OpenVPN test setup for user authentication with challenge response
# Client config for testing auth-user-pass and challenge-response (CR).
# As a test, the user/pass/response is sent back to the client along
# with a dynamic challenge question, and the connection succeeds only if
# the response to the dynamic challenge is correct.
# Use only for testing.
# To read user/pass from a file, uncomment the next line
# and create a file (cr-test-up.txt in the example path below) with
# 2 lines: a username and a password. They can be anything, but the
# username must not be empty (the verifier denies empty usernames).
# Do not use any real secrets -- they are returned to the client in
# clear text inside the challenge message and may also get logged on
# the server.
;auth-user-pass "/home/selva/cr-test-up.txt" | |
auth-user-pass | |
auth-retry interact | |
static-challenge "Type some thing (e.g., hello): " 0 | |
reneg-sec 600 | |
;management localhost 37500 | |
;management-hold | |
# The management query takes effect only if no auth file is specified
# and management-query-passwords is enabled.
;management-query-passwords | |
nice 3 | |
verb 4 | |
mute 10 | |
;log /tmp/cr-test.log | |
remote myserver 1051 | |
# the rest is standard. Note: ns-cert-type (below) is deprecated --
# OpenVPN 2.4+ uses "remote-cert-tls server" for the same check and
# 2.5 removed ns-cert-type altogether.
client | |
dev tun | |
proto udp | |
resolv-retry infinite | |
nobind | |
key-direction 1 | |
explicit-exit-notify 2 | |
ns-cert-type server | |
# These certificates, the private key and the tls-auth key are published
# here (and probably come from the samples in the OpenVPN distribution;
# the same CA and tls-auth key appear in the server config), so anyone
# can impersonate either end of this tunnel. Use only for testing.
<ca> | |
-----BEGIN CERTIFICATE----- | |
MIIGKDCCBBCgAwIBAgIJAKFO3vqQ8q6BMA0GCSqGSIb3DQEBCwUAMGYxCzAJBgNV | |
BAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMM | |
T3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4w | |
HhcNMTQxMDIyMjE1OTUyWhcNMjQxMDE5MjE1OTUyWjBmMQswCQYDVQQGEwJLRzEL | |
MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t | |
VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMIICIjANBgkq | |
hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsJVPCqt3vtoDW2U0DII1QIh2Qs0dqh88 | |
8nivxAIm2LTq93e9fJhsq3P/UVYAYSeCIrekXypR0EQgSgcNTvGBMe20BoHO5yvb | |
GjKPmjfLj6XRotCOGy8EDl/hLgRY9efiA8wsVfuvF2q/FblyJQPR/gPiDtTmUiqF | |
qXa7AJmMrqFsnWppOuGd7Qc6aTsae4TF1e/gUTCTraa7NeHowDaKhdyFmEEnCYR5 | |
CeUsx2JlFWAH8PCrxBpHYbmGyvS0kH3+rQkaSM/Pzc2bS4ayHaOYRK5XsGq8XiNG | |
KTTLnSaCdPeHsI+3xMHmEh+u5Og2DFGgvyD22gde6W2ezvEKCUDrzR7bsnYqqyUy | |
n7LxnkPXGyvR52T06G8KzLKQRmDlPIXhzKMO07qkHmIonXTdF7YI1azwHpAtN4dS | |
rUe1bvjiTSoEsQPfOAyvD0RMK/CBfgEZUzAB50e/IlbZ84c0DJfUMOm4xCyft1HF | |
YpYeyCf5dxoIjweCPOoP426+aTXM7kqq0ieIr6YxnKV6OGGLKEY+VNZh1DS7enqV | |
HP5i8eimyuUYPoQhbK9xtDGMgghnc6Hn8BldPMcvz98HdTEH4rBfA3yNuCxLSNow | |
4jJuLjNXh2QeiUtWtkXja7ec+P7VqKTduJoRaX7cs+8E3ImigiRnvmK+npk7Nt1y | |
YE9hBRhSoLsCAwEAAaOB2DCB1TAdBgNVHQ4EFgQUK0DlyX319JY46S/jL9lAZMmO | |
BZswgZgGA1UdIwSBkDCBjYAUK0DlyX319JY46S/jL9lAZMmOBZuhaqRoMGYxCzAJ | |
BgNVBAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UE | |
ChMMT3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21h | |
aW6CCQChTt76kPKugTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG | |
9w0BAQsFAAOCAgEABc77f4C4P8fIS+V8qCJmVNSDU44UZBc+D+J6ZTgW8JeOHUIj | |
Bh++XDg3gwat7pIWQ8AU5R7h+fpBI9n3dadyIsMHGwSogHY9Gw7di2RVtSFajEth | |
rvrq0JbzpwoYedMh84sJ2qI/DGKW9/Is9+O52fR+3z3dY3gNRDPQ5675BQ5CQW9I | |
AJgLOqzD8Q0qrXYi7HaEqzNx6p7RDTuhFgvTd+vS5d5+28Z5fm2umnq+GKHF8W5P | |
ylp2Js119FTVO7brusAMKPe5emc7tC2ov8OFFemQvfHR41PLryap2VD81IOgmt/J | |
kX/j/y5KGux5HZ3lxXqdJbKcAq4NKYQT0mCkRD4l6szaCEJ+k0SiM9DdTcBDefhR | |
9q+pCOyMh7d8QjQ1075mF7T+PGkZQUW1DUjEfrZhICnKgq+iEoUmM0Ee5WtRqcnu | |
5BTGQ2mSfc6rV+Vr+eYXqcg7Nxb3vFXYSTod1UhefonVqwdmyJ2sC79zp36Tbo2+ | |
65NW2WJK7KzPUyOJU0U9bcu0utvDOvGWmG+aHbymJgcoFzvZmlXqMXn97pSFn4jV | |
y3SLRgJXOw1QLXL2Y5abcuoBVr4gCOxxk2vBeVxOMRXNqSWZOFIF1bu/PxuDA+Sa | |
hEi44aHbPXt9opdssz/hdGfd8Wo7vEJrbg7c6zR6C/Akav1Rzy9oohIdgOw= | |
-----END CERTIFICATE----- | |
</ca> | |
<cert> | |
-----BEGIN CERTIFICATE----- | |
MIIFFDCCAvygAwIBAgIBAjANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJLRzEL | |
MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t | |
VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE0MTAy | |
MjIxNTk1M1oXDTI0MTAxOTIxNTk1M1owajELMAkGA1UEBhMCS0cxCzAJBgNVBAgT | |
Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFDASBgNVBAMTC1Rlc3QtQ2xpZW50 | |
MSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqGSIb3 | |
DQEBAQUAA4IBDwAwggEKAoIBAQDsZY/pEsIaW+ZWKgipgjotRHijADuwn+cnEECT | |
7/HMPqCqBKKAGxOp5v6B1nCQqNjU3jDYNQDSvmLwSNr8FY3Exm0LmfErgwAK0yoj | |
C+XN+TXfQ2EVcq2VmPZzIUFeoN1HJ6DVmtRBqBwdVyBxF4/3KJ4+B87s1Q5CTx50 | |
R45HndIUKCcsFBD10Za1k3SE7/kE3o1Kb993q+rRWNNE/loEAf8Gepf3/eNXSOHw | |
30ATn2YjWuNVVD1UOe4A+RLx0t90LrrX8I3G3RhYHJMiC3X6qNbgtS8tudT+uU+G | |
4nVIFmD7P8m0MEIp+zuzK7lZgWpG80WDv/3VGv83DG9b/WHxAgMBAAGjgcgwgcUw | |
CQYDVR0TBAIwADAdBgNVHQ4EFgQU0rQ2D7H83aXqKvfHI4n64/p6RB0wgZgGA1Ud | |
IwSBkDCBjYAUK0DlyX319JY46S/jL9lAZMmOBZuhaqRoMGYxCzAJBgNVBAYTAktH | |
MQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMMT3BlblZQ | |
Ti1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQChTt76 | |
kPKugTANBgkqhkiG9w0BAQsFAAOCAgEAf+D+hKfs32KlzTzB5kKxMRLwudqnnj+9 | |
llK2/FV0ZD7k/36q9z4GGF9zhfjI4GcbTZfKBdA3BzNkm+Z4dxSaVbsqrMN/yRUI | |
g1zIwmHTcUwFCyvLo4dtoDLtsLMnl0pVjQEqMFZoq/LaXBBzyaoKnEtMoFtRbgp+ | |
bFOAsADhHppMCjeeIIm8xeV5WLdF/9PEof3ZeD1FFnTfgkQdHYFQWrkyTOJPPw46 | |
ZVpkgzspMcSZiLzFhDnyGRLhZtDq+3Wx0ie+kVmjKwnVXL9GjtZn1gvs2qvwgBmH | |
ZAepd7FeDOLFHWqsXSPzMHU2TsrDTrBNjCzOUmFj3tX17+8KayMlJjw68sPCFhk/ | |
qTK6aPnJEjw+xh//m070kLBj9dEzADBa6CT6NUSbaoDzpsx7PHNfUMQwcdh0kCcK | |
AU6lXrH42sJhgRGuKaOP+n5MTmKxAN6S449qLtrZOF1rfA3kAarIxm2LzcDIbuRX | |
IYr2RjDZrVGhh5amU8kexrvD61X+jNZc1cbzyrBg0tQqH4iU00wa2gyU/sFdDSrb | |
mSld9t0WxMhNdJ6A2dCq7XvjMORH2PUVwXG4xv3u/J6yX7W3ku3/yjf2x4K0VBOb | |
g82Hi35k9i5UOiKxxcH0pSVTmk2oD+c1S4nfGYNmZNnb0WErJBsdRET7STCHt0kj | |
CAKK4CXz9EM= | |
-----END CERTIFICATE----- | |
</cert> | |
<key> | |
-----BEGIN PRIVATE KEY----- | |
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDsZY/pEsIaW+ZW | |
KgipgjotRHijADuwn+cnEECT7/HMPqCqBKKAGxOp5v6B1nCQqNjU3jDYNQDSvmLw | |
SNr8FY3Exm0LmfErgwAK0yojC+XN+TXfQ2EVcq2VmPZzIUFeoN1HJ6DVmtRBqBwd | |
VyBxF4/3KJ4+B87s1Q5CTx50R45HndIUKCcsFBD10Za1k3SE7/kE3o1Kb993q+rR | |
WNNE/loEAf8Gepf3/eNXSOHw30ATn2YjWuNVVD1UOe4A+RLx0t90LrrX8I3G3RhY | |
HJMiC3X6qNbgtS8tudT+uU+G4nVIFmD7P8m0MEIp+zuzK7lZgWpG80WDv/3VGv83 | |
DG9b/WHxAgMBAAECggEBAIOdaCpUD02trOh8LqZxowJhBOl7z7/ex0uweMPk67LT | |
i5AdVHwOlzwZJ8oSIknoOBEMRBWcLQEojt1JMuL2/R95emzjIKshHHzqZKNulFvB | |
TIUpdnwChTKtH0mqUkLlPU3Ienty4IpNlpmfUKimfbkWHERdBJBHbtDsTABhdo3X | |
9pCF/yRKqJS2Fy/Mkl3gv1y/NB1OL4Jhl7vQbf+kmgfQN2qdOVe2BOKQ8NlPUDmE | |
/1XNIDaE3s6uvUaoFfwowzsCCwN2/8QrRMMKkjvV+lEVtNmQdYxj5Xj5IwS0vkK0 | |
6icsngW87cpZxxc1zsRWcSTloy5ohub4FgKhlolmigECgYEA+cBlxzLvaMzMlBQY | |
kCac9KQMvVL+DIFHlZA5i5L/9pRVp4JJwj3GUoehFJoFhsxnKr8HZyLwBKlCmUVm | |
VxnshRWiAU18emUmeAtSGawlAS3QXhikVZDdd/L20YusLT+DXV81wlKR97/r9+17 | |
klQOLkSdPm9wcMDOWMNHX8bUg8kCgYEA8k+hQv6+TR/+Beao2IIctFtw/EauaJiJ | |
wW5ql1cpCLPMAOQUvjs0Km3zqctfBF8mUjdkcyJ4uhL9FZtfywY22EtRIXOJ/8VR | |
we65mVo6RLR8YVM54sihanuFOnlyF9LIBWB+9pUfh1/Y7DSebh7W73uxhAxQhi3Y | |
QwfIQIFd8OkCgYBalH4VXhLYhpaYCiXSej6ot6rrK2N6c5Tb2MAWMA1nh+r84tMP | |
gMoh+pDgYPAqMI4mQbxUmqZEeoLuBe6VHpDav7rPECRaW781AJ4ZM4cEQ3Jz/inz | |
4qOAMn10CF081/Ez9ykPPlU0bsYNWHNd4eB2xWnmUBKOwk7UgJatVPaUiQKBgQCI | |
f18CVGpzG9CHFnaK8FCnMNOm6VIaTcNcGY0mD81nv5Dt943P054BQMsAHTY7SjZW | |
HioRyZtkhonXAB2oSqnekh7zzxgv4sG5k3ct8evdBCcE1FNJc2eqikZ0uDETRoOy | |
s7cRxNNr+QxDkyikM+80HOPU1PMPgwfOSrX90GJQ8QKBgEBKohGMV/sNa4t14Iau | |
qO8aagoqh/68K9GFXljsl3/iCSa964HIEREtW09Qz1w3dotEgp2w8bsDa+OwWrLy | |
0SY7T5jRViM3cDWRlUBLrGGiL0FiwsfqiRiji60y19erJgrgyGVIb1kIgIBRkgFM | |
2MMweASzTmZcri4PA/5C0HYb | |
-----END PRIVATE KEY----- | |
</key> | |
<tls-auth> | |
-----BEGIN OpenVPN Static key V1----- | |
a863b1cbdb911ff4ef3360ce135157e7 | |
241a465f5045f51cf9a92ebc24da34fd | |
5fc48456778c977e374d55a8a7298aef | |
40d0ab0c60b5e09838510526b73473a0 | |
8da46a8c352572dd86d4a871700a915b | |
6aaa58a9dac560db2dfdd7ef15a202e1 | |
fca6913d7ee79c678c5798fbf7bd920c | |
caa7a64720908da7254598b052d07f55 | |
5e31dc5721932cffbdd8965d04107415 | |
46c86823da18b66aab347e4522cc05ff | |
634968889209c96b1024909cd4ce574c | |
f829aa9c17d5df4a66043182ee23635d | |
8cabf5a7ba02345ad94a3aa25a63d55c | |
e13f4ad235a0825e3fe17f9419baff1c | |
e73ad1dd652f1e48c7102fe8ee181e54 | |
10a160ae255f63fd01db1f29e6efcb8e | |
-----END OpenVPN Static key V1----- | |
</tls-auth> | |
<dh> | |
-----BEGIN DH PARAMETERS----- | |
MIIBCAKCAQEArdnA32xujHPlPI+jPffHSoMUZ+b5gRz1H1Lw9//Gugm5TAsRiYrB | |
t2BDSsMKvAjyqN+i5SJv4TOk98kRRKB27iPvyXmiL945VaDQl/UehCySjYlGFUjW | |
9nuo+JwQxeSbw0TLiSYoYJZQ8X1CxPl9mgJl277O4cW1Gc8I/bWa+ipU/4K5wv3h | |
GI8nt+6A0jN3M/KebotMP101G4k0l0qsY4oRMTmP+z3oAP0qU9NZ1jiuMFVzRlNp | |
5FdYF7ctrH+tBF+QmyT4SRKSED4wE4oX6gp420NaBhIEQifIj75wlMDtxQlpkN+x | |
QkjsEbPlaPKHGQ4uupssChVUi8IM2yq5EwIBAg== | |
-----END DH PARAMETERS----- | |
</dh> |
# Server config for testing auth-user-pass and challenge-response (CR).
# Client authentication is deferred (management-client-auth) to whatever
# is connected to the .cr-test-man management socket (cr-verify below);
# anything that can open that socket can approve clients, so keep its
# file permissions tight and use this only for testing.
management .cr-test-man unix | |
username-as-common-name | |
management-client-auth | |
nice 3 | |
verb 4 | |
mute 10 | |
log-append cr-test-server.log | |
# the rest is standard | |
server 10.31.43.0 255.255.255.0 | |
dev tun | |
topology subnet | |
proto udp | |
port 1051 | |
persist-tun | |
persist-key | |
keepalive 30 120 | |
key-direction 0 | |
<ca> | |
-----BEGIN CERTIFICATE----- | |
MIIGKDCCBBCgAwIBAgIJAKFO3vqQ8q6BMA0GCSqGSIb3DQEBCwUAMGYxCzAJBgNV | |
BAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMM | |
T3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4w | |
HhcNMTQxMDIyMjE1OTUyWhcNMjQxMDE5MjE1OTUyWjBmMQswCQYDVQQGEwJLRzEL | |
MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t | |
VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMIICIjANBgkq | |
hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsJVPCqt3vtoDW2U0DII1QIh2Qs0dqh88 | |
8nivxAIm2LTq93e9fJhsq3P/UVYAYSeCIrekXypR0EQgSgcNTvGBMe20BoHO5yvb | |
GjKPmjfLj6XRotCOGy8EDl/hLgRY9efiA8wsVfuvF2q/FblyJQPR/gPiDtTmUiqF | |
qXa7AJmMrqFsnWppOuGd7Qc6aTsae4TF1e/gUTCTraa7NeHowDaKhdyFmEEnCYR5 | |
CeUsx2JlFWAH8PCrxBpHYbmGyvS0kH3+rQkaSM/Pzc2bS4ayHaOYRK5XsGq8XiNG | |
KTTLnSaCdPeHsI+3xMHmEh+u5Og2DFGgvyD22gde6W2ezvEKCUDrzR7bsnYqqyUy | |
n7LxnkPXGyvR52T06G8KzLKQRmDlPIXhzKMO07qkHmIonXTdF7YI1azwHpAtN4dS | |
rUe1bvjiTSoEsQPfOAyvD0RMK/CBfgEZUzAB50e/IlbZ84c0DJfUMOm4xCyft1HF | |
YpYeyCf5dxoIjweCPOoP426+aTXM7kqq0ieIr6YxnKV6OGGLKEY+VNZh1DS7enqV | |
HP5i8eimyuUYPoQhbK9xtDGMgghnc6Hn8BldPMcvz98HdTEH4rBfA3yNuCxLSNow | |
4jJuLjNXh2QeiUtWtkXja7ec+P7VqKTduJoRaX7cs+8E3ImigiRnvmK+npk7Nt1y | |
YE9hBRhSoLsCAwEAAaOB2DCB1TAdBgNVHQ4EFgQUK0DlyX319JY46S/jL9lAZMmO | |
BZswgZgGA1UdIwSBkDCBjYAUK0DlyX319JY46S/jL9lAZMmOBZuhaqRoMGYxCzAJ | |
BgNVBAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UE | |
ChMMT3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21h | |
aW6CCQChTt76kPKugTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG | |
9w0BAQsFAAOCAgEABc77f4C4P8fIS+V8qCJmVNSDU44UZBc+D+J6ZTgW8JeOHUIj | |
Bh++XDg3gwat7pIWQ8AU5R7h+fpBI9n3dadyIsMHGwSogHY9Gw7di2RVtSFajEth | |
rvrq0JbzpwoYedMh84sJ2qI/DGKW9/Is9+O52fR+3z3dY3gNRDPQ5675BQ5CQW9I | |
AJgLOqzD8Q0qrXYi7HaEqzNx6p7RDTuhFgvTd+vS5d5+28Z5fm2umnq+GKHF8W5P | |
ylp2Js119FTVO7brusAMKPe5emc7tC2ov8OFFemQvfHR41PLryap2VD81IOgmt/J | |
kX/j/y5KGux5HZ3lxXqdJbKcAq4NKYQT0mCkRD4l6szaCEJ+k0SiM9DdTcBDefhR | |
9q+pCOyMh7d8QjQ1075mF7T+PGkZQUW1DUjEfrZhICnKgq+iEoUmM0Ee5WtRqcnu | |
5BTGQ2mSfc6rV+Vr+eYXqcg7Nxb3vFXYSTod1UhefonVqwdmyJ2sC79zp36Tbo2+ | |
65NW2WJK7KzPUyOJU0U9bcu0utvDOvGWmG+aHbymJgcoFzvZmlXqMXn97pSFn4jV | |
y3SLRgJXOw1QLXL2Y5abcuoBVr4gCOxxk2vBeVxOMRXNqSWZOFIF1bu/PxuDA+Sa | |
hEi44aHbPXt9opdssz/hdGfd8Wo7vEJrbg7c6zR6C/Akav1Rzy9oohIdgOw= | |
-----END CERTIFICATE----- | |
</ca> | |
<cert> | |
-----BEGIN CERTIFICATE----- | |
MIIFgDCCA2igAwIBAgIBATANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJLRzEL | |
MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t | |
VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE0MTAy | |
MjIxNTk1MloXDTI0MTAxOTIxNTk1MlowajELMAkGA1UEBhMCS0cxCzAJBgNVBAgT | |
Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFDASBgNVBAMTC1Rlc3QtU2VydmVy | |
MSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqGSIb3 | |
DQEBAQUAA4IBDwAwggEKAoIBAQCluKLuzrGmD2qyn9MiF3neCZhxePqnzjZRVFfH | |
MZlW0YrWxf1S5ogOe/nqJ3q/PxTsqtL/i1ZYrMpRd8U8tuSDbyIGLVvr51nUq0LI | |
1amHc7NzNlEvpdCQoodkVGwS07h2R2mvro8As3C552c/jGo9eV+BJ6MOqqc9gUgQ | |
sRhsOC6PenvFPSHI+aB/FyuIT7ry7G0kjmzxClzZW7Gw/EnLStJYxiolsJeEw57/ | |
NIwQRn8P+zxZeqYpDK6OUDryU4RALdWRewo3joJ3zmYvNHdcpUU7ABmnB9GS5ma5 | |
O07pY/wzmBquewh9Ct96uqpZbYaCCmQr2lmnTE7vPb0EoksxAgMBAAGjggEzMIIB | |
LzAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0EJhYk | |
T3BlblNTTCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBSz | |
nYHmFpJkxIaH9SkQG14vdPftsTCBmAYDVR0jBIGQMIGNgBQrQOXJffX0ljjpL+Mv | |
2UBkyY4Fm6FqpGgwZjELMAkGA1UEBhMCS0cxCzAJBgNVBAgTAk5BMRAwDgYDVQQH | |
EwdCSVNIS0VLMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxITAfBgkqhkiG9w0BCQEW | |
Em1lQG15aG9zdC5teWRvbWFpboIJAKFO3vqQ8q6BMBMGA1UdJQQMMAoGCCsGAQUF | |
BwMBMAsGA1UdDwQEAwIFoDANBgkqhkiG9w0BAQsFAAOCAgEATiWAG8uwQv+7P+gN | |
WMGA28/QkN/KweZB4Uh/px7HNZ+cbXw+gujefq6CFgAzDwIj8Z3+KwYWBVUWidxj | |
rF8aMRN5IaNuYCjo52tUACKht2laFzHOD8Km3aNv3uoZbNLSyzWd3YdRM2jNw5uQ | |
VfGAPVy4CbbhPBOkXUrOpRGe+QjuvuNUHQZMuxtyE+59oEXM/tE7AgPB1OpFLajJ | |
l+fzinqgL91IOnXJQiiU/K9EUhZomNatqGWxzaxgQXDlROha8uf8O/5FiRcdbYXG | |
8Pxph9EdB/PLe1SNqqPM48b81gV2NdAmY47RqLf/YUKKLGMf1OwUR2se44FhEjuM | |
FrXPh2otQiGDnA46kDoewTZhQfn7Tl3q9N8jkjMrmxSfoPXTxPgfL5wRNq8qImGV | |
MgvEHC2xwQoql8BDSmw+2wDNKRWefkF1NqhWhoyCnkYg5QYeYNIDX5+eabu/wrRD | |
4n2FF4MYQbDLqQQbGFKfiYt2n5RZgU9gWzMY/MdS0NJp/AuiYzJ1Q5np1/htx1Ux | |
DPPvGnHhClfhnROyHv4d7+TxUdmVs/0oKJORSinFNw6r2IVq/qiDH3uAXR8Eebep | |
CG4N1i6qfPZjfUHecBMyzt1YzKZz1HJ+16x0qDW6wxsqZNdaN5dWlDQrKnFgvGmr | |
AIW5T2cyF1HD2lc6N4lmxHpR2l8= | |
-----END CERTIFICATE----- | |
</cert> | |
<key> | |
-----BEGIN PRIVATE KEY----- | |
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCluKLuzrGmD2qy | |
n9MiF3neCZhxePqnzjZRVFfHMZlW0YrWxf1S5ogOe/nqJ3q/PxTsqtL/i1ZYrMpR | |
d8U8tuSDbyIGLVvr51nUq0LI1amHc7NzNlEvpdCQoodkVGwS07h2R2mvro8As3C5 | |
52c/jGo9eV+BJ6MOqqc9gUgQsRhsOC6PenvFPSHI+aB/FyuIT7ry7G0kjmzxClzZ | |
W7Gw/EnLStJYxiolsJeEw57/NIwQRn8P+zxZeqYpDK6OUDryU4RALdWRewo3joJ3 | |
zmYvNHdcpUU7ABmnB9GS5ma5O07pY/wzmBquewh9Ct96uqpZbYaCCmQr2lmnTE7v | |
Pb0EoksxAgMBAAECggEAPMOMin+jR75TYxeTNObiunVOPh0b2zeTVxLT9KfND7ZZ | |
cBK8pg79SEJRCnhbW5BnvbeNEkIm8PC6ZlDCM1bkRwUStq0fDUqQ95esLzOYq5/S | |
5qW98viblszhU/pYfja/Zi8dI1uf96PT63Zbt0NnGQ9N42+DLDeKhtTGdchZqiQA | |
LeSR0bQanY4tUUtCNYvBT8E3pzhoIsUzVwzIK53oovRpcOX3pMXVYZsmNhXdFFRy | |
YkjMXpj7fGyaAJK0QsC+PsgrKuhXDzDttsG2lI/mq9+7RXB3d/pzhmBVWynVH2lw | |
iQ7ONkSz7akDz/4I4WmxJep+FfQJYgK6rnLAlQqauQKBgQDammSAprnvDvNhSEp8 | |
W+xt7jQnFqaENbGgP0/D/OZMXc4khgexqlKFmSnBCRDmQ6JvLTWqDXC4+aqAbFQz | |
zAIjiKaT+so8xvFRob+rBMJY5JLYKNa+zUUanfORUNYLFJPvFqnrWGaJ9uufdaM7 | |
0a5bu95PN74NXee3DBbpBv8HLwKBgQDCEk+IjNbjMT+Neq0ywUeM5rFrUKi92abe | |
AgsVpjbighRV+6jA2lZFJcize+xYJ9wiOR1/TEI9PZ2OtBkqpwVdvTEHTagRLcvd | |
NfGcptREDnNLoNWA22buQpztiEduutACWQsrd+JQmqbUicUdW4zw86/oCMbYCW3V | |
QmYOLns7nwKBgHHUX20WZE91S4pmqFKlUzHTDdkk1ESX6Qx2q0R01j8BwawHFs6O | |
0DW9EZ7w55nfsh+OPRl1sjK/3ubMgfQO0TZLm+IGf3Sya0qEnVeiPMkpDMX+TgRA | |
wzEe+ou6uho+9uFSvdxMxeglaYA5M2ycvNwLsbEyZ4ZyVYxdgTiKahYFAoGAcIfP | |
iD0qKQiYcj/tB94cz+3AeJqHjbYT1O1YYhBECOkmQ4kuG80+cs/q5W/45lEOiuWV | |
Xgfo7Lu6jVGOujWoneci87oqtvNYH4e09oGh2WiLoBG9Wv9dWtBTUERSLzmxfXsG | |
SAk2uEhEbj8IhfJc8iZLHH9iVUh6YEslBBodqL8CgYEAlAhvcqAvw5SzsfBR5Mcu | |
4Nql6mXEVhHCvS4hdFCGaNF0z9A6eBORKJpdLWnqhpquDQDsghWE+Ga4QKSNFIi1 | |
fnAaykmZuY3ToqNOIaVlYM6HpMEz0wHQbTWfDLGcTFcElLZgMAk7VlDyiYVOco+E | |
QX9lXOO1PGpLzXhlDxSe63Y= | |
-----END PRIVATE KEY----- | |
</key> | |
<tls-auth> | |
-----BEGIN OpenVPN Static key V1----- | |
a863b1cbdb911ff4ef3360ce135157e7 | |
241a465f5045f51cf9a92ebc24da34fd | |
5fc48456778c977e374d55a8a7298aef | |
40d0ab0c60b5e09838510526b73473a0 | |
8da46a8c352572dd86d4a871700a915b | |
6aaa58a9dac560db2dfdd7ef15a202e1 | |
fca6913d7ee79c678c5798fbf7bd920c | |
caa7a64720908da7254598b052d07f55 | |
5e31dc5721932cffbdd8965d04107415 | |
46c86823da18b66aab347e4522cc05ff | |
634968889209c96b1024909cd4ce574c | |
f829aa9c17d5df4a66043182ee23635d | |
8cabf5a7ba02345ad94a3aa25a63d55c | |
e13f4ad235a0825e3fe17f9419baff1c | |
e73ad1dd652f1e48c7102fe8ee181e54 | |
10a160ae255f63fd01db1f29e6efcb8e | |
-----END OpenVPN Static key V1----- | |
</tls-auth> | |
<dh> | |
-----BEGIN DH PARAMETERS----- | |
MIIBCAKCAQEArdnA32xujHPlPI+jPffHSoMUZ+b5gRz1H1Lw9//Gugm5TAsRiYrB | |
t2BDSsMKvAjyqN+i5SJv4TOk98kRRKB27iPvyXmiL945VaDQl/UehCySjYlGFUjW | |
9nuo+JwQxeSbw0TLiSYoYJZQ8X1CxPl9mgJl277O4cW1Gc8I/bWa+ipU/4K5wv3h | |
GI8nt+6A0jN3M/KebotMP101G4k0l0qsY4oRMTmP+z3oAP0qU9NZ1jiuMFVzRlNp | |
5FdYF7ctrH+tBF+QmyT4SRKSED4wE4oX6gp420NaBhIEQifIj75wlMDtxQlpkN+x | |
QkjsEbPlaPKHGQ4uupssChVUi8IM2yq5EwIBAg== | |
-----END DH PARAMETERS----- | |
</dh> |
#!/usr/bin/env python | |
# | |
# cr-verify: A test script to do OpenVPN client authentication | |
# through the management interface | |
# This should be started from the same directory as the server
# (or edit the path of the unix socket) and left running along with
# the server, which defers client authentication to it via
# management-client-auth.
# This is only a testing script, not robust enough for real use: the
# dynamic-challenge answer is sent to the client in clear text inside
# the challenge state and trusted when echoed back, so it proves nothing.
# | |
# (c) 2015-2016 Selva Nair <selva.nairATgmail.com> | |
# | |
import socket | |
import sys | |
import time | |
import base64 | |
import random | |
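#debug = True
debug = False

# Kind of client event awaiting a verdict (Verify.new_client; 0 = none).
CONNECT = 1
REAUTH = 2

# [question, answer] pairs for the dynamic challenge.  The answer travels
# in clear text inside the challenge state that the client echoes back
# (see Verify.process_client), so this is a protocol test, not real auth.
global_qna = [
    ['1+1 = ', '2'],
    ['pi to 2 decimal places = ', '3.14'],
    ['10-7 = ', '3'],
    ['1-2 = ', '-1'],
]


def _to_text(data):
    """Return *data* as text (the base64 functions yield bytes on Python 3)."""
    if isinstance(data, bytes) and not isinstance(data, str):
        return data.decode('utf-8', 'replace')
    return data


def _b64_text(text):
    """Base64-encode the text string *text* and return the result as text."""
    return _to_text(base64.b64encode(text.encode('utf-8')))


def _management_quote(text):
    """Make *text* safe inside a double-quoted management-command argument.

    The reason of a ``client-deny`` embeds client-supplied data (username,
    echoed password/response).  CR/LF would end the command line early and
    a bare '"' would end the quoted argument, so CR/LF are dropped and
    '"' and '\\' are backslash-escaped.  NOTE(review): assumes the
    management parser honours backslash escapes inside quotes -- confirm
    against the OpenVPN version in use.
    """
    text = text.replace('\r', '').replace('\n', '')
    return text.replace('\\', '\\\\').replace('"', '\\"')


class Verify(object):
    """OpenVPN client-auth via the management interface.

    Reads ``>CLIENT:`` notifications from the server's management socket and
    answers every CONNECT/REAUTH event with ``client-auth-nt`` (accept) or
    ``client-deny`` (reject, optionally carrying a CRV1 dynamic challenge).
    Test harness only: the challenge state is neither signed nor kept
    server-side, and secrets are echoed back to the client in clear text.
    """

    def __init__(self, path):
        """Remember the unix socket *path*; the connection is made in connect()."""
        self.set_defaults()
        self.path = path
        self.sock = None   # AF_UNIX socket, created per attempt in connect()
        self.sfd = None    # text-mode file object over self.sock

    def set_defaults(self):
        """Forget any pending client so the next event starts clean."""
        self.new_client = 0          # 0, CONNECT or REAUTH
        self.user = ''
        self.saved_user = ''
        self.passwd = ''
        self.ckid = ("-1", "-1")     # (client id, key id) of the pending client

    def connect(self):
        """Connect to the management socket, retrying every second until it is up.

        A fresh socket is created for each attempt: a socket that was closed
        after the server went away cannot be reconnected.
        """
        print('trying to connect to %s ...' % self.path)
        while True:
            sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            try:
                sock.connect(self.path)
            except socket.error as e:
                sock.close()
                if debug: print(e)
                time.sleep(1)
                continue
            self.sock = sock
            # file interface so the line-oriented protocol can use readline()
            self.sfd = sock.makefile('rw')
            print('connected')
            return

    def run(self):
        """Main loop: (re)connect and dispatch management lines until EOF, forever."""
        while True:
            self.connect()
            try:
                while True:
                    line = self.sfd.readline()
                    if not line:
                        break          # EOF: the server closed the socket
                    self._handle_line(line.rstrip())
            except Exception as e:     # best effort: report (in debug) and reconnect
                if debug: print(e)
            finally:
                self.sfd.close()
                self.sock.close()
            # a client that was mid-authentication is gone with the connection
            self.set_defaults()

    def _handle_line(self, line):
        """Parse one management line; call process_client() on ``ENV,END``.

        Only ``>CLIENT:`` notifications are of interest.  The event name is
        split off with a single partition because ENV values (e.g. the
        password) may legitimately contain commas.
        """
        if debug: print('got: %s' % line)
        if not line.startswith('>CLIENT:'):
            return
        payload = line[len('>CLIENT:'):]
        if not payload:
            return
        event, _, rest = payload.partition(',')
        if event in ('CONNECT', 'REAUTH'):
            ids = rest.split(',')
            if len(ids) != 2:
                return
            self.ckid = ids
            self.new_client = CONNECT if event == 'CONNECT' else REAUTH
            self.user = ''
            self.passwd = ''
            tag = '' if event == 'CONNECT' else ' (reauth)'
            print('New client%s %s %s' % (tag, ids[0], ids[1]))
        elif event == 'ENV' and self.new_client:
            if rest == 'END':
                print('processing new client')
                self.process_client()
            elif rest.startswith('username='):
                self.user = rest[len('username='):]
                if debug: print('got user = %s' % self.user)
            elif rest.startswith('password='):
                self.passwd = rest[len('password='):]
                # debug only: this prints the client's password
                if debug: print('got pass = %s' % self.passwd)

    def _allow(self):
        """Management command accepting the pending client."""
        return 'client-auth-nt ' + ' '.join(self.ckid)

    def _deny(self, reason):
        """Management command rejecting the pending client with *reason*."""
        return ('client-deny ' + ' '.join(self.ckid)
                + ' reason "' + _management_quote(reason) + '"')

    def _static_challenge_reply(self):
        """Handle ``SCRV1:<b64 pass>:<b64 response>``: answer with a dynamic challenge.

        The username, password and static response are echoed back in the
        challenge text so the client can check the server decoded them.  The
        expected answer and username ride in the (clear-text, unauthenticated)
        state field, so no server-side storage is needed -- and no real
        security is provided.
        """
        parts = self.passwd[len('SCRV1:'):].split(':')
        try:
            passwd = base64.b64decode(parts[0]) if parts[0] else ''
            response = ''
            if len(parts) == 2 and parts[1]:
                response = base64.b64decode(parts[1])
        except (TypeError, ValueError):
            # malformed base64 must not raise out of the verifier
            return self._deny('Invalid format')
        if not passwd or not response:
            return self._deny('Invalid format')
        question, answer = random.choice(global_qna)
        state = answer + '|' + self.user
        challenge = ('CRV1:R,E:' + state + ':'
                     + _b64_text(self.user) + ':'
                     + 'Welcome ' + self.user
                     + ' (passwd/response = ' + _to_text(passwd) + '/'
                     + _to_text(response) + '), '
                     + 'please answer this: ' + question)
        return self._deny(challenge)

    def _check_dynamic_response(self):
        """Handle ``CRV1::<state>::<answer>``: compare with the echoed state.

        The state is whatever the client sent back and is trusted as-is, so
        the check only exercises the protocol.  Malformed input is denied
        rather than raising.
        """
        fields = self.passwd[len('CRV1::'):].split(':')
        if len(fields) != 3:
            return self._deny('Dynamic response in invalid format')
        state, unused, received = fields
        state_parts = state.split('|')
        if len(state_parts) != 2:
            return self._deny('Dynamic response in invalid format')
        expected_ans, expected_user = state_parts
        if debug:
            print('expected answer, expected username = %s %s'
                  % (expected_ans, expected_user))
        if unused or not received or not expected_ans or not expected_user:
            return self._deny('Dynamic response in invalid format')
        if received != expected_ans:
            return self._deny('Wrong response to dynamic challenge')
        if self.user != expected_user:
            return self._deny('Wrong username with dynamic response')
        return self._allow()

    def process_client(self):
        """Decide on the pending client and send the verdict to the server.

        Rules, in order (test harness only):
          * REAUTH: allowed without checks -- a client running on cached
            credentials would otherwise fail renegotiation.
          * empty username: denied.
          * ``SCRV1:<b64 pass>:<b64 response>`` (static challenge): denied
            with a CRV1 dynamic challenge that echoes pass/response back.
          * ``CRV1::<state>::<answer>``: allowed iff answer and username
            match the ones embedded in the echoed state.
          * plain user/pass: allowed iff username == password.
          * anything else: denied.
        If the reply cannot be written the pending state is kept; otherwise
        it is reset for the next client.
        """
        if debug: print('Password received from mgmt: %s' % self.passwd)
        if self.new_client == REAUTH:
            print('client reauth: allowing without checks')
            verdict = self._allow()
        elif not self.user:
            verdict = self._deny('Empty username')
        elif self.passwd.startswith('SCRV1:') and self.passwd[6:]:
            verdict = self._static_challenge_reply()
        elif self.passwd.startswith('CRV1::') and self.passwd[6:]:
            verdict = self._check_dynamic_response()
        elif self.user == self.passwd:
            # plain user-auth: permit if username == password (test rule!)
            print('simple user-auth in use: permit if user == password')
            verdict = self._allow()
        else:
            verdict = self._deny('Password/response is in invalid format')
        try:
            self.sfd.write(verdict + '\r\n')
            self.sfd.flush()
        except Exception as e:
            if debug: print(e)
            return
        print('replied: %s' % verdict)
        self.set_defaults()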
if __name__ == '__main__':
    # Socket path matches "management .cr-test-man unix" in the server
    # config and is relative to the directory the server was started from.
    verifier = Verify('.cr-test-man')
    verifier.run()