FWIW, I recently created some Packer.io scripts to build radius-enabled openvpn virtual appliances. Packer will build vmware, vbox, ec2, google compute, etc. images. I think it's pretty slick; it builds the certs with one command. The blog post is here: https://www.wikidsystems.com/support/wikid-support-center/tutorials/build-a-2fa-ready-openvpn-community-virtual-appliance. Note that while this is for two-factor auth, it works with any radius server. (pro-tip: run the auth through your directory for authz.)

Another thing I like about packer scripts in github is that now I can add Gert's --duplicate-cn tip to the scripts and everyone benefits.

nick

On Mon, Feb 16, 2015 at 7:01 AM, Jan Just Keijser <[email protected]> wrote:
> Hi Marine,
>
> Marine B wrote:
>> Thanks for your answers,
>>
>> @Jan: so far we are using radius with client-cert-not-required, but we
>> will need two instances using the radius (one with higher privileges);
>> that's why I wanted to have something on top of the radius that we will
>> only give to those who are allowed to have higher privileges
>>
>> @Greg: That could be a solution, thank you
>>
>> Otherwise, I thought about using tls-auth (I know that it's not
>> supposed to be used this way) on the privileged instance.
>>
> for the higher privileged clients you could use certificates - adding
> 'client-cert-not-required' does not mean you cannot use certificates at all.
> The higher privileged clients can then be checked/verified using the
> appropriate client-connect/tls-verify and/or radius authZ check.
>
> HTH,
>
> JJK
>
>> 2015-02-16 9:15 GMT+01:00 Gert Doering <[email protected]>:
>>
>> Hi,
>>
>> On Mon, Feb 16, 2015 at 08:48:11AM +0100, Marine B wrote:
>> > I would like to know if it is possible to use openvpn with a radius
>> > authentication
>>
>> Yes.
>>
>> > and a pre shared key for multiple users. I read that pre
>> > shared key can only be used for one connection (one client, one
>> > server).
>>
>> Pre-Shared-Key is only valid for peer-to-peer use, not for
>> client-to-server (multipoint).
>>
>> You can use the same certificate for all clients, though, if you
>> enable --duplicate-cn on the server.
>>
>> gert
>>

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication

_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
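JJK's suggestion in the thread above (keep RADIUS for authentication, but require a certificate on the privileged instance and check it with a tls-verify hook), written out as an added example; this is not code from the thread, from OpenVPN, or from WiKID's Packer scripts. The config lines in the comments, the allow-list path, the script name and the RADIUS plugin path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): an OpenVPN --tls-verify hook that only
# lets clients whose certificate CN is on an allow list reach the privileged
# instance. OpenVPN runs the hook as:   script <depth> <X509 subject>
# and continues the handshake only if it exits 0.
#
# Assumed server config for the privileged instance (hypothetical paths; note
# that client-cert-not-required is deliberately NOT set on this instance):
#   tls-verify /etc/openvpn/privileged-cn-check.sh
#   plugin /usr/lib/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
#   script-security 2

ALLOWLIST="${ALLOWLIST:-/etc/openvpn/privileged-cns.txt}"   # one CN per line

# Pull CN=... out of a subject in either OpenVPN subject format:
# "C=FR, O=Example, CN=alice"  or  "/C=FR/O=Example/CN=alice".
subject_cn() {
    printf '%s\n' "$1" | tr ',/' '\n\n' | sed -n 's/^[[:space:]]*CN=//p' | head -n 1
}

# 0 if the CN is listed, 1 otherwise. Fixed-string, whole-line match so that
# "alice" does not also admit "alice-evil" or "alice2".
cn_allowed() {
    cn="$1"; list="$2"
    [ -n "$cn" ] && grep -Fxq -- "$cn" "$list"
}

# Decide one (depth, subject) pair the way OpenVPN hands it to us.
verify() {
    depth="$1"; subject="$2"
    # Depth > 0 is the issuing CA chain, not the client: accept and let
    # OpenVPN's normal chain validation against --ca do its job.
    [ "$depth" -ne 0 ] && return 0
    cn_allowed "$(subject_cn "$subject")" "$ALLOWLIST"
}

# Act as the hook only when OpenVPN passes its two arguments.
if [ "$#" -eq 2 ]; then
    verify "$1" "$2" || { echo "privileged-cn-check: rejecting CN=$(subject_cn "$2")" >&2; exit 1; }
    exit 0
fi
```

Rejections are logged to stderr, which OpenVPN forwards to its own log, so a failed privileged login is visible alongside the RADIUS plugin's messages.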
