OpenVPN with ID and Password Authentication or Two Factor Authentication

In a recent post, we walked step by step through installing OpenVPN on an Ubuntu Server 12.04 machine.

The default install used certificate-based authentication for the client, so if the client has the proper files, it can connect to the server.

Now let's say you want to use an ID and password instead of a client cert. Although it is less secure than the cert method, it is much easier to administer. Plus, in certain instances, such as a VPN provider, the creation and delivery of certs to the end user may cause a lot of confusion and result in hours of support calls.

Building on the previous example, let's change the server to use id/pw from the local user list instead of client certs.

This is done through a plugin that is provided with OpenVPN in the Ubuntu package.

Start by copying the required plugin to the openvpn directory:

cp /usr/lib/openvpn/ /etc/openvpn/

Now edit the /etc/openvpn/server.conf file and add the following:

tmp-dir "/etc/openvpn/tmp/"                      
plugin /etc/openvpn/ /etc/pam.d/login 

Create the temp directory mentioned above and allow all writes to it:

mkdir /etc/openvpn/tmp
chmod 777 /etc/openvpn/tmp

Restart OpenVPN:

/etc/init.d/openvpn restart

And that’s it. Change your client’s settings so that it uses the id/pw method instead of certs and give it a test.

In a two-factor authentication solution, the client needs both a valid cert and a valid id/pw on the host system. This is more secure than either of the 2 previous examples.

To get the OpenVPN server to use both id/pw and check for a valid cert, just comment out the following line in /etc/openvpn/server.conf


Restart the OpenVPN service on the host, then give it a test with the client.

/etc/init.d/openvpn restart
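
To confirm which of the three modes described above (cert only, id/pw only, or two factor) a given server.conf actually enforces after editing, the following check can be run against it. It is an added example, not part of the original post. It assumes that client-cert verification is disabled with OpenVPN's `client-cert-not-required` or `verify-client-cert none` options (the post does not quote the directive), and the function names and the plugin filename in the sample configs are placeholders.

```shell
#!/bin/sh
# Added example: report which client-authentication mode a server.conf enforces.

# Active directives only: comments (# or ;) stripped, whitespace normalised.
active_directives() {
    sed -e 's/[#;].*$//' "$1" | tr -s '\t ' ' ' |
        sed -e 's/^ //' -e 's/ $//' -e '/^$/d'
}

# Prints one of: cert-only | password-only | two-factor | none
vpn_auth_mode() {
    directives=$(active_directives "$1")
    pam=no
    cert=yes
    # id/pw via PAM: an active "plugin" line that references PAM, such as
    # the post's "plugin ... /etc/pam.d/login".
    if printf '%s\n' "$directives" | grep -Eq '^plugin .*pam'; then
        pam=yes
    fi
    # Assumption: these are the OpenVPN options that stop the server from
    # requiring a client certificate; the post does not name the directive.
    if printf '%s\n' "$directives" |
        grep -Eq '^(client-cert-not-required|verify-client-cert none)$'; then
        cert=no
    fi
    case "$pam/$cert" in
        yes/yes) echo two-factor ;;
        yes/no)  echo password-only ;;
        no/yes)  echo cert-only ;;
        *)       echo none ;;
    esac
}

# Constructed sample configs (not from a real server); the plugin filename
# "example-pam-plugin.so" is a placeholder.
demo_dir=$(mktemp -d)
printf 'port 1194\nca ca.crt\n' > "$demo_dir/cert.conf"
printf 'ca ca.crt\nplugin /etc/openvpn/example-pam-plugin.so /etc/pam.d/login\nclient-cert-not-required\n' > "$demo_dir/pw.conf"
printf 'ca ca.crt\nplugin /etc/openvpn/example-pam-plugin.so /etc/pam.d/login\n#client-cert-not-required\n' > "$demo_dir/2fa.conf"

for f in cert pw 2fa; do
    printf '%s: %s\n' "$f.conf" "$(vpn_auth_mode "$demo_dir/$f.conf")"
done
```

A result of `none` means the config has neither a PAM plugin nor a client-cert requirement active, which is worth catching before the restart.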