OpenVPN, FreeIPA and One Time Passwords

on February 22nd, 2017 by Hades | No Comments »

Having a comprehensive identity management solution is great but the real power comes when we integrate with other tools. Providing a safe channel for remote workers to access the company network is a particular challenge. Maintaining VPN certificates, users and passwords is a critical task that is in most organisations usually handle manually. This section is intended to highlight the relative ease to set up an Enterprise grade solution using FreeIPA and OpenVPN.

Server Keys and Certificates

FreeIPA includes a certificate authority which we can use to generate SSL/TLS certificates on the fly. When a host is included into the Kerberos realm a trust relationship is formed and the host is then able to request its own certificates via the service bus. Our VPN concentrator is already enrolled into FreeIPA so the command

will generate the required keys which can then be used by OpenVPN. This process can be efficiently automated so the process of rotating keys becomes somewhat easy.

Client Keys and Certificates

If we do not wish to add a machine to the Realm fully, perhaps it is a personal laptop or is using an operating system incompatible with the enrolment process we will need to create an entry for our VPN client in the FreeIPA database so we can issue a certificate for it. After we create a Kerberos service principle for the client we then tell FreeIPA that we would like our VPN concentrator to be responsible for administering this principle.

Add host:

Add VPN host to freeipa

Add service:

Add service host:

We can now create client certificates for this client on the VPN concentrator machine.

Along with the CA cert and the Diffie Hellman parameters the key and certificate can now be transferred to the client and used with any OpenVPN client such as TunnelBlick or Viscosity. OpenVPN does support Certificate Revocation Lists (CRL) but only from the local filesystem so a process would have to be put in place to generate this file.


We can use the common system-auth configuration so we make a symlink to the default location for OpenVPN pam plugin configuration.

Using the Freeipa command line interface we can inspect the user that we want to connect via the VPN. We can see that it is enabled for OTP. Using a Cyanogenmod android phone with FreeOTP installed we snapped the QR code produced by FreeIPA and were immediately able to use it for authentication.

Annoyingly we were blocked by the OS from taking an actual screenshot of FreeOTP

Using a completely standard client OpenVPN configuration with only one addition “auth-user-pass” to prompt for a password we are able to use OpenVPN to log into a network using password+OTP.