OpenVPN with ID and Password Authentication or Two Factor Authentication

In a recent post, we did a step by step on installing OpenVPN to an Ubuntu server 12.04. http://www.slsmk.com/installing-openvpn-on-ubuntu-server-12-04/

The default install used certificate based authentication for the client. So if the client has the proper files, it can connect to the server.

So lets say you want to use an ID and Password instead of a client cert. Although it is less secure than the cert method, it is much easier to administer. Plus, in certain instances, such as a VPN provider, the creation and delivery of certs to the end user may cause alot of confusion and result in hours of support calls.

Building off of the previous example, lets change to server to use id/pw from the local user list instead of client certs.

This is done through a plugin that is provided with OpenVpn in the Ubuntu package.

Start by copying the required plugin to the openvpn directory

 
cp /usr/lib/openvpn/openvpn-auth-pam.so /etc/openvpn/

Now edit the /etc/openvpn/server.conf file and add the following:

client-cert-not-required 
username-as-common-name 
tmp-dir "/etc/openvpn/tmp/"                      
plugin /etc/openvpn/openvpn-auth-pam.so /etc/pam.d/login 

Create the temp directory mentioned above and allow all writes to it:

mkdir /etc/openvpn/tmp
chmod 777 /etc/openvpn/tmp

Restart OpenVPN

/etc/init.d/openvpn restart

And that’s it. Change your client’s settings so that it uses the id/pw method instead of certs and give it a test.

In a Two Factor Authentication Solution, the client would need a valid Cert and a valid id/pw on the host system. This is more secure than either of the 2 previous examples.

To get the OpenVPN server to use both id/pw and check for a valid cert, just comment out the following line in /etc/openvpn/server.conf

#client-cert-not-required 

Restart openvpn service on the host then give it a test with the client.

/etc/init.d/openvpn restart
Bookmark the permalink.

3 Responses to OpenVPN with ID and Password Authentication or Two Factor Authentication

  1. Mohsen says:

    Hello sir and thank you for you really interesting post here!
    I want to know is it possible to authenticate users with an accounting server? such as s RADIUS server?
    I mean “the database of users are in a accounting server instead of the local OS”.
    Thanks

  2. Philip says:

    Well I won’t deny that this method works but you do some really strange and confusing stuff with directories. /etc is for settings not temp files and not libraries. Why do you copy the .so file and not simply reference it where it is? Why do you create the temp directory in /etc/openvpn/tmp and not one of the standard temp directories /var/tmp/openvpn or /tmp/openvpn?

    • Philip says:

      Also its bad practice to re-use /etc/pam.d/login in this way. Much better to copy this one first (eg: to /etc/pam.d/openvpn) so that you can separately configure your login users and your vpn users. The security requirements between the two may be completely different.

Leave a Reply

Your email address will not be published. Required fields are marked *

No bots allowed * Time limit is exhausted. Please reload the CAPTCHA.