In a recent post, we did a step-by-step guide on installing OpenVPN on an Ubuntu Server 12.04: http://www.slsmk.com/installing-openvpn-on-ubuntu-server-12-04/
The default install used certificate-based authentication for the client, so a client that has the proper files can connect to the server.
So let's say you want to use an ID and password instead of a client cert. Although it is less secure than the cert method, it is much easier to administer. Plus, in certain instances, such as a VPN provider, the creation and delivery of certs to the end user may cause a lot of confusion and result in hours of support calls.
Building off of the previous example, let's change the server to use an id/pw from the local user list instead of client certs.
This is done through a plugin that is provided with OpenVPN in the Ubuntu package.
Start by copying the required plugin to the openvpn directory:
cp /usr/lib/openvpn/openvpn-auth-pam.so /etc/openvpn/
Now edit the /etc/openvpn/server.conf file and add the following:
client-cert-not-required
username-as-common-name
tmp-dir "/etc/openvpn/tmp/"
plugin /etc/openvpn/openvpn-auth-pam.so /etc/pam.d/login
Create the temp directory mentioned above and allow all writes to it:
mkdir /etc/openvpn/tmp
chmod 777 /etc/openvpn/tmp
And that’s it. Change your client’s settings so that it uses the id/pw method instead of certs and give it a test.
In a two-factor authentication solution, the client would need a valid cert and a valid id/pw on the host system. This is more secure than either of the two previous examples.
To get the OpenVPN server to use both id/pw and check for a valid cert, just comment out the following line in /etc/openvpn/server.conf:
Restart the openvpn service on the host, then give it a test with the client.
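The post describes three authentication postures for the same server.conf: cert only (the default install), password only (client-cert-not-required plus the auth-pam plugin), and two-factor (the plugin active while a client cert is still required). The shell function below is an added example, not part of the original post or of OpenVPN itself: it reads a server.conf, ignores comments, and reports which of those three postures the file actually configures, so you can confirm the result of an edit before restarting the service. It generalizes slightly beyond the post by also recognizing auth-user-pass-verify scripts and the newer verify-client-cert none/optional forms as password checks and cert waivers respectively. The sample configs it writes are constructed for the demo; the file names and the helper name write_sample_confs are assumptions.

```shell
#!/bin/sh
# Added example: classify an OpenVPN server.conf by client-authentication posture.
# Prints one of: cert-only, password-only, two-factor, none
openvpn_auth_mode() {
    awk '
        { sub(/[#;].*$/, "") }                 # drop comments (# or ; to end of line)
        NF == 0 { next }                       # skip blank lines
        # A password check is any auth plugin (e.g. openvpn-auth-pam.so)
        # or an auth-user-pass-verify script.
        $1 == "plugin" && $2 ~ /auth/ { userpass = 1 }
        $1 == "auth-user-pass-verify"  { userpass = 1 }
        # The client cert is waived by client-cert-not-required, or by the
        # newer verify-client-cert none|optional.
        $1 == "client-cert-not-required" { nocert = 1 }
        $1 == "verify-client-cert" && ($2 == "none" || $2 == "optional") { nocert = 1 }
        END {
            if (userpass && nocert)   print "password-only"
            else if (userpass)        print "two-factor"
            else if (nocert)          print "none"       # neither cert nor password: misconfiguration
            else                      print "cert-only"
        }
    ' "$1"
}

# Constructed sample configs (assumption: file names are ours, not the post's)
# written into the directory given as $1.
write_sample_confs() {
    dir="$1"
    # Password only: the directives the post adds, cert waived.
    cat > "$dir/password-only.conf" <<'EOF'
port 1194
proto udp
dev tun
client-cert-not-required
username-as-common-name
tmp-dir "/etc/openvpn/tmp/"
plugin /etc/openvpn/openvpn-auth-pam.so /etc/pam.d/login
EOF
    # Two-factor: plugin still active, but the cert waiver is commented out,
    # so a valid client cert AND a valid id/pw are both required.
    cat > "$dir/two-factor.conf" <<'EOF'
port 1194
proto udp
dev tun
# client-cert-not-required
username-as-common-name
tmp-dir "/etc/openvpn/tmp/"
plugin /etc/openvpn/openvpn-auth-pam.so /etc/pam.d/login
EOF
    # Cert only: the default install, no password plugin at all.
    cat > "$dir/cert-only.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
EOF
}

# Stand-alone demo: classify each sample and print the result.
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
for f in "$demo_dir"/*.conf; do
    printf '%s: %s\n' "$(basename "$f")" "$(openvpn_auth_mode "$f")"
done
rm -rf "$demo_dir"
```

Run it against your real file with `openvpn_auth_mode /etc/openvpn/server.conf`; after the two-factor edit the post describes, the expected answer is `two-factor`, and `none` means the file waives the cert without adding any password check.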