| author | RageLtMan <rageltman [at] sempervictus> | 2022-08-17 21:03:50 -0400 |
|---|---|---|
| committer | RageLtMan <rageltman [at] sempervictus> | 2022-08-18 09:58:59 -0400 |
| commit | 0b3bfe97b617b08ab9fd6682a0875c75c8a7bc5c (patch) | |
| tree | b526179a6450d199374a5fc42559de9ddcab4e61 | |
| parent | a87ada1c4e9d5a426282c900207964d09d2a1020 (diff) | |
| download | vyos-1x-0b3bfe97b617b08ab9fd6682a0875c75c8a7bc5c.tar.gz, vyos-1x-0b3bfe97b617b08ab9fd6682a0875c75c8a7bc5c.zip | |
T3896: Use group selector and forced dns tunneling
Enterprise RADIUS configurations often utilize group selectors for
authentication and attribute distribution for connecting clients.
Ocserv implements this functionality via the `select-group` config
file attribute, repeating for multiple groups. When a user selects
their membership group and the request is passed to the RADIUS
server, ocserv will match the returned Class attribute against the
value selected by the user. This functionality also works for local
group membership resolution, although VyOS currently doesn't have
group membership configuration for this.
Expose the tunnel-all-dns option in the ocserv config file allowing
users who deploy default routes to select split-dns and those who
do not to enable full DNS tunneling.
Testing:
  Smoketests & build
  Configured groups in openconnect profile and verified existence in /run/ocserv/ocserv.conf
  Configured forced dns tunneling and verified presence of setting in /run/ocserv/ocserv.conf
| -rw-r--r-- | data/templates/ocserv/ocserv_config.j2 | 20 |
|---|---|---|
| -rw-r--r-- | interface-definitions/vpn-openconnect.xml.in | 30 |

2 files changed, 47 insertions, 3 deletions
| diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2 index 1cbb52ccf..5d5a4101b 100644 --- a/data/templates/ocserv/ocserv_config.j2 +++ b/data/templates/ocserv/ocserv_config.j2 @@ -7,11 +7,11 @@ run-as-user = nobody  run-as-group = daemon  {% if "radius" in authentication.mode %} -{%      if "yes" in authentication.radius.groupconfig %} +{%     if "yes" in authentication.radius.groupconfig %}  auth = "radius [config=/run/ocserv/radiusclient.conf,groupconfig=true]" -{%      else %} +{%     else %}  auth = "radius [config=/run/ocserv/radiusclient.conf]" -{%      endif %} +{%     endif %}  {% elif "local" in authentication.mode %}  {%     if authentication.mode.local == "password-otp" %}  auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]" @@ -66,6 +66,13 @@ device = sslvpn  dns = {{ dns }}  {%     endfor %}  {% endif %} +{% if network_settings.tunnel_all_dns is vyos_defined %} +{%     if "yes" in network_settings.tunnel_all_dns %} +tunnel-all-dns = true +{%     else %} +tunnel-all-dns = false +{%     endif %} +{% endif %}  # IPv4 network pool  {% if network_settings.client_ip_settings.subnet is vyos_defined %} @@ -89,3 +96,10 @@ route = {{ route }}  split-dns = {{ tmp }}  {%     endfor %}  {% endif %} + +{% if authentication.groups is vyos_defined %} +# Group settings +{%     for grp in authentication.groups %} +select-group = {{ grp }} +{%     endfor %} +{% endif %}
\ No newline at end of file diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in index 3ab8dd815..54f93344b 100644 --- a/interface-definitions/vpn-openconnect.xml.in +++ b/interface-definitions/vpn-openconnect.xml.in @@ -50,6 +50,16 @@                    </leafNode>                  </children>                </node> +              <leafNode name="groups"> +                <properties> +                  <help>Groups that a client is allowed to select from. Maps to RADIUS Class attribute.</help> +                  <valueHelp> +                    <format>txt</format> +                    <description>Group string. The group may be followed by a user-friendly name in brackets: group1[First Group]</description> +                  </valueHelp> +                  <multi/> +                </properties> +              </leafNode>                #include <include/auth-local-users.xml.i>                <node name="local-users">                  <children> 
@@ -298,6 +308,26 @@                    <multi/>                  </properties>                </leafNode> +              <leafNode name="tunnel-all-dns"> +                <properties> +                  <help>If the tunnel-all-dns option is set to yes, tunnel all DNS queries via the VPN. This is the default when a default route is set.</help> +                  <completionHelp> +                    <list>yes no</list> +                  </completionHelp> +                  <valueHelp> +                    <format>yes</format> +                    <description>Enable tunneling of all DNS traffic</description> +                  </valueHelp> +                  <valueHelp> +                    <format>no</format> +                    <description>Disable tunneling of all DNS traffic</description> +                  </valueHelp> +                  <constraint> +                    <regex>(yes|no)</regex> +                  </constraint> +                </properties> +                <defaultValue>no</defaultValue> +              </leafNode>              </children>            </node>        </children> | 
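Review bot: the first hunk of data/templates/ocserv/ocserv_config.j2 (@@ -7,11 +7,11 @@) only re-indents the three `{% if / else / endif %}` lines of the RADIUS block from six spaces to five so they match the `local` branch below; that is unrelated to the group selector and DNS feature and would be easier to review and bisect as a separate whitespace-only commit.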
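Review bot: in the `network_settings.tunnel_all_dns` hunk (@@ -66,6 +66,13 @@), `{% if "yes" in network_settings.tunnel_all_dns %}` is a substring test rather than an equality test; it only behaves because the CLI constraint limits the value to `yes|no`. `{% if network_settings.tunnel_all_dns == "yes" %}` states the intent directly and matches the `authentication.mode.local == "password-otp"` comparison already used a few lines above in this template. Note also that the outer `is vyos_defined` guard is the only thing that lets ocserv's own default apply, so whether the CLI node carries a defaultValue decides what this hunk emits for users who never set the option.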
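Review bot: the `select-group` hunk (@@ -89,3 +96,10 @@) writes every `authentication.groups` value unquoted and verbatim into `select-group = ...` in /run/ocserv/ocserv.conf, so correctness of that config line rests entirely on what the CLI node accepts. Separately, the new block ends without a trailing newline (`\ No newline at end of file`) although the context line `{% endif %}` it follows shows the file had one before; adding the newline after the final `{% endif %}` keeps the file's existing convention and avoids the marker reappearing in every later diff.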
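Review bot: the new `groups` leafNode in interface-definitions/vpn-openconnect.xml.in (@@ -50,6 +50,16 @@) has no `<constraint>`, so any string is accepted and then emitted verbatim by the template. A regex constraint matching the form the valueHelp documents, for example `[-_.a-zA-Z0-9]+(\[[^\]]+\])?` for `group1[First Group]`, would reject values that produce a malformed `select-group` line or that can never match a RADIUS Class attribute, and a `<constraintErrorMessage>` describing the expected format would make the failure self-explanatory at commit time.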
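Review bot: the `tunnel-all-dns` leafNode (@@ -298,6 +308,26 @@) sets `<defaultValue>no</defaultValue>`, and the template guards its output with `is vyos_defined`; if that default is merged into the config dict before rendering, as defaultValue nodes normally are, every deployment that has not set the option will now get an explicit `tunnel-all-dns = false`, overriding the ocserv default the help text itself describes ("This is the default when a default route is set"). Existing setups that push a default route and relied on ocserv tunneling all DNS implicitly would silently switch to split DNS after this commit, which is the opposite of the opt-in behaviour the commit message describes. Either drop the defaultValue so the line is only emitted when explicitly configured, or state the behaviour change in the commit message. Minor: the `<help>` text repeats the two `<valueHelp>` descriptions; "Tunnel all DNS queries via the VPN" would be enough.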
