[Freeipa-users] Openvpn and Certificates

Alexander Bokovoy abokovoy at redhat.com
Thu Apr 2 04:30:39 UTC 2015


On Wed, 01 Apr 2015, Andrew Holway wrote:
>On 1 April 2015 at 20:02, Nalin Dahyabhai <nalin at redhat.com> wrote:
>
>> On Wed, Apr 01, 2015 at 07:02:56PM +0200, Andrew Holway wrote:
>> > I understand from previous discussions that client certificates are not
>> yet
>> > supported in FreeIPA, instead I understand one can use "service
>> > certificates". From an OpenVPN standpoint I'm guessing this is fine
>> because
>> > a vpn client can be entered in Freeipa as a client and a certificate
>> > generated for it. This might actually be a preferred model for VPN.
>> >
>> > My OVPN server config looks like this:
>> > ca ca.crt
>> > cert server.crt
>> > key server.key
>> > # Diffie hellman parameters.
>> > dh dh2048.pem
>> >
>> > I guess I can use the
>> > "ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r"
>> > command to generate the server.crt and private.key and I know where to
>> find
>> > ca.crt however:
>>
>> Unless there are other requirements on the contents of the certificate,
>> I'd expect that to work.
>>
>
>ipa service-add-host --hosts ipa.domain.de client/andrews-macbook-air.local.domain.de
>
>ipa-getcert request -f /var/lib/certmonger/requests/Andrews-MacBook-Air.local.crt -k /var/lib/certmonger/requests/Andrews-MacBook-Air.local.key -N CN=andrews-macbook-air.local.domain.de -D andrews-macbook-air.local.domain.de -K client/andrews-macbook-air.local.domain.de@DOMAIN.DE
>
>-- Then shuffle the keys and certs around --
>
>-- Restart OpenVPN --
>
>And et voila! It works! Although it does feel a bit hacky :)

I do it the same way as I control my systems and can be sure there is
one user per system for VPN access. Works nicely.

The only issue is if you want some systems to authenticate with certificates
only and others with user/password+OTP. Unfortunately, this combination
does not work with OpenVPN as all authentication methods must succeed.
There is an option --auth-user-pass-optional that allows core OpenVPN to
work without the requirement of passwords, but then plugins/scripts must
account for it, and openvpn-plugin-auth-pam is not aware of that, it
seems.

-- 
/ Alexander Bokovoy
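The certmonger steps Andrew posted, wrapped into reusable shell functions as an added example (this is not code from the thread or from FreeIPA itself). It assumes the request is made on an IPA-enrolled machine with `ipa`, `ipa-getcert` and a valid Kerberos ticket available, that the service principal is created with `ipa service-add --force` before the `service-add-host` call (the thread does not show that step), and that the host, realm, server and file paths passed in are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: request a per-client VPN certificate
# from FreeIPA via certmonger and wait until it is actually issued.

# Kerberos principal for a VPN client service: client/HOST@REALM
vpn_client_principal() {
    printf 'client/%s@%s\n' "$1" "$2"
}

# Pull the certmonger state (MONITORING, CA_UNREACHABLE, CA_REJECTED, ...)
# out of the text of `ipa-getcert list` for one request.
cert_status() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*status:[[:space:]]*//p' | head -n 1
}

# Create the service, allow the IPA server host to manage it, then ask
# certmonger for a certificate with CN and DNS SAN set to the client host.
# Assumption: the service does not exist yet, so `ipa service-add --force`
# is run first (the thread only shows service-add-host).
request_client_cert() {
    host=$1 realm=$2 ipaserver=$3 crt=$4 key=$5
    ipa service-add --force "client/$host" || return 1
    ipa service-add-host --hosts "$ipaserver" "client/$host" || return 1
    ipa-getcert request -f "$crt" -k "$key" \
        -N "CN=$host" -D "$host" \
        -K "$(vpn_client_principal "$host" "$realm")"
}

# Poll certmonger until the request reaches MONITORING (issued and tracked)
# or lands in a terminal failure state; return non-zero on timeout/failure.
wait_for_cert() {
    crt=$1 tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        st=$(cert_status "$(ipa-getcert list -f "$crt" 2>/dev/null)")
        case $st in
            MONITORING) return 0 ;;
            CA_REJECTED|CA_UNREACHABLE) echo "certmonger: $st" >&2; return 1 ;;
        esac
        sleep 2
        tries=$((tries - 1))
    done
    echo "certmonger: timed out waiting for $crt" >&2
    return 1
}

# Usage (placeholders): request_client_cert HOST REALM IPASERVER CRT KEY &&
#   wait_for_cert CRT && copy CRT/KEY to the OpenVPN peer, then restart it.
```

The copy step is deliberately left to the operator: the private key leaves the requesting machine only once, and should be installed on the VPN peer with owner-only permissions.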
