Where and how should I define OpenVPN user pass?

Solution 1:

PAM stands for Pluggable Authentication Modules; it is a system authentication and authorization framework. It can use a file, a database, or whatever you have configured as password storage. It can even use things other than passwords to authenticate (say, OTP and so on); it can do two-factor authentication, link to an external trusted third party (like Kerberos) and so on. In the simplest case it uses a shadow file to store encrypted passwords for system users.

The openvpn-auth-pam module allows you to authenticate OpenVPN peers using this system authentication framework. login here means the PAM service your OpenVPN will use. Likely you already have some services; for example, system-auth is used for local users. Take a look at the files in /etc/pam.d/ to get a feel for how PAM is configured, and also please read its manuals.

What you'll find out is that the login service by default just refers to system-auth. To use this as is, you first create local system users and set their passwords. Then add the --auth-user-pass option to the client configs, either with a credentials file name or naked (then it will ask for credentials interactively). See man openvpn for details.

Finally, remember to always employ certificate-based authentication first. Each VPN peer must have its own unique certificate/key pair. Username/password authentication must be considered only a supplementary security measure. And better not use the 'duplicate-cn' feature.
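To make the setup described in this answer concrete, here is an added example (not from the original answer) of the three pieces involved: the server loading the auth-pam plugin against the login PAM service, the PAM service delegating to system-auth, and a client using auth-user-pass on top of its own certificate. The plugin path, PKI paths, hostname and user name are assumptions; adjust them to your distribution.

```conf
# --- /etc/openvpn/server.conf (paths are assumptions; vary per distro) ---
dev tun
server 10.8.0.0 255.255.255.0
# Certificate-based authentication comes first: every peer presents its own
# unique client certificate, verified against this CA. Requiring it is the
# default; it is spelled out so it is never accidentally relaxed.
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh.pem
verify-client-cert require   # OpenVPN 2.4+; never "none" or "optional"

# Supplementary factor: username/password checked through PAM. The last
# argument is the PAM service name, i.e. /etc/pam.d/login on this host.
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login

# Deliberately absent: "duplicate-cn". Without it, one certificate can hold
# only one session, so a copied cert/key pair is noticed instead of shared.

# --- /etc/pam.d/login (excerpt, RHEL-style syntax) ---
# As the answer notes, login just delegates to system-auth, which ends in
# pam_unix.so checking the local shadow file. The VPN accounts are therefore
# ordinary local users; create them without a shell so the password is good
# for the VPN only, e.g.:  useradd -M -s /usr/sbin/nologin alice && passwd alice
auth     include  system-auth
account  include  system-auth

# --- client.conf ---
client
dev tun
remote vpn.example.com 1194   # placeholder hostname
ca   ca.crt
cert alice.crt                # this peer's own certificate ...
key  alice.key                # ... and private key; never copied to another peer
auth-user-pass                # naked: prompts for username and password
#auth-user-pass creds.txt     # or a file: line 1 username, line 2 password (mode 0600)
auth-nocache                  # do not keep the password cached in memory after use
```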