Skip to content

adcreare/openvpn-dynamodb-authenticator

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
bin
bin
 
 
lib
lib
 
 
pkg
pkg
 
 
Gemfile
Gemfile
 
 
README.md
README.md
 
 
Rakefile
Rakefile
 
 
openvpn-dynamodb-authenticator.gemspec
openvpn-dynamodb-authenticator.gemspec
 
 

Repository files navigation

openvpn-dynamodb-authenticator

This tool provides a Openvpn authenticator using dynamodb.

It is designed for deployments where both PKI certificates and username and password are required to obtain a vpn connction.

This module allows openvpn to authenticate from this module instead of using /etc/shadow for a local user.

To support migration the password format in dynamoodb is in shadow format.

To obtian this module see the releases page, download the gem and install using 'gem install openvpn-dynamodb-authenticator.gem'

Setup

DynamoDB table configuration

  1. Application expects table name to be: openvpn-access (note: it is planned to make this a configuration in future)

  2. Table to contain 2 columns with the following required names:

    • Column Name: Username - Primary partition key - Key Type:Hash
    • Column Name: Password - Attribute Type:String

  3. Items inside the table look like the below in JSON format:

{
  "Username": "username",
  "Password": "$6$phGQY812$vQq.acb67blSJ4nAUou1mSLRsCFX4vgyeSNQRQfAdGohPGQhwzGT9qiXYleogRX3HPo4kik3PQyucsK6zgf4n0"
}

Setup instance IAM role permissions to DynamoDB

The openvpn server is going to require access to the DynamoDB table - this is best handled with an IAM instance role

  1. Assign your instance a role when you deploy it

  2. Add the following IAM policy to your instance role - Update $$SetToYourRegion$ to match your aws region and $YourAWSAccountID$ your AWS account number.

{
    "Statement": [
        {
            "Action": [
                "dynamodb:GetItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:$SetToYourRegion$:$YourAWSAccountID$:table/openvpn-access"
            ],
            "Effect": "Allow"
        }
    ]
}

For example if I was located in us-east-1 with the account number of 211111111113 then the resource line would look like this: arn:aws:dynamodb:us-east-1:211111111113:table/openvpn-access

Install gem on your openvpn server

  1. Download gem file from latest release https://github.com/adcreare/openvpn-dynamodb-authenticator/releases/latest

  2. Install gem

sudo gem install openvpn-dynamodb-authenticator-*.gem

Configure openvpn

  1. Locate the openvpn server config file - by default this will be located in /etc/openvpn/ but may vary depend on your distribution
  2. Edit server config and add the following to the config file to use the authenticator: auth-user-pass-verify /usr/local/bin/ovpn-auth via-file
  3. Restart your openvpn server - dependant on your distribution:
sudo service openvpn restart

OR

sudo systemctl openvpn restart

OR

sudo /etc/init.d/openvpn restart

Final steps

  1. Find a username and password to place into the table. This could be as simple as performing a adduser myvpnuser on any linux system and then coping the hash from /etc/shadow into the Password field of the table

TODO

  1. Implement a configuration option for table name

About

Openvpn authenticator using dynamodb

Resources

Readme
Activity

Stars

1 star

Watchers

3 watching

Forks

0 forks
Report repository

Releases 2

Release 0.0.2 Latest
Mar 21, 2016
+ 1 release

Packages

No packages published

Languages