Subversion Repositories web_pages

# Program Overview: totp_opnsense Suite (Updated)

# Program Overview: totp_opnsense Suite

This suite consists of four main programs/modules for managing TOTP and OpenVPN user access with OPNSense routers. Each has a distinct role in the workflow, from configuration parsing to user authentication and QR code delivery.

This suite consists of four main programs/modules for managing TOTP and OpenVPN user access with OPNSense routers. Each has a distinct role in the workflow, from configuration management to user authentication and credential delivery.

- Reads and parses OPNSense configuration files.

- Interactive tool for managing router configurations stored in `routers.json`.

- Loads settings and credentials for API access and OpenVPN configuration.

- Allows adding, editing, and removing router definitions.

- Provides utility subs for configuration management.

- Manages API credentials, VPN provider settings, and OpenVPN configuration formats.

- Modular subroutines with headers for clarity.

- Menu-driven interface for easy configuration management.

- Loads the custom `Opnsense` Perl module for API interaction.

- Supports multiple OpenVPN configuration formats per router.

- `readConfig`: Reads and parses the configuration file.

- `readConfig`: Reads router configuration from JSON file.

- Provides a web interface for users to log in and retrieve their TOTP QR code and OpenVPN configuration.

- Web interface for users to authenticate and retrieve their TOTP QR code and OpenVPN configurations.

- Validates user credentials and displays relevant information.

- Validates user credentials against password hashes stored in `users.json`.

- Function headers for all major operations.

- Password verification using bcrypt hashes.

- Reads configuration generated by `processOPNSense.pl`.

- Router selection dropdown populated from available routers.

**Main Functions:**

**Main Functionality:**

- `validateUser`: Validates user credentials against stored data.

- Reads configuration from `users.json` generated by `opnsense-totp-ovpn-export`.

- `displayQRCode`: Shows the QR code for the user's OTP.

- Displays QR code image for TOTP setup.

- `displayOTPSeed`: Displays the OTP seed for manual entry.

- Shows TOTP seed for manual entry into authenticator apps.

- `downloadOvpnFile`: Provides a download link for the user's OpenVPN configuration.

- Provides download links for OpenVPN configuration files:

- Displays the last time users.json was updated and allows a request for that from the webui. If user requests an update, a file is placed in /tmp which can be managed by a cron job

- Allows users to request router data refresh via web interface.

- see `updaterouters.cron` for an example of allowing users to request a rescan of a router.

- See `updaterouters.cron` for an example of allowing users to request a rescan of a router.

- Creates a lock file and checks there is only one instance running to decrease chance of corruption

- Connects to OPNsense router via API to retrieve user credentials and VPN configurations.

- Loads router and user configuration from JSON files.

- Generates QR codes for TOTP authentication.

- Uses the `opnsense` module to interact with the OPNSense API.

- Creates OpenVPN configuration files based on defined formats.

- Generates QR codes and OpenVPN configuration files for users.

- Updates `users.json` with current user data.

- Uses `GD::Barcode::QRcode` for QR code generation and `MIME::Base64` for decoding OpenVPN files.

- Uses `GD::Barcode::QRcode` for QR code generation.

- `loadConfig`: Loads router configuration from a JSON file.

- `loadConfig`: Loads router configuration from JSON file (`routers.json`).

- `loadUsers`: Loads user data from a JSON file.

- `loadUsers`: Loads user data from JSON file (`users.json`).

- Additional subs for QR code and OpenVPN file management.

  - Additional configuration strings (e.g., `proto tcp\nport 443`)

**user configuration file**

**user configuration file (users.json)**

- The users configuration file (users.json) contains sensitive information (totp codes and password hash)

- Contains sensitive information (TOTP codes and password hashes).

- The users configuration file is used by both index.php and loadOpnSense.pl, so should be owned by root, but with read access to others

- Used by both `index.php` and `opnsense-totp-ovpn-export`.

- The users configuration file is a json file with the following structure

- Should be owned by root with read access for web server.

   {

{

      "router1" : {

  "router1": {

         "qrLocationFileystem": "/file/system/path/to/qrcode/directory",

    "qrLocationFileystem": "/file/system/path/to/qrcode/directory",

         "qrLocation": "./qrcodes", # relative path to qrcode directory

    "qrLocation": "./qrcodes",

         "ovpnLocationFileSystem": "/file/system/path/to/ovpn/directory",

    "ovpnLocationFileSystem": "/file/system/path/to/ovpn/directory",

         "ovpnLocation": "./openvpn_configs", # relative path to ovpn file directory

    "ovpnLocation": "./openvpn_configs",

         "lastUpdate": 1759817343, # unix timestamp of last update

    "lastUpdate": 1759817343,

         "users" : {

    "users": {

            "user1" : {

      "user1": {

               "password" : "<hashed password>",

        "password": "<bcrypt hashed password>",

               "otp_seed" : "<otp seed>",

        "otp_seed": "<TOTP seed in base32>",

               "qrFile" : "<path to qr code image file (relative)>",

        "qrFile": "./qrcodes/router1_user1.png",

               "ovpnFile" : "<path to openvpn config file (relative)>"

        "ovpnFile": "./openvpn_configs/router1_user1.ovpn"

      "router2" : {

      "user2": {

         ...

        ]

   }

    }

**router configuration file**

**Note on ovpnFile:**

- The router configuration file contains the apiSecret and apiKey that could allow black hats to access and modify your router

- Can be a string (single configuration file) or array (multiple configuration files).

- The router configuration file is owned by root and set with permissions 0600, allowing access only to the root user

- Multiple files are automatically displayed as separate download links in web interface.

- The router configuration file is a json file with the following structure

**router configuration file (routers.json)**

    "hostname": "router.example.org", # hostname written to ovpn files

    "url": "https://192.168.1.1",

    "localPort": "1194", # port number written to ovpn files

    "apiKey": "public API key from OPNsense Router",

    "apiSecret": "secret API key from opnSense Router",

    "apiSecret": "secret API key from OPNsense Router",

    "apiKey": "public API key from openSense Router",

    "downloadToken": "random-token-string",

    "url": "https://192.168.1.1", # how the scripts connect to router

        "additionalStrings": "proto tcp\\nport 443\\nauth-nocache"

    "template": "PlainOpenVPN", # valid template from opnsense, PlainOpenVPN is used exclusively so far

        "additionalStrings": "proto udp\\nport 1194\\nauth-nocache"

    "ovpnIndex": "1" # the index into the OVPN instance. In older systems, a single digit, in newer ones a long hash

        "additionalStrings": "proto tcp\\nport 8443\\nauth-nocache"

1. Get API Key from router and save

   - Obtain API key and secret from OPNsense router (System → Access → Users).

2. Run `configure` to set up router

   - Run `./configure` to set up router configuration.

3. run `opnsense-totp-ovpn-export` to export the .ovpn files and generate the totp QR code image

   - Run `./opnsense-totp-ovpn-export routername` to:

4. Users access `index.php` to log in, view their QR code, OTP seed, and download OpenVPN config.

   - Log in with username, password, and router selection.

All scripts treat OTP secrets and user data as sensitive. It is recommended to keep generated files and QR codes on a secure internal network.

All scripts treat OTP secrets and user data as sensitive information: