openwisp-monitoring
[feature] Add support for iperf3 authentication
- With this enhancement, the user can use RSA authentication between the client and the server to restrict the connections to the server only to legitimate clients.
- We can leverage OPENWISP_IPERF_CHECK_CONFIG for this enhancement.
- The following options of iperf3 can be used to achieve this:
  At server side
  --rsa-private-key-path: path to the RSA private key used to decrypt authentication credentials.
  --authorized-users-path: path to the configuration file containing user credentials (.csv (format: username,sha256))
  At client side
  --username: username for authentication.
  --rsa-public-key-path: path to the RSA public key used to encrypt authentication credentials.
- The password will be prompted for interactively when the test is run.
- Note: the password to use can also be specified via the IPERF3_PASSWORD environment variable. If this variable is present, the password prompt will be skipped.
Steps:
Server
- Generate RSA keypair.
openssl genrsa -des3 -out private.pem 2048
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
openssl rsa -in private.pem -out private_not_protected.pem -outform PEM
After these commands, the public key will be contained in the file public.pem (will be used with --rsa-private-key-path at client) and the private key will be contained in the file private_not_protected.pem (will be used with --rsa-private-key-path at server).
- Then create a credentials.csv file with a hashed password.
# iperf3 hashes the literal string "{username}password", so the braces below are intentional
S_USER=mario S_PASSWD=rossi
echo -n "{$S_USER}$S_PASSWD" | sha256sum | awk '{ print $1 }'
----
0b0c98028105e9e4d3f100280eac29bba90af614d1c75612729228e4d160c601 #This is the hash of "mario"
credentials.csv
# file format: username,sha256
mario,bf7a49a846d44b454a5d11e7acfaf13d138bbe0b7483aa3e050879700572709b
- Now start the server with auth options.
iperf3 -s --rsa-private-key-path ./private_not_protected.pem --authorized-users-path ./credentials.csv
Client
- Copy public.pem from server to client (public key is used to encrypt the authentication token containing the user credentials)
# scp username@IP:source_path destination_path
scp [email protected]:Desktop/public.pem .
- Now run iperf3 test in client mode with auth options and enter user password.
iperf3 -c 192.168.5.109 --rsa-public-key-path public.pem --username mario
- At server side you will see Authentication successed for user 'mario'
➜ Desktop iperf3 -s --rsa-private-key-path private_not_protected.pem --authorized-users-path credentials.csv
-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
Authentication successed for user 'mario' ts 1657886991
Accepted connection from 192.168.5.109, port 42266
[ 5] local 192.168.5.109 port 5201 connected to 192.168.5.109 port 42268
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 202 MBytes 1.69 Gbits/sec
[ 5] 1.00-2.00 sec 179 MBytes 1.50 Gbits/sec
[ 5] 2.00-3.00 sec 182 MBytes 1.52 Gbits/sec
[ 5] 3.00-4.00 sec 185 MBytes 1.55 Gbits/sec
[ 5] 4.00-5.00 sec 185 MBytes 1.55 Gbits/sec
[ 5] 5.00-6.00 sec 178 MBytes 1.49 Gbits/sec
[ 5] 6.00-7.00 sec 176 MBytes 1.48 Gbits/sec
[ 5] 7.00-8.00 sec 173 MBytes 1.45 Gbits/sec
[ 5] 8.00-9.00 sec 197 MBytes 1.66 Gbits/sec
[ 5] 9.00-10.00 sec 190 MBytes 1.59 Gbits/sec
[ 5] 10.00-10.01 sec 1.07 MBytes 1.59 Gbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate
[ 5] 0.00-10.01 sec 1.80 GBytes 1.55 Gbits/sec receiver
-----------------------------------------------------------
- If something went wrong (wrong password or keys), you'll get an error and the iperf test fails.
-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
Authentication failed for user 'mario' ts 1657887010
iperf3: error - test authorization failed
Note: I have checked that the OpenWrt iperf3 package doesn't support iperf authentication, so we need to install iperf3-ssl (contains all iperf3 features + auth support) instead in order for this feature to work.
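As an added example (not code from this issue or from openwisp-monitoring), the following Python builds and checks credentials.csv rows the way the recipe above does: sha256 over the literal string `{username}password`, with `#` comment lines skipped as in the sample file. The function names and the sample username/password are constructed for the example.

```python
import hashlib
import secrets
from typing import Dict

def iperf3_password_hash(username: str, password: str) -> str:
    """sha256 over the literal string "{username}password".
    The braces are part of the hashed input, which is why the shell recipe
    above writes "{$S_USER}$S_PASSWD" rather than "${S_USER}"."""
    salted = "{" + username + "}" + password
    return hashlib.sha256(salted.encode("utf-8")).hexdigest()

def credentials_line(username: str, password: str) -> str:
    """One username,sha256 row for --authorized-users-path."""
    if not username or any(c in username for c in ",\r\n"):
        raise ValueError("username must be non-empty and contain no ',' or newline")
    return f"{username},{iperf3_password_hash(username, password)}"

def load_authorized_users(csv_text: str) -> Dict[str, str]:
    """Parse username,sha256 rows; blank lines and '#' comment lines are skipped."""
    users: Dict[str, str] = {}
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, digest = line.partition(",")
        if sep and len(digest.strip()) == 64:
            users[user.strip()] = digest.strip().lower()
    return users

def check_credentials(csv_text: str, username: str, password: str) -> bool:
    """Server-side decision: does the presented password match the stored hash?"""
    expected = load_authorized_users(csv_text).get(username)
    if expected is None:
        return False
    # Constant-time comparison of the two hex digests.
    return secrets.compare_digest(expected, iperf3_password_hash(username, password))

if __name__ == "__main__":
    # Constructed sample: same username as the thread, password "rossi" as in the recipe.
    csv = "# file format: username,sha256\n" + credentials_line("mario", "rossi") + "\n"
    print(csv + str(check_credentials(csv, "mario", "rossi")))
```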
@Aryamanz29 great work! In the README we can explain that on the OpenWrt side the iperf3-ssl package is needed for this feature, in prod we will most likely use RSA authentication which is better.
Hey @nemesisdesign we need to provide both --rsa-private-key-path --authorized-users-path (at server side) & --username --rsa-public-key-path (at client side) for this feature.
# server
iperf3: parameter error - you must specify a path to a valid RSA private key and
# client
iperf3: parameter error - you must specify a username, password, and path to a valid RSA public key
@nemesisdesign and I discussed the usage flow today for configuring authentication for the iperf check. We concluded on the following operations:
- The user will set username, password and rsa-public-key in settings (or check params). The rsa-public-key parameter will actually contain the content of the public key and not a file path.
- The check will perform the following operations upon execution:
  - it will first transfer the public key file and save it in a temporary file on the device (say /tmp/iperf-public.pem)
  - it will perform the iperf check using the public key
  - it will delete the public key from the device when the check is completed
We can make the deletion step skippable. We can create a setting which would skip the deletion process.
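An added Python sketch of the flow agreed above (not openwisp-monitoring code): the public-key content is written to a temporary path on the device, iperf3 runs with the password supplied through IPERF3_PASSWORD instead of the interactive prompt, and the key is removed afterwards unless the proposed skip setting is on. IperfAuthParams, the device methods and RecordingDevice are hypothetical names, and the device is simulated in memory so the example runs offline.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class IperfAuthParams:
    """Hypothetical check parameters; rsa_public_key is PEM content, not a path."""
    host: str
    username: str
    password: str
    rsa_public_key: str
    key_path: str = "/tmp/iperf-public.pem"
    skip_key_deletion: bool = False  # the proposed "skip deletion" setting

def iperf3_client_command(params: IperfAuthParams) -> List[str]:
    # No password here: iperf3 reads it from IPERF3_PASSWORD, so it stays out
    # of the device's process list.
    return ["iperf3", "-c", params.host, "-J",
            "--rsa-public-key-path", params.key_path,
            "--username", params.username]

def run_authenticated_check(params: IperfAuthParams, device) -> str:
    """Upload the key, run iperf3 with auth, then delete the key unless skipped.
    `device` needs write_file(path, content), exec(cmd, env) and remove_file(path);
    in openwisp that would be the device connection (hypothetical interface)."""
    device.write_file(params.key_path, params.rsa_public_key)
    try:
        env = {"IPERF3_PASSWORD": params.password}  # skips the interactive prompt
        return device.exec(iperf3_client_command(params), env)
    finally:
        # Runs even if the check raises, so a failed test leaves no key behind.
        if not params.skip_key_deletion:
            device.remove_file(params.key_path)

class RecordingDevice:
    """In-memory stand-in for a managed device so the flow runs offline."""
    def __init__(self) -> None:
        self.files: Dict[str, str] = {}
        self.commands: List[List[str]] = []
        self.envs: List[Dict[str, str]] = []

    def write_file(self, path: str, content: str) -> None:
        self.files[path] = content
    def exec(self, command: List[str], env: Dict[str, str]) -> str:
        self.commands.append(command)
        self.envs.append(env)
        return '{"constructed": "fake iperf3 -J output"}'

    def remove_file(self, path: str) -> None:
        self.files.pop(path, None)
```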