This plugin allows a server-side authentication. Unlike the password protection of the .p12 file, authentication takes place on the server with username and password. This plugin supports Pam authentications.
This example will be demonstrated with the already existing Unix PAM module pam_unix.so (findable under the directory
/lib/security) and a new profile under the directory
/etc/pam.d. In addition, a new group for OpenVPN users will be created in there, the user credentials will be stored by the use of passwd.
Additional configuration entries in server.conf.local and client.conf.local under the directory
/var/ipfire/ovpn/scripts will be supplemented over the "Additional configuration" section to make changes on OpenVPNs server.conf and client.ovpn permanently.
1. Add a new profile in
auth required pam_unix.so shadow nodelay account required pam_unix.so
2. Create a group called "openvpn" and create one new user with a password.
useradd -g "openvpn" -s /bin/false testuser # creates the user to the group openvpn without shell access passwd testuser # set a password for this user
3. Prepared arrangements need to be integrated into the OpenVPN configuration files
The following directives should be added to the file
# Additional config directives plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
In this case, the plugin will be called over the absolute path which queries then also the before created PAM profile "openvpn".
and the following directives to the file
# Additional config directives auth-user-pass
This entry initiates the call to the client-side account query.
|To make those changes permanent, IPFire delivers since core 89 a feature called "Additional configuration" which you can activate over the "Advanced server options" in IPFires webuserinterface. You need to set manually the above explained entries into server.conf.local and/or client.conf.local findable under the path