Tuesday, 10 March 2009

OpenVPN: LDAP and ipset says you may.

Our ad-hoc authorization scheme proceeds. Adding custom schemas to OpenLDAP is pretty easy. (vpnaccess.schema)

ipset lets us define netfilter rules against named, dynamic sets of IPs, like:

    ipset -N bofhirc iphash
    iptables -A FORWARD -m set --set bofhirc src -d bofhirc.example.org -p tcp \
        -m tcp --dport 22 -j ACCEPT

which creates the set and adds a rule (here in the FORWARD chain, where the VPN server passes client traffic through) giving only IPs added to the bofhirc set access to bofhirc.example.org port 22. How IPs are added to that set is up to you (port knocking, messenger pigeon, OCR on a piece of paper held up in front of a webcam...) but involves ipset -A bofhirc <ip> at some point. And hopefully ipset -D bofhirc <ip> at some other point to revoke that access again. All without disturbing your carefully-tuned iptables config on every login.

A touch of the Swiss Army chainsaw (Perl with Net::LDAP) hooked into OpenVPN --client-connect (accesses-from-ldap-open.pl) and --client-disconnect (accesses-from-ldap-close.pl). Et voilà. Adding accesses is now as easy as adding a named set of firewall rules, and adding:

    objectClass: vpnAccessPerson
    vpnAccess: bofhirc

to the relevant user in LDAP. The IPs involved are private and assigned by OpenVPN, so there's no risk of aliasing for multiple users behind a NAT.
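As an added example (not the page's own Perl scripts), here is the core of such a connect/disconnect hook in Python: it takes the user's LDAP entry as LDIF (a constructed sample stands in for the Net::LDAP lookup), accepts only conservatively-named sets so an LDAP value can never smuggle options or shell metacharacters into the command, and turns them into the ipset -A / -D calls using the ifconfig_pool_remote_ip variable OpenVPN exports to these scripts. The sample entry, user and addresses are assumptions.

```python
import ipaddress
import os
import re
import subprocess

# Constructed LDIF standing in for the entry the client-connect script
# fetches from LDAP for the connecting user (attributes per vpnaccess.schema).
SAMPLE_LDIF = """\
dn: uid=erik,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: vpnAccessPerson
uid: erik
vpnAccess: bofhirc
vpnAccess: monitoring
"""

# Only plain set names are accepted: nothing starting with '-', no spaces,
# nothing that could be read as an extra argument by ipset or a shell.
SET_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,30}$")


def vpn_accesses(ldif):
    """Return the vpnAccess values of one LDIF entry, de-duplicated, unsafe names dropped."""
    sets = []
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip() == "vpnAccess":
            value = value.strip()
            if SET_NAME.match(value) and value not in sets:
                sets.append(value)
    return sets


def ipset_commands(action, sets, ip):
    """Build argv lists: 'ipset -A <set> <ip>' on connect, 'ipset -D <set> <ip>' on disconnect."""
    flag = {"connect": "-A", "disconnect": "-D"}[action]
    ip = str(ipaddress.ip_address(ip))  # refuse anything that is not a bare address
    return [["ipset", flag, name, ip] for name in sets]


def handle(action, ldif, env=os.environ, run=False):
    """Entry point for --client-connect / --client-disconnect.
    OpenVPN puts the tunnel IP it assigned to the client in ifconfig_pool_remote_ip."""
    cmds = ipset_commands(action, vpn_accesses(ldif), env["ifconfig_pool_remote_ip"])
    if run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)  # argv list, so no shell parsing happens
    return cmds
```

Running the same LDAP lookup on disconnect is what guarantees every -A is matched by a -D, so the set never accumulates stale tunnel addresses that a later client could be assigned.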


janfrode said...

Very cool Erik. Thanks for pointing me at the idea of keeping the access configuration in ldap. Unfortunately ipset isn't available on my distro of choice, and I think we will be needing more fine grained access than your groups solution.

I'm considering if I should dare put full CIDR entries into the vpnAccess object, and that way give full control over what hosts/nets will be allowed to access per user. That should make it easy to create a simple interface for the non-techies to manage their vpn guest users.

hmmm, not sure how I should handle removal, and avoiding duplicate iptables rules on each access. Need to think a bit about that.

Erik Inge Bolsø said...

Where do you need to grind things finer? Example please, I'm not quite seeing it :)

janfrode said...

(sorry for slow response, just noticed your question now :-)

We have lots of hosts/nets we need to give access to, and we will typically be giving a single consultant access to a single or a couple of hosts. So I don't think predefined groups will work.

We should probably store which hosts/nets the user has access to in the vpnAccess object in ldap, and create a simple web-based frontend to delegate the responsibility of adding/modifying these to the non-techies that need to grant the accesses.