lixuewei / rt-n56u

Automatically exported from code.google.com/p/rt-n56u

OpenVPN with username + password authentication #1159

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
I'm using OpenVPN with L2-TAP encapsulation layer but there is no option to 
use username + password authentication in the current version.

I want to use something like this (in the extended server configuration):

 auth-user-pass-verify    auth-pam.pl    via-file

but it doesn't work with those parameters.

How can I configure it to use the current usernames and passwords 
authentication? (seen in PPTP/L2TP)

Original issue reported on code.google.com by hatvanil...@gmail.com on 10 Feb 2014 at 7:37

GoogleCodeExporter commented 9 years ago
You should read the OpenVPN documentation a little on this. Basically you'll need 
some script (I think it shouldn't be a perl script) or binary file, which will 
return 0 on correct username/password and 1 otherwise.

in the config file:
...
username-as-common-name
auth-user-pass-verify check-auth.sh via-file
client-cert-not-required
...

Some time ago I used smth. like the following (check-auth.sh):
---------------------------------------------------------
#!/bin/sh
# called by openvpn (auth-user-pass-verify ... via-file) with $1 = temp file:
# line 1 is the username, line 2 the password
secrets=/etc/openvpn/secrets
ret=1
# read username from the first line of temp file, created by openvpn
# ONLY LATIN CHARACTERS, NUMBERS and "_" are allowed in a username
# (inside [...] a backslash is literal, so "\_" would also let "\" through)
username=$(sed -n '1s/^[[:space:]]*//;1s/[[:space:]]*$//;1s/[^a-zA-Z0-9_]//g;1p' "$1")
# an empty username would match every line of the secrets file
[ -n "${username}" ] || exit 1
# compare password hashes: the stored password is what follows the username
# and at least one blank on its line; requiring the blank keeps "bob" from
# matching the line of "bobby"
[ "`sed -n 's/^[[:space:]]*//;s/[[:space:]]*$//;s/^'"${username}"'[[:space:]]\{1,\}//p' "${secrets}" | md5sum`" \
        = "`sed -n '2s/^[[:space:]]*//;2s/[[:space:]]*$//;2p' "$1" | md5sum`" ] && ret=0
exit ${ret}
------------------------------------------------------

Original comment by ser...@soulblader.com on 23 Feb 2014 at 6:54
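The comment above describes the contract of auth-user-pass-verify with via-file (temp file, username on line 1, password on line 2, exit 0 to accept and 1 to reject). The following is an added example written for this page; it is not code from the rt-n56u firmware or from the commenter. It goes a step beyond the posted script: the secrets file holds salted SHA-256 hashes instead of plaintext passwords, the username is looked up by exact match, and a username containing anything outside [A-Za-z0-9_] is rejected rather than silently stripped. The secrets-file format (username:salt:sha256hex), the default path /etc/storage/openvpn/server/secrets and the availability of sha256sum, sed, cut and grep are all assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example, not code from the rt-n56u project or from the thread above.
# A "via-file" auth-user-pass-verify script that stores salted SHA-256
# hashes rather than plaintext passwords.  Assumptions (not from the page):
#   - secrets file lines look like  username:salt:sha256hex(salt+password)
#   - sha256sum, sed, cut and grep are available (true for busybox/coreutils)
#   - OpenVPN hands the script $1 = temp file, line 1 username, line 2 password
SECRETS_FILE=${SECRETS_FILE:-/etc/storage/openvpn/server/secrets}   # assumed path

# hash_pw SALT PASSWORD -> hex digest of salt||password on stdout
hash_pw() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# new_salt -> 16 hex chars from /dev/urandom
new_salt() {
    head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# make_entry USER SALT PASSWORD -> one secrets-file line on stdout
make_entry() {
    printf '%s:%s:%s\n' "$1" "$2" "$(hash_pw "$2" "$3")"
}

# check_auth CREDFILE SECRETS -> exit status 0 (accept) or 1 (reject),
# which is exactly what OpenVPN expects from auth-user-pass-verify
check_auth() {
    credfile=$1
    secrets=$2
    username=$(sed -n '1p' "$credfile" | tr -d '\r')
    password=$(sed -n '2p' "$credfile" | tr -d '\r')
    # Reject anything but [A-Za-z0-9_] outright instead of silently stripping
    # characters: a stripped name could collide with another user's entry.
    case "$username" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    # Exact-match lookup on "user:"; a prefix match would let "bob" read
    # the entry of "bobby".  The name is safe in a regex after the check above.
    entry=$(grep "^${username}:" "$secrets" 2>/dev/null | head -n 1)
    [ -n "$entry" ] || return 1
    salt=$(printf '%s\n' "$entry" | cut -d: -f2)
    stored=$(printf '%s\n' "$entry" | cut -d: -f3)
    [ -n "$salt" ] && [ -n "$stored" ] || return 1
    # Passwords are taken verbatim (no whitespace trimming), so a password
    # with spaces works; only hashes are compared, never the plaintext.
    [ "$(hash_pw "$salt" "$password")" = "$stored" ]
}

# When OpenVPN invokes the script it passes the credential file as $1.
if [ $# -ge 1 ]; then
    check_auth "$1" "$SECRETS_FILE"
    exit $?
fi

# Otherwise run a demo on constructed data (not real credentials).
demo() {
    d=$(mktemp -d) || return 1
    { make_entry bob   0123456789abcdef 'correct horse'
      make_entry bobby fedcba9876543210 'battery staple'; } > "$d/secrets"
    printf 'bob\ncorrect horse\n'    > "$d/ok"
    printf 'bob\nwrong\n'            > "$d/bad_pw"
    printf 'bob\nbattery staple\n'   > "$d/cross_user"   # bobby's password
    printf 'bo\ncorrect horse\n'     > "$d/prefix"
    printf 'bob;id\ncorrect horse\n' > "$d/bad_chars"
    for f in ok bad_pw cross_user prefix bad_chars; do
        if check_auth "$d/$f" "$d/secrets"; then r=accept; else r=reject; fi
        printf '%-10s %s\n' "$f" "$r"
    done
    rm -rf "$d"
}
demo
```

To add a user, run `make_entry alice "$(new_salt)" 'her password' >> /path/to/secrets` once and keep the file readable only by the account OpenVPN runs as. Note that OpenVPN 2.1 and later refuses to run external scripts at all unless the server config also contains `script-security 2`, so that line belongs next to the `auth-user-pass-verify` line in the extended server configuration.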

GoogleCodeExporter commented 9 years ago
Thanks for the answer.
Is this "/etc/openvpn/secrets" file the one used in PPTP and L2TP? I don't see 
it when connecting to the router via telnet.
Can I use the same pw/auth as in the other VPN servers?

Original comment by hatvanil...@gmail.com on 24 Feb 2014 at 12:27

GoogleCodeExporter commented 9 years ago
No, it is not. You should create it with any logic you want, but then you 
should modify a script, which is used to check auth.
For example, you can put it to: /etc/storage/openvpn/server/secrets.

'username-as-common-name' means that the username will be picked from the client public 
certificate, CN section.

Original comment by d...@soulblader.com on 24 Feb 2014 at 4:47