OpenVPN Server with Virtual Users




This may come in handy for admins who prefer OpenVPN with virtual users rather than having users authenticate against LDAP / POP.
Compile auth-pam from the OpenVPN source:

cd /root/openvpn-2.1.3/plugin/auth-pam
make
cp openvpn-auth-pam.so /etc/openvpn/

Download & install pam_pwdfile, which provides the pam_pwdfile.so module.

PAM configuration for the virtual users:

cat /etc/pam.d/vuser
auth required pam_pwdfile.so pwdfile /etc/openvpn/users
account required pam_permit.so


Append the following to server.conf:

plugin /etc/openvpn/openvpn-auth-pam.so "/etc/pam.d/vuser"

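Create virtual users using htpasswd. The -c flag creates the file (and overwrites an existing one), so leave it off when adding further users; -b takes the password from the command line, where it can end up in shell history and be visible in the process list.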

htpasswd -c -b /etc/openvpn/users linux tux

That is all that needs to be done at the server end. At the client end, append the following line to client.conf:

auth-user-pass
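
A check for the users file created in the htpasswd step, as an added example that is not part of the original post: it reports the hash scheme of each entry (htpasswd can write several, and the comments on this page trace a pam_pwdfile "wrong password" error to that) and warns if the file is world-readable. The function names and sample entries are constructed for illustration, and which schemes your pam_pwdfile build accepts is for you to confirm.

```sh
#!/bin/sh
# Added example: report the hash scheme of each entry in an htpasswd-style
# users file and flag a world-readable file. Names here are illustrative.

# classify_hash HASH: print the scheme implied by the hash prefix or shape.
classify_hash() {
    case "$1" in
        '')                       echo empty ;;
        '$apr1$'*)                echo apr1-md5 ;;     # htpasswd -m
        '$2y$'*|'$2a$'*|'$2b$'*)  echo bcrypt ;;       # htpasswd -B
        '{SHA}'*)                 echo sha1 ;;         # htpasswd -s
        '$1$'*)                   echo md5-crypt ;;
        '$5$'*)                   echo sha256-crypt ;;
        '$6$'*)                   echo sha512-crypt ;;
        *[!./0-9A-Za-z]*)         echo unknown ;;      # not a crypt(3) alphabet
        ?????????????)            echo des-crypt ;;    # htpasswd -d, 13 chars
        *)                        echo unknown ;;
    esac
}

# audit_users FILE: print "user<TAB>scheme" per entry. Returns 2 if FILE is
# unreadable, 1 if it is world-readable or holds an empty/unknown hash, else 0.
audit_users() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    rc=0
    if [ -n "$(find "$1" -prune -perm -004)" ]; then
        echo "WARNING: $1 is world-readable" >&2
        rc=1
    fi
    while IFS=: read -r user hash rest || [ -n "$user" ]; do
        [ -n "$user" ] || continue
        scheme=$(classify_hash "$hash")
        printf '%s\t%s\n' "$user" "$scheme"
        case "$scheme" in empty|unknown) rc=1 ;; esac
    done < "$1"
    return "$rc"
}

# With a path argument, audit that file; otherwise run on constructed entries.
if [ $# -gt 0 ]; then
    audit_users "$1"
else
    sample=$(mktemp) && chmod 600 "$sample"
    printf '%s\n' 'linux:$apr1$constrct$AAAAAAAAAAAAAAAAAAAAAA' \
        'tux:abCDEFGHIJKLM' 'guest:not a hash' > "$sample"   # fake hashes
    audit_users "$sample" || echo "some entries need attention" >&2
    rm -f "$sample"
fi
```

Run it with the users file as its argument, e.g. /etc/openvpn/users; a non-zero exit status means an entry or the file mode needs a look.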


  • manda

    Sorry to make another comment.. I just kept finding more information. It seems that the included Apache htpasswd does some different non-standard stuff. See comments from “Konstantin Khomoutov” here: http://cpbotha.net/software/pam_pwdfile/

  • manda

    SOLVED. If you use Ubuntu Server 12.04 and newer you need to use the -d in htpasswd since newer versions seem to use MD5 instead of Crypt that was default before.

    • dpthakar

      Thanks for the update. This will definitely help Ubuntu users.

      • manda

        My apologies for the multiple posts too. :-) But yes, it’s definitely solved. Thanks!

  • manda

    Installed and appears to be almost working, except in auth.log I’m getting “pam_pwdfile[6609]: wrong password for user (redacted)” Uh oh. Can’t authenticate. If I change the plugin line in server.conf to use “system-auth” at the end, I can authenticate with my system account, but I can’t auth off of the /etc/openvpn/users file. I *can* use that same htpasswd created file to auth with Apache, though. Just can’t seem to get openvpn to authenticate.

    • dpthakar

      This seems like a PAM module related problem. Here we are using a PAM module to auth users. Still … 1) make sure you are using the same source files for the openvpn plugin which you used during installation 2) you have pam_pwdfile.so installed. I have tested this with CentOS 6.3 & OpenVPN 2.2; it seems to be working fine.

      • manda

        Yeah, there seem to be some problems with pam libraries & the compiler on Ubuntu 12.04.. having problems with another library that uses pam. Not sure what happened. :/ I’m using OpenVPN 2.3 beta1 at the moment. Tried to revert, but the repository that openvpn.net has up seems to be broken. I want to go forward and not backwards anyway. :-) Thanks for the reply! I’ll keep you posted in case someone else runs across the issue.

      • manda

        Hmm, I’m having other pam related issues that are strange, so that could be it. 1) I compiled it against the source but my main install is from the openvpn repository deb file. I guess now I could reinstall openvpn from source and try it again. 2) I do have that, yes. :-) This is Ubuntu 12.04, 64 bit. I’ll try a few other things and report back.

      • manda

        OpenVPN 2.3_rc1 (same with 2.2.2) on Ubuntu 12.04, still no luck.

        AUTH-PAM: BACKGROUND: received command code: 0
        AUTH-PAM: BACKGROUND: USER: testuser
        AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
        AUTH-PAM: BACKGROUND: user 'testuser' failed to authenticate: Authentication failure
        Sat Nov 3 17:15:19 2012 us=897519 246.105.151.116:58848 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
        Sat Nov 3 17:15:19 2012 us=897539 216.177.157.101:58848 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so

        auth.log showing:

        Nov 3 17:28:43 box2 pam_pwdfile[5832]: wrong password for user testuser

        (even though I know that it’s the correct password) We can see that it’s using pam_pwdfile. And I’m stuck here. :/ Still trying though!
