Create password for OpenVPN

I have OpenVPN running on my new install of 18.06.2 and it works great (thanks to those who wrote the guide) and I'd like to add a username/password, but I'm not sure how. I think I need to add -

auth-user-pass "/etc/openvpn/vpnserver.conf"

to /etc/openvpn/vpnclient.ovpn and then add the username/password in /etc/openvpn/vpnserver.conf but that's where I'm stuck, I'm not sure what lines I need in vpnserver.conf.

Should it be something like -

auth-password "my_password"

auth-username "my_username"

Or just -

my_username

my_password

Or should the username/password be created during installation rather than afterwards? If so, I'm assuming during this step, but I'm not sure what needs to be done.

Create a separate file that has the user name as the first line and the password as the second line. That should be the only contents of the file. Then put the full path to that file after auth-user-pass in the main config.

2 Likes

Thanks, that got it.

1 Like

auth-user-pass is a client-side option, which is required when the server side has auth-user-pass-verify.

1 Like

Hmm, the .ovpn file imported fine so I assumed there were no errors, but it's not connecting, here's what I added -

A file named userpass in /etc/openvpn with username first, password second (nothing else) and in vpnserver.conf I added -

auth-user-pass /etc/openvpn/userpass

I also tried removing auth-user-pass from /etc/openvpn/vpnserver.conf and adding auth-user-pass to the .ovpn file, but it just produces errors saying it can't be read when importing (permissions seem fine 0400).

edit - it connects fine when auth-user-pass is removed so I assume I'm doing something wrong when adding it, just not sure what, do I need to reinstall openvpn and in these two lines -

# Generate a keypair and sign locally for vpnserver
easyrsa --batch build-server-full vpnserver nopass
 
# Generate a keypair and sign locally for vpnclient
easyrsa --batch build-client-full vpnclient nopass

change nopass to auth-user-pass-verify and auth-user-pass respectively?

I'm not clear what your usage scenario is. Are you also running the OpenVPN server, or do you just need to set up a client to connect to a third party service?

OpenVPN will parse any and every file ending in .conf in the /etc/openvpn directory, which is usually not what you would want. There should be only one configuration file being loaded, especially if you have downloaded a suggested configuration from a commercial VPN service provider. Thus the convention to name the configuration file .ovpn, and not have any .conf files at all. Then point to the .ovpn file you want to use in /etc/config/openvpn.

1 Like

Implementing username/password authentication on the server side requires an external plugin or script, which you have to compile, write yourself or find somewhere and adapt for OpenWrt.
Actually, nobody uses it on their own server, because its security level is negligible compared to certificate-based authentication.

And private key password protection is entirely different from username/password authentication.
But most likely you don't need it either, because utilizing it leads to additional potential issues.

1 Like
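
For readers wondering what the server-side script mentioned above looks like, here is an added example (not code from this thread or from the OpenWrt guide) of an auth-user-pass-verify script for OpenVPN's via-file method. The script path, the users.db location and its "user:salt:hash" format are assumptions, and a single salted SHA-256 stands in for a proper slow password hash.

```shell
#!/bin/sh
# Added example: auth-user-pass-verify script for the "via-file" method.
# Server config lines that enable it (script path is an assumption):
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/verify.sh via-file
# OpenVPN calls the script with one argument: a temporary file holding the
# username on line 1 and the password on line 2. Exit 0 accepts the client,
# any other exit status rejects it.

# Hypothetical user database: one "user:salt:sha256hex(salt+password)" per line.
USER_DB="${USER_DB:-/etc/openvpn/users.db}"

hash_password() {  # $1=salt $2=password -> hex digest on stdout
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

verify_credentials() {  # $1=credentials file from OpenVPN, $2=user database
    [ -r "$1" ] && [ -r "$2" ] || return 1
    user=$(sed -n '1p' "$1")
    pass=$(sed -n '2p' "$1")
    # Reject empty fields and usernames containing characters outside a safe set
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    case "$user" in *[!A-Za-z0-9._-]*) return 1 ;; esac
    # Exact match on the first field, so "ali" never matches "alice"
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$2")
    [ -n "$entry" ] || return 1
    salt=$(printf '%s' "$entry" | cut -d: -f2)
    want=$(printf '%s' "$entry" | cut -d: -f3)
    [ "$(hash_password "$salt" "$pass")" = "$want" ]
}

# Act as the verify script only when OpenVPN passes the temp file path
if [ "$#" -eq 1 ]; then
    verify_credentials "$1" "$USER_DB"
    exit $?
fi
```

The client side then supplies the matching two-line file through auth-user-pass, in addition to its certificate.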

@mk24 Just running as a server to connect to when away from home, no commercial VPN.

@vgaetera Ahh thanks, in 18.06.1 I used the previous basic guide which was just copy/paste script, always meant to use the advanced guide so I could have a better understanding but obviously never got around to it, sorry for the confusion.
