Difference between revisions of "Openvpn"
Line 48: | Line 48: | ||
tail -f /var/log/openvpnas.log | tail -f /var/log/openvpnas.log | ||
</source> | </source> | ||
When new MFA/Google secret has been generated user need to login to Access Server, scann QR code, then download the Connection Client that the bundle contains the new user settings; this will enable VPN login. | |||
= Resources = | = Resources = | ||
*[https://openvpn.net/vpn-server-resources/additional-security-command-line-options/ Additional security command line options] Openvpn.net | *[https://openvpn.net/vpn-server-resources/additional-security-command-line-options/ Additional security command line options] Openvpn.net |
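Review bot: the sentence added at line 48 has typos and an unclear clause ("scann", "user need", "download the Connection Client that the bundle contains the new user settings"); suggest: "When a new MFA/Google Authenticator secret has been generated, the user needs to log in to the Access Server, scan the QR code, then download the Connection Client bundle, which contains the new user settings; this enables VPN login." It would also help to tie this to the commands above: the QR code is only scannable while the secret is unlocked (GoogleAuthRegen with --lock 0, or GoogleAuthLock --lock 0 to allow a re-scan), so the admin step and the user step belong together.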
Revision as of 17:28, 13 May 2019
A few useful commands:
<source lang="bash">
cd /usr/local/openvpn_as/scripts
sudo ./confdba -us -p joe   #display info about a user
{
  "joe": {
    "access_to.0": "+NAT:10.0.0.0/8",
    "pvt_google_auth_secret": "Z********B",   #this is the GoogleAuth MFA secret_token that a user scans as a QR code
    "pvt_google_auth_secret_locked": "false",
    "pvt_password_digest": "30******bb71",
    "type": "user_compile"
  }
}
sudo ./confdba -u -m -k pvt_google_auth_secret_locked -v false -p joe   #unlock a locked-out user

#Disable/enable Google Authenticator for a specific user or group:
./sacli --user <USER_OR_GROUP> --key "prop_google_auth" --value "false" UserPropPut   #disable
./sacli --user <USER_OR_GROUP> --key "prop_google_auth" --value "true" UserPropPut    #enable

#Undo an enable/disable override for Google Authenticator on a group or user, so that it inherits the setting instead
./sacli --user <USER_OR_GROUP> --key "prop_google_auth" UserPropDel

#To unlock an already scanned and locked secret for a user, so the user can obtain/scan it again
./sacli --user <USER> --lock 0 GoogleAuthLock

#To manually lock a secret key, for example when you as administrator have already set up the user's device yourself
./sacli --user <USER> --lock 1 GoogleAuthLock

#To generate a new secret key and lock it or leave it unlocked
./sacli --user <USER> --lock 0 GoogleAuthRegen   #unlocked, user can scan
./sacli -u joe GoogleAuthRegen   #regenerate Google token, so a user can scan the QR code again
['Z*********B', 'otpauth://totp/OpenVPN:joe@ivpn.acme.com?secret=Z*******B&issuer=OpenVPN']

#./sacli
#-u, --user
</source>
The GoogleAuthLock and GoogleAuthRegen functions actually operate on these two keys, which can also be edited manually:
<source lang="bash">
./sacli --user <USER> --key "pvt_google_auth_secret" --value <GOOGLE_AUTH_SECRET> UserPropPut
./sacli --user <USER> --key "pvt_google_auth_secret_locked" --value <SCANNED/LOCKED> UserPropPut
</source>
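The confdba output above is one JSON object per user, and GoogleAuthRegen prints an otpauth:// URI. The following script is an added example, not part of this wiki page and not OpenVPN's own tooling: it audits a confdba-style dump for MFA state (secret absent, generated but still unlocked, locked, or disabled by a prop_google_auth override) without ever printing the secret in full, and checks the fields of a regenerated otpauth URI. It assumes the dump is parseable JSON in the shape shown on the page; the multi-user sample and the secret values are constructed.

```python
import json
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample in the shape of the per-user JSON that `confdba -us` prints
# (property names are the ones shown on this page; users and values are made up).
SAMPLE_CONFDBA_OUTPUT = json.dumps({
    "joe": {
        "access_to.0": "+NAT:10.0.0.0/8",
        "pvt_google_auth_secret": "JBSWY3DPEHPK3PXP",   # generated but not yet scanned
        "pvt_google_auth_secret_locked": "false",
        "pvt_password_digest": "30******bb71",
        "type": "user_compile",
    },
    "alice": {
        "pvt_google_auth_secret": "GEZDGNBVGY3TQOJQ",   # scanned and locked
        "pvt_google_auth_secret_locked": "true",
        "type": "user_compile",
    },
    "bob": {
        "prop_google_auth": "false",                    # per-user override: Google Auth off
        "type": "user_compile",
    },
    "carol": {
        "type": "user_compile",                         # no secret generated at all
    },
})

BASE32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567=")


def redact(secret):
    """Mask a secret the way the page does ("Z********B"): keep first and last char only."""
    if len(secret) < 3:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]


def classify(props):
    """Map one user's properties to an MFA state an admin can act on."""
    if props.get("prop_google_auth") == "false":
        return "disabled"          # explicit UserPropPut override switched Google Auth off
    secret = props.get("pvt_google_auth_secret")
    if not secret:
        return "not_enrolled"      # no secret yet: GoogleAuthRegen needed before MFA login
    if props.get("pvt_google_auth_secret_locked") == "true":
        return "enrolled"          # secret scanned and locked: normal steady state
    return "unlocked"              # secret exists but is unlocked: QR code still scannable


def audit_mfa(confdba_json):
    """Return {user: {"state": ..., "secret": redacted-or-None}} without exposing secrets."""
    db = json.loads(confdba_json)
    report = {}
    for user, props in db.items():
        if props.get("type") != "user_compile":   # skip group/other records
            continue
        secret = props.get("pvt_google_auth_secret")
        report[user] = {
            "state": classify(props),
            "secret": redact(secret) if secret else None,
        }
    return report


def parse_otpauth(uri, expected_secret=None):
    """Pull issuer, account and (redacted) secret out of the otpauth:// URI that
    GoogleAuthRegen prints, and sanity-check the secret: it must be base32 and,
    if expected_secret is given, must match the value stored in the user DB."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(u.path.lstrip("/"))                # "OpenVPN:joe@ivpn.acme.com"
    issuer_prefix, _, account = label.rpartition(":")  # prefix may be absent
    qs = parse_qs(u.query)
    secret = qs.get("secret", [""])[0]
    issuer = qs.get("issuer", [issuer_prefix])[0]
    secret_ok = bool(secret) and set(secret.upper()) <= BASE32_ALPHABET
    if expected_secret is not None:
        secret_ok = secret_ok and secret == expected_secret
    return {"issuer": issuer, "account": account,
            "secret": redact(secret), "secret_ok": secret_ok}


if __name__ == "__main__":
    for user, info in audit_mfa(SAMPLE_CONFDBA_OUTPUT).items():
        print(f"{user:8} {info['state']:13} {info['secret']}")
    print(parse_otpauth(
        "otpauth://totp/OpenVPN:joe@ivpn.acme.com?secret=JBSWY3DPEHPK3PXP&issuer=OpenVPN",
        expected_secret="JBSWY3DPEHPK3PXP"))
```

Users reported as "unlocked" are the ones whose QR code can still be scanned, so that list is what to review after a batch of GoogleAuthRegen runs; users reported as "disabled" carry a per-user override that UserPropDel would remove so they inherit the group setting again.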
Logs
<source lang="bash">
#Logs
tail -f /var/log/openvpnas.log
</source>
When a new MFA/Google Authenticator secret has been generated, the user needs to log in to the Access Server, scan the QR code, then download the Connection Client bundle, which contains the new user settings; this enables VPN login.
Resources
- Additional security command line options (https://openvpn.net/vpn-server-resources/additional-security-command-line-options/) Openvpn.net