diff options
| -rw-r--r-- | data/templates/openvpn/server.conf.tmpl | 12 | ||||
| -rw-r--r-- | interface-definitions/interfaces-openvpn.xml.in | 23 | ||||
| -rw-r--r-- | op-mode-definitions/openvpn.xml.in | 16 | ||||
| -rwxr-xr-x | src/conf_mode/interfaces-openvpn.py | 18 | ||||
| -rwxr-xr-x | src/op_mode/show_openvpn_mfa.py (renamed from src/op_mode/show_openvpn_2fa.py) | 12 |
5 files changed, 48 insertions, 33 deletions
diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl index 644eb805f..3104203ad 100644 --- a/data/templates/openvpn/server.conf.tmpl +++ b/data/templates/openvpn/server.conf.tmpl @@ -127,14 +127,10 @@ push "dhcp-option DNS6 {{ nameserver }}" {% if server.domain_name is defined and server.domain_name is not none %} push "dhcp-option DOMAIN {{ server.domain_name }}" {% endif %} -{% if server['2fa'] is defined and server['2fa'] is not none %} -{% if server['2fa']['totp'] is defined and server['2fa']['totp'] is not none %} -plugin "/usr/lib/openvpn/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets otp_slop= -{{- server['2fa']['totp']['slop']|default(180) }} totp_t0= -{{- server['2fa']['totp']['drift']|default(0) }} totp_step= -{{- server['2fa']['totp']['step']|default(30) }} totp_digits= -{{- server['2fa']['totp']['digits']|default(6)}} password_is_cr= -{%-if server['2fa']['totp']['challenge']|default('enable') == 'enable' %}1{% else %}0{% endif %}" +{% if server.mfa is defined and server.mfa is not none %} +{% if server.mfa.totp is defined and server.mfa.totp is not none %} +{% set totp_config = server.mfa.totp %} +plugin "{{ plugin_dir}}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets {{ 'otp_slop=' ~ totp_config.slop }} {{ 'totp_t0=' ~ totp_config.drift }} {{ 'totp_step=' ~ totp_config.step }} {{ 'totp_digits=' ~ totp_config.digits }} password_is_cr={{ '1' if totp_config.challenge == 'enable' else '0' }}" {% endif %} {% endif %} {% endif %} diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in index 62fac9be0..023f9f55d 100644 --- a/interface-definitions/interfaces-openvpn.xml.in +++ b/interface-definitions/interfaces-openvpn.xml.in @@ -635,14 +635,14 @@ </properties> <defaultValue>net30</defaultValue> </leafNode> - <node name="2fa"> + <node name="mfa"> <properties> - <help>2-factor authentication</help> + <help>multi-factor authentication</help> </properties> <children> <node name="totp"> <properties> - <help>Time-based One-Time Passwords</help> + <help>Time-based one-time passwords</help> </properties> <children> <leafNode name="slop"> @@ -656,10 +656,11 @@ <validator name="numeric" argument="--range 1-65535"/> </constraint> </properties> + <defaultValue>180</defaultValue> </leafNode> <leafNode name="drift"> <properties> - <help>time drift in seconds (default: 0)</help> + <help>Time drift in seconds (default: 0)</help> <valueHelp> <format>1-65535</format> <description>Seconds</description> @@ -668,10 +669,11 @@ <validator name="numeric" argument="--range 1-65535"/> </constraint> </properties> + <defaultValue>0</defaultValue> </leafNode> <leafNode name="step"> <properties> - <help>Step value for TOTP in seconds (default: 30)</help> + <help>Step value for totp in seconds (default: 30)</help> <valueHelp> <format>1-65535</format> <description>Seconds</description> @@ -680,10 +682,11 @@ <validator name="numeric" argument="--range 1-65535"/> </constraint> </properties> + <defaultValue>30</defaultValue> </leafNode> <leafNode name="digits"> <properties> - <help>Number of digits to use from TOTP hash (default: 6)</help> + <help>Number of digits to use for totp hash (default: 6)</help> <valueHelp> <format>1-65535</format> <description>Seconds</description> @@ -692,25 +695,27 @@ <validator name="numeric" argument="--range 1-65535"/> </constraint> </properties> + <defaultValue>6</defaultValue> </leafNode> <leafNode name="challenge"> <properties> - <help>expect password as result of a challenge response protocol (default: enabled)</help> + <help>Expect password as result of a challenge response protocol (default: enabled)</help> <completionHelp> <list>disable enable</list> </completionHelp> <valueHelp> <format>disable</format> - <description>Disable challenge response (default)</description> + <description>Disable challenge-response</description> </valueHelp> <valueHelp> <format>enable</format> - <description>Enable chalenge response (default)</description> + <description>Enable chalenge-response (default)</description> </valueHelp> <constraint> <regex>^(disable|enable)$</regex> </constraint> </properties> + <defaultValue>enable</defaultValue> </leafNode> </children> </node> diff --git a/op-mode-definitions/openvpn.xml.in b/op-mode-definitions/openvpn.xml.in index 068d5d8fb..7243d69fd 100644 --- a/op-mode-definitions/openvpn.xml.in +++ b/op-mode-definitions/openvpn.xml.in @@ -63,28 +63,28 @@ </completionHelp> </properties> <children> - <node name="2fa"> + <node name="mfa"> <properties> - <help>Show 2fa information</help> + <help>Show multi-factor authentication information</help> </properties> <children> <leafNode name="secret"> <properties> - <help>Show 2fa authentication secret</help> + <help>Show multi-factor authentication secret</help> </properties> - <command>${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$6" --intf="$4" --action=secret</command> + <command>${vyos_op_scripts_dir}/show_openvpn_mfa.py --user="$6" --intf="$4" --action=secret</command> </leafNode> <leafNode name="uri"> <properties> - <help>Show 2fa otpauth uri</help> + <help>Show multi-factor authentication otpauth uri</help> </properties> - <command>${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$6" --intf="$4" --action=uri</command> + <command>${vyos_op_scripts_dir}/show_openvpn_mfa.py --user="$6" --intf="$4" --action=uri</command> </leafNode> <leafNode name="qrcode"> <properties> - <help>Show 2fa QR code</help> + <help>Show multi-factor authentication QR code</help> </properties> - <command>${vyos_op_scripts_dir}/show_openvpn_2fa.py --user="$6" --intf="$4" --action=qrcode</command> + <command>${vyos_op_scripts_dir}/show_openvpn_mfa.py --user="$6" --intf="$4" --action=qrcode</command> </leafNode> </children> </node> diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 365d0982e..220c4f157 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -80,6 +80,11 @@ def get_config(config=None): tmp_pki = conf.get_config_dict(['pki'], key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) + # We have to get the dict using 'get_config_dict' instead of 'get_interface_dict' + # as 'get_interface_dict' merges the defaults in, so we can not check for defaults in there. + tmp_openvpn = conf.get_config_dict(base + [os.environ['VYOS_TAGNODE_VALUE']], key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + openvpn = get_interface_dict(conf, base) if 'deleted' not in openvpn: @@ -89,6 +94,14 @@ def get_config(config=None): openvpn['daemon_user'] = user openvpn['daemon_group'] = group + # We have to cleanup the config dict, as default values could enable features + # which are not explicitly enabled on the CLI. Example: server mfa totp + # originate comes with defaults, which will enable the + # totp plugin, even when not set via CLI so we + # need to check this first and drop those keys + if 'totp' not in tmp_openvpn['server']: + del openvpn['server']['mfa']['totp'] + return openvpn def is_ec_private_key(pki, cert_name): @@ -369,8 +382,8 @@ def verify(openvpn): if IPv6Address(client['ipv6_ip'][0]) in v6PoolNet: print(f'Warning: Client "{client["name"]}" IP {client["ipv6_ip"][0]} is in server IP pool, it is not reserved for this client.') - # add 2fa users to the file the 2fa plugin uses - if dict_search('server.2fa.totp', openvpn): + # add mfa users to the file the mfa plugin uses + if dict_search('server.mfa.totp', openvpn): if not Path(otp_file.format(**openvpn)).is_file(): Path(otp_path).mkdir(parents=True, exist_ok=True) Path(otp_file.format(**openvpn)).touch() @@ -590,6 +603,7 @@ def generate_pki_files(openvpn): def generate(openvpn): interface = openvpn['ifname'] directory = os.path.dirname(cfg_file.format(**openvpn)) + plugin_dir = '/usr/lib/openvpn' # we can't know in advance which clients have been removed, # thus all client configs will be removed and re-added on demand diff --git a/src/op_mode/show_openvpn_2fa.py b/src/op_mode/show_openvpn_mfa.py index 8600f755d..1ab54600c 100755 --- a/src/op_mode/show_openvpn_2fa.py +++ b/src/op_mode/show_openvpn_mfa.py @@ -24,7 +24,7 @@ from vyos.util import popen otp_file = '/config/auth/openvpn/{interface}-otp-secrets' -def get_2fa_secret(interface, client): +def get_mfa_secret(interface, client): try: with open(otp_file.format(interface=interface), "r") as f: users = f.readlines() @@ -34,7 +34,7 @@ def get_2fa_secret(interface, client): except: pass -def get_2fa_uri(client, secret): +def get_mfa_uri(client, secret): hostname = socket.gethostname() fqdn = socket.getfqdn() uri = 'otpauth://totp/{hostname}:{client}@{fqdn}?secret={secret}' @@ -42,23 +42,23 @@ def get_2fa_uri(client, secret): return urllib.parse.quote(uri.format(hostname=hostname, client=client, fqdn=fqdn, secret=secret), safe='/:@?=') if __name__ == '__main__': - parser = argparse.ArgumentParser(add_help=False, description='Show 2fa information') + parser = argparse.ArgumentParser(add_help=False, description='Show two-factor authentication information') parser.add_argument('--intf', action="store", type=str, default='', help='only show the specified interface') parser.add_argument('--user', action="store", type=str, default='', help='only show the specified users') parser.add_argument('--action', action="store", type=str, default='show', help='action to perform') args = parser.parse_args() - secret = get_2fa_secret(args.intf, args.user) + secret = get_mfa_secret(args.intf, args.user) if args.action == "secret" and secret: print(secret) if args.action == "uri" and secret: - uri = get_2fa_uri(args.user, secret) + uri = get_mfa_uri(args.user, secret) print(uri) if args.action == "qrcode" and secret: - uri = get_2fa_uri(args.user, secret) + uri = get_mfa_uri(args.user, secret) qrcode,err = popen('qrencode -t ansiutf8', input=uri) print(qrcode) |