Custom authentication

We are evaluating using Pritunl as our VPN for customers to access devices behind our firewall. I have the enterprise trial running right now, with one server, org, and user. I have it set up so that on connection a plugin creates firewall rules for the virtual IP only to a specific list of devices retrieved from our API for that user. This seems to work great.

Now, the last challenge I have to solve is authentication. What I would like is to have a shared .ovpn file we can distribute to each customer that is exactly the same. I want to add auth-user-pass to the .ovpn file, and remove the <cert> and <key> from the .ovpn file. Then, when the user connects in the client they input a username and password, which I can intercept in the user_connect plugin and do an API call to check the username and password. If the user doesn’t exist in Pritunl, I’d like to create it. If that isn’t possible, I can write a service that uses the API to sync users from our database to Pritunl.

However, removing <cert> and <key> from the profile causes the error “OpenSSL: error:0A0000C7:SSL routines::peer did not return a certificate:”

Am I approaching this the wrong way? How else can I achieve “Plugins can be created to support custom authentication systems and custom access control systems” from the home page?

The plugin authentication would still require multiple profiles.

So probably the best thing to do is have a service that at least creates the profiles over the API.

Is there more documentation on how plugin authentication works? Is that connected to the ‘plugin’ user type? For example I see the def user_authenticate(host_id, host_name, user_name, password, remote_ip, **kwargs) function, but I have been struggling to get it to fire.

The user_authenticate handle is called when a username and password is entered from the Pritunl web console login. If the username doesn’t match an administrator, it will send the username and password to the user_authenticate plugin handle. This will occur again when the user connects to the VPN with that profile and is prompted from the VPN client to enter the password. If Radius is used as the single sign-on mode, this will replace the plugin handle.
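As an added illustration of the handle described above (this is example code written for this thread, not Pritunl's own plugin code or the poster's), here is a stand-alone user_authenticate handler using the signature quoted earlier. The in-memory credential table is a constructed stand-in for the customer API call; the return convention of a (valid, org_name, groups) tuple is an assumption for this example and should be checked against the plugin documentation for the Pritunl version in use. The security-relevant details it shows are a salted, iterated password hash, a constant-time comparison, and a dummy hash computation on unknown usernames so that response time does not reveal whether an account exists.

```python
# Added example of a Pritunl-style user_authenticate plugin handler.
# Not Pritunl's code. Assumptions: the handler returns (valid, org_name, groups),
# and the _FAKE_API dict stands in for an HTTPS call to the customer database.
import hashlib
import hmac
import os

_ITERATIONS = 100_000          # PBKDF2 work factor; tune for the server
_DUMMY_SALT = b"\x00" * 16     # used only to equalise timing for unknown users


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from the password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def _make_record(password: str, org: str, groups: list) -> dict:
    """Build a stored credential record with a fresh random salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "org": org, "groups": groups}


# Constructed sample data: one customer user. A real plugin would fetch this
# from the customer API over HTTPS instead of a module-level dict.
_FAKE_API = {
    "alice@example.com": _make_record("correct horse battery staple",
                                      "customers", ["site-a"]),
}


def lookup_user(user_name: str):
    """Stand-in for the API request that returns a user's record, or None."""
    return _FAKE_API.get(user_name)


def user_authenticate(host_id, host_name, user_name, password, remote_ip, **kwargs):
    """Pritunl plugin handle: validate the username/password typed into the
    web console or the VPN client. Never log the password or echo it back."""
    if not user_name or not password:
        return False, None, None

    record = lookup_user(user_name)
    if record is None:
        # Spend the same hashing cost as the success path so an attacker
        # cannot enumerate valid usernames by timing the failure.
        _hash(password, _DUMMY_SALT)
        return False, None, None

    candidate = _hash(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return False, None, None

    # Valid: hand back the org the user belongs to and its groups.
    return True, record["org"], list(record["groups"])
```

Dropping this into the plugin directory as-is would let anyone in the dict authenticate; the point is the shape of the handler and the checks around the credential comparison, with the dict replaced by the real API call.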

Thanks so much, that helps a lot!