Tunnelblick 2fa

02-05-2021 by



Download Tunnelblick by clicking Download Latest Stable Release; C. Double-click on the downloaded Tunnelblick file to install the program. (It will be named Tunnelblick and contain information about what version it is. For example: the downloaded file for version 3.7.8 is named Tunnelblick3.7.8build5180.dmg).

Over the last couple of days, I've been working on integrating Duo Security's Two-FactorAuthentication with OpenVPN. While theinstructions on Duo'swebsite are great, Here are a few notes that may be helpful if you'redoing the same.

Like Termius, JuiceSSH is a very popular and fully-featured proprietary SSH (and Telnet and Mosh) client with in-app purchases for premium features. It supports ECDSA, RSA, and DSA SSH keys and password, SSH key agent forwarding, 2FA via Google Authenticator, and includes an RSA key generator. Download Tunnelblick by clicking Download Latest Stable Release; C. Double-click on the downloaded Tunnelblick file to install the program. (It will be named Tunnelblick and contain information about what version it is. For example: the downloaded file for version 3.7.8 is named Tunnelblick3.7.8build5180.dmg).

Install from an RPM

The plugin provided by Duo installs into /opt/duo via aMakefile. I generally dislike software on my machines that isnot installed via the package management system, and targeting a Linuxbased server, I wrote the necessary glue to build an RPM from the files,which installs into /usr.

If you're interested in those changes, you can fetch them via my fork on GitHub. (Itcontains a few more modifications, as discussed below.)

Add support for 'composite' password

The plugin provided by Duo Security is intended to be combined withcertificates to authenticate. However, we briefly considered combining itwith regular password authentication via LDAP, but that solution is notcurrently supported by the plugin. However, there are ways around that.Thisblog entry explains in detail what needs to be done to make thishappen.

After reading those instructions, I updated the duo_openvpnplugin to optionally support this as well. Those changes are alsoavailable in my fork onGitHub, but it should be noted that there are a few usabilityconcerns: the two plugins are executed independently from each other,meaning that if one fails, the other is still attempted. This can lead toconfusion when the user enters their password wrong, but still gets a Duonotification (which naturally takes a bit longer).

Tunnelblick 2fa code

In the end, we decided that the user interface of these 'compositepasswords' is rather suboptimal: asking the user to enter their (hopefullycomplex) password (which we expect many users to have stored in 1Password and would have to copy fromthere), followed by a comma, followed by the Duo token seems prone toerrors. Either way, the code is there, if you're interested.

reneg-sec bug in OpenVPN < 2.2

I found out after much banging my head against the wall that there is abug in OpenVPN versions prior to 2.2 where setting reneg-sec 0(as is recommended by the Duo OpenVPNinstructions) causes the hand-window parameter to be reset tozero as well.

This manifested itself in the following way: the user initiates theauthentication process and OpenVPN hands off authentication to theduo_openvpn plugin. Since the handshake window is set to zero,OpenVPN will wait for zero seconds before it determines that the plugindid not succeed, and the connection will be terminated. A few secondslater, the user will get the Duo push notification...

I tried to change the hand-window and various other settingsall to no avail, until I found this note in the OpenVPN Changelog:

Fixed an issue where if reneg-sec was set to 0 on the client,so that the server-side value would take precedence,the auth_deferred_expire_window function would incorrectlyreturn a window period of 0 seconds. In this case, thecorrect window period should be the handshake windowperiod.

For OpenVPN versions below 2.2, the only viable solution I've found isto set the reneg-sec parameter on the server to a reasonablevalue. For Duo authentication, where you don't want a client to replay aone-time token, you can set it to a large value (say, 8 hours or so).

Things I've learned about OpenVPN

When trying to figure out the reneg-sec bug, I first thoughtthat the problem was in the Duo plugin, and hastily added await(2) to prevent the plugin from immediately returning. Duo'sakgood pointed out to me, however,that that does not make OpenVPN very happy. For you see, OpenVPN issingle-threaded, and can't do a whole lot while it's busy waiting for anauthenticating subprocess to return.

That is, while you're waiting for a user to get authenticated, notraffic can go over the VPN, not even for other sessions. This is by design, bythe way. So instead of blocking, OpenVPN handles this by using 'deferredauthentication', where a plugin executes and returns immediately. But theplugin still has to communicate back the success or failure to the OpenVPNdaemon, and what better method of IPC to use but... that's right,local files.

Tunnelblick 2fa

When a plugin like the duo_openvpn plugin executes, it ispassed the name of a temporary file to which it writes the authenticationstatus when it returns, and OpenVPN's hand-window dictates howlong the daemon should maximally wait to check this file.

I'm not sure if using temporary files in the local filesystem give me aparticularly warm and fuzzy feeling, considering OpenVPN may run as anunprivileged user, and to be able to create/update these files it mightend up writing them in /tmp etc., where I could imagine the riskof a symlink attack by another local user. But anyway, it is what itis.

Example Configuration Files

Here are the configuration files (or at least the relevant bits) I'veused to set up Duo Two-Factor Authentication with OpenVPN:

/etc/openvpn-duo/server.conf:

Tunnelblick clientconfiguration:

(Yes, I'm aware of the localroot exploit for Tunnelblick (and the one forViscosity). :-)

Anyway, now I live in the future! Now, when I connect, my computersare calling me on my cell phone to say hi. I like that. Thanks, Duo Security!

August 15th, 2012

The VPN will give you access to the SBGrid Network. The VPN is forSBGrid ARC Members at CMCD supported Labs in the Boston Area. It isnot for Consortium members.

If we detect that you haven’t used your VPN access in 3 months, we’lldisable your VPN access.

Request access to the SBGrid VPN

Please email the SBGrid at help@sbgrid.org.

Members using macOS

Tunnelblick

Tunnelblick 2fa App

Installation Steps

  1. Download file SBGrid.ovpn using the link we email you; you will need it later.
  2. Download Tunnelblick.
  3. Open the Tunnelblick Package
  4. Double-Click on the Tunnelblick icon to start the Installer
  5. Start Tunnelblick
  6. Click on 'I have configuration files'
  7. Follow the instructions (drag the .ovpn file to the Tunnelblick Icon)
  8. A Window will appear, click 'Only Me'

Start the VPN

  1. Start Tunnelblick if it's not already running
  2. Click on the Tunnelblick icon
  3. Then click on 'Connect sbgrid.org'
  4. Enter your SBGrid username and password
  5. This is the same as your xtal200.harvard.edu ssh login
  6. If you receive a warning stating that your computer's apparent public IP hasn't changed - this is normal. Just check 'Do not check for IP address changes' box and click OK.

Stop the VPN

Tunnelblick
  1. Click on the Tunnelblick icon
  2. Then click on 'Disconnect sbgrid.org'

Members using Windows (limited support)

Caveat: As of early 2020, there may be problems with name resolution inside the Windows Subsystem for Linux.

Tunnelblick for ios

Tunnelblick 2fa How To

  1. Ensure your Windows installation is up-to-date and protected by anti-virus software.
  2. Download the file that we linked in our email; you will need it later.
  3. Download and install the openvpn 'community' client.
  4. Through the client, Import the *.ovpn configuration file.
  5. During Connecting, use your SBGrid Linux account credentials when prompted.
  6. You may have to address SBGrid remote hosts using their IP address.
  7. Disconnect to exit the VPN.

Tunnelblick For Mac

Members using Linux

Tunnelblick 2fa Fortnite

  1. Install OpenVPN (sudo apt-get install openvpn on ubuntu)
  2. Dowload the .ovpn configuration using the link we e-mailed you.
  3. Edit the .ovpn file, and uncomment the two lines below the # Uncomment following lines for linux
  4. Connect to the VPN: sudo openvpn --config SBGrid.ovpn --script-security 2 (adjust .ovpn file name as needed); enter your user name and password when prompted
  5. The VPN process will remain active in the terminal you launched it from
  6. To disconnect, control-C in that terminal window will stop the VPN connection




Cisco Anyconnect Command Line
Guitar XzJam Virtual Band

Comments are closed.