I have written an article OpenVPN over Virtual Private Server (VPS), where only method of authentication is through certificates. In this method you can use username/password authentication method along with certificates.
Before reading this howto please read my previous how to install OpenVPN. You can find it in following two locations.
To use this authentication method, first add the auth-user-pass directive to the client configuration file. You will not find this directive in conf file so u just need to add it bottom of the file. It will direct the OpenVPN client to query the user for a username/password, passing it on to the server over the secure TLS channel.
Next, configure the server to use an authentication plug-in, which may be a script, shared object, or DLL. The OpenVPN server will call the plug-in every time a VPN client tries to connect, passing it the username/password entered on the client.
I used Script for authentication.
Script plug-in can be used by adding the auth-user-pass-verify directive to the server-side configuration file. You need to run your openVPN server as below
# cd /etc/openvpn # cp /root/openvpn-2.1_rc20/sample-scripts/auth-pam.pl /etc/openvpn/ # openvpn --config server.conf --auth-user-pass-verify auth-pam.pl via-file --script-security 2
auth-pam.pl perl script is used to authenticate the username/password of connecting clients. The auth-pam.pl script is included in the OpenVPN source file distribution in the sample-scripts subdirectory. It will authenticate users on a Linux server using a PAM authentication module, which could in turn implement shadow password. Ideally, copy auth-pam.pl in /etc/openvpn folder.
When I started the server it started successfully but I got the error. i.e Can’t locate Authen/PAM.pm
For this I did following
# wget <http://www.perl.com/CPAN/authors/id/N/NI NIKIP/Authen-PAM-0.16.tar.gz> # tar xvzf Authen-PAM-0.16.tar.gz # cd Authen-PAM-0.16 # perl Makefile.PL # make && make install # perl -e 'use Authen::PAM; print "Installation succestul.\n"'
Now create an ordinary user
# useradd saif
# passwd saif
And use this username to login on client side.
You can also add –client-cert-not-required directive while starting the openVPN server. In this case you don’t require client certificate, client will authenticate using username/password only but using this directive is less secure than requiring certificates from all clients.