I have written an article OpenVPN over Virtual Private Server (VPS), where only method of authentication is through certificates. In this method you can use username/password authentication method along with certificates.

Before reading this howto please read my previous how to install OpenVPN. You can find it in following two locations.

1. http://www.wbitt.com/contributed-howtos/145-openvpn-over-virtual-private-server-vps.html
2. http://saifurab.blogspot.com/2009/12/openvpn-over-virtual-private-server-vps.html

To use this authentication method, first add the auth-user-pass directive to the client configuration file. You will not find this directive in conf file so u just need to add it bottom of the file. It will direct the OpenVPN client to query the user for a username/password, passing it on to the server over the secure TLS channel.

Next, configure the server to use an authentication plug-in, which may be a script, shared object, or DLL. The OpenVPN server will call the plug-in every time a VPN client tries to connect, passing it the username/password entered on the client.

I used Script for authentication.

Script plug-in can be used by adding the auth-user-pass-verify directive to the server-side configuration file. You need to run your openVPN server as below

# cd /etc/openvpn  
# cp /root/openvpn-2.1_rc20/sample-scripts/auth-pam.pl /etc/openvpn/  
# openvpn --config server.conf --auth-user-pass-verify auth-pam.pl via-file --script-security 2

auth-pam.pl perl script is used to authenticate the username/password of connecting clients. The auth-pam.pl script is included in the OpenVPN source file distribution in the sample-scripts subdirectory. It will authenticate users on a Linux server using a PAM authentication module, which could in turn implement shadow password. Ideally, copy auth-pam.pl in /etc/openvpn folder.

When I started the server it started successfully but I got the error. i.e Can’t locate Authen/PAM.pm

For this I did following

# wget <http://www.perl.com/CPAN/authors/id/N/NI NIKIP/Authen-PAM-0.16.tar.gz>  
# tar xvzf Authen-PAM-0.16.tar.gz  
# cd Authen-PAM-0.16  
# perl Makefile.PL  
# make && make install  
# perl -e 'use Authen::PAM; print "Installation succestul.\n"'

Now create an ordinary user

# useradd saif
# passwd saif

And use this username to login on client side.

You can also add –client-cert-not-required directive while starting the openVPN server. In this case you don’t require client certificate, client will authenticate using username/password only but using this directive is less secure than requiring certificates from all clients.