opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

FR: OpenVPN respects Framed-IP-Address from Radius #2348

Closed mimugmail closed 6 years ago

mimugmail commented 6 years ago

To achieve this there should be

ifconfig-push Framed-IP-Address Framed-IP-Network

Since ifconfig-push is the same as "IPv4 Tunnel Network" in CSC, the checkbox should disable "IPv4 Tunnel Network" or an if check when enabled to alter the value of "IPv4 Tunnel Network" when set.
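An added example, not part of the original thread and not OPNsense's own code: one way to turn RADIUS-supplied addressing into the ifconfig-push line requested above, validating it first so that an unexpected RADIUS reply cannot write extra directives into the per-client override. It assumes topology subnet, that the netmask arrives in the standard Framed-IP-Netmask attribute, and that the server holds the first host address; the function names are hypothetical.

```python
import ipaddress

def build_ifconfig_push(framed_ip, framed_netmask, tunnel_network):
    """Return a validated 'ifconfig-push <ip> <netmask>' line or raise ValueError."""
    net = ipaddress.IPv4Network(tunnel_network)
    if not isinstance(framed_ip, str) or not isinstance(framed_netmask, str):
        raise ValueError("RADIUS attributes must be strings")
    # IPv4Address rejects whitespace, newlines and extra tokens, so the value
    # cannot carry a second directive into the override file.
    addr = ipaddress.IPv4Address(framed_ip)
    mask = ipaddress.IPv4Network("0.0.0.0/" + framed_netmask).netmask
    # ipaddress also accepts prefix lengths and host masks; insist on the
    # dotted-quad netmask form that ifconfig-push expects.
    if str(mask) != framed_netmask:
        raise ValueError("netmask must be a dotted-quad netmask")
    if mask != net.netmask:
        raise ValueError("netmask does not match the tunnel network")
    if addr not in net or addr in (net.network_address, net.broadcast_address):
        raise ValueError("address is not a usable host in the tunnel network")
    if addr == net.network_address + 1:
        # Assumption: the server itself uses the first host address.
        raise ValueError("address is reserved for the server")
    return f"ifconfig-push {addr} {mask}"

def override_line(radius_attrs, tunnel_network, csc_line=None):
    """Prefer the RADIUS address over the CSC value; keep the CSC value if none was sent."""
    ip = radius_attrs.get("Framed-IP-Address")
    if ip is None:
        return csc_line
    default_mask = str(ipaddress.IPv4Network(tunnel_network).netmask)
    mask = radius_attrs.get("Framed-IP-Netmask", default_mask)
    # Fail closed: an invalid RADIUS value raises instead of silently falling
    # back, so the mismatch shows up in the logs.
    return build_ifconfig_push(ip, mask, tunnel_network)

if __name__ == "__main__":
    # Constructed sample values.
    attrs = {"Framed-IP-Address": "10.8.0.5", "Framed-IP-Netmask": "255.255.255.0"}
    print(override_line(attrs, "10.8.0.0/24", csc_line="ifconfig-push 10.8.0.9 255.255.255.0"))
```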

mimugmail commented 6 years ago

yep .. only using certs and shared key, no user/pw in client config.

If you like I can always offer teamviewer session etc.

AdSchellevis commented 6 years ago

ok, thanks, it looks like https://github.com/opnsense/core/blob/870b17e09ef8e97711bc6518e910e7a23c47acdb/src/etc/inc/plugins.inc.d/openvpn.inc#L603 is a bit late to the party here.

mimugmail commented 6 years ago

If I can test a patch let me know, the client at the production site now uses a different VPN so I can test anytime :)

AdSchellevis commented 6 years ago

@mimugmail can you check https://github.com/opnsense/core/commit/9d35f1719896925b774875f266830c3436affdeb ? It looks like client-connect sends the location, which is different than the auth workflow.

mimugmail commented 6 years ago

It's working great now, thanks! But now with the latest master I can't start clamav anymore .. @fichtner ?

root@pme-fw:~ # /usr/local/etc/rc.d/clamav-clamd start
Starting clamav_clamd.
Illegal option -c
Usage: man opnsense-shell
/usr/local/etc/rc.d/clamav-clamd: WARNING: failed to start clamav_clamd

fichtner commented 6 years ago

This is my fault, though I’m not sure WTH is wrong with it. It should first and foremost push a command to su, not a parameter “-c”.

fichtner commented 6 years ago

You can revert d12a59460 for now

AdSchellevis commented 6 years ago

@mimugmail thanks for testing, closing it now.

fichtner commented 6 years ago

second try https://github.com/opnsense/core/commit/15ec336

mimugmail commented 6 years ago

Works! :)

mimugmail commented 6 years ago

@AdSchellevis can you check this one? https://forum.opnsense.org/index.php?topic=9322.0

Seems the guys also has a solution but you know better :)

AdSchellevis commented 6 years ago

@mimugmail you need the logs to know for sure, if you don't clean up the cso file, it logically picks it up the next time, but has the disadvantage that the profile used might be different than expected.