
authy-openvpn's People

Contributors

dcu, rgarcia, robinske, sarcilav, senekis, serargz, tsaubergine


authy-openvpn's Issues

Unable to find .dll files for OpenVPN GUI

I'm unable to find .dll files for OpenVPN GUI for Windows Desktop.
I managed to follow all the instructions to use authy in Ubuntu Server OpenVPN (One of the most detailed I found 🥇)
Now I would like to end the installation, any help would be appreciated.
Thank you in advance.

Confirm authy doesn't use insecure json

See http://www.infoworld.com/article/3184582/security/critical-flaw-alert-stop-using-json-encryption.html

Your post-install script shows json being used:

add_configuration "$server_conf" "plugin $plugin https://api.authy.com/protected/json $key $pam"

Also, the post-install script or your docs should describe setup that doesn't depend on the post-install script, since some OpenVPN servers will be running multiple daemons on various IPs and ports, whose config files are best edited by hand.

add sms

Hi,

I would like to add SMS functionality even when there is an Authy app.

Regards,

Areeb

Authy-OpenVPN on FreeBSD

I've started working on a PR for getting this working on OpenVPN running under FreeBSD, and I've hit a wall that I can't overcome. I'm so close, but this seems to require some expertise in C, which I don't have.

For starters, here are some specs on my OpenVPN server:

  • FreeBSD: 10.3 RELEASE
  • 64 bit
  • Running inside a FreeBSD jail
  • GCC: 4.8.5
  • OpenVPN: 2.3.11

To get to the point where I am now, I essentially built an OpenVPN server, and configured it fully. Tested and everything was working. Then I started on the Authy bits. Here are some of the commands that I've run so far:

mkdir -p /usr/local/src
cd /usr/local/src
curl -L "https://github.com/authy/authy-openvpn/archive/master.tar.gz" -o authy-openvpn.tar.gz
tar xf authy-openvpn.tar.gz
cd authy-openvpn-master
pkg install gcc bash
mkdir build
make && make install
sed 's/\#!\/bin\//\#!\/usr\/bin\/env /g' scripts/post-install > scripts/post_install.freebsd
chmod 755 scripts/post_install.freebsd
scripts/post_install.freebsd

At this point, I provided my API Key, and said yes to use PAM. I also had to make a couple of changes to the authy-vpn-add-user script. I changed the #! to be #!/usr/bin/env bash and changed the paths for each place where the script assumed that my OpenVPN install was in /etc. It is in /usr/local/etc. With that working, I added my user successfully.

Now for the meat of it. When I attempted to restart the OpenVPN server, I got this error message in my system log:

PLUGIN: could not find required symbol 'openvpn_plugin_close_v1' in plugin shared object /usr/lib/authy/authy-openvpn.so: Undefined symbol "openvpn_plugin_close_v1"

It looks as if FreeBSD may not be supported by Authy, so I know that this is a stretch. If I can get this working, I intend to submit a pull request with updates to the docs, and the bash scripts to include FreeBSD, so if you can help me figure out what is going on here, I'll be doing what I can to give something back.

Please let me know what other questions you have.

connection hang after some amount of data

I don't know where the bug is - in openvpn plugin management or in this plugin, but we are seeing some very strange behaviour whilst the authy plugin is active in that the connection will hang after transferring ~100MiB of data. It is related to the amount of data and not the amount of time since connecting and it does not happen with the authy plugin disabled. Maybe a buffer overflow / stack smashing destroying some data structure somewhere?

Ubuntu 16.04

OpenVPN 2.3.13 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 3 2016
library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08

LDAP no longer supported

LDAP (authy-openvpn-ldap) support appears to be dropped in the latest version:

"PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/authy/authy-openvpn.so
ldap_bind with zero-length password is forbidden."

It appears the 2014 version of the plugin still works.

Mention reneg-sec config

Docs should mention that the reneg-sec default is 1 hour (3600 seconds), and that failure to bump this or set it to 0 will result in you having to reauth frequently.

reneg-sec 0

Unable to connect after restart if openvpn is not root

For safety, our openvpn server config contains these entries so that the daemon isn't running as root once initialization is complete:

user nobody
group nogroup

The Authy VPN configuration file /etc/openvpn/authy/authy-vpn.conf should be owned by nobody, but seems to get taken back by root on restarting the VPN. Client connections then fail because the openvpn process running as nobody cannot read the file.

chown nobody authy-vpn.conf fixes it, until the next restart.
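
A pre-restart check for the failure this issue describes, as an added example that is not part of authy-openvpn or of the original post. The function names are hypothetical, `getent` is assumed to be available, and only the owner/group/other mode bits are examined.

```shell
#!/bin/sh
# Added example, not part of authy-openvpn. Function names are hypothetical.
# Checks whether the account OpenVPN drops to (the "user"/"group" directives)
# can still read the Authy config. Only owner/group/other mode bits are
# examined; supplementary groups, ACLs and parent directories are not.

# conf_directive CONF NAME: print the first value of directive NAME.
conf_directive() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# can_read FILE UID GID: succeed if the mode bits grant read to UID/GID.
can_read() {
    ls -lnd "$1" 2>/dev/null | awk -v uid="$2" -v gid="$3" '
    {
        if (uid == 0)       ok = 1                        # root ignores mode bits
        else if ($3 == uid) ok = (substr($1, 2, 1) == "r")
        else if ($4 == gid) ok = (substr($1, 5, 1) == "r")
        else                ok = (substr($1, 8, 1) == "r")
    }
    END { exit (ok ? 0 : 1) }'
}

# check_authy_conf SERVER_CONF AUTHY_CONF
# 0 = readable after privilege drop, 1 = not readable, 2 = unknown account.
check_authy_conf() {
    user=$(conf_directive "$1" user)
    [ -n "$user" ] || return 0            # no "user" line: daemon stays root
    uid=$(id -u "$user" 2>/dev/null) || return 2
    group=$(conf_directive "$1" group)
    if [ -n "$group" ]; then
        gid=$(getent group "$group" | cut -d: -f3)
        [ -n "$gid" ] || return 2
    else
        gid=$(id -g "$user")
    fi
    can_read "$2" "$uid" "$gid"
}

# Optional direct use: script.sh SERVER_CONF AUTHY_CONF
if [ $# -eq 2 ]; then check_authy_conf "$1" "$2"; fi
```

Run it with the server config and /etc/openvpn/authy/authy-vpn.conf as the two arguments after each restart; exit status 1 means the unprivileged daemon will not be able to read the file.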

Need simple fix for openvpn-2.4

For OpenVPN 2.3.x the config below was fine:
plugin /usr/lib/authy/authy-openvpn.so https://api.authy.com/protected/json <AUTH-KEY> nopam

For OpenVPN 2.4 the plugin must have 2 arguments, so it must be:
plugin "/usr/lib/authy/authy-openvpn.so" "https://api.authy.com/protected/json <AUTH-KEY> nopam"
So the three params for the plugin must be in quotes. If not, then in the log:
Options error: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/openvpn.conf:336: plugin (2.4.0)
and openvpn doesn't start.

Command to install authy in openvpn.conf must be fixed.
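
The rewrite this issue asks for, as an added example that is not the project's post-install script or code from the original post. The function names are hypothetical and the sample config is constructed, using the issue's own `<AUTH-KEY>` placeholder.

```shell
#!/bin/sh
# Added example, not part of authy-openvpn; quote_plugin_args and sample_conf
# are hypothetical names. Rewrites 2.3-style lines
#   plugin <path> <arg> <arg> ...
# into the two-parameter form the issue reports OpenVPN 2.4 needs:
#   plugin "<path>" "<arg> <arg> ..."
# Comments, other directives, plugin lines with at most one argument and
# lines that already contain a double quote pass through unchanged.

quote_plugin_args() {
    awk '
    $1 == "plugin" && NF > 3 && index($0, "\"") == 0 {
        args = $3
        for (i = 4; i <= NF; i++) args = args " " $i
        printf "plugin \"%s\" \"%s\"\n", $2, args
        next
    }
    { print }
    '
}

# Constructed sample config; <AUTH-KEY> is the placeholder used in the issue.
sample_conf() {
    cat <<'EOF'
port 1194
;plugin /path/to/disabled.so a b c
plugin /usr/lib/authy/authy-openvpn.so https://api.authy.com/protected/json <AUTH-KEY> nopam
reneg-sec 0
EOF
}

sample_conf | quote_plugin_args
```

Because already-quoted lines are left alone, the filter can be run repeatedly over the same config, which matters on servers with several hand-edited daemon configs.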

Support for sending authentication tokens

This plug-in should have support for sending 'auth-token' to clients, to avoid authentication failing on re-negotiations without the server using --auth-gen-token.

For more info:

Generates token: https://gitlab.com/openvpn/openvpn/commit/270dc91164013eb7ace34d7b098fa11a97aef847
Authenticates token: https://gitlab.com/openvpn/openvpn/commit/703c9784f4dcd4f77166201074c21c6ea4aeb033

This is the implementation inside the core OpenVPN for the --auth-gen-token; there are more related commits to this too. But these two are the core feature.

Any plug-ins supporting --client-connect should be able to write a configuration entry which can contain --push statements which are sent to the client. This authentication plug-in should make use of that feature to do a "push auth-token $RANDOM_STRING".

[update: point at proper commits]

Connection drops when transferring large files

When trying to transfer large files, the client side of VPN just hangs. At the exact moment that it does so, I see an entry server side in the logs that looks like:

Jan 31 16:39:05 serverName openvpn[13868]: gervais-laptop/my.ipaddress.com:49549 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/authy/authy-openvpn.so

Server side:

openvpn --version
OpenVPN 2.3.14 i686-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec  7 2016
library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Originally developed by James Yonan
Copyright (C) 2002-2016 OpenVPN Technologies, Inc. <[email protected]>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_pthread=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no

This is the stock openvpn server:

yum info openvpn

Installed Packages
Name        : openvpn
Arch        : i686
Version     : 2.3.14
Release     : 1.el6
Size        : 951 k
Repo        : installed
From repo   : epel
Summary     : A full-featured SSL VPN solution
URL         : http://openvpn.net/
License     : GPLv2
Description : OpenVPN is a robust and highly flexible tunneling application that uses all
            : of the encryption, authentication, and certification features of the
            : OpenSSL library to securely tunnel IP networks over a single UDP or TCP
            : port.  It can use the Marcus Franz Xaver Johannes Oberhumer's LZO library
            : for compression.

Post install dpkg instructions are not very clear

Do you want help editing the server.conf? (y/n): y

--> Do you want us to automatically edit server.conf for you?

Is /etc/openvpn/server.conf your openvpn server configuration? (y/n): n

--> Is /etc/openvpn/server.conf the path to your openvpn server configuration?

Which and where is your openvpn server configuration? /etc/openvpn/openvpn.conf

--> Enter path to your openvpn configuration:

Are you using or going to use openvpn with pam and Authy? (y/n): n

--> Are you using openvpn with PAM? (y/n): n
