Issue: How can I add basic authentication / password to my OpenVPN connection featuring certificates?
There are quite a lot of tutorials on how to set up your own VPN server. An excellent tutorial has been published by DigitalOcean. However this (and nearly every other) tutorial feature a secure connection by either certificates or user credentials. A combined approach is hardly to be found. This post shows how to enable basic authentication additionally to certificates using OpenVPN.
Before you start adding basic authentication, make sure you are already able to connect by certificates. The DigitalOcean tutorial is a great place to get started, as I will not cover the initial setup of a VPN server.
Step 1 – Plugging a module
To achieve basic authentication, we need a way to validate the sent credentials. An easy way to do this, is using PAM. This acronym stands for Pluggable Authentication Modules and provides an infrastructure to authenticate users by configurable modules (e.g. Samba, LDAP, Kerberos, etc.). We will be using PAM to authenticate against registered users on our host system. So you will be able to use the same credentials for the VPN connection as you do on your host. Feel free to add a dedicated user to your system exclusively for VPN connections.
Create a new file /etc/pam.d/openvpn and insert the following two lines:
auth required pam_unix.so shadow nodelay account required pam_unix.so
This will allow OpenVPN to authenticate against PAM.
Step 2 – Configuring OpenVPN
OpenVPN does not care for another level of authentication at this point. To change this behaviour, edit the /etc/openvpn/server.conf file and add this line somewhere, advisable on the top:
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
After a restart of the corresponding service the server will not accept a certificate without basic authentication.
service openvpn restart
Now we’ll need the client to open a prompt for credentials when initiating a connection. To achieve this, edit your client config file (most likely a .ovpn file) and add this line somewhere:
On your next connection you will need your certificate, as well as credentials of a registered user.