
I am a newbie in OpenVPN and I need help configuring the server and client .ovpn to use only username/password authentication. Examples of client.ovpn and server.ovpn would be very helpful. Thanks.


Here is what I have done:

server

port 1194
proto udp
dev tun
ca "C:\\OpenVPN\\config\\ca.crt"
cert "C:\\OpenVPN\\config\\server.crt"
key "C:\\OpenVPN\\config\\server.key"  # This file should be kept secret
dh "C:\\OpenVPN\\config\\dh1024.pem"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

client

client
dev tun
;dev-node MyTap
;proto tcp
proto udp
remote 188.247.133.19 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert dzoni-block.crt
key dzoni-block.key
ns-cert-type server
comp-lzo
verb 3

The above config works fine, but I want to use only username/password authentication. I have tried adding client-cert-not-required on the server and auth-user-pass auth.txt on the client, where auth has 2 lines (user/pass), and it's not working.

If anyone has a configuration that works with only username/password, some examples would help me a lot. Thanks.

Sven
Nikola Serdar
    Welcome to Server Fault! What have you tried? What did you expect to happen? What happened instead? What does your config look like? Do you have any log entries from the times it didn't work as expected? – Jenny D Jan 26 '16 at 06:37

1 Answer

On the server end, you would need to decide how to authenticate users with a username/password combination.

AFAIK, the most common way is to use OpenVPN's PAM plugin. For your purposes, you would need to have the following entries in your server.conf:

username-as-common-name
client-cert-not-required

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

You would also need to create a PAM config for openvpn (e.g. /etc/pam.d/openvpn).

If you were using RADIUS to authenticate users, then your PAM config might look like:

account         required        pam_radius_auth.so
account         required        pam_radius_auth.so
auth            required        pam_radius_auth.so no_warn try_first_pass

And you would store the details of the RADIUS server in /etc/pam_radius.conf.

On the client side, your config could be as little as:

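client
ca server.pem
dev tun
nobind
comp-lzo
# send a username/password to the server (prompts unless a file is given)
auth-user-pass
# keep a single cipher line, matching the server's cipher
cipher BF-CBC
cipher AES-256-CBC
cipher AES-128-CBC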

Just add your remote in there, and it should work.

iwaseatenbyagrue
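The combinations discussed in this thread, as an added example that is not part of the question or the answer: a small Python checker that reports which directives a username/password-only server or client config is missing. The rule set, the function names and the shortened sample configs are assumptions of this example; `verify-client-cert none` is accepted as the OpenVPN 2.4+ spelling of `client-cert-not-required`.

```python
# Added example (not from the posts above): checks an OpenVPN server/client
# pair meant to authenticate with username/password only. The rules and
# function names are this example's own assumptions, not an OpenVPN tool.

def parse(text):
    """Map each directive name to the list of its argument lists."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split(" #")[0].strip()        # drop trailing comments
        if line and line[0] not in "#;":         # skip comment-only lines
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts

def check_server(text):
    o, out = parse(text), []
    certless = "client-cert-not-required" in o or o.get("verify-client-cert") == [["none"]]
    if not certless:
        out.append("client certificates are still required")
    if not o.keys() & {"plugin", "auth-user-pass-verify"}:
        out.append("no plugin or auth-user-pass-verify: nothing validates the password")
    if certless and "username-as-common-name" not in o:
        out.append("username-as-common-name missing: sessions are not named after the user")
    return out

def check_client(text):
    o, out = parse(text), []
    if "auth-user-pass" not in o:
        out.append("auth-user-pass missing: no credentials are sent")
    if "ca" not in o:
        out.append("ca missing: the server certificate cannot be verified")
    if not o.keys() & {"remote-cert-tls", "ns-cert-type"}:
        out.append("no remote-cert-tls: peer certificate is not checked to be a server's")
    if len(o.get("cipher", [])) > 1:
        out.append("cipher set %d times: keep one" % len(o["cipher"]))
    return out

# Constructed samples, shortened from the configs on this page.
ATTEMPT_SERVER = 'ca ca.crt\ncert server.crt\nkey server.key  # keep secret\nclient-cert-not-required'
PAM_SERVER = ATTEMPT_SERVER + ("\nusername-as-common-name\n"
    "plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn")
MINIMAL_CLIENT = "client\nca server.pem\ndev tun\ncipher BF-CBC\ncipher AES-256-CBC"

if __name__ == "__main__":
    for label, findings in (("attempt/server", check_server(ATTEMPT_SERVER)),
                            ("pam/server", check_server(PAM_SERVER)),
                            ("minimal/client", check_client(MINIMAL_CLIENT))):
        print(label, findings or "ok")
```

The first sample mirrors the server change tried in the question: certificates are no longer required, but no plugin or verify script is configured, so the checker reports that nothing validates the password.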