Add basic authentication / password to OpenVPN certificate

3 Comments

Issue: How can I add basic authentication / password to my OpenVPN connection featuring certificates?

There are quite a lot of tutorials on how to set up your own VPN server. An excellent tutorial has been published by DigitalOcean. However this (and nearly every other) tutorial feature a secure connection by either certificates or user credentials. A combined approach is hardly to be found. This post shows how to enable basic authentication additionally to certificates using OpenVPN.

Prerequisites

Before you start adding basic authentication, make sure you are already able to connect by certificates. The DigitalOcean tutorial is a great place to get started, as I will not cover the initial setup of a VPN server.

Step 1 – Plugging a module

To achieve basic authentication, we need a way to validate the sent credentials. An easy way to do this, is using PAM. This acronym stands for Pluggable Authentication Modules and provides an infrastructure to authenticate users by configurable modules (e.g. Samba, LDAP, Kerberos, etc.). We will be using PAM to authenticate against registered users on our host system. So you will be able to use the same credentials for the VPN connection as you do on your host. Feel free to add a dedicated user to your system exclusively for VPN connections.

Create a new file /etc/pam.d/openvpn and insert the following two lines:

auth    required        pam_unix.so    shadow    nodelay
account required        pam_unix.so

This will allow OpenVPN to authenticate against PAM.

Step 2 – Configuring OpenVPN

OpenVPN does not care for another level of authentication at this point. To change this behaviour, edit the /etc/openvpn/server.conf file and add this line somewhere, advisable on the top:

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
Depending on your host system, the plugin may have a different name. Above solution is based on Raspbian. For Ubuntu it’s openvpn-auth-pam.so – have a look at the directory on your host to be sure.

After a restart of the corresponding service the server will not accept a certificate without basic authentication.

service openvpn restart

Now we’ll need the client to open a prompt for credentials when initiating a connection. To achieve this, edit your client config file (most likely a .ovpn file) and add this line somewhere:

auth-user-pass

On your next connection you will need your certificate, as well as credentials of a registered user.

Editing the .ovpn file on a Windows client should instantly have an effect. When using the official Android client, you will have to reimport the client config for changes to appear.

3 Comments

  1. Harry Jaeger

    Hi, great tutorial but there is a missing part in Step 2:
    “service openvpn restart”. I think you pasted the wrong line here.
    Please update the line. I really want to know how it is done. 😀

    Cheers
    Harry

    Reply

    • Tobey

      Hi Harry,

      sorry for getting back so late. I updated the post. Somehow the code-snippet plugin in WordPress is broken and the line was replaced. I added the line as a basic type of text:
      plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

  2. Your ideas absolutely shows this site could easily be one of the bests in its niche. Drop by my website FQ7 for some fresh takes about Airport Transfer. Also, I look forward to your new updates.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *