The auth-pam.so plugin

Back to OpenVPN mainpage

Back to extensions

This plugin allows a server-side authentication. Unlike the password protection of the .p12 file, authentication takes place on the server with username and password. This plugin supports Pam authentications.

This example will be demonstrated with the already existing Unix PAM module pam_unix.so (findable under the directory /lib/security) and a new profile under the directory /etc/pam.d. In addition, a new group for OpenVPN users will be created in there, the user credentials will be stored by the use of passwd.

Additional configuration entries in server.conf and client.ovpn will be supplemented over the "Additional configuration" section to make changes on OpenVPNs server.conf and client.ovpn permanently.

1. Add a new profile in /etc/pam.d

  • In the first step the openvpn profile should be created with a:
touch /etc/pam.d/openvpn
  • This profile was filled with the following content:
auth    required        pam_unix.so    shadow    nodelay
account required        pam_unix.so
  • There is lots information on the internet for this theme but for a short overview PAM Essentials can deliver information about session management and PAM.

2. Create a group called "openvpn" and create one new user with a password.

  • The group can be created over the console/terminal with a:
groupadd openvpn
  • The user, named "testuser" in this example, can be created with the following commands:
useradd -g "openvpn" -s /bin/false testuser     # creates the user to the group openvpn without shell access
passwd testuser                                 # set a password for this user

3. Prepared arrangements need to be integrated into the OpenVPN configuration files

The following directives should be added to the file /var/ipfire/ovpn/server.conf:

# Additional config directives
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

In this case, the plugin will be called over the absolute path which queries then also the before created PAM profile "openvpn".

File: client.ovpn

# Additional config directives
auth-user-pass

This entry initiates the call to the client-side account query.

Note!
To make those changes permanent, IPFire delivers since core 89 a feature called "Additional configuration" which you can activate over the "Advanced server options" in IPFires webuserinterface. You need to set manually the above explained entries into server.conf.local and/or client.conf.local findable under the path /var/ipfire/ovpn/scripts . For further explanation, take a look into --> "Additional configuration" section.

Back to extensions

Back to OpenVPN mainpage

Edit Page ‐ Yes, you can edit!

Older Revisions • December 9 at 10:42 pm • Jon