Thursday, May 12, 2016

enable pam authentication on openvpn

- follow the how-to at the link below; at the end of it you will have a working OpenVPN server that authenticates clients with certificates and keys only.
http://www.atechnote.com/2015/02/configure-openvpn-for-remote-access-user.html

so, to enable PAM authentication on top of that, we have to adjust the configuration on both the server and the client

*** on openvpn server ***
1- modify the OpenVPN server configuration /etc/openvpn/server.conf as below
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 3.1.1.0 255.255.255.0"
push "route 4.1.1.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "login login USERNAME password PASSWORD"

2- restart the openvpn service so the modification takes effect
$ sudo /etc/init.d/openvpn restart

3- create a new user, user1, with password pass1
$ sudo useradd -m user1
$ sudo passwd user1


*** on client side ***
1- create the file /etc/openvpn/auth.txt with the following content (username on the first line, password on the second)
user1
pass1

2- modify the OpenVPN client configuration file as below
client
dev tun
proto udp
remote 10.0.3.121 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user1.crt
key user1.key
remote-cert-tls server
comp-lzo
verb 3

auth-user-pass auth.txt

3- restart the openvpn service; once authentication succeeds, it creates a new tun interface that acts as the entry point of the tunnel
$ sudo /etc/init.d/openvpn restart
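The steps above, gathered into one script. This is an added example and not part of the original post: it applies the server-side plugin line and the client-side auth.txt / auth-user-pass changes to whatever directory you point it at, so it can be tried under /tmp before touching /etc/openvpn. It assumes the plugin path and file names used in the post; the helper names (add_pam_plugin, write_auth_file, auth_file_is_private, add_auth_user_pass) are mine. It also does two things the post leaves implicit: it adds each directive only once, so re-running it does not duplicate lines, and it creates auth.txt with mode 600, because the file holds the password in clear text and OpenVPN warns when it is readable by others.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the plugin path and
# file layout described in the post; all function names are my own.
set -eu

PLUGIN_SO=/usr/lib/openvpn/openvpn-plugin-auth-pam.so   # path used in the post
PLUGIN_LINE="plugin $PLUGIN_SO \"login login USERNAME password PASSWORD\""

# Append the PAM plugin directive to a server.conf, unless it is already there,
# so running this twice does not leave two plugin lines.
add_pam_plugin() {
    conf=$1
    if grep -q 'openvpn-plugin-auth-pam.so' "$conf"; then
        return 0
    fi
    printf '\n%s\n' "$PLUGIN_LINE" >> "$conf"
}

# How many PAM plugin directives a config carries (should be exactly 1).
count_pam_plugin() {
    grep -c '^plugin .*openvpn-plugin-auth-pam.so' "$1"
}

# Write the client's auth.txt: username on line 1, password on line 2.
# Created under umask 077 and chmod 600 because it stores the password in clear text.
write_auth_file() {
    path=$1; user=$2; pass=$3
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$path" )
    chmod 600 "$path"
}

# Succeeds only when the auth file is readable by its owner alone.
auth_file_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Add "auth-user-pass <file>" to a client config, once.
add_auth_user_pass() {
    conf=$1; authfile=$2
    grep -q '^auth-user-pass' "$conf" || printf '\nauth-user-pass %s\n' "$authfile" >> "$conf"
}

# Usage against the real paths from the post (run as root):
#   add_pam_plugin /etc/openvpn/server.conf
#   write_auth_file /etc/openvpn/auth.txt user1 pass1
#   add_auth_user_pass /etc/openvpn/client.conf auth.txt
```

Because the cert, key and ca directives stay in both configs, the server still demands a valid client certificate and, in addition, a username/password that PAM accepts; removing the certificate requirement is a separate change that the post does not make.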
