openvpn_gsuite_auth

command module
v0.0.11 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 22, 2024 License: Apache-2.0 Imports: 24 Imported by: 0

README

openvpn_gsuite_auth

An openvpn plugin to support authorization against GSuite and authentication against a dynamodb instance

Installation

copy gsuite_auth_config.yaml-example to gsuite_auth_config.yaml and configure

Configuration

Required configuration (password authentication)

The base configuration will allow verification against a bcrypted hash of a password stored in dynamoDB:

aws_access_key: an AWS access key with access to dynamodb_table below
aws_secret_key: an AWS secret key with access to dynamodb_table below
aws_region: the AWS region your dynamoDB table lives in
dynamodb_table: your dynamoDB password table, as defined below
GSuite authorization

Setting gsuite_credentials will trigger a check against Gsuite

gsuite_credentials: the credentials file as generated in the Gsuite credentials section below
gsuite_token: the token file as generated in the Gsuite credentials section below
optional:
gsuite_org_unit: a Gsuite org unit allowed to connect to this endpoint
MAC address verification

Setting dynamodb_mac_table will trigger a check of the MAC address

dynamodb_mac_table: your dynamoDB MAC address table, as defined below
TOTP authentication

Setting dynamodb_totp_table will trigger a check of the TOTP code

dynamodb_totp_table: Your dynamoDB TOTP address table, as defined below
totp_secret: the decryption key for decrypting entries from the table above

Gsuite credentials

generate credentials and token files by following the instructions at:

https://developers.google.com/admin-sdk/directory/v1/quickstart/python

Once you've run the quickstart project, copy the (credentials/token).json files into /etc/openvpn

NOTE: I wasn't able to generate a token with the go example but was able to with python

dynamodb setup

password table

create a dynamodb table with the attributes:

UserId - the user's full email address
Password - the user's bcrypt hashed password
MAC address table

create a dynamodb table with the attributes:

UserId - the user's full email address
MACS - a list of MAC addresses, RE: {"00:00:00:e0:00:0b"}
TOTP password table

create a dynamodb table with the attributes:

UserId - the user's full email address
Password - encrypted (AES+CBC+Pbkdf2) password used to generate and verify TOTP

dynamodb access

Create a user with read permissions to dynamodb_table and populate the aws_access/secret_keys in gsuite_auth_config.yaml with the keys for that user.

Plugin setup

copy the latest release of gsuite_auth to /usr/local/sbin

configure and copy gsuite_auth_config.yaml to /etc/openvpn/

configure your server by adding the lines:

script-security 3
auth-user-pass-verify /usr/local/sbin/gsuite_auth via-env

VPNAuth - management interface

VPNAuth is a basic interface designed to allow self-service of passwords and TOTP credentials. It uses google authorization as it's access method. It's available as a docker container. See the vpnauth folder for more information.

qrcreator

I was originally going to use the python pyotp library to generate the QR code, but it was not working in conjunction with golang so I fell back to writing a basic CLI with the same golang library I used for gsuite_auth to handle the OTP generation.

qrcreator --filename [output file] --secretkey [secret used for TOTP generation] --username [userID from TOTP DB]

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.