opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

OpenVPN auth-gen-token #6135

Closed monkz closed 1 year ago

monkz commented 2 years ago

Is your feature request related to a problem? Please describe.

To allow clients to authenticate with an OTP as part of their password, reneg-sec has to be set to 0. This allows users to stay connected longer than 1 hour.

But to allow ping-restart auth-gen-token is needed, as the OTP is invalid at this time.

Basically: https://forum.opnsense.org/index.php?topic=25124.0

Describe the solution you like

Add auth-gen-token to OpenVPN Server Configuration

Describe alternatives you considered

Setting the option in the advanced configuration - but the field says it will be deprecated.
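Added example, not code from OPNsense or from this issue: a small POSIX shell check that reads an OpenVPN server config and reports whether the reneg-sec / auth-gen-token combination described above will keep OTP users connected across a key renegotiation. The three sample configs it writes are constructed for the example; the function names (ovpn_has, ovpn_arg, ovpn_otp_safe) are my own.

```shell
#!/bin/sh
# Added example (not OPNsense code): audit an OpenVPN server config for the
# reneg-sec / auth-gen-token interaction. Assumes a plain-text config with
# one directive per line; lines starting with '#' or ';' are comments.

# Return 0 if the directive appears as the first word of a non-comment line.
ovpn_has() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Print the first argument of the directive (empty if absent or bare).
ovpn_arg() {
    awk -v key="$2" '$0 !~ /^[ \t]*[#;]/ && $1 == key { print $2; exit }' "$1"
}

# Exit 0 when OTP users survive renegotiation, 1 when they will be dropped.
# reneg-sec 0 disables renegotiation entirely; otherwise the server needs
# auth-gen-token so it re-authenticates the client with a server-issued
# token instead of asking for the (by then expired) OTP again.
ovpn_otp_safe() {
    cfg=$1
    reneg=$(ovpn_arg "$cfg" reneg-sec)
    [ -n "$reneg" ] || reneg=3600          # OpenVPN's default when unset
    if [ "$reneg" = 0 ]; then
        echo "ok: reneg-sec 0, no key renegotiation"
        return 0
    fi
    if ovpn_has "$cfg" auth-gen-token; then
        lifetime=$(ovpn_arg "$cfg" auth-gen-token)
        echo "ok: reneg-sec $reneg, auth-gen-token ${lifetime:-default lifetime}"
        return 0
    fi
    echo "warn: reneg-sec $reneg without auth-gen-token: OTP users drop at renegotiation"
    return 1
}

# Constructed sample configs (not taken from any real deployment).
SAMPLE_DIR=${TMPDIR:-/tmp}/ovpn-otp-check.$$
mkdir -p "$SAMPLE_DIR"
CFG_BAD=$SAMPLE_DIR/bad.conf        # token only in a comment: not effective
CFG_TOKEN=$SAMPLE_DIR/token.conf    # token set, renegotiation allowed
CFG_NORENEG=$SAMPLE_DIR/noreneg.conf

printf '%s\n' 'server 10.8.0.0 255.255.255.0' 'reneg-sec 3600' '# auth-gen-token 43200' > "$CFG_BAD"
printf '%s\n' 'server 10.8.0.0 255.255.255.0' 'reneg-sec 3600' 'auth-gen-token 43200' > "$CFG_TOKEN"
printf '%s\n' 'server 10.8.0.0 255.255.255.0' 'reneg-sec 0' > "$CFG_NORENEG"

for f in "$CFG_BAD" "$CFG_TOKEN" "$CFG_NORENEG"; do
    printf '%s: ' "$(basename "$f")"
    ovpn_otp_safe "$f" || true
done
```

Running it against an exported OPNsense server config (or the generated file under /var/etc) tells you at a glance whether an OTP-in-password setup will start dropping clients after the first reneg-sec interval.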

prtrx commented 1 year ago

This would be really nice to have. Especially in combination with auth-gen-token-secret. This way we could use roaming between multiple OPNsense devices while using passwords that contain OTP tokens.

monkz commented 1 year ago

Thanks 🙂

Reiner030 commented 11 months ago

Hi, this feature is not completely implemented. Because my answer in the forum was just one day after this unknown patch, I checked my interface to see why I have overlooked this in the last months... => compared to reneg-sec it's missing in some PHP web files to get configured:

root@fw01:~ # grep -rl reneg-sec /usr/local/
/usr/local/sbin/openvpn
/usr/local/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
/usr/local/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml
/usr/local/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml
/usr/local/opnsense/mvc/app/library/OPNsense/OpenVPN/TheGreenBow.php
/usr/local/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php
/usr/local/include/openvpn-plugin.h
/usr/local/www/vpn_openvpn_server.php
/usr/local/www/vpn_openvpn_client.php
grep: /usr/local/openssl/misc/tsget: No such file or directory
/usr/local/etc/inc/plugins.inc.d/openvpn.inc

in the $copy_fields / $init_fields variables and also in the table part with help entries in the server, client and client export pages: (in our case I have put both parameters as a server option + server push option to clients so they can be changed server-side without needing to also update all client configurations)

root@fw01:~ # grep -rl auth-gen-token /usr/local/
/usr/local/sbin/openvpn
/usr/local/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
/usr/local/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml
/usr/local/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml
grep: /usr/local/openssl/misc/tsget: No such file or directory

fichtner commented 11 months ago

PRs welcome :)

Reiner030 commented 11 months ago

yes, that would be "hard" work in a plaintext editor ;)

Sadly I lost my changes made half a year ago due to an unexpected NVRAM SSD crash, and I saw the plan that the "Advanced" textarea would be deleted in the near future... So several updates are needed to get a secure implementation taken over to OPNsense

server 10.30.1.0 255.255.255.0 nopool
ifconfig-pool 10.30.1.20 10.30.1.200
tls-version-min 1.3
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
ncp-ciphers AES-256-GCM:AES-192-GCM:AES-128-GCM
auth-gen-token 43200
mssfix 1420
push "mssfix 1420"
reneg-sec 3600
push "reneg-sec 3600"

If maybe helpful for defaults I can search for the inspiration blog article for these settings; maybe it needs some fine-tuning again after 2 years ^^

The first 2 lines were to reserve IP addresses at the front/end of the range for special users like admins or external services with different firewall rules..

fichtner commented 11 months ago

To be blunt posting a random full configuration blob and not saying where which particular setting is missing is not helpful.

Steps to reproduce from GUI + expected (configuration file) outcome is required for a sane bug report.

Reiner030 commented 11 months ago

Sorry, I forgot to ask if the missing part of auth-gen-token from this PR should be a standalone patch or can be included in a bigger one