" (the default) you get an .ovpn file including the certificates in the same file appended. If you do not get that it is indeed a bug or corrupt config.
I get a correct ovpn file on 19.7.4_1.(https://uploads.tapatalk-cdn.com/20190914/19454fb619fb63eaacafd8dfe1bdc9f0.jpg)
Title: Re: 2FA to multi factor authentication
Post by: lshantz on September 15, 2019, 01:18:42 am
DING DING DING!! We have a winner.

I just figured it out and logged on to report back. You are absolutely correct. Mine was defaulted to zip file. This is not mentioned in the instructions, and I just made a bad assumption and when we figured that out, we logged in first time.

So the instructions really need updating to reflect the current rev of Opnsense/OpenVPN setup! So even though there is no longer a button to go from 2FA to Multi, it doesn't matter. Just follow the instructions to that point, know that there is no button, create your certificates, export as a flat file and you should be good to go.
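The thread turns on whether the exported .ovpn embeds the CA, user certificate, key and TLS key inline (the "File only" export) or only references them as separate files (the zip export, which a client that imports a single .ovpn cannot use). The following is an added example, not OPNsense or OpenVPN code: a small checker that classifies a profile by its inline blocks and file directives, run over two constructed samples modelled on the two exports pasted above (blob bodies are placeholders).

```python
import re

# Names that appear either as inline <tag>...</tag> blocks ("File only" export)
# or as "tag filename" directives pointing to a separate file (zip-style export).
CREDENTIAL_NAMES = {"ca", "cert", "key", "pkcs12", "tls-auth", "tls-crypt"}

def profile_dependencies(text):
    """Return (inline_tags, external_files) found in an .ovpn profile."""
    inline, external, in_block = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                      # skip the blob body until its closing tag
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m and m.group(1) in CREDENTIAL_NAMES:
            in_block = m.group(1)
            inline.add(in_block)
            continue
        parts = line.split()
        if parts and parts[0] in CREDENTIAL_NAMES and len(parts) >= 2:
            external[parts[0]] = parts[1]   # e.g. "pkcs12 x.p12", "tls-auth OpenVPN_x.key 1"
    return inline, external

def is_self_contained(text):
    """True when nothing is referenced on disk and at least the CA is embedded,
    i.e. the single .ovpn is enough for a client that imports only that file."""
    inline, external = profile_dependencies(text)
    return not external and "ca" in inline

# Constructed samples (not real exports); PLACEHOLDER stands in for the PEM blobs.
FLAT_PROFILE = """client
auth-user-pass
<ca>
PLACEHOLDER
</ca>
<cert>
PLACEHOLDER
</cert>
<key>
PLACEHOLDER
</key>
key-direction 1
"""
ZIP_PROFILE = """client
auth-user-pass
pkcs12 x.p12
tls-auth OpenVPN_x.key 1
"""
```

`is_self_contained(FLAT_PROFILE)` is True while the zip-style profile reports `x.p12` and `OpenVPN_x.key` as external dependencies, which is the difference the poster spotted between the two exports.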