OpenVPN, FreeIPA and One Time Passwords

on February 22nd, 2017 by Hades

Having a comprehensive identity management solution is great, but the real power comes when we integrate it with other tools. Providing a safe channel for remote workers to reach the company network is a particular challenge: maintaining VPN certificates, users and passwords is a critical task that most organisations still handle manually. This post shows how easily an enterprise-grade solution can be set up using FreeIPA (as certificate authority, user directory and OTP token store) and OpenVPN.

Server Keys and Certificates

FreeIPA includes a certificate authority which we can use to issue TLS certificates on demand. When a host is enrolled into the Kerberos realm a trust relationship is formed: the host receives a keytab, and certmonger (driven by ipa-getcert) uses those host credentials to request and renew certificates from the IPA CA. Our VPN concentrator is already enrolled into FreeIPA, so the command

[root@ipa ~]# ipa-getcert request -f /var/lib/certmonger/requests/server.crt -k /var/lib/certmonger/requests/server.key -r
New signing request "20170222122747" added.

will generate the key and certificate for OpenVPN to use. The -f and -k paths can point straight at /etc/openvpn, and certmonger keeps tracking the pair and renews it before expiry (renewal is the default; -r only makes it explicit), so key rotation becomes routine rather than a manual chore. Because OpenVPN only reads its key and certificate at start-up, the request should also carry a post-save command (-C) that restarts the service after each renewal.
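As an added example, not code from the original post, the script below requests the server certificate into OpenVPN's own directory with the post-save restart attached, and parses `getcert list` output so a cron job or monitoring check can confirm that certmonger is still renewing the certificate. The concentrator name vpn.test.com, the unit name openvpn@server, the paths under /etc/openvpn and the sample getcert output are all assumptions; the only command taken from the post is ipa-getcert request.

```sh
#!/bin/sh
# Added example, not from the original post: manage the OpenVPN server
# certificate with certmonger on the enrolled concentrator.
# Assumed values (not in the post): the concentrator's FQDN, the systemd unit
# name and the file locations under /etc/openvpn.
set -eu

VPN_FQDN="${VPN_FQDN:-vpn.test.com}"       # assumed concentrator FQDN
CERT="${CERT:-/etc/openvpn/server.crt}"    # referenced by "cert" in server.conf
KEY="${KEY:-/etc/openvpn/server.key}"      # referenced by "key" in server.conf
UNIT="${UNIT:-openvpn@server}"             # assumed OpenVPN systemd unit

# Request the certificate for the concentrator's own host principal.
#  -N/-D  subject CN and DNS SAN equal to the name clients connect to
#  -K     principal the certificate is issued for; host/FQDN is what the
#         concentrator's keytab is entitled to request
#  -C     post-save command: run after every issue and renewal, because
#         OpenVPN only reads its key and certificate at start-up
#  -r/-w  renew automatically before expiry (the default, made explicit)
#         and wait for the CA to answer before returning
request_server_cert() {
  ipa-getcert request \
    -f "$CERT" -k "$KEY" \
    -N "CN=$VPN_FQDN" -D "$VPN_FQDN" \
    -K "host/$VPN_FQDN" \
    -C "systemctl try-restart $UNIT" \
    -r -w
  chmod 0600 "$KEY"
}

# Print "<status> <expiry>" for the tracking request whose certificate file
# is $1, reading `getcert list` output on stdin. Anything other than
# MONITORING (CA_UNREACHABLE, NEED_GUIDANCE, ...) means the renewal will not
# happen unattended and someone should look.
cert_status() {
  awk -v want="$1" -v q="'" '
    function flush() { if (hit) print status " " expires }
    /^Request ID/         { flush(); status = ""; expires = ""; hit = 0 }
    /^[ \t]*status:/      { status = $2 }
    /^[ \t]*certificate:/ { if (index($0, "location=" q want q)) hit = 1 }
    /^[ \t]*expires:/     { sub(/^[ \t]*expires:[ \t]*/, ""); expires = $0 }
    END                   { flush() }
  '
}

# Succeed only if the certificate at $1 is in the MONITORING state.
assert_monitoring() {
  case "$(cert_status "$1")" in
    "MONITORING "*) return 0 ;;
    *)              return 1 ;;
  esac
}

# Constructed sample of `getcert list` output (not captured from the post's
# hosts): one healthy server certificate and one stuck client request.
sample_getcert_list() {
  cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20170222122747':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/etc/openvpn/server.key'
    certificate: type=FILE,location='/etc/openvpn/server.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TEST.COM
    subject: CN=vpn.test.com,O=TEST.COM
    expires: 2019-02-23 12:27:48 UTC
    dns: vpn.test.com
    principal name: host/vpn.test.com@TEST.COM
    post-save command: systemctl try-restart openvpn@server
    track: yes
    auto-renew: yes
Request ID '20170222131252':
    status: CA_UNREACHABLE
    stuck: yes
    key pair storage: type=FILE,location='/etc/openvpn/clients/laptop.key'
    certificate: type=FILE,location='/etc/openvpn/clients/laptop.crt'
    CA: IPA
    expires: 2019-02-23 13:12:53 UTC
    track: yes
    auto-renew: yes
EOF
}

case "${1:-}" in
  request) request_server_cert ;;
  status)  getcert list | cert_status "$CERT" ;;
  check)   getcert list | assert_monitoring "$CERT" ;;   # for cron or monitoring
  demo)    sample_getcert_list | cert_status "$CERT" ;;
esac
```

Run it once with `request` on the concentrator; `check` exits non-zero whenever the tracking request has left the MONITORING state, which is the condition under which the "automatic" rotation silently stops working.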

Client Keys and Certificates

If we do not wish to enrol a machine fully, perhaps because it is a personal laptop or runs an operating system the enrolment process does not support, we still need an entry for the VPN client in the FreeIPA database so that a certificate can be issued for it. We add a host entry and a Kerberos service principal for the client, then tell FreeIPA that our VPN concentrator may manage that principal; that delegation is what allows the concentrator, using its own host credentials, to request the client's certificate.

Add host:

[root@ipa ~]# kinit admin
[root@ipa ~]# ipa host-add --force hades.MacBook-Pro.local
Added host "hades.macbook-pro.local"
  Host name: hades.macbook-pro.local
  Principal name: host/[email protected]
  Principal alias: host/[email protected]
  Password: False
  Keytab: False
  Managed by: hades.macbook-pro.local

Enrol the VPN concentrator in FreeIPA (skip this if, as above, it is already enrolled). Passing the admin password on the command line, as below, leaves it in the shell history and in process listings; letting ipa-client-install prompt for it, or enrolling with a one-time password created by ipa host-add --random, avoids that:

[root@ipavpn ~]# ipa-client-install --principal=admin --password=admin_password_ipa --mkhomedir
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname:
DNS Domain:
IPA Server:,
BaseDN: dc=test,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TEST.COM
    Issuer:      CN=Certificate Authority,O=TEST.COM
    Valid From:  Thu Feb 16 16:26:28 2017 UTC
    Valid Until: Mon Feb 16 16:26:28 2037 UTC

Enrolled in IPA realm TEST.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TEST.COM
Forwarding 'schema' to json server ''
Forwarding 'ping' to json server ''
Forwarding 'ca_is_enabled' to json server ''
Systemwide CA database updated.
Hostname ( does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host
Missing reverse record(s) for address(es):
Adding SSH public key from /etc/ssh/
Adding SSH public key from /etc/ssh/
Adding SSH public key from /etc/ssh/
Forwarding 'host_mod' to json server ''
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
No SRV records of NTP servers found. IPA server address will be used
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring as NIS domain.
Client configuration complete.

Add service:

[root@ipa ~]# ipa service-add --force client/hades.MacBook-Pro.local
Added service "client/[email protected]"
  Principal name: client/[email protected]
  Principal alias: client/[email protected]
  Managed by: hades.macbook-pro.local

Allow the VPN concentrator to manage the service (ipa service-add-host takes the service principal followed by --hosts=<concentrator FQDN>; the added host then appears under "Managed by"):

[root@ipa ~]# ipa service-add-host --hosts client/hades.MacBook-Pro.local
  Principal name: client/[email protected]
  Principal alias: client/[email protected]
  Managed by: hades.macbook-pro.local,
Number of members added 1

We can now request a certificate for this client from the VPN concentrator. The certificate is issued for the client's service principal (-K client/...), with the laptop's name as subject and DNS name, and the concentrator is entitled to request it because of the delegation above.

[root@ipavpn ~]# kinit admin
Password for [email protected]: 
[root@ipavpn ~]# ipa-getcert request -f /var/lib/certmonger/requests/hades.MacBook-Pro.local.crt -k /var/lib/certmonger/requests/hades.MacBook-Pro.local.key -N CN=hades.MacBook-Pro.local -D hades.MacBook-Pro.local -K client/hades.MacBook-Pro.local
New signing request "20170222131252" added.
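The four steps above can be scripted. The following is an added example, not the post's own code: run from the concentrator after kinit admin, it creates the host and service entries for a new client name, delegates the service to the concentrator, waits for the certificate, and bundles CA certificate, client certificate and key into one inline .ovpn profile that Tunnelblick or Viscosity can import, including the auth-user-pass line the post adds on the client. The concentrator name vpn.test.com, the 1194/udp listener and the output directory are assumptions; the ipa commands are the ones the post uses, with service-add-host written out in full with the --hosts argument that names the concentrator.

```sh
#!/bin/sh
# Added example, not from the original post: onboard an un-enrolled VPN client
# (a personal laptop) from the VPN concentrator and emit a single inline .ovpn
# profile. Assumed (not in the post): the concentrator is vpn.test.com, its
# OpenVPN listens on 1194/udp, and client material goes to /etc/openvpn/clients.
# Run after "kinit admin", as the post does.
set -eu

VPN_FQDN="${VPN_FQDN:-vpn.test.com}"         # assumed concentrator FQDN
OUT_DIR="${OUT_DIR:-/etc/openvpn/clients}"   # assumed output directory
IPA_CA="${IPA_CA:-/etc/ipa/ca.crt}"          # CA cert written by ipa-client-install

# The four steps from the post for client "$1" (e.g. hades.MacBook-Pro.local).
# --force skips the DNS check, since the laptop has no A record.
# service-add-host is the delegation that lets this concentrator request a
# certificate for the client's principal with its own host keytab.
onboard_client() {
  name="$1"
  ipa host-add --force "$name"
  ipa service-add --force "client/$name"
  ipa service-add-host "client/$name" --hosts="$VPN_FQDN"
  mkdir -p "$OUT_DIR"
  ipa-getcert request -w \
    -f "$OUT_DIR/$name.crt" -k "$OUT_DIR/$name.key" \
    -N "CN=$name" -D "$name" -K "client/$name"
  chmod 0600 "$OUT_DIR/$name.key"
}

# Emit an inline profile so a single file travels to the laptop.
#   remote-cert-tls server / verify-x509-name: the IPA CA also signs every
#   client and service certificate in the realm, so "issued by our CA" alone
#   is not enough; pin the server's name as well.
#   auth-user-pass: prompt for the username and the password+OTP that the
#   server's PAM plugin will check.
build_ovpn_profile() {
  vpn="$1"; ca="$2"; cert="$3"; key="$4"
  cat <<EOF
client
dev tun
proto udp
remote $vpn 1194
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name $vpn name
auth-user-pass
<ca>
$(cat "$ca")
</ca>
<cert>
$(cat "$cert")
</cert>
<key>
$(cat "$key")
</key>
EOF
}

case "${1:-}" in
  onboard)
    onboard_client "$2"
    build_ovpn_profile "$VPN_FQDN" "$IPA_CA" \
      "$OUT_DIR/$2.crt" "$OUT_DIR/$2.key" > "$OUT_DIR/$2.ovpn"
    chmod 0600 "$OUT_DIR/$2.ovpn"
    # The profile contains an unencrypted private key: hand it over in person
    # or through an encrypted channel, and delete the local copy afterwards.
    echo "profile written to $OUT_DIR/$2.ovpn"
    ;;
esac
```

Because the IPA CA is the issuer for every host and service certificate in the realm, the client certificate on its own should not be treated as authorisation to use the VPN; the password+OTP step on the server is what ties a connection to a real user, and the name pinning in the profile is what stops another certificate from the same CA posing as the concentrator.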

Together with the CA certificate (ipa-client-install installs it at /etc/ipa/ca.crt on every enrolled host), the key and certificate can now be transferred to the client and used with any OpenVPN client such as Tunnelblick or Viscosity. Diffie-Hellman parameters are needed only on the server (the dh directive); the client does not use them. OpenVPN supports Certificate Revocation Lists (crl-verify) but only reads them from the local filesystem, in PEM form, whereas FreeIPA's CA publishes its CRL in DER at http://<ipa-server>/ipa/crl/MasterCRL.bin, so a process has to be put in place to fetch, convert and install this file.
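An added example, not from the post, of the CRL process it says is needed: fetch FreeIPA's published CRL, verify it against the IPA CA, convert it to the PEM form crl-verify expects, and replace the file atomically only when it has changed; plus the revocation call that makes a lost laptop's certificate useless. The IPA server name ipa.test.com, the destination path and the idea of running it from cron are assumptions; the URL path /ipa/crl/MasterCRL.bin is where FreeIPA's CA publishes the CRL.

```sh
#!/bin/sh
# Added example, not from the original post: keep the OpenVPN CRL in sync with
# the FreeIPA CA. Assumed (not in the post): the IPA server is ipa.test.com and
# server.conf contains "crl-verify /etc/openvpn/crl.pem". Run "sync" from cron
# every few minutes; the CA publishes its CRL on its own schedule, so a
# revocation shows up at the next publication, not instantly.
set -eu

IPA_HOST="${IPA_HOST:-ipa.test.com}"              # assumed IPA server
CRL_URL="http://$IPA_HOST/ipa/crl/MasterCRL.bin"  # FreeIPA's published CRL (DER)
CRL_PEM="${CRL_PEM:-/etc/openvpn/crl.pem}"        # file named by crl-verify
CA_CERT="${CA_CERT:-/etc/ipa/ca.crt}"             # CA cert from ipa-client-install

# Download the DER CRL, check its signature against the IPA CA (a tampered or
# truncated download must not silently replace the live CRL), and write it
# as the PEM file OpenVPN expects into $1.
fetch_crl_pem() {
  tmp="$(mktemp)"
  curl -fsS -o "$tmp" "$CRL_URL"
  openssl crl -inform DER -in "$tmp" -CAfile "$CA_CERT" -noout
  openssl crl -inform DER -in "$tmp" -outform PEM -out "$1"
  rm -f "$tmp"
}

# Install $1 as $2 atomically (rename) with a mode OpenVPN can read. Returns 0
# if the file was replaced, 1 if the content was already current, so the
# caller logs only real changes. OpenVPN picks up a changed CRL file on its
# own, so no restart is sent.
install_if_changed() {
  src="$1"; dst="$2"
  if [ -f "$dst" ] && [ "$(cksum < "$src")" = "$(cksum < "$dst")" ]; then
    return 1
  fi
  tmp="$dst.tmp.$$"
  cp "$src" "$tmp"
  chmod 0644 "$tmp"
  mv -f "$tmp" "$dst"
  return 0
}

sync_crl() {
  new="$(mktemp)"
  fetch_crl_pem "$new"
  if install_if_changed "$new" "$CRL_PEM"; then
    logger -t openvpn-crl "installed new CRL from $CRL_URL"
  fi
  rm -f "$new"
}

# Revoke a client certificate by serial number (reason 1 = key compromise,
# 4 = superseded, 5 = cessation of operation). The serial is shown in the
# certificate details of "ipa service-show client/<name>" or by ipa cert-find.
revoke_client_cert() {
  ipa cert-revoke "$1" --revocation-reason="${2:-1}"
}

case "${1:-}" in
  sync)   sync_crl ;;
  revoke) revoke_client_cert "$2" "${3:-1}" ;;
esac
```

The temporary file is renamed into place rather than written in place so that OpenVPN never sees a half-written CRL, and the checksum comparison keeps the log quiet between publications.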

[root@ipavpn ~]# grep plugin /etc/openvpn/server.conf
plugin /usr/lib64/openvpn/plugins/ "openvpn login USERNAME password PASSWORD"


Password and OTP checking is done by the PAM plugin loaded above, OpenVPN's bundled openvpn-plugin-auth-pam.so. Its argument string names the PAM service, openvpn, so PAM reads /etc/pam.d/openvpn, and tells the plugin to answer the PAM prompt containing "login" with the username and the prompt containing "password" with the password the client sent. On an enrolled host the common system-auth stack already includes pam_sss, which hands the credentials to SSSD and on to the IPA KDC; it also includes pam_unix, so local accounts on the concentrator could authenticate to the VPN as well. A dedicated /etc/pam.d/openvpn containing only pam_sss is tighter and lets FreeIPA HBAC rules decide who may use the openvpn service. The quickest option, though, is to reuse system-auth by symlinking it to the location the plugin's service name implies:

ln -s /etc/pam.d/system-auth /etc/pam.d/openvpn

Using the FreeIPA command line interface we can inspect the user who will connect via the VPN. The line "User authentication types: otp" shows that OTP is required for this account: the KDC will reject the password on its own. Using a CyanogenMod Android phone with FreeOTP installed we scanned the QR code produced by FreeIPA when the token was added and were immediately able to use it for authentication.

Annoyingly we were blocked by the OS from taking an actual screenshot of FreeOTP.

[root@ipa ~]# ipa user-show Dmitriy.Korniychuk
User login: dmitriy.korniychuk
First name: Dmitriy
Last name: Korniychuk
Home directory: /home/dmitriy.korniychuk
Login shell: /bin/sh
Email address: [email protected]
UID: 1014100000
GID: 1014100000
Account disabled: False
User authentication types: otp
Password: True
Member of groups: ipausers
Kerberos keys available: True

With a completely standard client OpenVPN configuration plus a single addition, auth-user-pass, to prompt for credentials, we can log into the network with certificate, password and OTP. The PAM plugin hands PAM a single password field, so the user types their FreeIPA password immediately followed by the current token code, exactly as for any other FreeIPA OTP login; there is no separate OTP prompt. The client certificate is still verified by OpenVPN (unless the server has been told not to require client certificates), so all three factors are needed.
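An added example, not from the post, of the tighter PAM setup mentioned above together with two checks worth running before opening the VPN: that FreeIPA actually enforces OTP for each VPN user (the "User authentication types" field the post inspects), and, through an HBAC rule, that only the intended group may use the openvpn PAM service. The group name vpn-users, the concentrator name vpn.test.com and the sample user-show excerpts are assumptions; the field names are those in the post's own ipa user-show output.

```sh
#!/bin/sh
# Added example, not from the original post: a pam_sss-only PAM stack for the
# OpenVPN plugin, an HBAC rule restricting the "openvpn" service, and a check
# that FreeIPA actually enforces OTP for the VPN users. Assumed (not in the
# post): the group vpn-users and the concentrator vpn.test.com; "openvpn" is
# the PAM service name given as first argument to the plugin in server.conf.
# ipa commands need a ticket (kinit admin), as in the post.
set -eu

VPN_FQDN="${VPN_FQDN:-vpn.test.com}"   # assumed concentrator FQDN
VPN_GROUP="${VPN_GROUP:-vpn-users}"    # assumed IPA group allowed on the VPN

# Dedicated stack instead of the system-auth symlink: only pam_sss, so local
# accounts on the concentrator (pam_unix in system-auth) cannot use the VPN,
# and the account phase applies FreeIPA's HBAC rules for service "openvpn".
pam_openvpn_config() {
  cat <<'EOF'
#%PAM-1.0
auth     required pam_sss.so
account  required pam_sss.so
EOF
}

install_pam_config() {
  pam_openvpn_config > /etc/pam.d/openvpn.tmp
  chmod 0644 /etc/pam.d/openvpn.tmp
  mv -f /etc/pam.d/openvpn.tmp /etc/pam.d/openvpn
}

# Allow only $VPN_GROUP to use the openvpn service on the concentrator. This
# only restricts anything once the default allow_all rule is disabled, which
# affects every enrolled host, so do that as a deliberate separate step.
hbac_restrict_vpn() {
  ipa hbacsvc-add openvpn
  ipa hbacrule-add vpn-access
  ipa hbacrule-add-service vpn-access --hbacsvcs=openvpn
  ipa hbacrule-add-user vpn-access --groups="$VPN_GROUP"
  ipa hbacrule-add-host vpn-access --hosts="$VPN_FQDN"
}

# Read "ipa user-show USER" output on stdin and decide whether OTP is
# enforced. "User authentication types" must list otp and must not also list
# password (both means a password alone is still accepted). An empty field
# means the realm default from "ipa config-show" applies, which is password
# only unless it was changed with ipa config-mod --user-auth-type=otp.
user_otp_enforced() {
  types="$(sed -n 's/^[[:space:]]*User authentication types:[[:space:]]*//p' | tr ',' ' ')"
  case " $types " in
    *" password "*) echo "password alone accepted ($types)"; return 1 ;;
    *" otp "*)      echo "otp enforced"; return 0 ;;
    *)              echo "otp not required (${types:-realm default})"; return 1 ;;
  esac
}

# Run the check over every member of $VPN_GROUP.
audit_vpn_group() {
  ipa group-show "$VPN_GROUP" | sed -n 's/^[[:space:]]*Member users:[[:space:]]*//p' |
    tr ',' '\n' | sed 's/^[[:space:]]*//' | while read -r u; do
      [ -n "$u" ] || continue
      if ipa user-show "$u" | user_otp_enforced >/dev/null; then
        echo "OK   $u"
      else
        echo "FAIL $u"
      fi
    done
}

# Constructed ipa user-show excerpts (field names as in the post's output).
sample_user_otp_only() {
  printf '%s\n' '  User login: alice' '  User authentication types: otp' '  Password: True'
}
sample_user_otp_or_password() {
  printf '%s\n' '  User login: bob' '  User authentication types: otp, password'
}
sample_user_default() {
  printf '%s\n' '  User login: carol' '  Password: True'
}

case "${1:-}" in
  pam)   install_pam_config ;;
  hbac)  hbac_restrict_vpn ;;
  audit) audit_vpn_group ;;
  test)  ipa hbactest --user="$2" --host="$VPN_FQDN" --service=openvpn ;;
esac
```

The `test` action uses ipa hbactest to simulate a login against the rule before anyone relies on it, and `audit` catches the case the post's user-show output guards against: a user who was never given a token, or who still has password in their authentication types, would otherwise pass the same PAM stack with a password alone.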

