OpenVPN - Enhance tunnel networks with nopool and dedicated ifconfig-… #7568

Open: wants to merge 13 commits into base: master
Conversation

Reiner030

…pool + ifconfig-ipv6-pool parameters to give static IP client overrides a chance to use an unallocated IP

Reiner030 added 9 commits May 15, 2024 13:51
…eset active

Otherwise the Windows client can't connect+route with the wrong default topology_subnet parameter;
there are as yet no push_register_dns and no keepalive parameters available for override.

Additionally --push-remove opt could be implemented as a better alternative for
push-reset:

https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

--push-remove opt
	selectively remove all --push options matching "opt" from the option
	list for a client. "opt" is matched as a substring against the whole
	option string to-be-pushed to the client, so --push-remove route would
	remove all --push route ... and --push route-ipv6 ... statements,
	while --push-remove 'route-ipv6 2001:' would only remove IPv6 routes
	for 2001:... networks. --push-remove can only be used in a client-specific
	context, like in a --client-config-dir file, or --client-connect script
	or plugin -- similar to --push-reset, just more selective.

	NOTE: to change an option, --push-remove can be used to first remove
	the old value, and then add a new --push option with the new value.
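The quoted manual text describes a substring match, and the commit above argues that this is a safer override tool than push-reset, which also drops "topology subnet". The following is an added example, not code from OpenVPN or OPNsense: a small model of how push-reset and push-remove rewrite the push list for one client, with a minimal parser for the client-config-dir directives. GLOBAL_PUSH, SAMPLE_CCD, push_remove, parse_ccd and client_push_list are names and sample data constructed for this example.

```python
# Added example (not OpenVPN's or OPNsense's own code): a model of how
# --push-reset and --push-remove rewrite the push list for one client, using
# the substring rule from the manual text quoted in the commit message.
# GLOBAL_PUSH, SAMPLE_CCD and the function names are assumptions made here.
import shlex
from typing import List, Tuple

# Constructed sample: the server-wide push list assembled for every client.
GLOBAL_PUSH = [
    "route 10.8.0.0 255.255.255.0",
    "route 192.168.10.0 255.255.255.0",
    "route-ipv6 2001:db8:1::/64",
    "route-ipv6 fd00:1::/64",
    "dhcp-option DNS 10.8.0.1",
    "topology subnet",
]

# Constructed sample client-config-dir file: replace the DNS value selectively
# instead of wiping everything with push-reset.
SAMPLE_CCD = """
# change the pushed DNS server for this client only
push-remove "dhcp-option DNS"
push "dhcp-option DNS 10.8.0.53"
; drop only the IPv6 routes for 2001: networks
push-remove "route-ipv6 2001:"
"""


def push_remove(push_list: List[str], opt: str) -> List[str]:
    """Keep only the push options that do not contain `opt` as a substring.

    'route' therefore removes both 'route ...' and 'route-ipv6 ...' lines,
    while 'route-ipv6 2001:' removes only IPv6 routes for 2001: networks.
    """
    return [option for option in push_list if opt not in option]


def parse_ccd(text: str) -> List[Tuple[str, str]]:
    """Parse client-config-dir directives into (keyword, argument) pairs.

    Lines starting with '#' or ';' are comments; quoted arguments are
    unwrapped with shell-style quoting, matching how push "..." is written.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        directives.append((parts[0], " ".join(parts[1:])))
    return directives


def client_push_list(global_push: List[str], ccd_text: str) -> List[str]:
    """Apply a client's push-reset / push-remove / push directives in file order."""
    current = list(global_push)
    for keyword, arg in parse_ccd(ccd_text):
        if keyword == "push-reset":
            current = []  # everything is gone, 'topology subnet' included
        elif keyword == "push-remove":
            current = push_remove(current, arg)
        elif keyword == "push":
            current.append(arg)
        else:
            raise ValueError(f"unsupported directive in this model: {keyword}")
    return current


if __name__ == "__main__":
    for option in client_push_list(GLOBAL_PUSH, SAMPLE_CCD):
        print(option)
```

Running the block prints the five options the sample client would receive: the two IPv4 routes, the fd00: IPv6 route, "topology subnet", and the replacement DNS option. Feeding it a file containing only push-reset yields an empty list, which is the situation the commit message describes: unless "topology subnet" is pushed again after the reset, the client never receives it.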
usage dependencies.

It is actually difficult to find the "correct" password+otp_token order,
because OPNsense mainly matches with the "wrong" order where found,
and the RFC only writes about Kerberos authentication, which is totally
different.

But here are examples for the order password+otp_token that have been known for years:

https://download.fudosecurity.com/documentation/fudo/5_1/online_help/en/main/en/users_auth_oath.html
https://networkjutsu.com/freeradius-google-authenticator/
https://github.com/evgeny-gridasov/openvpn-otp
https://docs.rcdevs.com/howtos/pfsense/pfsense/
https://docs.rcdevs.com/howtos/radius_bridge/rb_manual/
https://www.netgate.com/blog/freeradius-on-pfsense-for-2fa

so maybe it is best that the authenticate() function / calls get extended
from (user, password) to (user, password, otp_token) to avoid unnecessary
copy/extract/reorder processes, which seem to be only in these files:

src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php
src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api/AccessController.php
src/opnsense/mvc/app/library/OPNsense/Auth/AuthenticationFactory.php
src/opnsense/mvc/app/library/OPNsense/Auth/IAuthConnector.php
src/opnsense/mvc/app/library/OPNsense/Auth/API.php
src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
src/opnsense/mvc/app/library/OPNsense/Auth/Local.php
src/opnsense/mvc/app/library/OPNsense/Auth/Radius.php
src/opnsense/mvc/app/library/OPNsense/Auth/TOTP.php
src/opnsense/mvc/app/library/OPNsense/Auth/Voucher.php
src/opnsense/scripts/openvpn/user_pass_verify.php
src/www/diag_authentication.php
src/www/xmlrpc.php
* "keepalive 10 60" was a fixed setup in line opnsense#528 of openvpn.inc, so the GUI-based
  "Keep alive interval" and "Keep alive timeout" fields couldn't be used.
* also both variables keepalive-interval and keepalive-timeout were
  overlooked for setup in OpenVPN.php when writing the config file
This commit/PR depends on PR
opnsense@5f13d0a
in file src/etc/inc/plugins.inc.d/openvpn.inc, which was lines 999-1001
and is currently lines 991-993:

            if (!empty($server['topology_subnet'])) {
                $conf .= "push \"topology subnet\"\n";
            }