Hi,
Is it possible to also enable client passwords when defining OpenVPN configuration?
I would like that client-server connection not only relies on having the right certificates available, but ALSO having the proper knowledge.
For example, I am carrying a USB stick with OpenVPN client (portable) to remotely access my home network. But if I lose the stick (or someone copies the config), anyone can access my network... Therefore, I'd like to have the option to be asked for a password.
John
Support OpenVPN client with password
Re: Support OpenVPN client with password
Supporting Openvpn client username/password authentication would be great!
Thanks!
Re: Support OpenVPN client with password
This information comes a bit late, sorry.
This directive:
auth-user-pass
authenticates by username and password if included in the configuration file of the client.
In the above manner, running openvpn my_configfile.conf
asks you to enter the data manually.
You need to write a text file and save it to your router:
my_username
my_password
Save it as user_data.txt
Then add this line to your client configuration:
auth-user-pass /path_to_file/user_data.txt
and the authentication process no longer requires user intervention.
Re: Support OpenVPN client with password
I support this wish.
Re: Support OpenVPN client with password
@kk003, that requires the cooperation of the server. I'm unsure if the version of OpenVPN server that we have supports it yet, or if there's any way to jury-rig it to make it so.
Update:
I found a script that makes it possible (see below). It works for me.
Some notes relative to the steps below:
1) WinSCP does the trick for that also.
2) I put it in /etc/openvpn
3) He doesn't mean to actually include the brackets.
4) Yes, be sure to do that. I kept the log path at /var/log.
5) Ours is /etc/openvpn/server.conf, and in it do use the full path to ovpnauth.sh.
6) In reference to your user.ovpn file that you download from Gargoyle and use with the PC client.
https://github.com/troydm/ovpnauth.sh
Just in case that disappears:
OpenVPN sh authentication script with simple user db
for use with the auth-user-pass-verify via-file option
It's a simple sh shell script that is targeted at consumer routers that don't
have perl or any other scripting languages installed on them,
but need simple ovpn authentication
LICENSE
-----------------------------------
NONE
INSTALL
------------------------------------
1) copy ovpnauth.sh script to your server,
make it executable (chmod +x) and make sure you can execute it
2) create a file named ovpnauth.conf and put it inside for example
/usr/local/etc/
3) for each user you want to register
3a) compute the md5 checksum using: ovpnauth.sh md5 password
3b) add a line in your ovpnauth.conf that reads like this:
username=[computed-md5-password]
where [computed-md5-password] is the md5 checksum you computed
4) edit ovpnauth.sh and make sure your conf path (path to ovpnauth.conf) is correct
4a) (optional) you can change your logfile path
5) now in your openvpn.conf add these options
script-security 2
auth-user-pass-verify ovpnauth.sh via-file
also you can replace ovpnauth.sh with full path to your ovpnauth script
6) Enjoy sh shell based OpenVPN authentication
and don't forget to specify auth-user-pass option in
your openvpn client config
#!/bin/sh
# Config parameters
conf="/usr/local/etc/ovpnauth.conf"
logfile="/var/log/ovpnauth.log"
# End of config parameters

if [ "$1" = "" ] || [ "$1" = "help" ]
then
    echo "ovpnauth.sh v0.1 - OpenVPN sh authentication script with simple user db"
    echo " for use with auth-user-pass-verify via-file option"
    echo ""
    echo "help - prints help"
    echo "md5 password - to compute password md5 checksum"
    exit 1
fi

# md5 of "<password>.<hostname>" plus a newline, piped straight into md5sum
# instead of going through a predictable file in /tmp. The output is identical
# to the original version, so existing ovpnauth.conf entries keep working.
md5(){
    printf '%s.%s\n' "$1" "$(uname -n)" | md5sum | awk '{print $1}'
}

if [ "$1" = "md5" ]
then
    md5 "$2"
    exit 1
fi

log(){
    echo "`date +'%m/%d/%y %H:%M'` - $1" >> "$logfile"
}

logenv(){
    environment="`env | awk '{printf "%s ", $0}'`"
    echo "`date +'%m/%d/%y %H:%M'` - $environment" >> "$logfile"
}

# With "auth-user-pass-verify ... via-file", OpenVPN hands the script a temp
# file: line 1 is the username, line 2 the password. Read them line by line so
# a password containing spaces is not split into separate words.
username=`sed -n '1p' "$1"`
password=`sed -n '2p' "$1"`

# computing password md5
password=`md5 "$password"`

# Look up the stored hash with an exact match on the username field. The
# original grep on "$username=" also matched "bobby=" for user "bob" and
# treated the client-supplied username as a regular expression.
userpass=`awk -F= -v u="$username" '$1 == u {print $2; exit}' "$conf"`

if [ -n "$userpass" ] && [ "$password" = "$userpass" ]
then
    log "OpenVPN authentication successful: $username"
    logenv
    exit 0
fi

# Log only the username on failure; the original logged the whole credential
# file, which put every mistyped password into the log.
log "OpenVPN authentication failed: $username"
logenv
exit 1
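An added example, not from the thread or the ovpnauth.sh project, that checks the via-file contract the script relies on offline: OpenVPN writes a temp file with the username on line 1 and the password on line 2, runs the verify script with that path as its only argument, and admits the client only on exit status 0. The user db, usernames and passwords below are constructed; the hash matches ovpnauth.sh, so stored values are bound to the server's "uname -n" and must be generated on the server itself.

```shell
#!/bin/sh
# Hash exactly as ovpnauth.sh does: md5sum of "<password>.<hostname>\n".
ovpn_hash() {
    printf '%s.%s\n' "$1" "$(uname -n)" | md5sum | awk '{print $1}'
}

# verify_creds CONF CREDFILE: exit 0 when the username has an entry whose
# hash equals the hash of the supplied password, 1 otherwise.
verify_creds() {
    user=$(sed -n '1p' "$2")
    pass=$(sed -n '2p' "$2")
    # exact match on the username field, so "bob" never matches "bobby="
    stored=$(awk -F= -v u="$user" '$1 == u {print $2; exit}' "$1")
    [ -n "$stored" ] && [ "$stored" = "$(ovpn_hash "$pass")" ]
}

# Runs three constructed login attempts against a constructed user db and
# returns their outcomes as "ok"/"fail" words, e.g. "ok fail fail".
demo() {
    dir=$(mktemp -d) || return 2
    printf 'bob=%s\nbobby=%s\n' \
        "$(ovpn_hash 'correct horse')" "$(ovpn_hash 'other')" > "$dir/ovpnauth.conf"
    printf 'bob\ncorrect horse\n' > "$dir/good"     # right user, right password
    printf 'bob\nwrong\n'         > "$dir/badpass"  # right user, wrong password
    printf 'bo\ncorrect horse\n'  > "$dir/prefix"   # "bo" must hit neither bob nor bobby
    out=""
    for f in good badpass prefix; do
        if verify_creds "$dir/ovpnauth.conf" "$dir/$f"; then
            out="$out ok"
        else
            out="$out fail"
        fi
    done
    rm -rf "$dir"
    echo "${out# }"
}
```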
Re: Support OpenVPN client with password
Sorry for my late response. I was looking all over the net to configure my openvpn server with password access, when I read this article. My question is how do I do this in PuTTY:
"compute md5 checksum using this ovpnauth.sh md5 password"
Re: Support OpenVPN client with password
Go to where the script is (per an earlier step, you've already made it executable):
./ovpnauth.sh md5 password
Re: Support OpenVPN client with password
Thank you, working great now.
Re: Support OpenVPN client with password
The above still works with 1.12, though I have a feeling there's a better way by now. If anyone's heard of one....