OPNsense Forum

English Forums => General Discussion => Topic started by: ikkeT on October 08, 2017, 04:00:48 pm

Title: openvpn mixed OPT and machine clients?
Post by: ikkeT on October 08, 2017, 04:00:48 pm
Hi,

I have been happily using VPN with OTP for a while. Now I would need to set up a VPN for some remote Raspberry Pi clients. I'd collect data from them over VPN. My question would be: can I somehow add an exception for OpenVPN to not use a one-time password for those clients, but rather fixed passwords? Or just certs?

Like many web services have an option for "legacy" clients to have fixed passwords, like google talk clients.

-ikke
Title: Re: openvpn mixed OPT and machine clients?
Post by: bartjsmit on October 08, 2017, 06:33:30 pm
How about a second OpenVPN server with a different TLS key and different security policy? Two or more OpenVPN servers can happily co-exist if they listen on separate ports.

Bart...
Title: Re: openvpn mixed OPT and machine clients?
Post by: ikkeT on October 09, 2017, 09:31:20 pm
Thanks, I was trying to avoid running two openvpn servers. I suppose I have to, unless someone still knows a way to have e.g. different auth backend for certain users.
Title: Re: openvpn mixed OPT and machine clients?
Post by: franco on October 12, 2017, 08:39:23 pm
You can select multiple auth services, but it probably only works with remote access (user auth) mode and making sure that two different users don't have logins on both authentication backends.


Cheers,
Franco
Title: Re: openvpn mixed OPT and machine clients?
Post by: ikkeT on October 29, 2017, 07:32:57 pm
Thanks, adding both works. But I assume there is no way of selecting which backend to add the user to? I suppose all users will be both in internal auth and in TOTP, so using either one for password would work, which is not optimal.
Title: Re: openvpn mixed OPT and machine clients?
Post by: franco on October 29, 2017, 08:16:55 pm
Hi Ikke,

Yes, TOTP is a Local Database add-on. You can e.g. use Freeradius plugin to add your non-TOTP users there.


Cheers,
Franco
Title: Re: openvpn mixed OPT and machine clients?
Post by: ikkeT on November 12, 2017, 05:12:51 pm
> Hi Ikke,
>
> Yes, TOTP is a Local Database add-on. You can e.g. use Freeradius plugin to add your non-TOTP users there.
>
> Cheers,
> Franco

Thanks, I'm not familiar with freeradius. I however installed the plugin. I did not enable the freeradius server, as I don't think I need it for anything at home. Looking at the freeradius users menus, I can't see either of the users created via opnsense user management. Should I see them there, or would they be visible if I enabled freeradius server?

Any other ways to add non TOTP users?
Title: Re: openvpn mixed OPT and machine clients?
Post by: ikkeT on November 12, 2017, 05:20:04 pm
> Hi Ikke,
>
> Yes, TOTP is a Local Database add-on. You can e.g. use Freeradius plugin to add your non-TOTP users there.
>
> Cheers,
> Franco

Thanks, I'm not familiar with freeradius. I however installed the plugin. I did not enable the freeradius server, as I don't think I need it for anything at home. Looking at the freeradius users menus, I can't see either of the users created via opnsense user management. Should I see them there, or would they be visible if I enabled freeradius server?

Any other ways to add non TOTP users?
Ultimately, it would be great if the user management tab in accounts would have an option to exclude TOTP from selected user. Can I use some command line tool to do that, like usermod?
Title: Re: openvpn mixed OPT and machine clients?
Post by: franco on November 14, 2017, 05:16:08 am
Freeradius users are separate, they don’t show under system and shouldn’t.

What do you mean by exclude users from TOTP? Users without a secret can’t do TOTP anyway, but maybe you mean disable raw password login for these users with secrets?
Title: Re: openvpn mixed OPT and machine clients?
Post by: ikkeT on November 14, 2017, 06:49:06 am
> Freeradius users are separate, they don’t show under system and shouldn’t.
>
> What do you mean by exclude users from TOTP? Users without a secret can’t do TOTP anyway, but maybe you mean disable raw password login for these users with secrets?

I mean non-human users. Like a remote location IoT gateway, which at boot creates a VPN to the home network. It then tunnels mqtt and possibly video etc. protocols to a server on the home network. And I can connect to remote devices behind the tunnel for maintenance. The use case is monitoring a cottage house far away, and possibly driving the heating of the location.

For such GW (raspi) I'd need fixed pwd + cert, or just cert. For any human users coming from laptop or mobile, pwd + otp + cert combo is required.

Now all that would work in the OPNsense OpenVPN server, if only I could make given users skip OTP.

I have tried toggling the auth backend to OTP or local users db. Both do work, TOTP+passwd, or just pwd. But not both selectively for different users.

Point being, not all VPN users are human, and (only) those should bypass the OTP. Very basic requirement.
Title: Re: openvpn mixed OPT and machine clients?
Post by: franco on November 14, 2017, 01:50:16 pm
It’s not basic enough. :) Still, if you don’t create your machine users under system but use the freeradius plugin this works... just make sure there are no overlapping accounts.
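To make the "no overlapping accounts" caveat checkable, here is an added example (not code from the thread or from the OPNsense project) that reads a config.xml backup and flags usernames that exist both as Local Database + TOTP users and as FreeRADIUS plugin users, plus local users that carry no TOTP seed. The element paths, the account names and the seeds below are assumptions and constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an OPNsense config.xml, trimmed to what this check reads.
# Element paths are assumptions: system/user with otp_seed for Local Database +
# TOTP accounts, OPNsense/freeradius/user/users/user for os-freeradius accounts.
SAMPLE_CONFIG = """<opnsense>
  <system>
    <user><name>root</name><otp_seed></otp_seed></user>
    <user><name>ikke</name><otp_seed>JBSWY3DPEHPK3PXP</otp_seed></user>
    <user><name>cottage-gw</name><otp_seed>ABCDEFGHIJKLMNOP</otp_seed></user>
  </system>
  <OPNsense><freeradius><user><users>
    <user><username>cottage-gw</username><enabled>1</enabled></user>
    <user><username>pi-sensor01</username><enabled>1</enabled></user>
  </users></user></freeradius></OPNsense>
</opnsense>"""


def local_users(root):
    """Map local account name -> True if the account carries a TOTP seed."""
    users = {}
    for u in root.findall("./system/user"):
        name = (u.findtext("name") or "").strip()
        if name:
            users[name] = bool((u.findtext("otp_seed") or "").strip())
    return users


def radius_users(root):
    """Set of usernames defined in the FreeRADIUS plugin (assumed path)."""
    path = "./OPNsense/freeradius/user/users/user"
    names = ((u.findtext("username") or "").strip() for u in root.findall(path))
    return {n for n in names if n}


def audit(config_xml):
    """Return (names in both backends, local names lacking a TOTP seed), sorted.
    A name in both backends can log in via the password-only RADIUS path."""
    root = ET.fromstring(config_xml)
    local, radius = local_users(root), radius_users(root)
    overlap = sorted(set(local) & radius)
    no_seed = sorted(n for n, has_seed in local.items() if not has_seed)
    return overlap, no_seed


if __name__ == "__main__":
    overlap, no_seed = audit(SAMPLE_CONFIG)
    print("in both backends (TOTP bypassable):", overlap)
    print("local users without a TOTP seed:", no_seed)
```

Run it against a real backup with `audit(open("config.xml").read())`; any name in the first list should be removed from one of the two backends before the OpenVPN server is pointed at both.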