OpenVPN login with username / password

Last updated: 2016-06-14

Contents

 * Server Setting
 * Client Setting

Server Setting

server.conf

This instructs the auth-pam module (authentication plugin) to look for the PAM responses 'login' and 'password'.

The authentication plugin can control whether or not the OpenVPN server allows the client to connect by returning a failure (1) or success (0) value.

CentOS 6 32-bit

...
client-cert-not-required
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
...

/etc/pam.d/openvpn

auth       required     pam_userdb.so db=/etc/openvpn/users debug
account    sufficient   pam_userdb.so db=/etc/openvpn/users debug

options

  • debug           Print debug information.
  • dump            Dump all the entries in the database to the log. Don't do this by default!


Log output at 'verb 5'

Wed May  6 12:25:35 2015 x.x.x.x:1030 PLUGIN_CALL: POST /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Wed May  6 12:25:35 2015 x.x.x.x:1030 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so

status=0 <== success


Other login methods

plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth
auth-user-pass-verify /etc/openvpn/vpncheckCN-user.sh via-env
tls-verify "/etc/openvpn/vpncheckCN-cert.sh /etc/openvpn/userlist.txt"
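The auth-user-pass-verify script referenced above can be any program that reads the client's credentials and exits 0 for success or 1 for failure, exactly as the plugin return values described under server.conf. The following is an added example (not from the original page or from OpenVPN) of such a script for via-env mode, which requires script-security 3 on the server; it assumes a store file of user:salt:hash lines holding PBKDF2-SHA256 hashes and embeds a constructed sample store so it can be exercised without OpenVPN.

```python
#!/usr/bin/env python3
"""Added example auth-user-pass-verify script for OpenVPN 'via-env' mode.

OpenVPN exports the client's credentials in the environment variables
'username' and 'password' and treats exit status 0 as success, 1 as failure.
Passwords are checked against salted PBKDF2-SHA256 hashes rather than a
plaintext list, so a leaked store does not disclose the passwords.
"""
import hashlib
import hmac
import os
import sys

ITERATIONS = 100_000           # PBKDF2 work factor (assumed value)
DUMMY_SALT = b"\x00" * 16      # used for unknown users so timing stays uniform


def make_entry(username: str, password: str, salt: bytes = b"") -> str:
    """Return one 'user:salt:hash' store line (salt and hash hex-encoded)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{username}:{salt.hex()}:{digest.hex()}"


def parse_store(text: str) -> dict:
    """Parse 'user:salt:hash' lines; blank lines and '#' comments are skipped."""
    store = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, salt_hex, hash_hex = line.split(":", 2)
        store[user] = (bytes.fromhex(salt_hex), bytes.fromhex(hash_hex))
    return store


def verify(username: str, password: str, store: dict) -> bool:
    """Always run PBKDF2 and compare in constant time, even for unknown users."""
    salt, expected = store.get(username, (DUMMY_SALT, b""))
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return username in store and hmac.compare_digest(actual, expected)


# Constructed sample store; a deployment would pass the store path as argv[1].
SAMPLE_STORE = "\n".join([make_entry("alice", "correct horse battery"),
                          make_entry("bob", "hunter2")])


def main() -> int:
    user = os.environ.get("username", "")      # set by OpenVPN in via-env mode
    password = os.environ.get("password", "")
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STORE
    return 0 if verify(user, password, parse_store(text)) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Install it with `auth-user-pass-verify /etc/openvpn/verify-user.py via-env` (path assumed) and make the store file readable only by the user OpenVPN runs as.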

dual authentication

By default, using auth-user-pass-verify or a username/password-checking plugin on the server will enable dual authentication,

requiring that both client-certificate and username/password authentication succeed in order for the client to be authenticated.


Client Setting


client.ovpn

# "auth-user-pass" requires "pull" / "client"
client
remote x.x.x.x

ca ca.txt

auth-user-pass auth.txt
.......................


auth.txt

username
password

Troubleshooting

[1]

log

openvpn[68598]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]x.x.x.x:y

If a tls-auth key is used on the server then every client must also have the key.

tls-auth ta.key 1

[2]

log

openvpn[2411]: x.x.x.x:y Authenticate/Decrypt packet error: cipher final failed

The server is configured with a stronger cipher, so the client must specify the same one:

cipher AES-128-CBC

References

pam_userdb

http://datahunter.org/pam_userdb