This plugin adds server-side authentication. Unlike the password protection of the .p12 file, the user is authenticated on the server with a username and password. The plugin supports PAM authentication.
This example uses the existing Unix PAM module pam_unix.so (found under the directory /lib/security) and a new profile under the directory /etc/pam.d. In addition, a new group for OpenVPN users is created, and the user credentials are stored with passwd.
Additional configuration entries in server.conf.local and client.conf.local under the directory /var/ipfire/ovpn/scripts are supplied through the "Additional configuration" section so that the changes to OpenVPN's server.conf and client.ovpn persist.
1. Add a new profile in /etc/pam.d
- In the first step, create the openvpn profile with:
touch /etc/pam.d/openvpn
- Fill this profile with the following content:
auth required pam_unix.so shadow nodelay
account required pam_unix.so
- There is plenty of information on the internet about this topic; for a short overview, PAM Essentials covers session management and PAM.
2. Create a group called "openvpn" and create one new user with a password.
- The group can be created from the console/terminal with:
groupadd openvpn
- The user, named "testuser" in this example, can be created with the following commands:
useradd -g "openvpn" -s /bin/false testuser # adds the user to the group openvpn without shell access
passwd testuser # sets a password for this user
3. Integrate the prepared pieces into the OpenVPN configuration files
The following directives should be added to the file /var/ipfire/ovpn/scripts/server.conf.local:
# Additional config directives
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
In this case, the plugin is called by its absolute path, and the trailing argument selects the PAM profile "openvpn" created above.
Add the following directive to the file /var/ipfire/ovpn/scripts/client.conf.local:
# Additional config directives
auth-user-pass
This directive makes the client prompt for the account's username and password.
Note! To make those changes permanent, IPFire has offered since core 89 a feature called "Additional configuration", which you can activate under the "Advanced server options" in IPFire's web user interface. You need to enter the entries explained above manually into server.conf.local and/or client.conf.local, found under the path /var/ipfire/ovpn/scripts. For further explanation, see the "Additional configuration" section.
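The steps above can be scripted so that rerunning them is safe and the result can be checked; the following helpers are an added example written for this page, not part of the IPFire wiki or the OpenVPN project. They take file paths and passwd(5) entries as parameters, assume getent is available, and assume the PAM profile, group, user and config-file contents exactly as given in the steps above.

```shell
#!/bin/sh
# Added example: idempotent helpers for the PAM profile and the OpenVPN
# "Additional configuration" files described on this page.

# Return 0 when FILE contains both pam_unix.so lines the openvpn profile needs.
pam_profile_ok() {
    file=$1
    [ -r "$file" ] || return 1
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_unix\.so[[:space:]]+shadow[[:space:]]+nodelay' "$file" &&
    grep -Eq '^account[[:space:]]+required[[:space:]]+pam_unix\.so' "$file"
}

# Write the profile only when it is missing or incomplete, so reruns are harmless.
write_pam_profile() {
    file=$1
    pam_profile_ok "$file" && return 0
    printf '%s\n' \
        'auth required pam_unix.so shadow nodelay' \
        'account required pam_unix.so' > "$file"
    chmod 644 "$file"
}

# Append LINE to FILE unless an identical line is already present (no duplicates
# on repeated runs, which would otherwise load the plugin twice).
ensure_directive() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    grep -Fxq -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Check a passwd(5) entry for a VPN-only account: primary GID equals GID and the
# login shell is /bin/false, as set by the useradd call on this page.
# ENTRY is the output of "getent passwd testuser", GID the third field of
# "getent group openvpn".
vpn_user_ok() {
    entry=$1; gid=$2
    [ "$(printf '%s' "$entry" | cut -d: -f4)" = "$gid" ] &&
    [ "$(printf '%s' "$entry" | cut -d: -f7)" = "/bin/false" ]
}

# Usage on the firewall itself (as root):
#   write_pam_profile /etc/pam.d/openvpn
#   ensure_directive /var/ipfire/ovpn/scripts/server.conf.local \
#       'plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn'
#   ensure_directive /var/ipfire/ovpn/scripts/client.conf.local 'auth-user-pass'
#   vpn_user_ok "$(getent passwd testuser)" "$(getent group openvpn | cut -d: -f3)"
```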