OpenVPN


If you are using OpenVPN Access Server you can disable the Google auth on a per-user basis by modifying the user database directly. There are a number of scripts located in /usr/local/openvpn_as/scripts (Debian default); one of the commands that allows database modification/viewing is ‘confdba’. This is how I disabled the auth temporarily on a user. You could also use the dba command tool to retrieve the authenticator secret, because it is not stored in encrypted fashion: while passwords are encrypted/hashed in the db, the Google auth secret is not.

Code:
# cd /usr/local/openvpn_as/scripts
# ./confdba -us -p <username> # Retrieve current user properties
# ./confdba -u -m -k pvt_google_auth_secret_locked -v false -p <username> # Disable Google Auth for user

After executing the above, the user should be able to log in to the web Connect page to retrieve their Google auth app, or rescan their QR code. BE VERY CAREFUL when modifying the database: you could seriously screw up your database if you don’t know what you’re doing, requiring a complete reinstall.

SSL Certs

From http://docs.openvpn.net/how-to-tutorialsguides/administration/cs-ca_bundle-cs-priv_key-cs-cert/

Managing SSL Web Certificates from the CLI
Last modified: 24 December 2011

Currently it is not possible to back up your SSL certificates over the Admin UI. That being said, it can be easily done via the CLI.
You can also take advantage of the CLI to transfer SSL certificates across different Access Server instances, or to install new ones you’ve purchased from an SSL certificate vendor or self-signed with OpenSSL.
Please note the following instructions will ONLY work when you have an actual certificate (not the built-in self-signed one) installed on your server!
In addition, NO ERROR CHECKING will be performed on the certificates if they are installed this way. You could render your server UNUSABLE if the correct certificates are not installed.

In order to do so, you will need SSH access to your Access Server.
To begin, you will need to launch an SSH client such as PuTTY to connect to your server using SSH:

Start PuTTY, connect to the IP address of your server on port 22 (SSH), and click ‘Open’.

Enter the server’s username and password. It must have root access. This is not the VPN client username!

Execute command: cd /usr/local/openvpn_as/scripts/

To backup the existing CA bundle, private key, and server certificate:

CA Bundle:

Execute command: ./confdba -gk cs.ca_bundle

Scroll up (if necessary), and start selecting from -----BEGIN CERTIFICATE-----; stop the selection when you hit the last -----END CERTIFICATE-----.

The CA bundle is now copied to the clipboard. Open up a text editor, paste the contents into the editor, and then save the file as ca.crt.

Private Key:

Execute command: ./confdba -gk cs.priv_key

Scroll up (if necessary), and start selecting from -----BEGIN RSA PRIVATE KEY-----; stop the selection when you hit -----END RSA PRIVATE KEY-----.

The Private Key is now copied to the clipboard. Open up a text editor, paste the contents into the editor, and then save the file as server.key.

Server Certificate:

Execute command: ./confdba -gk cs.cert

Scroll up (if necessary), and start selecting from -----BEGIN CERTIFICATE-----; stop the selection when you hit -----END CERTIFICATE-----.

The Server Certificate is now copied to the clipboard. Open up a text editor, paste the contents into the editor, and then save the file as server.crt.

To install the CA bundle, private key, and server certificate from a backup:

CA Bundle (if you self-signed your server certificate without a CA, please use your server certificate as a CA bundle):
Open up the CA Bundle file in a text editor, then copy all the contents of that file to the clipboard.

Type the following command (but do not press Enter yet; notice the single quote at the end of the line): ./confdba -mk cs.ca_bundle -v '

If using PuTTY, right click the terminal to paste the contents of the CA Bundle onto the terminal window.

After the contents of the CA Bundle are pasted into the terminal window, enter another single quote, followed by the Enter key.

The CA Bundle is now restored.

Private Key:
Open up the Private Key file in a text editor, then copy all the contents of that file to the clipboard.

Type the following command (but do not press Enter yet; notice the single quote at the end of the line): ./confdba -mk cs.priv_key -v '

If using PuTTY, right click the terminal to paste the contents of the Private Key onto the terminal window.

After the contents of the Private Key are pasted into the terminal window, enter another single quote, followed by the Enter key.

The Private Key is now restored.

Server Certificate:
Open up the Server Certificate file in a text editor, then copy all the contents of that file to the clipboard.

Type the following command (but do not press Enter yet; notice the single quote at the end of the line): ./confdba -mk cs.cert -v '

If using PuTTY, right click the terminal to paste the contents of the Server Certificate onto the terminal window.

After the contents of the Server Certificate are pasted into the terminal window, enter another single quote, followed by the Enter key.

The Server Certificate is now restored.

Restart the Access Server completely by invoking the following command: /etc/init.d/openvpnas restart

If the certificates were installed correctly, the server should start without a problem. On the other hand, invalid certificates installed on the server will block the server from starting.
If you would like to revert back to the original built-in self-signed certificate after an installation of custom SSL certificates has failed, execute the following commands:
./confdba -mk cs.ca_bundle
./confdba -mk cs.priv_key
./confdba -mk cs.cert
/etc/init.d/openvpnas restart

To validate that the certificate is properly installed, visit the Web Server section in the Admin UI.
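The backup and install steps above select PEM text by hand in PuTTY and, as the document warns, confdba performs no checking on what it is given. The script below is an added example, not OpenVPN's own tooling: it pulls the PEM blocks out of `confdba -gk` output with sed, verifies with openssl that the key matches the certificate and that the certificate chains to the bundle, and only then writes the files back with `confdba -mk`. It assumes the scripts path given on the page, that `confdba -gk` prints the PEM one line per line (as the scroll-and-select instructions imply), and that an openssl binary is present on the server.

```shell
# Added example, not OpenVPN's own tooling: back up, check and reinstall the
# Access Server web certificates via confdba without hand-selecting PEM text.
# Assumes the scripts path from the page, one PEM line per output line from
# `confdba -gk`, and an openssl binary on the server.
SCRIPTS=/usr/local/openvpn_as/scripts
# confdba key -> backup file name, for the three items the page walks through
ITEMS="cs.ca_bundle:ca.crt cs.priv_key:server.key cs.cert:server.crt"

# Keep only the -----BEGIN ...----- through -----END ...----- lines of stdin.
# A CA bundle holds several certificates; every block is kept, in order.
extract_pem() {
    sed -n '/^-----BEGIN /,/^-----END /p'
}

# Backup step: write ca.crt, server.key and server.crt into DIR.
backup_all() {
    dir=$1
    mkdir -p "$dir"
    for pair in $ITEMS; do
        "$SCRIPTS/confdba" -gk "${pair%%:*}" | extract_pem > "$dir/${pair#*:}"
    done
    chmod 600 "$dir/server.key"   # the private key stays readable by root only
}

# The checks confdba does not perform: the key must belong to server.crt, and
# server.crt must chain to ca.crt (so the bundle has to include the root).
check_material() {
    dir=$1
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt") || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key") || return 1
    [ "$cert_mod" = "$key_mod" ] || { echo "server.key does not match server.crt" >&2; return 1; }
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null
}

# Install step: refuse to touch the database unless the material verifies,
# then pass each file's contents as the -mk value instead of pasting it.
install_all() {
    dir=$1
    check_material "$dir" || return 1
    for pair in $ITEMS; do
        "$SCRIPTS/confdba" -mk "${pair%%:*}" -v "$(cat "$dir/${pair#*:}")"
    done
}

# Usage: sh ovpnas-certs.sh backup DIR | check DIR | install DIR
case "${1:-}" in
    backup)  backup_all "$2" ;;
    check)   check_material "$2" ;;
    install) install_all "$2" ;;
esac
```

After `install`, restart with /etc/init.d/openvpnas restart as described above; `check` can also be run on its own against a vendor-supplied bundle before anything is written to the database.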

Disabling the Lock Out aka (bootstrap) account (optional)
In the setup wizard, you were prompted to create an initial username and password that allowed you to log in to the Admin Web UI. This username and password combination will always be active regardless of its status in the “User Permissions” area. This might be undesirable if your server is facing the Internet, since anyone who has this username and password combination will have full administrator rights to change any setting on your Access Server Admin Web UI. After you have created a secondary administrator account in the Admin Web UI, you may disable this lock out account by following the steps below:

Enter the command: nano /usr/local/openvpn_as/etc/as.conf
Press the Page Down key on your keyboard and scroll down with your Down arrow key until you see entries starting with boot_pam_users.
Put a # sign before the entry corresponding to the bootstrap username you have created previously. Usually this is the boot_pam_users.0= entry. DO NOT put a # sign before the boot_pam_service entry. Doing so will cause unexpected behaviors in your VPN server.
Press CTRL+O, and then press Enter. Then press CTRL+X to exit the editor.
Restart the VPN server by entering the following command: /etc/init.d/openvpnas restart

You may choose to re-enable this feature at any time by removing the # sign from the aforementioned file and restarting Access Server.

Updating Operating System Software (recommended)
Between the time we generated the appliance and the time you downloaded and started using it, many operating system updates might have become available. To make sure your appliance operating system is up to date, execute the following command: apt-get update && apt-get upgrade
