Messages

1

Virtual private networks / VPN - Radius authentication - collecting client IP

« on: November 24, 2021, 12:40:51 pm »

I use openVPN as client connection tool.
I need the OPNSENSE to transmit the client IP address to the radius server, through an radius-attribute.
How can we acheive that ?
When I do a packet capture, I don't see any attribute transmitted by the firewall that contains the client IP.

Thanks for the help

2

General Discussion / Re: Captive Portal - import - export

« on: October 14, 2021, 02:53:19 pm »

Solved.
Need to connect in ssh and copy vouchers*.db file from the /conf

3

Virtual private networks / how to Request openVPN Client to prompt for (TOTP) in a second popup

« on: October 14, 2021, 02:49:13 pm »

I'm running a solution with and windows NPS as radius authentication server.
The radius server request additionnal challenge after user/passwd (in a second step).
It works more or less:
The user get prompted a first time with username/password, then a second time with the same popup window.(still asking for user and password).
 If I fill in the TOTP, then the authentication succeed and the client is connected.

But, this is really not user intuitive or friendly.
I would like the openVPN client to prompt the user / password in first step, as it is now, but then, for the second challenge, it should show up with a new popup windows, with a single field : "please enter OTP".
How can I acheive that ?
It should be possible, as I can see that miniorange is proposing it with the openvpn client.


Here are the logs of a successfull connexion:
First, at 12:14:44, the authentication is rejected
the connexion seems to be restarted and accepted the second time with the TOTP.
I think something more "clean" would be nicer


2021-10-15 12:14:37 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2021-10-15 12:14:37 OpenVPN 2.5_rc3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 19 2020
2021-10-15 12:14:37 Windows version 10.0 (Windows 10 or greater) 64bit
2021-10-15 12:14:37 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
Enter Management Password:
2021-10-15 12:14:42 TCP/UDP: Preserving recently used remote address: [AF_INET]xxxxxx:yyyy
2021-10-15 12:14:42 UDP link local (bound): [AF_INET][undef]:0
2021-10-15 12:14:42 UDP link remote: [AF_INET]xxxxxx:yyyy
2021-10-15 12:14:42 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-10-15 12:14:43 [wwww] Peer Connection Initiated with [AF_INET]xxxxxx:yyyy
2021-10-15 12:14:44 AUTH: Received control message: AUTH_FAILED
2021-10-15 12:14:44 SIGUSR1[soft,auth-failure] received, process restarting


2021-10-15 12:14:57 TCP/UDP: Preserving recently used remote address: [AF_INET]xxxxxx:yyyy
2021-10-15 12:14:57 UDP link local (bound): [AF_INET][undef]:0
2021-10-15 12:14:57 UDP link remote: [AF_INET]xxxxxx:yyyy
2021-10-15 12:14:57 [xxxxxx] Peer Connection Initiated with [AF_INET]xxxxxx:yyyy
2021-10-15 12:14:57 open_tun
2021-10-15 12:14:57 tap-windows6 device [Connexion au réseau local 4] opened
2021-10-15 12:14:57 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.14.6/255.255.255.252 on interface {xxxxx} [DHCP-serv: 10.0.14.5, lease-time: 31536000]
2021-10-15 12:14:57 Successful ARP Flush on interface [13] {xxxxx}
2021-10-15 12:14:57 IPv4 MTU set to 1500 on interface 13 using service
2021-10-15 12:15:02 Initialization Sequence Completed

4

General Discussion / Captive Portal - import - export

« on: August 25, 2021, 01:18:51 pm »

I need to export voucher database from one FW to a new one (Replacement after failure)
When I do a config backup, and restore, the vouchers database is loast.
Where / how can I export existing vouchers and re-import then on the new FW ?

Thanks for the helps