Support OpenVPN client with password

jkemenade
Posts: 21
Joined: Mon Nov 12, 2012 4:15 am

Support OpenVPN client with password

Post by jkemenade »

Hi,

Is it possible to also enable client passwords when defining OpenVPN configuration?
I would like the client-server connection to rely not only on having the right certificates available, but ALSO on having the proper knowledge.

For example, I am carrying a USB stick with an OpenVPN client (portable) to remotely access my home network. But if I lose the stick (or someone copies the config), anyone can access my network... Therefore, I'd like to have the option to be asked for a password.

John

raiko
Posts: 31
Joined: Mon Jun 06, 2011 1:50 am

Re: Support OpenVPN client with password

Post by raiko »

Supporting OpenVPN client username/password authentication would be great!

Thanks!

kk003
Posts: 1
Joined: Sun Mar 16, 2014 12:00 pm

Re: Support OpenVPN client with password

Post by kk003 »

This information comes a bit late, sorry.
This directive:
auth-user-pass

authenticates by username and password if included in the configuration file of the client.
Used in the above manner, running openvpn my_configfile.conf
asks you to enter the data manually.
You need to write a text file and save it to your router:

Code:

my_username
my_password

Save it as user_data.txt
Then add this line to your client configuration:
auth-user-pass /path_to_file/user_data.txt
and the authentication process no longer requires user intervention.

trybowski
Posts: 5
Joined: Sat Nov 22, 2014 6:52 pm

Re: Support OpenVPN client with password

Post by trybowski »

I support this wish.

rseiler
Posts: 208
Joined: Sun Dec 15, 2013 12:31 am

Re: Support OpenVPN client with password

Post by rseiler »

@kk003, that requires the cooperation of the server. I'm unsure if the version of OpenVPN server that we have supports it yet, or if there's any way to jury-rig it to make it so.

Update:
I found a script that makes it possible (see below). It works for me.

Some notes relative to the steps below:
1) WinSCP does the trick for that also.
2) I put it in /etc/openvpn
3) He doesn't mean to actually include the brackets
4) Yes, be sure to do that. I kept the log path at /var/log.
5) Ours is /etc/openvpn/server.conf, and in it do use the full path to ovpnauth.sh.
6) In reference to your user.ovpn file that you download from Gargoyle and use with the PC client.

https://github.com/troydm/ovpnauth.sh

Just in case that disappears:
OpenVPN sh authentication script with simple user db
for use with auth-user-pass-verify via-file option

It's a simple sh shell script that is targeted at consumer routers that don't
have perl or any other scripting languages installed on them,
but need a simple ovpn authentication

LICENSE
-----------------------------------
NONE

INSTALL
------------------------------------
1) copy ovpnauth.sh script to your server,
make it executable (chmod +x) and make sure you can execute it

2) create a file named ovpnauth.conf and put it inside for example
/usr/local/etc/

3) for each user you want to register
3a) compute md5 checksum using this ovpnauth.sh md5 password
3b) add line in your ovpnauth.conf that reads like this:
username=[computed-md5-password]
where [computed-md5-password] is md5 checksum you computed

4) edit ovpnauth.sh and make sure your conf path (path to ovpnauth.conf) is correct
4a) (optional) you can change your logfile path

5) now in your openvpn.conf add these options
script-security 2
auth-user-pass-verify ovpnauth.sh via-file
also you can replace ovpnauth.sh with full path to your ovpnauth script

6) Enjoy sh shell based OpenVPN authentication
and don't forget to specify auth-user-pass option in
your openvpn client config

Code:

#!/bin/sh

# Config parameters

conf="/usr/local/etc/ovpnauth.conf"
logfile="/var/log/ovpnauth.log"

# End of config parameters

if [ "$1" = "" ] || [ "$1" = "help" ]
then
	echo "ovpnauth.sh v0.1 - OpenVPN sh authentication script with simple user db"
	echo "                   for use with auth-user-pass-verify via-file option"
	echo ""
	echo "help - prints help"
	echo "md5 password - to compute password md5 checksum"
	exit 1
fi

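# Hash "<password>.<hostname>" with md5sum. The input is piped straight to
# md5sum, so the cleartext password is never written to a file in /tmp.
# The resulting hash is identical to the one the temp-file version produced.
md5(){
        echo "$1.`uname -n`" | md5sum | awk '{print $1}'
}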

if [ "$1" = "md5" ]
then
        # Print the hash for the password given as the second argument
        md5 "$2"
	exit 0
fi

log(){
	echo "`date +'%m/%d/%y %H:%M'` - $1" >> $logfile
}

logenv(){
	enviroment="`env | awk '{printf "%s ", $0}'`"
	echo "`date +'%m/%d/%y %H:%M'` - $enviroment" >> $logfile
}

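# With via-file, OpenVPN passes the path of a temporary file as $1:
# line 1 holds the username, line 2 the password.
username=`sed -n 1p "$1"`
password=`sed -n 2p "$1"`

# computing password md5
password=`md5 "$password"`
# Look up the stored hash by exact string match on the username
# (no regex, no partial match)
userpass=`awk -F= -v u="$username" '($1 "") == (u "") {print $2; exit}' "$conf"`

if [ -n "$username" ] && [ -n "$userpass" ] && [ "$password" = "$userpass" ]
then
	log "OpenVPN authentication successful: $username"
	logenv
	exit 0
fi

# Log the submitted username only; the password line is never passed to log()
log "OpenVPN authentication failed: $username"
logenv
exit 1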
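
The install steps above, as an added example that is not part of the original post or of the ovpnauth.sh project: a dry run of the same check in a scratch directory (hash of "password.hostname", username=hash lines, a credentials file with the username on line 1 and the password on line 2), so a user entry can be tested before auth-user-pass-verify is enabled in server.conf. The function names, the user alice and the passwords are constructed for illustration.

```shell
#!/bin/sh
# Added example: dry run of an ovpnauth-style check in a scratch directory.
# Function names, the user "alice" and all passwords are constructed.

# Hash recipe described in the thread: md5 of "<password>.<hostname>".
hash_pw() {
    echo "$1.$(uname -n)" | md5sum | awk '{print $1}'
}

# Append "username=hash" to the user db ($1); the file is created owner-only.
add_user() {
    ( umask 077; echo "$2=$(hash_pw "$3")" >> "$1" )
}

# Check a via-file credentials file ($2: line 1 username, line 2 password)
# against the user db ($1). Returns 0 on match, 1 otherwise.
verify_file() {
    user=$(sed -n 1p "$2")
    pass=$(sed -n 2p "$2")
    [ -n "$user" ] || return 1
    # Exact string match on the username; an unknown user yields no hash.
    stored=$(awk -F= -v u="$user" '($1 "") == (u "") {print $2; exit}' "$1")
    [ -n "$stored" ] && [ "$(hash_pw "$pass")" = "$stored" ]
}

# Write username/password to a temp file as OpenVPN does, then verify it.
try_login() {
    cred=$(mktemp "$scratch/cred.XXXXXX")
    printf '%s\n%s\n' "$2" "$3" > "$cred"
    if verify_file "$1" "$cred"; then rc=0; else rc=1; fi
    rm -f "$cred"
    return $rc
}

scratch=$(mktemp -d)
trap 'rm -rf "$scratch"' EXIT
db="$scratch/ovpnauth.conf"
add_user "$db" alice 'correct horse battery'

# Correct login, wrong password, partial username, empty username.
for attempt in 'alice:correct horse battery' 'alice:wrong' \
               'lice:correct horse battery' ':x'; do
    u=${attempt%%:*}; p=${attempt#*:}
    if try_login "$db" "$u" "$p"; then r=accept; else r=reject; fi
    echo "$r user='$u'"
done
```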

pbrm
Posts: 5
Joined: Sun Apr 06, 2014 6:24 am

Re: Support OpenVPN client with password

Post by pbrm »

Sorry for my late response. I was looking all over the net to configure my OpenVPN server with password access when I read this article. My question is how do I do this in PuTTY:
"compute md5 checksum using this ovpnauth.sh md5 password"

rseiler
Posts: 208
Joined: Sun Dec 15, 2013 12:31 am

Re: Support OpenVPN client with password

Post by rseiler »

Go to where the script is (per an earlier step, you've already made it executable):
./ovpnauth.sh md5 password

pbrm
Posts: 5
Joined: Sun Apr 06, 2014 6:24 am

Re: Support OpenVPN client with password

Post by pbrm »

Thank you, working great now.

rseiler
Posts: 208
Joined: Sun Dec 15, 2013 12:31 am

Re: Support OpenVPN client with password

Post by rseiler »

The above still works with 1.12, though I have a feeling there's a better way by now. If anyone's heard of one....
