[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

[Openvpn-users] New Username/Password Authentication Mode

  • Subject: [Openvpn-users] New Username/Password Authentication Mode
  • From: "James Yonan" <jim@xxxxxxxxx>
  • Date: Mon, 18 Oct 2004 06:48:53 -0000

This idea was proposed a few months ago, and I initially thought it would be a
post-2.0 thing, but it turned out to be easier than I thought to implement, so
you will find it in the just-released 2.0-beta12.

Some background: Since OpenVPN 1.0, TLS mode always involved the client and
server authenticating each other using a certificate/private key pair.  While
this provides good security, it is not strictly necessary that the client
authenticate itself to the server using certificates.  In many cases it might
be more convenient to use "Asymmetrical Authentication" where only the the
server authenticates itself to the client with a signed certificate while the
client authenticates itself to the server with a username/password 
(incidentally, this authentication model is the basis for most of the
e-commerce and online finance sites on the web). 

In some cases it might also be desirable to use double client-side
authentication, i.e. have the client present a certificate to the server AND a

All of these options are now possible, and the server config can specify which
combination is required: username/password without a client certificate,
username/password plus client certificate, or client certificate alone.

To use:

* Add --auth-user-pass option to client config.  Add a optional filename
argument (user/pass on two lines in the file) or omit for console prompt.

* Once you've added --auth-user-pass to the client config, you no longer need
to provide --cert and --key files, however you should still include them if
the server you are connecting to requires double authentication.

* In the server config, add --auth-user-pass-verify ./script.  OpenVPN will
call this script on the server side with the username and password which were
provided by the client.  The user/pass will be saved in the environment under
the "username" and "password" variable names.  The script then returns success
(0) if it approves of the username/password or (1) if it disapproves.  On
approval the tunnel will begin passing data immediately.  On disapproval, the
server will send an "Auth Failure" message back to the client which will be
shown in the log file and cause the client to exit.

* The server config has two optional flags.  --client-cert-not-required tells
the server that clients don't need to present a certificate, i.e. a
username/password by itself is sufficient.  By default, if
--auth-user-pass-verify is used without --client-cert-not-required, then
double authentication will be required, i.e. the client must present a cert
AND username/password.

* The other optional server-side flag is --username-as-common-name.  This
tells OpenVPN, on successful authentication using a username/password, to use
the username as the "common name", in order to identify the client in
log/status file listings or when --client-config-dir is used.

As you can see, this is a basic infrastructure which still requires a script
plug-in on the server side to perform the username/password verification.

If you download the tarball, you will find a perl script in
sample-scripts/auth-pam.pl which will do PAM authentication on a *nix system.
 You can use this script along with the --auth-user-pass-verify directive on
the server.

It was pretty cool to run it for the first time, I was actually able to start
a VPN to my server without any client-side certificate, using only my standard
Linux login username/password.

This feature also creates the possibility of constructing "Anonymous VPNs". 
Suppose you want to create a public access VPN which allows anyone to connect
using a standard config file.  Just use the "true" shell command as your
--auth-user-pass-verify script.

For more info, see the man page.


Openvpn-users mailing list