4. Using no backend for authentication ?

Using no backend for authentication ?

  • A

    Hi all!!

    newbie here so be patient please…  :)

    1st question:
    while in my setting, user authentication is done with an external software which communicates with openvpn via PAM, I was wondering if I can setup an openvpn server without having to define user backend.

    2nd question:
    in the above setting (with user backend defined...), in server.conf lines "user nobody" and "group nobody" are commented (when I uncomment them user authentication fails). Isn't there a security problem ?

    thank you

    0
  • A

    hi again…

    I found these :

    1st question:
    while in my setting, user authentication is done with an external software which communicates with openvpn via PAM, I was wondering if I can setup an openvpn server without having to define user backend.

    found out that creating an openvpn server with the "+" icon (not using the wizard) I can define "Server mode: Remote Access (SSL/TLS)" and not be forced to define an backend authentication scheme. So adding in the client conf the directive "auth-user-pass" the client asks me for credentials and those are pushed in the PAM…
    it works fine till now

    2nd question:
    in the above setting (with user backend defined…), in server.conf lines "user nobody" and "group nobody" are commented (when I uncomment them user authentication fails). Isn't there a security problem ?

    with the above modifications, the users connect's as a local pfsense user (haven' t try more than one simultaneous connections).
    Uncommenting "user nobody" and "group nobody" directives in server.conf (via command line tool) and restarting the server, the user login fails with:

    openvpn[48542]: TCP connection established with [AF_INET]x.x.x.x:1499
openvpn[48542]: x.x.x.x:1499 WARNING: Failed running command (--tls-verify script): could not execute external program
openvpn[48542]: x.x.x.x:1499 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
openvpn[48542]: x.x.x.x:1499 TLS Error: TLS object -> incoming plaintext read error
openvpn[48542]: x.x.x.x:1499 TLS Error: TLS handshake failed
openvpn[48542]: x.x.x.x:1499 Fatal TLS error (check_tls_errors_co), restarting

    though I haven't changed anything in the setup…

    any suggestions on this error, or any advice on the use of "user nobody", "group nobody" directives ?

    regards

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy