OpenVPN client with Username and Password auth

Following on from last week’s post, we now need to set up the client.

Network Manager

The easiest OpenVPN client is network-manager. If you are using Ubuntu, run:

# aptitude install network-manager-openvpn
# restart network-manager

  • Now click on the network-manager applet, select configure VPN, and set up a new OpenVPN connection.
  • Set the gateway to your server
  • Set the type to Password
  • Point your CA to a copy of your server’s ca.crt and everything should just work

Everything Else

Linux, Windows and OSX all have ports of OpenVPN, and I have set up the client on each of them. Unless you want to pay for Viscosity on the Mac, the chances are you will need a client configuration file.

Attached is a simple client configuration file that will work. Edit it to match your server’s settings where appropriate. You will need this and your ca.crt in the same directory. On Windows the file extension is “.ovpn”. On Linux my file is called /etc/openvpn/client.conf

##############################################
# Sample client-side OpenVPN 2.0 config file.
# for connecting to multi-client server. 
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

dev tun
proto udp

# The hostname/IP and port of the server.
remote my-server-2.domain 1194


# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# Certificate Authority
ca ca.crt

# Username/Password authentication is used on the server
auth-user-pass

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
#
# Note: newer OpenVPN releases deprecate ns-cert-type
# in favour of "remote-cert-tls server".
ns-cert-type server

# Set log file verbosity.
verb 3

On Linux, to start the OpenVPN client simply type:
# openvpn --config /etc/openvpn/client.conf

To manage the connection on Windows I would suggest using OpenVPN GUI, and on OSX either Tunnelblick or Viscosity (non-free).
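
The client file above depends on three settings for its security: `ca`, the server certificate type check, and `auth-user-pass` prompting rather than reading a file. The following audit script is an added example, not part of the original post; the sample configs are constructed, `password.txt` is a hypothetical credentials file name, and `remote-cert-tls server` is accepted as the newer equivalent of `ns-cert-type server`.

```python
import os
import stat

# Constructed samples: PAGE_CONFIG mirrors the directives in the file above,
# WEAK_CONFIG drops the certificate-type check and reads credentials from a file.
PAGE_CONFIG = """client
dev tun
proto udp
remote my-server-2.domain 1194
ca ca.crt
auth-user-pass
ns-cert-type server
"""
WEAK_CONFIG = """client
remote my-server-2.domain 1194
ca ca.crt
auth-user-pass password.txt  # hypothetical credentials file
"""

def parse_directives(text):
    """Map each directive to its arguments; '#' or ';' starts a comment."""
    directives = {}
    for raw in text.splitlines():
        tokens = []
        for tok in raw.split():          # simplification: quoting is ignored
            if tok[0] in "#;":
                break
            tokens.append(tok)
        if tokens:
            directives[tokens[0].lstrip("-")] = tokens[1:]
    return directives

def audit_client_config(text, base_dir="."):
    """Return findings for the security-relevant settings of the client file."""
    d = parse_directives(text)
    findings = []
    if "ca" not in d:
        findings.append("no 'ca' directive: server certificate cannot be verified")
    # Either directive limits the peer to a certificate issued for server use.
    if d.get("ns-cert-type") != ["server"] and d.get("remote-cert-tls") != ["server"]:
        findings.append("no server certificate type check configured")
    if d.get("auth-user-pass"):          # a file argument was given
        path = os.path.join(base_dir, d["auth-user-pass"][0])
        findings.append(f"credentials are stored in plain text in {path}")
        if os.path.exists(path) and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"{path} is accessible to group/others; restrict to 0600")
    return findings

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_client_config(cfg) or "no findings")
```
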

7 thoughts on “OpenVPN client with Username and Password auth”

  1. Pingback: OpenVPN server with Username and Password auth « Rob Garth - Mildly Useful Stuff

  2. robg Post author

    I haven’t as yet done that, but I also need to make my setup (Debian) work with PAM. Once I have done that I will post an update.

  3. robg Post author

    I think I have found your problem but I have not tested.

    The server config on Debian reads:

    plugin /usr/lib/openvpn/openvpn-auth-pam.so login

    The plugin is in a different place on Fedora. Replace that line with:

    plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so login

  4. Pier

    Hi all,

    I’m running OPENVPN on Win 7.
    Is there any way to set the client config file to make the user and password come out automatically when logging on, avoiding the user having to input them manually?

    thanks & regards

    1. ekerette

      Add this line to your .ovpn config file, if it isn’t already there:
      “auth-user-pass password.txt” without the quotes.
      Save it.
      Then in the same folder as your ovpn file create a txt file with the following content:
      line 1: username
      line 2: password
      Save it (without the line 1 & 2).
      I hope you understand that username is the username you would ordinarily use, password also.
      Name the file password.txt, which corresponds with your auth-user-pass above.

      I hope this helps

      1. Rob Garth Post author

        This is an easy way to handle authentication and I can see a use case. I am just fundamentally opposed to having plain text passwords stored anywhere.

        There is a case for VPN users to not be system users but I would change the PAM conf to handle this (possibly using radius).
