OpenVPN with ID and Password Authentication on Ubuntu

In a recent post, we did a step by step on installing OpenVPN to an Ubuntu server 12.04/14.04. https://www.slsmk.com/getting-started-with-openvpn/

The default install used certificate based authentication for the client. So if the client has the proper files, it can connect to the server.

So lets say you want to use an ID and Password instead of a client cert. Although it is less secure than the cert method, it is much easier to administer. Plus, in certain instances, such as a VPN provider, the creation and delivery of certs to the end user may cause alot of confusion and result in hours of support calls.

Building off of the previous example, lets change to server to use id/pw from the local user list instead of client certs.

This is done through a plugin that is provided with OpenVpn in the Ubuntu package.

Start by copying the required plugin to the openvpn directory

For Ubuntu 12.04

cp /usr/lib/openvpn/openvpn-auth-pam.so /etc/openvpn/

Now edit the /etc/openvpn/server.conf file and add the following:

client-cert-not-required 
username-as-common-name 
tmp-dir "/etc/openvpn/tmp/"                      
plugin /etc/openvpn/openvpn-auth-pam.so /etc/pam.d/login 

For Ubuntu 14.04

cp /usr/lib/openvpn/openvpn-plugin-auth-pam.so /etc/openvpn/

Now edit the /etc/openvpn/server.conf file and add the following:

client-cert-not-required 
username-as-common-name 
tmp-dir "/etc/openvpn/tmp/"                      
plugin /etc/openvpn/openvpn-plugin-auth-pam.so /etc/pam.d/login 

Create the temp directory mentioned above and allow all writes to it:

mkdir /etc/openvpn/tmp
chmod 777 /etc/openvpn/tmp

Restart OpenVPN

/etc/init.d/openvpn restart

And that’s it. Change your client’s settings so that it uses the id/pw method instead of certs and give it a test.

Note:
Even though you are using ID/PW for client auth, the server must still have the server certificates generated. The client will still need to have a local copy of the ca.crt and the dh2048.pem
If the client does not have a valid ca.crt file specified, you will receive an error stating that you must provide a valid path with – – ca.

2 Responses to OpenVPN with ID and Password Authentication on Ubuntu

  1. geezwiz says:

    Great tutorial! This have help me a lot to configure my server.

    However those 4 lines:

    tmp-dir “/etc/openvpn/tmp/”

    plugin /etc/openvpn/openvpn-plugin-auth-pam.so /etc/pam.d/login

    mkdir /etc/openvpn/tmp

    chmod 777 /etc/openvpn/tmp

    could simply be replaced by

    plugin /etc/openvpn/openvpn-plugin-auth-pam.so login

    in the /etc/openvpn/server.conf for a more secure configuration.

    There are also no need to put “script-security 3” in the /etc/openvpn/server.conf if you only use the line I have just suggested. The “script-security 3” could potentially be unsafe according to the official openvpn doc.

    Thank you!

  2. Mohammad Hashem says:

    what about ubuntu openvpn client configuration to use id/passwd

Leave a Reply

Your email address will not be published. Required fields are marked *

Solve : *
21 + 15 =