OpenVPN with Username/Password authentication Ubuntu

Installing an OpenVPN server on Ubuntu with username and password authentication via the auth-pam plugin, and disabling SSH login for the VPN users.

Hi,

In this tutorial, I will document the process of installing OpenVPN on an Ubuntu 18.04 server and having it authenticate clients with a username and password.

Update OS

sudo apt-get update
sudo apt-get upgrade

Install OpenVPN and setup directories

sudo apt-get install -y openvpn openssl
sudo mkdir -p /etc/openvpn/server
sudo mkdir -p /var/log/openvpn
sudo cp /usr/share/doc/openvpn/examples/sample-keys/openssl.cnf /etc/openvpn/server/

Generate keys and certificates

Create a bash script (taken from a Medium article)

#!/bin/bash
# Place this in /etc/openvpn/server/generate-key.sh (the shebang must stay on the first line)
# Copyright © 2014 Steffan Karger <[email protected]>

if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" >&2
   exit 1
fi

set -eu

command -v openssl >/dev/null 2>&1 || { echo >&2 "Unable to find openssl. Please make sure openssl is installed and in your path."; exit 1; }

if [ ! -f openssl.cnf ]
then
	echo "Please run this script from the sample directory"
	exit 1
fi

# Generate static key for tls-auth (or static key mode)
openvpn --genkey --secret ta.key

# Create required directories and files
mkdir -p sample-ca
rm -f sample-ca/index.txt
touch sample-ca/index.txt
touch sample-ca/index.txt.attr
echo "01" > sample-ca/serial


# Generate CA key and cert
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \
	-extensions easyrsa_ca -keyout sample-ca/ca.key -out sample-ca/ca.crt \
	-subj "/C=VN/ST=SAIGON/L=SAIGON/O=OpenVPN-TEST/[email protected]" \
	-config openssl.cnf

# Create server key and cert
openssl req -new -nodes -config openssl.cnf -extensions server \
	-keyout sample-ca/server.key -out sample-ca/server.csr \
	-subj "/C=VN/ST=SAIGON/O=OpenVPN-TEST/CN=VPN-Server/[email protected]"

openssl ca -batch -config openssl.cnf -extensions server \
	-out sample-ca/server.crt -in sample-ca/server.csr

# Generate DH parameters
openssl dhparam -out dh2048.pem 2048

cp /etc/openvpn/server/dh2048.pem /etc/openvpn/
cp /etc/openvpn/server/sample-ca/server.crt /etc/openvpn/server/sample-ca/server.key /etc/openvpn/server/sample-ca/ca.crt /etc/openvpn/
cd /etc/openvpn/server/

sudo chmod +x generate-key.sh
sudo ./generate-key.sh

Create OpenVPN server configuration file

# Place this in /etc/openvpn/server.conf

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
client-cert-not-required
username-as-common-name
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/login
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3

You may have to change the plugin path (/usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so) depending on your OS and OpenVPN version. These are some paths where I have found it (I may update this list in the future):

Note that client-cert-not-required turns off client certificates entirely, so the PAM password is the only thing authenticating a client; give the accounts you create strong passwords. This directive is deprecated since OpenVPN 2.4 and was removed in 2.5, where verify-client-cert none replaces it.

/usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so
/usr/lib/openvpn/openvpn-plugin-auth-pam.so

Start OpenVPN service, configure it to autostart on boot and check its status

sudo systemctl start openvpn@server.service
sudo systemctl enable openvpn@server.service
sudo systemctl status openvpn@server.service

Enable IP forwarding and setup IPtables rules

# tee is used because with "sudo echo ... >> file" the redirection runs as your user, not root
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
# You may have to change eth0 to the name of your interface (see: ip link)
sudo iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -s 10.8.0.0/24 -o eth0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -o eth0 -j MASQUERADE

Make IPtables rules persistent (after reboots)

sudo apt-get install -y iptables-persistent
# again, pipe through tee: a plain ">" redirection would be opened by your unprivileged user
sudo iptables-save | sudo tee /etc/iptables/rules.v4

Phew! The server config is all done; let's add a new user and disable its SSH login. Repeat this process for each additional user. Keep in mind that sshd applies a DenyUsers line placed after a Match block only inside that block, so make sure the line ends up above any Match section, and run sudo sshd -t to validate the file before reloading.

sudo adduser saad
sudo passwd saad
# tee, not ">>": the redirection would otherwise run as your user and fail with "Permission denied"
echo "DenyUsers saad" | sudo tee -a /etc/ssh/sshd_config
sudo sshd -t && sudo systemctl reload sshd.service
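The DenyUsers step above appends to the end of sshd_config, which is fine on a stock file but breaks silently once a Match block exists below it. The helper below is an added example and not part of the original post: it assumes a POSIX shell with awk and mktemp, and either extends the first existing DenyUsers line (without duplicating a user) or inserts a new one above the first Match block.

```shell
# Added example: add a user to sshd's DenyUsers in a Match-safe, idempotent way.
# Usage: deny_ssh_user saad /etc/ssh/sshd_config && sshd -t && systemctl reload sshd
deny_ssh_user() {
  user="$1"
  cfg="${2:-/etc/ssh/sshd_config}"
  tmp="$(mktemp)" || return 1
  awk -v u="$user" '
    # first DenyUsers line: add the user unless it is already listed
    !done && $1 == "DenyUsers" {
      for (i = 2; i <= NF; i++) if ($i == u) done = 1
      if (!done) { $0 = $0 " " u; done = 1 }
    }
    # no DenyUsers seen yet: insert one before the first Match block,
    # because directives after "Match" only apply inside that block
    !done && $1 == "Match" { print "DenyUsers " u; done = 1 }
    { print }
    # no DenyUsers and no Match at all: appending is safe
    END { if (!done) print "DenyUsers " u }
  ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
  # overwrite in place so the file keeps its owner and mode
  cat "$tmp" > "$cfg"
  rm -f "$tmp"
}
```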

Copy the content of /etc/openvpn/ca.crt; you will need it for the client configuration file.

Client configuration file

client
nobind
dev tun
redirect-gateway def1
remote -- vpn server public ip here -- 1194 udp
comp-lzo yes
auth-user-pass
auth-nocache
remote-cert-tls server
<ca>
-- ca.crt content here --
</ca>
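Rather than pasting the CA certificate into the profile by hand, the client file above can be generated on the server. This is an added example, not code from the original post: it assumes a POSIX shell, takes the server's public IP or hostname, the path to ca.crt and an output path, and refuses to emit a profile whose <ca> block would be empty or not PEM.

```shell
# Added example: build the client .ovpn shown above from the server's CA file.
# Usage on the server: make_client_ovpn 203.0.113.10 /etc/openvpn/ca.crt saad.ovpn
make_client_ovpn() {
  server="$1"; ca="$2"; out="$3"
  [ -n "$server" ] || { echo "server address required" >&2; return 1; }
  # OpenVPN would reject a broken <ca> block at connect time; failing here is clearer
  [ -s "$ca" ] || { echo "CA file $ca is missing or empty" >&2; return 1; }
  grep -q 'BEGIN CERTIFICATE' "$ca" || { echo "$ca is not a PEM certificate" >&2; return 1; }
  {
    cat <<EOF
client
nobind
dev tun
redirect-gateway def1
remote $server 1194 udp
comp-lzo yes
auth-user-pass
auth-nocache
remote-cert-tls server
<ca>
EOF
    cat "$ca"
    # make sure </ca> lands on its own line even if ca.crt lacks a trailing newline
    [ -z "$(tail -c1 "$ca")" ] || echo
    echo "</ca>"
  } > "$out"
  # the CA is public, but the profile is handed to one user; keep it private anyway
  chmod 600 "$out"
}
```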

And that's it: you should now be able to connect to the OpenVPN server with the username (saad in this tutorial) and password.

Feel free to comment below if you run into any issues; I would love to help you out. If you want me to set everything up for you, feel free to contact me on Fiverr: https://www.fiverr.com/saad_3112/install-openvpn-on-your-server-and-help-you-to-use-it
