Openvpn
A few useful commands:
cd /usr/local/openvpn_as/scripts
sudo ./confdba -us -p joe #display info about a user
{
  "joe": {
    "access_to.0": "+NAT:10.0.0.0/8",
    "pvt_google_auth_secret": "Z********B", #this is GoogleAuth MFA secret_token that a user scans as QR code
    "pvt_google_auth_secret_locked": "false",
    "pvt_password_digest": "30******bb71",
    "type": "user_compile"
  }
}
sudo ./confdba -u -m -k pvt_google_auth_secret_locked -v false -p joe #unlock locked out user

#Disable/enable Google Authenticator for a specific user or group:
./sacli --user <USER_OR_GROUP> --key "prop_google_auth" --value "false" UserPropPut #disable
./sacli --user <USER_OR_GROUP> --key "prop_google_auth" --value "true" UserPropPut #enable

#Undo an enable/disable override for Google Authenticator on a group or user, so that it inherits the setting instead
./sacli --user <USER_OR_GROUP> --key "prop_google_auth" UserPropDel

#To unlock an already scanned and locked secret for a user, so the user can obtain/scan it again
./sacli --user <USER> --lock 0 GoogleAuthLock

#To manually lock a secret key, for example when you as administrator have already set up the user’s device yourself
./sacli --user <USER> --lock 1 GoogleAuthLock

#To generate a new secret key and lock or leave it unlocked
./sacli --user <USER> --lock 0 GoogleAuthRegen #unlocked, user can scan
./sacli -u joe GoogleAuthRegen #regenerate Google token, so a user can scan QR code again
['Z*********B', 'otpauth://totp/OpenVPN:joe@ivpn.acme.com?secret=Z*******B&issuer=OpenVPN']

#./sacli #-u, --user
The GoogleAuthLock and GoogleAuthRegen functions actually handle these two keys, which can also be edited manually:
./sacli --user <USER> --key "pvt_google_auth_secret" --value <GOOGLE_AUTH_SECRET> UserPropPut
./sacli --user <USER> --key "pvt_google_auth_secret_locked" --value <SCANNED/LOCKED> UserPropPut
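An audit sketch for the keys above, added here as an example and not part of the original page or of OpenVPN Access Server: it reads user records as JSON in the shape of the confdba -us output shown earlier and reports accounts whose MFA is overridden off, not enrolled, or left unlocked. The function name audit_mfa, the sample users and the assumption that the saved output holds several users as clean JSON (without the inline # comments) are all constructed for illustration.

```python
import json

# Constructed sample in the shape of the `confdba -us` output shown above.
# User names and secret values are made up for this example.
SAMPLE = """
{
  "joe":   {"type": "user_compile", "pvt_google_auth_secret": "CONSTRUCTEDSECRET1",
            "pvt_google_auth_secret_locked": "true"},
  "ann":   {"type": "user_compile", "pvt_google_auth_secret": "CONSTRUCTEDSECRET2",
            "pvt_google_auth_secret_locked": "false"},
  "bob":   {"type": "user_compile", "prop_google_auth": "false"},
  "carol": {"type": "user_compile"}
}
"""


def audit_mfa(raw):
    """Return {user: [findings]} for records an administrator should review.

    The secret itself is never returned or printed, only its state.
    """
    findings = {}
    for user, props in json.loads(raw).items():
        notes = []
        # An absent prop_google_auth means the setting is inherited (see UserPropDel above).
        override = str(props.get("prop_google_auth")).lower()
        if override == "false":
            notes.append("MFA disabled by explicit prop_google_auth override")
        else:
            secret = props.get("pvt_google_auth_secret")
            locked = str(props.get("pvt_google_auth_secret_locked", "false")).lower()
            if not secret:
                notes.append("no secret generated yet (not enrolled)")
            elif locked != "true":
                # An unlocked secret can still be obtained/scanned again.
                notes.append("secret present but unlocked (can be scanned again)")
        if notes:
            findings[user] = notes
    return findings


if __name__ == "__main__":
    for user, notes in sorted(audit_mfa(SAMPLE).items()):
        for note in notes:
            print(f"{user}: {note}")
```
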
Logs
#Logs
tail -f /var/log/openvpnas.log