Re: [Openvpn-users] OpenVPN with Google MFA

2020-01-21 Thread Bogdan Rudas via Openvpn-users
Hello Peter!

I don't see any docs but can probably give you some directions:

1. Build OpenVPN with PAM auth support
2. Configure PAM with Google 2FA support - there are some libraries for
that on GitHub.

On Thu, Jan 16, 2020 at 8:56 PM Peter Fraser wrote:

> Hi All
>
> I have been searching for a good document that shows how to set up OpenVPN
> with Google MFA. I use the community edition, everything command line. I
> have version 2.4.8 on FreeBSD. Can anyone point me to where I could find
> such a document. Does OpenVPN have any official docs that show how? Not
> OpenVPN Access, just the Community Edition.
>
> Best Regards,
>
> SI
>
>
>
> Sent from Mail for Windows 10
>
>


-- 
Bogdan Rudas
Director of IT Europe
Exadel Inc.
http://www.exadel.com/
E-mail: bru...@exadel.com
Skype ID: bogdan.rudas

-- 


CONFIDENTIALITY
NOTICE: This email and files attached to it are 
confidential. If you
are not the intended recipient you are hereby notified 
that using,
copying, distributing or taking any action in reliance on the 
contents of this information is strictly prohibited. If you have
received 
this email in error please notify the sender and delete this
email.
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


[Openvpn-users] Any way to use MFA with push token?

2020-12-30 Thread Bogdan Rudas via Openvpn-users
Hello!

Is there any way to connect an MFA solution with push tokens, i.e. the OpenVPN
server must wait while the end user is unlocking their phone and pushing some
button in the MFA application?
A while ago I found that the older OpenVPN version was very sensitive to
authentication script runtime, and network activity was blocked while
scripts were working (or hanging).
Is asynchronous authentication possible with a PAM module or custom
scripts?

Thank you.


-- 
Bogdan Rudas
Director of IT Europe
Exadel Inc.
http://www.exadel.com/
E-mail: bru...@exadel.com
Skype ID: bogdan.rudas



Re: [Openvpn-users] Flock of openvpn Servers: how to make one machine stop accepting NEW clients?

2021-02-10 Thread Bogdan Rudas via Openvpn-users
Hi!

Why don't you want to put a load balancer in front of your cluster? I
believe you can even run all openvpn instances on the same server (or a pair,
just for redundancy). Nginx can balance openvpn clients just fine and limit
the number of backend connections, haproxy can work if you don't need UDP
traffic, LVS does not work as expected with UDP balancing. Keepalived can
serve you with IP failover.

On Fri, Jan 8, 2021 at 2:00 PM Ralf Hildebrandt wrote:

> We have a flock of openvpn Servers. We're using DNS round robin (
> openvpn.charite.de).
>
> Currently we have
> 421 clients on machine 0
> 465 clients on machine 1
> 598 clients on machine 2
> 246 clients on machine 3
>
> How can I change my auth-user-pass-verify / client-connect or
> learn-address scripts to prevent MORE clients on machine 2?
>
> I could return AUTH_FAILED, but that would irritate the users, since
> their clients would ask for a (new) password.
>
> --
> Ralf Hildebrandt
> Charité - Universitätsmedizin Berlin
> Geschäftsbereich IT | Abteilung Netzwerk
>
> Campus Benjamin Franklin (CBF)
> Haus I | 1. OG | Raum 105
> Hindenburgdamm 30 | D-12203 Berlin
>
> Tel. +49 30 450 570 155
> ralf.hildebra...@charite.de
> https://www.charite.de
>
>


-- 
Bogdan Rudas
Director of IT Europe
Exadel Inc.
http://www.exadel.com/
E-mail: bru...@exadel.com
Skype ID: bogdan.rudas



[Openvpn-users] How to send 2nd factor to server ?

2021-04-20 Thread Bogdan Rudas via Openvpn-users
Hello!

I've read a couple of guidelines regarding MFA with OpenVPN and all of them
mention that the 2nd factor could be either sent as the password (with client
cert auth) or appended to the password string. Well, people tend to enter a
password when they see the password field.
At the moment the only straightforward and more or less human-friendly way
to set up login+password+2FA authentication is to use a kind of 'push
token' MFA (so the user confirms login in some mobile application).
OTP, password cards and any other way that demands text input from the user
demand too much from the users: they need to blindly enter the password, then
type the 2nd factor, can't see what they type and don't even know if
authentication failed because of a wrong password or wrong OTP numbers (for
example).
Is it possible to ask the user for the 2nd factor the way the OpenVPN client
asks for login and password, and send discrete error messages for password
and for 2nd factor failures?

Thank you.
-- 
Bogdan Rudas
Director of IT Europe
Exadel Inc.
http://www.exadel.com/
E-mail: bru...@exadel.com
Skype ID: bogdan.rudas

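The January 2020 hint (PAM plus a Google 2FA module) and this post describe the same scheme: Google Authenticator and its PAM module implement RFC 6238 TOTP, and the common OpenVPN integration expects the 6-digit code appended to the static password. The Python below is an added example, not code from this list or from the OpenVPN project. It shows what the server side has to do with such a string: split off the suffix, check the password hash, check the TOTP inside a small clock-skew window, and refuse a code that was already accepted once. The user record, salt, password and the RFC 4226/6238 test secret `12345678901234567890` are constructed; the `via-file` handling follows OpenVPN's `auth-user-pass-verify <script> via-file` contract (username on line 1, password on line 2, exit 0 to accept).

```python
"""Server-side check for OpenVPN 'static password + appended TOTP' logins (added example)."""
import hashlib
import hmac
import struct
import sys
import time
from dataclasses import dataclass
from enum import Enum

OTP_DIGITS = 6
TOTP_STEP_SECONDS = 30
TOTP_WINDOW = 1          # also accept the step before and after, for clock skew
PBKDF2_ROUNDS = 200_000


class AuthResult(Enum):
    OK = "ok"
    BAD_FORMAT = "bad_format"       # no 6-digit suffix to treat as the OTP
    BAD_PASSWORD = "bad_password"
    BAD_OTP = "bad_otp"
    REPLAYED_OTP = "replayed_otp"   # correct code, but already used once


@dataclass
class UserRecord:
    """Constructed per-user state: PBKDF2 password hash, TOTP secret, replay marker."""
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    last_step: int = -1             # highest TOTP step already accepted for this user


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_step(unix_time: int) -> int:
    """RFC 6238: the HOTP counter is the number of 30-second steps since the epoch."""
    return unix_time // TOTP_STEP_SECONDS


def split_credential(combined: str):
    """Split 'password<6 digits>' into (password, otp); None if there is no digit suffix."""
    if len(combined) <= OTP_DIGITS:
        return None
    suffix = combined[-OTP_DIGITS:]
    if not all(c in "0123456789" for c in suffix):
        return None
    return combined[:-OTP_DIGITS], suffix


def verify(user: UserRecord, combined: str, unix_time: int) -> AuthResult:
    """Check the password first, then the OTP inside the skew window, then replay."""
    parts = split_credential(combined)
    if parts is None:
        return AuthResult.BAD_FORMAT
    password, otp = parts
    if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        return AuthResult.BAD_PASSWORD
    current = totp_step(unix_time)
    for step in range(max(0, current - TOTP_WINDOW), current + TOTP_WINDOW + 1):
        if hmac.compare_digest(hotp(user.totp_secret, step), otp):
            if step <= user.last_step:
                return AuthResult.REPLAYED_OTP
            user.last_step = step   # a real deployment persists this per user
            return AuthResult.OK
    return AuthResult.BAD_OTP


def exit_code_for(result: AuthResult) -> int:
    """OpenVPN only distinguishes exit 0 (accept) from non-zero (AUTH_FAILED)."""
    return 0 if result is AuthResult.OK else 1


# Constructed demo store: one user with the RFC 4226/6238 test secret.
_DEMO_SALT = b"constructed-demo-salt"
DEMO_USERS = {
    "alice": UserRecord(_DEMO_SALT, hash_password("correct horse", _DEMO_SALT),
                        b"12345678901234567890"),
}


def main(argv) -> int:
    """via-file mode: argv[1] holds the username on line 1 and the password on line 2."""
    with open(argv[1], encoding="utf-8") as fh:
        username, combined = fh.read().splitlines()[:2]
    user = DEMO_USERS.get(username)
    result = verify(user, combined, int(time.time())) if user else AuthResult.BAD_PASSWORD
    # The detailed reason stays server side; the client only learns accept or reject.
    print(f"auth {username}: {result.value}", file=sys.stderr)
    return exit_code_for(result)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The detailed `AuthResult` is logged on the server while the exit code only tells OpenVPN accept or reject. Reporting to the client which half failed would let someone holding one factor confirm it, so the discrete messages asked for here are better surfaced in server logs than in the client dialog.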


Re: [Openvpn-users] [ext] Re: Creating a Custom OpenVPN android APK with network configuration already in place

2021-04-16 Thread Bogdan Rudas via Openvpn-users
Hi!

It would be really great to ship configs alongside the installer. The Play
market is not really a 'trusted' source when enterprise MDM is in action.

Thank you.

On Fri, Apr 16, 2021 at 3:56 PM Enno Gröper wrote:

> Hi,
>
> Am 16.04.21 um 14:42 schrieb Gert Doering:
> > Putting .ovpn configs on a webserver for download, and then clicking
> > on "import config" in the Android app is not really hard, even for
> > unskilled users...
>
> Especially, when compared to installing an apk from an untrusted source
> and not the Play store.
>
> Kind regards,
> Enno
>
> --
> Enno Gröper
> Charité – Universitätsmedizin Berlin
> Geschäftsbereich IT | Netz
>


-- 
Bogdan Rudas
Director of IT Europe
Exadel Inc.
http://www.exadel.com/
E-mail: bru...@exadel.com
Skype ID: bogdan.rudas



Re: [Openvpn-users] Expected transfer speed LAN-LAN using OpenVPN?

2022-02-28 Thread Bogdan Rudas via Openvpn-users
Hi!

You can hit wire speed if your chosen crypto works fast enough on your CPU.
Make sure that every component in the software stack lets you use your CPU's
hardware encryption acceleration. I use iperf and Wireshark for network
troubleshooting as they let you narrow down to the bottleneck instead of
single-value benchmarks. For fast and dirty tests I use SCP of large files
with random data and ping in "flood" mode with minimum packet size.
Please note that OpenVPN is largely a user space application and handing
billions of packets back and forth to the kernel always has its price, not
just in CPU load, but in scalability, latency and packet loss. And also
there are not so many folks around with site-to-site experience at Gigabit
speed I suppose. IPsec is the de facto standard for such connections (sometimes
under a vendor's marketing name).

Thank you.

On Sun, Jan 30, 2022 at 7:41 PM Bo Berglund wrote:

> I have two LAN sections on different locations with IP 192.168.119.0/24 and
> 192.168.117.0/24 respectively.
> The two sites will be connected using OpenVPN with 119 being the server side
> and 117 the client. Routing between them will be configured.
>
> On the client side the VPN connection will be done through the LAN router (an
> ASUS RT-AC68U) towards the server side Linux OpenVPN server.
> Thus all LAN clients on the client side (117) will have access to the whole
> server side (119) LAN.
>
> And the reverse is also true thanks to settings in the Linux Server where the
> remote client via a ccd directive will cause a route to be set up (see previous
> thread "LAN-LAN connection via ASUS Router OpenVPN?" on this list).
>
> So the two LAN sections will be fully interconnected.
> Both sides are set up to route Internet traffic through their respective local
> gateways to get full fiber speed to the Internet.
>
> I have run a device test for the connectivity using two Internet connections at
> home and this works out well. But I cannot test speed here because of the
> connection limitations.
>
> Now I am wondering in preparation for deploying the routing system:
>
> Given that both sites will have 250/250 Mbps fiber connections, what will be the
> expected throughput between the two LAN:s for internal LAN-LAN data transfers?
>
> The Ookla Speedtest measured Internet access speed on the server side via its
> ASUS RT-AC86U router conforms to the subscribed speed (250/250).
>
> PS:
> What is the best way to test a LAN-LAN transfer speed?
> There are no speed test servers available locally.
> Timing of big file transfers maybe?
>
>
> --
> Bo Berglund
> Developer in Sweden
>
>
>


-- 
Bogdan Rudas
Director of IT Europe
Exadel Inc.
http://www.exadel.com/
E-mail: bru...@exadel.com
Skype ID: bogdan.rudas



[Openvpn-users] Need working way to authenticate in RADIUS.

2022-12-09 Thread Bogdan Rudas via Openvpn-users
Hello!

I'm looking for some way to configure *asynchronous* RADIUS authentication
to properly handle RADIUS server unavailability and probably
challenge-response MFA which demands human-backed confirmation via RADIUS.
As RADIUS support is not a part of OpenVPN and there are a lot of outdated
repos on the web, please recommend a working solution if there is one.

Links already checked:

- https://community.openvpn.net/openvpn/ticket/585
- https://community.openvpn.net/openvpn/wiki/PluginOverview

Thank you.




-- 
Bogdan Rudas
Director of IT
Exadel Inc.
http://www.exadel.com/
E-mail: bru...@exadel.com
Skype ID: bogdan.rudas



Re: [Openvpn-users] Need working way to authenticate in RADIUS.

2022-12-14 Thread Bogdan Rudas via Openvpn-users
Hello Gert!

We mind RADIUS for MFA and password checks. Having RADIUS just checking
password+OTP via external MFA works, however any time spent in RADIUS
communication for one client session means the traffic to other clients is
stuck; that is why I was asking 'what plugin is good'. I wonder if the PAM
plugin is really asynchronous by default. Besides OTP, there are MFA mobile
applications that require users to press a button on their smartphone for
confirmation. In such cases RADIUS will reply when a user presses the
button and thus the entire OpenVPN instance will be stuck for an even
longer time.
At the moment we are evaluating 'some plugin' with 'those patches' and
'certain build options' to handle RADIUS communication in an asynchronous way
and will share positive outcomes if any.

Thank you.

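The blocking behaviour described in this thread, in the December 2020 push-token question and in the first RADIUS post has a standard answer on the script side: deferred authentication. The verify script exits with code 2 instead of 0 or 1 and a background worker later writes `1` or `0` into the file named by the `auth_control_file` environment variable, so the OpenVPN process keeps forwarding other clients' packets while one user is still looking for their phone. The Python below is an added example, not code from this list or from the OpenVPN project. It assumes an OpenVPN 2.5 or newer server, where a `via-file` verify script is allowed to defer (earlier releases only offered deferral through the plugin API), started with `script-security 2` and `auth-user-pass-verify <script> via-file`. The credential store, the `confirm_push` callbacks and every input used by `run_demo` are constructed stand-ins; in a deployment `confirm_push` is where the MFA vendor's push API call goes.

```python
"""Deferred (asynchronous) OpenVPN auth-user-pass-verify script (added example)."""
import hmac
import os
import signal
import sys
import tempfile
import time
from typing import Callable, Optional, Tuple

ACCEPT, REJECT, DEFERRED = 0, 1, 2   # verify-script exit codes OpenVPN acts on


def read_via_file(path: str) -> Tuple[str, str]:
    """via-file layout: username on line 1, password on line 2."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    if len(lines) < 2:
        raise ValueError("via-file needs a username and a password line")
    return lines[0], lines[1]


def write_verdict(control_file: str, accepted: bool) -> None:
    """OpenVPN polls auth_control_file for a single '1' (accept) or '0' (reject)."""
    with open(control_file, "w") as fh:
        fh.write("1" if accepted else "0")


def _worker(control_file: str, username: str,
            confirm_push: Callable[[str], bool], timeout_s: int) -> None:
    """Forked child: wait for the push decision, bounded by an alarm, then report."""
    def on_alarm(signum, frame):
        raise TimeoutError("push confirmation timed out")
    signal.signal(signal.SIGALRM, on_alarm)
    signal.alarm(timeout_s)
    try:
        accepted = bool(confirm_push(username))
    except Exception:                       # timeout or vendor API error: fail closed
        accepted = False
    finally:
        signal.alarm(0)
    write_verdict(control_file, accepted)
    os._exit(0)


def deferred_verify(via_file: str, control_file: str,
                    check_password: Callable[[str, str], bool],
                    confirm_push: Callable[[str], bool],
                    timeout_s: int = 60) -> Tuple[int, Optional[int]]:
    """Return (exit code for the script, pid of the background worker or None).

    The cheap password check runs synchronously so a bad password is rejected
    at once. Only the slow push confirmation is forked off, so the script can
    exit with DEFERRED and OpenVPN is not stalled for the other clients.
    """
    username, password = read_via_file(via_file)
    if not check_password(username, password):
        return REJECT, None
    pid = os.fork()
    if pid == 0:
        _worker(control_file, username, confirm_push, timeout_s)  # never returns
    return DEFERRED, pid


# Constructed demo credential store; a deployment queries its own backend here.
DEMO_USERS = {"alice": "correct horse"}


def demo_check_password(username: str, password: str) -> bool:
    return hmac.compare_digest(DEMO_USERS.get(username, ""), password)


def run_demo() -> dict:
    """Run the four outcomes offline against temp files; maps scenario -> (exit code, verdict)."""
    scenarios = [
        ("approved", "correct horse", lambda u: True),
        ("denied", "correct horse", lambda u: False),
        ("timed_out", "correct horse", lambda u: time.sleep(5) or True),
        ("bad_password", "wrong", lambda u: True),
    ]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, password, confirm in scenarios:
            via = os.path.join(tmp, name + ".via")
            ctrl = os.path.join(tmp, name + ".ctrl")
            with open(via, "w") as fh:
                fh.write(f"alice\n{password}\n")
            open(ctrl, "w").close()          # OpenVPN pre-creates an empty control file
            code, pid = deferred_verify(via, ctrl, demo_check_password, confirm, timeout_s=1)
            verdict = None
            if pid is not None:
                os.waitpid(pid, 0)           # the real server polls the file instead
                with open(ctrl) as fh:
                    verdict = fh.read()
            results[name] = (code, verdict)
    return results


def main(argv) -> int:
    """Entry point under OpenVPN: argv[1] is the via-file, auth_control_file comes from the env."""
    control_file = os.environ.get("auth_control_file")
    if not control_file or len(argv) < 2:
        return REJECT                        # deferral not available: fail closed
    # Constructed stand-in for the vendor's push API: denies until replaced.
    code, _pid = deferred_verify(argv[1], control_file, demo_check_password, lambda u: False)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two details matter in practice: the worker fails closed on any exception, including its own alarm, so a vendor outage or an ignored push never turns into an accepted login, and the synchronous part is kept to the cheap password check so that a wrong password is rejected immediately without occupying a deferred slot.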