What's new

Openvpn server how to set password challenging

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Mistermoonlight

Regular Contributor
I have setup an autologin openvpn server on my router that is using tls with certificates to autolog with the openvpn laptop client.

The setup is working fine.

Now i want to add a password on the server so when the client connects, it does not complete without asking for a password 1st. The reason of this is that i want to install the client on a business computer and don't want that coworkers can log on my network from that station without knowing the password.

I want to use both the tls with certificates and the password (password is not enough because i don't want anybody guessing the password log to my server).

Where can i define that password in openvpn server in Rmerlin asus gui and is there something that i have to change for the client also to make things work?

Thanks
 
Why not password-protect your key instead? Will be more secure, and simpler to handle.

Use build-key-pass instead of build-key when generating your client key.
 
Ok

I finally figure out a way to do this on the server and report the info here in case it is usefull for someone else:

1- Create a script like this in a telnet session with the router:
echo '#!/bin/sh
user1="User1name"
pass1="User1psw"
test "$user1" = "${username}" && test "$pass1" = "${password}" && exit 0
exit 1' > /jffs/quickAuth.sh
chmod 755 /jffs/quickAuth.sh

2- Than enter these lines in the custom configuration section of the openvpn server section:

script-security 3
auth-user-pass-verify /jffs/quickAuth.sh via-env

3- Then in the openvpn client config file, i added this line:

auth-user-pass

4-So i have a tls config with certificates, added extra HMAC authorisation with static key and the password authorization so i am the only guy who could connect to the server from the client side. To login the client enter "User1name"/"User1psw" when prompted on the openvpn client side (windows laptop in my case)

Everything is working fine.. :)


RMerlin said:
Why not password-protect your key instead? Will be more secure, and simpler to handle.

Use build-key-pass instead of build-key when generating your client key.
RMerlin, what would be the difference if i password protect the key instead of this? And would be the config option for the openvpn gui to ask for the password (is it automatic when the key is password protected)?

Thanks
 
Last edited:
RMerlin, what would be the difference if i password protect the key instead of this? (protect the client key i guess?) and would be the config option for the openvpn gui to ask for the password (is it automatic when the key is password protected)?

Thanks

With a password-protected client key, you have zero changes to make to the server. You just need to generate client keys that are password-protected. That means before the OpenVPN client is able to use a key, it will ask the user for the password so the key can be decrypted, and used by the client. So, this adds an extra layer of security - by encrypting all client keys.

I never tested it myself so I can't give you the details on how the OpenVPN client prompts the password, but give it a try. It's a better (security and simplicity-wise) solution than having a two factor authentication at the router level.
 
With a password-protected client key, you have zero changes to make to the server. You just need to generate client keys that are password-protected. That means before the OpenVPN client is able to use a key, it will ask the user for the password so the key can be decrypted, and used by the client. So, this adds an extra layer of security - by encrypting all client keys.

I never tested it myself so I can't give you the details on how the OpenVPN client prompts the password, but give it a try. It's a better (security and simplicity-wise) solution than having a two factor authentication at the router level.

Ok I have changed the setup for an encrypted certificates as you suggested and remove the user/password authorization scheme on the server i described above.

As RMerlin has suggested, it is a much better solution has neither the server, neither the client has to be changed, only a different password protected certificate is used.

If the password protected certificate is generated on windows, you may have to follow info in the following because the "build-key-pass" bat file does not exist in my windows openvpn setup:

Create build-key-pass file under window

This process will ask first a passphrase at the beginning of certificate generation that would be used as your password.

Then, just use this new protected certificate with your openvpn configuration and it will do the trick. Under windows, once you try to open the vpn channel, it will ask you with a popup box the password you use to protect the certificate above.

This is better than the previous solution has:

- you don't have a user name to type, just a password
- you don 't have to setup user/password in text files on the router that could be compromised.
-You could easily generate new certificates with different passwords from your CA system, without the server/client having any info on these passwords and what they are.


Thanks RMerlin again
 
2 factor authentification

To have this password protection (vpn key) is a good idea, but much better would be to have a two factor authentification which is secured by google authenticate or others.
Have a look at this:
https://www.duosecurity.com/vpn

As you can see openVPN is supported in an easy way.
I did not find the time to check out...

But would it be possible to integrate this 2FA in the standard openVPN configuration without using entware, etc.?

Would honestly appreciate any hint ;-)
 
To have this password protection (vpn key) is a good idea, but much better would be to have a two factor authentification which is secured by google authenticate or others.
Have a look at this:
https://www.duosecurity.com/vpn

As you can see openVPN is supported in an easy way.
I did not find the time to check out...

But would it be possible to integrate this 2FA in the standard openVPN configuration without using entware, etc.?

Would honestly appreciate any hint ;-)

This is a commercial product, so I highly doubt there's any source code available.
 
Hi, yes you're right, it's a commercial product, but...

  • 10 users are free (so no worry about this part, for our aims it's more than enough)

So if it can be installed on JFSS (best option) or USB...
$ tar zxf duosecurity-duo_openvpn-c25ef04.tar.gz
$ cd duosecurity-duo_openvpn-c25ef04
$ make && sudo make install
... and will start during boot-up we can use it very easily by adding "plugin /opt/duo/duo_openvpn.so IKEY SKEY HOST" to the OpenVPN-Server Custom configuration...

Hope it will be possible (and NO, I am not working for this company)...
 
Last edited:
Hi, yes you're right, it's a commercial product, but...

  • 10 users are free (so no worry about this part, for our aims it's more than enough)

So if it can be installed on JFSS (best option) or USB...

... and will start during boot-up we can use it very easily by adding "plugin /opt/duo/duo_openvpn.so IKEY SKEY HOST" to the OpenVPN-Server Custom configuration...

Hope it will be possible (and NO, I am not working for this company)...

The plugin requires either Perl or Python, neither of which are available in the firmware.
 
To have this password protection (vpn key) is a good idea, but much better would be to have a two factor authentification which is secured by google authenticate or others.

Is this really useful (adding a layer of security that worths it) or a little on the paranoid side?


I have setting up openvpn server using tls certificates, using a protected certificate with strong password and also adding extra hmac security (by using an additionnal static key which must be sent from remote client to local server). Am i blind not seeing that this could be a not so secured server setup?
 
Two-factor authentication is something I'd expect on a large, corporate network. If you need that kind of protection for your home network, then you should't be using a home gateway but a high-end firewall from Sonicwall and the likes.
 
O.k. I am Consultant and need to have access to a Backup-HDD which is accessible via VPN. (and I do not want to use public cloud storage or a big server).
But this means beside the generated key (which you have to store somewhere on your device) to type in the passphrase (if configured).
2FA means you can be sure to have a second, independent level of security if you loose your device (let it be a Tablet or a Notebook) or protection against keylogger.
Security dosn't mean it will happen, it means to think before it will happen.

I am a single consultant/advisor not working in a big company (but for some bluechips etc.). Automatically backing up my Notebook via air to the @home device I want to be 100% sure. As you know and have probably read: The login-digits for the Iphone and as well for Android are easily to bypass. So the system is completely open (mobile device from my point of view are nowadays the most unsecure devices). This means you have no security anymore.

I am not paranoid, I want to be prepared - hope this will explain it.
And BTW: that's the reason why I am aksing about the instability of the USB-connected HDD...
 
Last edited:
But this means beside the generated key (which you have to store somewhere on your device) to type in the passphrase (if configured). As you know and have probably read: The login-digits for the Iphone and as well for Android are easily to bypass. So the system is completely open (mobile device from my point of view are nowadays the most unsecure devices). This means you have no security anymore.

I'm using openvpn with my iphone. Yes a certificate is stored on the iphone. By using a good passphrase for your openvpn certificate not stored on the iphone, if you are loosing your device, the time needed for the user to find the passphrase of your certificate, you will easily have time to change the certificates and security stuff on your openvpn server.

It's not like having hundred of users to check with a corporate network. You would have a couple of vpn users for your home network, easily to deal with lost device and so on...
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top