OpenVPN steps to configure only username/password authentication

openvpn

I am newbie in OpenVPN and I need help to configure server and client .ovpn to use only username/password authentication. Examples of client.ovpn and server.ovpn with be very helpful. Thank's

Here what I done :

server

port 1194
proto udp
dev tun
ca "C:\\OpenVPN\\config\\ca.crt"
cert "C:\\OpenVPN\\config\\server.crt"
key "C:\\OpenVPN\\config\\server.key"  # This file should be kept secret
dh "C:\\OpenVPN\\config\\dh1024.pem"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

client

client
dev tun
;dev-node MyTap
;proto tcp
proto udp
remote 188.247.133.19 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert dzoni-block.crt
key dzoni-block.key
ns-cert-type server
comp-lzo
verb 3

Above config works fine. But I want to use only username/password authentication. I have tried to add in server client-cert-not-required , and in client auth-user-pass auth.txt where auth has 2 lines (user/pass) and its not working.

If anyone have configuration that working only with username/password some examples will helps me a lot. Thank's


Solution 1:

On the server end, you would need to decide how to authenticate users with a username/password combination.

AFAIK, the most common way is to use openVPN's PAM plugin. For your purposes, you would need to have the following entries in your server.conf:

username-as-common-name
client-cert-not-required

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

You would also need to create a PAM config for openvpn (e.g. /etc/pam.d/openvpn).

If you were using RADIUS to authenticate users, then your PAM config might look like:

account         required        pam_radius_auth.so
account         required        pam_radius_auth.so
auth            required        pam_radius_auth.so no_warn try_first_pass

And you would store the details of the RADIUS server in /etc/pam_radius.conf.

On the client side, your config could be as little as:

client
ca server.pem
dev tun
nobind
comp-lzo
cipher BF-CBC
cipher AES-256-CBC
cipher AES-128-CBC

Just add your remote in there, and it should work.

Related

cloud-init module order is wrong, how to fix?
SELinux: manually changing files in /etc/selinux/targeted/contexts/files/
Gains in running a docker container on the same OS type?
Ensure that no console sessions are left logged in (Linux)
Joining AD domain with Windows 10 using smart card
Push DNS for only a domain OpenVPN
mdadm software RAID isn't assembled at boot during initramfs stage
Massive performance degradation on sustained sequential write
Configure nginx to send response with header and footer for HTTP body
How to set-up google-authenticator and set specific match rules to allow different login rules?
Pre-labelled LTO-6/LTFS tape numbers- Are the tape numbers stored somewhere on the tape?
Apache Remote proxy for a reverse proxy SNI mismatch