This article proved to be a decent starting point, but I was particularly interested in allowing password-based logins to OpenVPN using a username/password backed by FreeIPA (opposed to client certificates) as the identity provider.
- IPA join your VPN machine:
ipa-client-install --mkhomedir - Get a kerberos ticket:
kinit - Create a Kerberos service principle and HBAC rule for openvpn access:
ipa service-add openvpn/`hostname`
- Create new hbacrule in console, mark host as the VPN host, and whatever group you want to restrict access to:
rechner@production:~$ ipa hbacrule-show allow_openvpn
Rule name: allow_openvpn
Description: Allowed access to VPN access on vpn.example.net
Enabled: TRUE
User Groups: vpn, admins
Hosts: vpn.example.net
Services: openvpn
- Make this script + make executable in
/usr/local/sbin/set-ssl-permissions:
#!/bin/bash
chmod 400 /etc/openvpn/server_freeipa.crt
chmod 400 /etc/openvpn/server_freeipa.key
- Request a server certificate from IPA CA:
sudo ipa-getcert request -K openvpn/`hostname` -k /etc/openvpn/server_freeipa.key -f /etc/openvpn/server_freeipa.crt -I openvpn -C /usr/local/sbin/set-ssl-permissions
- Check that worked with
sudo ipa-getcert list. - Create PAM configuration,
/etc/pam.d/openvpn:
@include common-auth
@include common-account
@include common-session
- Configure
/etc/openvpn/server.confapropriately. Here's the key configuration values:
ca /etc/ipa/ca.crt
cert server_freeipa.crt
key server_freeipa.key
client-cert-not-required
username-as-common-name
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn"
- Restart OpenVPN and test. For more verbose logging or troubleshooting, set
verb 7inserver.conf