How to use user/password authentication with OpenVPN on FreeBSD


November 2014.

2014-11-03.

Configure the system


To use a text-file password database, install pam_pwdfile:

make -C /usr/ports/security/pam_pwdfile install clean

Generate the password hash using OpenSSL or any other tool:

openssl passwd -crypt superpassword

Populate /usr/local/etc/ovpn/passwd with your user/password database, one user:hash entry per line.

guest1:VgocPdscg2SzY
guest2:2aRomUmF3ALJU
guest3:fW4lUmBwz56Rg
guest4:Rcf3wcHgMhPkM
guest5:9CVFYqvOjgw.Y
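As an added example that is not part of the original post, the POSIX shell script below shows how entries of this kind are built and checked: the stored value is a crypt(3) hash that carries its own salt, so a password is verified by re-hashing it with the stored salt and comparing the result, which is what a crypt()-based PAM module does. It uses MD5-crypt ($1$...) via openssl passwd -1, which pam_pwdfile accepts alongside DES hashes, rather than the legacy -crypt used above: DES crypt only looks at the first eight characters of the password, and OpenSSL 3 no longer ships the -crypt option. Passwords are passed on standard input so they do not show up in the process list. The user names and passwords are constructed for the demo, and the database is written to a temp file, not to /usr/local/etc/ovpn/passwd.

```shell
#!/bin/sh
# Added example, not from the original post: build and verify
# pam_pwdfile-style "user:hash" entries with crypt(3)-compatible hashes.
# Assumes an openssl binary that supports "openssl passwd -1" (MD5-crypt).

# Print one "user:hash" line for USER / PASS.
# The password goes in via -stdin so it never appears on a command line.
mkentry() {
    user=$1; pass=$2
    hash=$(printf '%s\n' "$pass" | openssl passwd -1 -stdin)
    printf '%s:%s\n' "$user" "$hash"
}

# Verify PASS for USER against FILE the way a crypt()-based module does:
# re-hash with the salt stored in the entry and compare the result.
# Returns 0 on match, 1 on unknown user, wrong password or unsupported hash.
check_pwdfile() {
    file=$1; user=$2; pass=$3
    stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file")
    [ -n "$stored" ] || return 1
    case $stored in
        '$1$'*)   # MD5-crypt: "$1$<salt>$<digest>", the salt is the 3rd $-field
            salt=$(printf '%s' "$stored" | cut -d'$' -f3)
            computed=$(printf '%s\n' "$pass" | openssl passwd -1 -salt "$salt" -stdin) || return 1
            ;;
        *)        # legacy DES crypt as used on this page: the first two characters are the salt
            salt=$(printf '%s' "$stored" | cut -c1-2)
            computed=$(printf '%s\n' "$pass" | openssl passwd -crypt -salt "$salt" -stdin 2>/dev/null) || return 1
            ;;
    esac
    [ "$computed" = "$stored" ]
}

# Build a small constructed database in a temp file and print its path.
make_demo_db() {
    db=$(mktemp -t ovpnpw.XXXXXX)
    mkentry guest1 superpassword  >> "$db"
    mkentry guest2 another-secret >> "$db"
    printf '%s\n' "$db"
}

# Stand-alone run: build the file, then check a good and a bad password.
demo() {
    db=$(make_demo_db)
    cat "$db"
    if check_pwdfile "$db" guest1 superpassword; then echo "guest1/superpassword: accepted"; fi
    if ! check_pwdfile "$db" guest1 wrongpassword; then echo "guest1/wrongpassword: rejected"; fi
    rm -f "$db"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found: install it to run this demo" >&2
fi
```

The same check can be pointed at the real database to confirm an entry before touching the PAM stack; pamtester, shown further down, then exercises the module itself.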

Configure PAM in /etc/pam.d/openvpn:

auth required /usr/local/lib/pam_pwdfile.so pwdfile=/usr/local/etc/ovpn/passwd
account required pam_permit.so
session required pam_permit.so
password required pam_deny.so

To test the PAM setup, install pamtester and run it against the openvpn service:

# make -C /usr/ports/security/pamtester install clean
[...]

# pamtester -v openvpn guest1 authenticate
pamtester: invoking pam_start(openvpn, guest1, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated

In your server configuration file, add:

plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
# Add duplicate-cn if several clients connect with the same certificate;
# otherwise they all get the same IP address and you will have problems.
duplicate-cn

In your client configuration, add:

auth-user-pass

LDAP Auth


Install pam_ldap:

make -C /usr/ports/security/pam_ldap install clean

Create a configuration file, for example /usr/local/etc/ovpn/ldap.conf, and populate it as usual:

host ldap-server.example.com
base dc=example,dc=com
ldap_version 3
binddn cn=pam,ou=services,dc=example,dc=com
bindpw DY5K82cG5avkCkz
port 389
scope sub
bind_timelimit 10
bind_policy soft
pam_filter objectclass=inetOrgPerson
pam_login_attribute uid
pam_password exop
nss_base_passwd ou=people,dc=example,dc=com
nss_base_group ou=group,dc=example,dc=com

To let users authenticate against either LDAP or the text file, use a configuration like this one:

auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass config=/usr/local/etc/ovpn/ldap.conf
auth required /usr/local/lib/pam_pwdfile.so pwdfile=/usr/local/etc/ovpn/passwd
account required pam_permit.so
session required pam_permit.so
password required pam_deny.so
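The sufficient/required pairing is what makes the fallback work, and the order of the two auth lines matters. The POSIX shell function below is an added example, not part of the original post, that evaluates the auth lines of a PAM config file according to the control-flag rules: a failing required module marks the stack as failed but evaluation continues; a failing requisite module ends it with failure at once; a succeeding sufficient module ends it with success unless a required module already failed; optional never changes the outcome. It is a simplified model of those semantics (the bracketed [value=action] syntax is not handled, and an empty stack counts as success), and it takes each module's outcome as a parameter instead of calling the module. The page config is this page's own five-line stack written to a temp file; the swapped variant is constructed here to show why pam_ldap has to come first.

```shell
#!/bin/sh
# Added example, not from the original post: evaluate the "auth" stack of a
# PAM config file for the flags required, requisite, sufficient and optional.
# RESULTS is a space-separated list such as "pam_ldap.so=ok pam_pwdfile.so=fail"
# saying what each module would return; the function prints success or failure.
pam_auth_eval() {
    conf=$1; results=$2
    awk -v results="$results" '
        BEGIN {
            n = split(results, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); res[kv[1]] = kv[2] }
            failed = 0; decided = 0
        }
        $1 == "auth" {
            flag = $2; mod = $3; sub(".*/", "", mod)   # keep only the module file name
            r = (mod in res) ? res[mod] : "fail"        # an unlisted module is treated as failing
            if (flag == "requisite" && r == "fail") { decided = 1; print "failure"; exit }
            if (flag == "required"  && r == "fail") { failed = 1 }
            if (flag == "sufficient" && r == "ok" && !failed) { decided = 1; print "success"; exit }
            # sufficient+fail and optional do not change the outcome; keep going
        }
        END { if (!decided) print (failed ? "failure" : "success") }
    ' "$conf"
}

# Write the stack from this page (pam_ldap sufficient, then pam_pwdfile required)
# to a temp file and print its path.
write_page_stack() {
    f=$(mktemp -t pamdemo.XXXXXX)
    cat > "$f" <<'EOF'
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass config=/usr/local/etc/ovpn/ldap.conf
auth required /usr/local/lib/pam_pwdfile.so pwdfile=/usr/local/etc/ovpn/passwd
account required pam_permit.so
session required pam_permit.so
password required pam_deny.so
EOF
    printf '%s\n' "$f"
}

# Constructed variant with the two auth lines swapped, to show why order matters.
write_swapped_stack() {
    f=$(mktemp -t pamdemo.XXXXXX)
    cat > "$f" <<'EOF'
auth required /usr/local/lib/pam_pwdfile.so pwdfile=/usr/local/etc/ovpn/passwd
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass config=/usr/local/etc/ovpn/ldap.conf
account required pam_permit.so
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: compare both orderings for every combination of outcomes.
page=$(write_page_stack); swapped=$(write_swapped_stack)
for r in 'pam_ldap.so=ok pam_pwdfile.so=fail' \
         'pam_ldap.so=fail pam_pwdfile.so=ok' \
         'pam_ldap.so=fail pam_pwdfile.so=fail'; do
    echo "$r -> page order: $(pam_auth_eval "$page" "$r"), swapped: $(pam_auth_eval "$swapped" "$r")"
done
rm -f "$page" "$swapped"
```

With the page's order, an LDAP-only user is accepted by pam_ldap and never reaches pam_pwdfile, while a text-file user falls through to pam_pwdfile. With the lines swapped, a user known only to LDAP is refused: the required pam_pwdfile line has already failed, so the later sufficient success cannot rescue the stack.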

Otherwise, create your PAM configuration as usual.