This post builds on the steps outlined in the previous post. By adding username/password authentication, you are effectively giving your OpenVPN server a two-factor authentication mechanism: the client needs a usable client certificate and key to authenticate itself to the server, and must also supply a valid username and password.
We already covered certificate authentication in the previous post, so I won't go over that here. Adding the user/pass mechanism means adding one or two lines to the configuration files we already have.
In the server config file, add the following (the plugin path depends on your distribution's OpenVPN package; the second argument is the PAM service name under /etc/pam.d that OpenVPN will authenticate against):
plugin /usr/lib/openvpn/openvpn-auth-pam.so system-auth
On the server create a group called vpn
# groupadd vpn
Then we can create each user:
# useradd -s /bin/false -g vpn vpntest
This creates the user vpntest, puts them in the vpn group, and gives them /bin/false as a shell so the account can only be used for VPN authentication, not for an interactive login.
# passwd vpntest
This gives the user vpntest the password they will use to authenticate to the VPN.
On the client config file, add the following:
auth-user-pass
pull
That's it. Keep in mind that we were adding to the config files from the previous post, so it is presumed that you already have a working OpenVPN server that accepts client key/certificate authentication.
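As an added example (not part of the original post), here is a small audit script that checks the property the useradd line above relies on: every account in the vpn group, whether a primary or secondary member, should have a non-interactive shell, so a leaked VPN password cannot also be used for SSH or console login. It takes explicit passwd/group file paths and runs against constructed sample files; the list of accepted non-login shells is an assumption.

```shell
#!/bin/sh
# Audit that members of a group (default use: the "vpn" group from the post)
# have a non-interactive shell. Takes explicit passwd/group paths so it can be
# run against copies; point it at /etc/passwd and /etc/group on a real server.

# vpn_shell_audit GROUP PASSWD_FILE GROUP_FILE
# Prints "user shell" for each member whose shell is interactive; prints
# nothing when every member uses /bin/false, /sbin/nologin or /usr/sbin/nologin
# (assumed set of non-login shells).
vpn_shell_audit() {
  group="$1"; passwd_file="$2"; group_file="$3"
  # Secondary members: comma-separated 4th field of the group file.
  members=$(awk -F: -v g="$group" '$1 == g { gsub(",", " ", $4); print $4 }' "$group_file")
  # Primary members: "useradd -g vpn" stores the GID in passwd, not in the group list.
  gid=$(awk -F: -v g="$group" '$1 == g { print $3 }' "$group_file")
  primary=$(awk -F: -v gid="$gid" 'gid != "" && $4 == gid { print $1 }' "$passwd_file")
  for u in $members $primary; do
    shell=$(awk -F: -v u="$u" '$1 == u { print $7 }' "$passwd_file")
    case "$shell" in
      /bin/false|/sbin/nologin|/usr/sbin/nologin) ;;   # non-interactive: fine
      *) printf '%s %s\n' "$u" "$shell" ;;             # interactive: report
    esac
  done | sort -u
}

# Constructed sample files (not real system files): vpntest is correct,
# vpnbad is a primary member with a real shell, alice is a secondary member
# with a real shell.
tmpdir=$(mktemp -d)
cat > "$tmpdir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
vpntest:x:1001:1001::/home/vpntest:/bin/false
vpnbad:x:1002:1001::/home/vpnbad:/bin/bash
alice:x:1003:1003::/home/alice:/bin/bash
EOF
cat > "$tmpdir/group" <<'EOF'
root:x:0:
vpn:x:1001:alice
users:x:100:
EOF

vpn_shell_audit vpn "$tmpdir/passwd" "$tmpdir/group"
```

On the sample data the script reports alice and vpnbad; an empty result means every vpn member is restricted to VPN use.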
Resources/Good Reading:
http://www.uno-code.com/?q=node/120