In a recent post, we walked step by step through installing OpenVPN on an Ubuntu 12.04/14.04 server: https://www.slsmk.com/getting-started-with-openvpn/
The default install used certificate-based authentication for the client, so if the client has the proper files, it can connect to the server.
So let's say you want to use an ID and password instead of a client cert. Although it is less secure than the cert method, it is much easier to administer. Plus, in certain instances, such as a VPN provider, the creation and delivery of certs to the end user may cause a lot of confusion and result in hours of support calls.
Building off of the previous example, let's change the server to use ID/password from the local user list instead of client certs.
This is done through a plugin that is provided with OpenVPN in the Ubuntu package.
Start by copying the required plugin to the openvpn directory.
For Ubuntu 12.04:
cp /usr/lib/openvpn/openvpn-auth-pam.so /etc/openvpn/
Now edit the /etc/openvpn/server.conf file and add the following:
client-cert-not-required
username-as-common-name
tmp-dir "/etc/openvpn/tmp/"
plugin /etc/openvpn/openvpn-auth-pam.so /etc/pam.d/login
For Ubuntu 14.04:
cp /usr/lib/openvpn/openvpn-plugin-auth-pam.so /etc/openvpn/
Now edit the /etc/openvpn/server.conf file and add the following:
client-cert-not-required
username-as-common-name
tmp-dir "/etc/openvpn/tmp/"
plugin /etc/openvpn/openvpn-plugin-auth-pam.so /etc/pam.d/login
Create the temp directory mentioned above and allow all writes to it:
mkdir /etc/openvpn/tmp
chmod 777 /etc/openvpn/tmp
Restart OpenVPN:
/etc/init.d/openvpn restart
And that’s it. Change your client’s settings so that it uses the id/pw method instead of certs and give it a test.
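As an added example (not from the original post), the POSIX shell functions below apply the four server.conf directives described above idempotently, pick the plugin filename that matches the Ubuntu release, and check the result. The plugin and config paths are the ones used in the post; the commented usage lines at the end are an assumption about how you would run it on the server.

```shell
#!/bin/sh
# Added example: configure OpenVPN for PAM username/password authentication
# the way the post describes, without duplicating lines on a second run.

# Ubuntu 12.04 ships openvpn-auth-pam.so, 14.04 ships openvpn-plugin-auth-pam.so.
# Print the first plugin file that exists on this host; fail if neither does.
find_pam_plugin() {
    for p in /usr/lib/openvpn/openvpn-plugin-auth-pam.so \
             /usr/lib/openvpn/openvpn-auth-pam.so; do
        if [ -f "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Append a directive only if no line already starts with its keyword.
# $1 = config file, remaining args = the directive and its values.
add_directive() {
    conf="$1"; shift
    key="$1"
    grep -qE "^${key}([[:space:]]|\$)" "$conf" || printf '%s\n' "$*" >> "$conf"
}

# Add the four directives from the post. $1 = server.conf, $2 = plugin path.
configure_pam_auth() {
    conf="$1"; plugin="$2"
    add_directive "$conf" client-cert-not-required
    add_directive "$conf" username-as-common-name
    add_directive "$conf" tmp-dir '"/etc/openvpn/tmp/"'
    add_directive "$conf" plugin "$plugin" /etc/pam.d/login
}

# Return 0 when server.conf contains every directive needed for ID/PW auth.
verify_pam_auth() {
    conf="$1"
    grep -q '^client-cert-not-required' "$conf" &&
    grep -q '^username-as-common-name' "$conf" &&
    grep -q '^tmp-dir ' "$conf" &&
    grep -qE '^plugin [^ ]*auth-pam\.so /etc/pam\.d/login' "$conf"
}

# Usage on the server, following the post's steps (assumed; uncomment to apply):
# src="$(find_pam_plugin)" && cp "$src" /etc/openvpn/
# configure_pam_auth /etc/openvpn/server.conf "/etc/openvpn/$(basename "$src")"
# mkdir -p /etc/openvpn/tmp && chmod 777 /etc/openvpn/tmp
# /etc/init.d/openvpn restart
```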
Note:
Even though you are using ID/PW for client auth, the server must still have the server certificates generated. The client will still need to have a local copy of the ca.crt and the dh2048.pem.
If the client does not have a valid ca.crt file specified, you will receive an error stating that you must provide a valid path with --ca.
Great tutorial! This has helped me a lot to configure my server.
However, those 4 lines:
tmp-dir "/etc/openvpn/tmp/"
plugin /etc/openvpn/openvpn-plugin-auth-pam.so /etc/pam.d/login
mkdir /etc/openvpn/tmp
chmod 777 /etc/openvpn/tmp
could simply be replaced by
plugin /etc/openvpn/openvpn-plugin-auth-pam.so login
in the /etc/openvpn/server.conf for a more secure configuration.
There is also no need to put "script-security 3" in the /etc/openvpn/server.conf if you only use the line I have just suggested. The "script-security 3" could potentially be unsafe according to the official OpenVPN doc.
Thank you!
What about Ubuntu OpenVPN client configuration to use id/passwd?