Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Using no backend for authentication ?

    OpenVPN
    1
    2
    665
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      alexxtasi last edited by

      Hi all!!

      newbie here so be patient please…  :)

      1st question:
      while in my setting, user authentication is done with an external software which communicates with openvpn via PAM, I was wondering if I can setup an openvpn server without having to define user backend.

      2nd question:
      in the above setting (with user backend defined...), in server.conf lines "user nobody" and "group nobody" are commented (when I uncomment them user authentication fails). Isn't there a security problem ?

      thank you

      1 Reply Last reply Reply Quote 0
      • A
        alexxtasi last edited by

        hi again…

        I found these :

        1st question:
        while in my setting, user authentication is done with an external software which communicates with openvpn via PAM, I was wondering if I can setup an openvpn server without having to define user backend.

        found out that creating an openvpn server with the "+" icon (not using the wizard) I can define "Server mode: Remote Access (SSL/TLS)" and not be forced to define an backend authentication scheme. So adding in the client conf the directive "auth-user-pass" the client asks me for credentials and those are pushed in the PAM…
        it works fine till now

        2nd question:
        in the above setting (with user backend defined…), in server.conf lines "user nobody" and "group nobody" are commented (when I uncomment them user authentication fails). Isn't there a security problem ?

        with the above modifications, the users connect's as a local pfsense user (haven' t try more than one simultaneous connections).
        Uncommenting "user nobody" and "group nobody" directives in server.conf (via command line tool) and restarting the server, the user login fails with:

        openvpn[48542]: TCP connection established with [AF_INET]x.x.x.x:1499
openvpn[48542]: x.x.x.x:1499 WARNING: Failed running command (--tls-verify script): could not execute external program
openvpn[48542]: x.x.x.x:1499 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
openvpn[48542]: x.x.x.x:1499 TLS Error: TLS object -> incoming plaintext read error
openvpn[48542]: x.x.x.x:1499 TLS Error: TLS handshake failed
openvpn[48542]: x.x.x.x:1499 Fatal TLS error (check_tls_errors_co), restarting

        though I haven't changed anything in the setup…

        any suggestions on this error, or any advice on the use of "user nobody", "group nobody" directives ?

        regards

        1 Reply Last reply Reply Quote 0
        • First post
          Last post

        Products

        • Platform Overview
        • TNSR
        • pfSense
        • Appliances

        Services

        • Training
        • Professional Services

        Support

        • Subscription Plans
        • Contact Support
        • Product Lifecycle
        • Documentation

        News

        • Media Coverage
        • Press
        • Events

        Resources

        • Blog
        • FAQ
        • Find a Partner
        • Resource Library
        • Security Information

        Company

        • About Us
        • Careers
        • Partners
        • Contact Us
        • Legal
        Our Mission

        We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

        Subscribe to our Newsletter

        Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

        © 2021 Rubicon Communications, LLC | Privacy Policy