gate-sso / gate

Gate is an MFA-enabled SSO platform that supports SAML, OAuth, Linux shell login and CAS
https://gate-sso.github.io
MIT License

OpenVPN Server #183

Closed sassyn closed 1 month ago

sassyn commented 4 years ago

Hi All,

Thank you for the amazing tool! I still have a few questions, however. I would like to build an RPM/DEB package of this great software, but I still can't figure out how to do the OpenVPN integration.

I have managed to install Gate and do the SAML integration with my G Suite accounts, so users from my organisation can access their Gate account and download the OpenVPN profile and the Google MFA QR code.

Based on https://github.com/gate-sso/gate/blob/master/scripts/gen-client-keys, you can see the OpenVPN client is using auth-user-pass, meaning that the user needs to provide a username + password when trying to connect. The question this raises is: which username/password does the user need to put in?

For example, when using the OpenVPN server side with the default PAM plugin, any legitimate user who exists and is configured on the server (via /etc/passwd) can easily log in with the OpenVPN client.

The same goes if the server is configured with an LDAP or NIS service (with the help of NSS - nsswitch.conf) and the PAM module is configured to allow LDAP authentication (or even Kerberos). In general, as long as the user information can be retrieved (via LDAP) and the right PAM authentication is enabled (LDAP or Kerberos), users can connect to the OpenVPN server with their LDAP username/password.

Note: there is also an OpenVPN LDAP plugin which makes a direct call to the LDAP server without using PAM (but this is not what I'm referring to here).

One more thing to note is that if Google Authenticator is configured and its PAM module is enabled, then the Google module will look for the user's OTP in its default home directory, and on an OTP match (meaning the user provided the right OTP) the user logs in.

For example, consider this configuration as /etc/pam.d/openvpn:

    auth requisite pam_google_authenticator.so forward_pass
    auth required pam_krb5.so use_first_pass

Where the OpenVPN server file is configured with the PAM plugin as follows:

    plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

This means that the OpenVPN service is configured to use PAM with the /etc/pam.d/openvpn profile, which is defined to provide Kerberos authentication followed by OTP. So when a user connects to the OpenVPN server and is prompted for username and password, he/she needs to provide the username and the "password + the OTP code", and voilà - the user is connected.

Back to the Gate solution, it is unclear to me:

  1. How to configure the PAM module (https://github.com/gate-sso/pam_gate). In the docs it says to configure /etc/pam.d/common-auth with pam_gate, but it never says which token I should use. e.g.:

         auth sufficient pam_gate.so url=https:// token=
         account sufficient pam_gate.so url=https:// token=

  2. Same question goes for nss_gate.

  3. How does the MFA work? Where is the Google Auth key saved? In the MySQL DB?

  4. There is a "Setting up Public Key Lookup" section with /usr/bin/gate_ssh.sh in the pam_gate repo, but my guess is that this is for the user to upload his public key to the server so he can SSH in with his/her private key. It might be for use with the OpenVPN client as well, but I'm not sure.

  5. Could you please provide the missing part: how to configure the OpenVPN server? I looked in the code, but there is nothing that points out how to configure the server side, while the doc says: "If you want Gate to setup VPN for you then just install OpenVPN with easy rsa. Gate should just work fine with it."

Thanks for the help! Sassy
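The PAM stack quoted in the question above relies on pam_google_authenticator's forward_pass behaviour: the user types "password + OTP" as one string, the module peels the trailing OTP digits off and verifies them as an RFC 6238 TOTP, and only the remaining prefix is forwarded (use_first_pass) to pam_krb5. The simulation below is an added example written for this thread; it is not code from Gate, pam_google_authenticator or OpenVPN. The base32 secret is the RFC 6238 test key, the Kerberos check is a stand-in callback, and the 6-digit/30-second parameters are Google Authenticator's defaults.

```python
import base64
import hashlib
import hmac
import struct

# Constructed test secret: the RFC 6238 reference key "12345678901234567890" in base32,
# the same form a Google Authenticator QR code carries. Not a real user's secret.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
OTP_DIGITS = 6


def totp(secret_b32: str, for_time: int, step: int = STEP_SECONDS, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the Google Authenticator default)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", for_time // step)          # 8-byte big-endian time step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_forward_pass(combined: str, otp_len: int = OTP_DIGITS):
    """Mimic forward_pass: the last otp_len digits are the OTP, the rest is the
    password handed to the next module. Returns (None, None) if it cannot split."""
    if len(combined) <= otp_len or not combined[-otp_len:].isdigit():
        return None, None
    return combined[:-otp_len], combined[-otp_len:]


def otp_is_valid(otp: str, secret_b32: str, now: int, window: int = 1) -> bool:
    """Accept the current step plus +/- `window` steps of clock skew, comparing in
    constant time so a wrong guess does not leak how many digits matched."""
    candidates = [totp(secret_b32, now + i * STEP_SECONDS) for i in range(-window, window + 1)]
    return any(hmac.compare_digest(otp, c) for c in candidates)


def verify_stack(username: str, combined: str, secret_b32: str, now: int, kerberos_check) -> bool:
    """Simulate the two-line stack:
         auth requisite pam_google_authenticator.so forward_pass
         auth required  pam_krb5.so use_first_pass
    `requisite` means an OTP failure ends the stack before the password module runs,
    so a wrong OTP never costs a Kerberos round trip. `kerberos_check(user, password)`
    is a hypothetical stand-in for pam_krb5."""
    password, otp = split_forward_pass(combined)
    if otp is None or not otp_is_valid(otp, secret_b32, now):
        return False
    return kerberos_check(username, password)


def fake_kdc(username: str, password: str) -> bool:
    """Stand-in for pam_krb5: one constructed account."""
    return (username, password) == ("alice", "hunter2")


if __name__ == "__main__":
    now = 59                                   # RFC 6238 test vector time; OTP is 287082
    code = totp(EXAMPLE_SECRET_B32, now)
    print("OTP for this step:", code)
    print("good password+OTP:", verify_stack("alice", "hunter2" + code, EXAMPLE_SECRET_B32, now, fake_kdc))
    print("bad OTP:          ", verify_stack("alice", "hunter2000000", EXAMPLE_SECRET_B32, now, fake_kdc))
    print("bad password:     ", verify_stack("alice", "wrongpw" + code, EXAMPLE_SECRET_B32, now, fake_kdc))
```

The ordering matters for the failure mode in the question: because the Google module is `requisite` and runs first, a user whose OTP file is missing or whose code is wrong is rejected without pam_krb5 ever seeing the password, and the password that reaches Kerberos is the typed string minus its last six digits.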

ajeygore commented 4 years ago

Hey Sassy, Thanks for the comment, I will get back to you asap.

sassyn commented 4 years ago

any feedback?

sassyn commented 4 years ago

?

ajeygore commented 4 years ago

I will get back to you tomorrow.


-- Thanks, Ajey

ramilexe commented 4 years ago

@ajeygore any updates?

ajeygore commented 4 years ago

Ramil, I will start working on it this week hopefully.

Ajey


-- Thanks, Ajey

ajeygore commented 1 month ago

Gate moved to WireGuard: https://github.com/gate-sso/gate-wireguard