Solved

OpenVPN authentication using "user and password" or certificate

Posted on 2015-02-08
Last Modified: 2015-03-06
I need to authenticate some users on an OpenVPN server using "user and password" + certificate authentication, while some other users can be authenticated using certificates only, as they can't enter users and passwords.
What is the solution for that, while keeping authentication using passwords available for some users?
How can I add the user and password inside the OpenVPN client configuration file, not in an external file?
Question by:LizaMoly

Expert Comment

by:David Johnson, CD, MVP
You will probably need 2 VPN locations, one for each configuration.

Expert Comment

by:Qlemo
One way is to use different OpenVPN servers, e.g. with different ports.
You can do it with an authentication script running on the server side, checking the certificate and deciding whether to use auth-user-pass, but that is more complex (never done myself).
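The server-side script option mentioned in the comment above could look like the following on a single server. This is an added example, not code from the thread or from the OpenVPN project; it assumes the server sets `auth-user-pass-optional` and `auth-user-pass-verify ... via-file`, and the script path, CN names and sample password are constructed.

```python
#!/usr/bin/env python3
"""Added example: OpenVPN auth-user-pass-verify hook that decides per certificate CN.

Assumed server directives (script path is illustrative):
    script-security 2
    auth-user-pass-optional
    auth-user-pass-verify /etc/openvpn/verify.py via-file
"""
import hashlib
import hmac
import os
import sys

# Constructed sample policy; a real deployment would load it from a root-only file.
CERT_ONLY_CNS = {"ipphone-01", "ipphone-02"}  # devices that cannot send a password
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed value
ITERATIONS = 200_000
PASSWORD_USERS = {  # certificate CN -> PBKDF2-SHA256 hash of that user's password
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, ITERATIONS),
}


def decide(common_name, username, password):
    """Return True to accept the client, False to reject it."""
    if common_name in CERT_ONLY_CNS:
        return True  # allow-listed device: the certificate alone is enough
    expected = PASSWORD_USERS.get(common_name)
    if expected is None or username != common_name:
        return False  # unknown certificate, or login not bound to its own cert
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)
    return hmac.compare_digest(supplied, expected)


def read_credentials(path):
    """via-file format: username on line 1, password on line 2 (either may be empty)."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().split("\n") + ["", ""]
    return lines[0], lines[1]


def main(argv, env):
    """Exit status 0 tells OpenVPN to accept the client, 1 to reject it."""
    username, password = read_credentials(argv[1])
    return 0 if decide(env.get("common_name", ""), username, password) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv, os.environ))
```

Because the decision is keyed on the certificate CN, a client whose certificate is not on the cert-only list is rejected when it omits the password.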
 

Author Comment

by:LizaMoly
How can I connect two OpenVPN servers with each other?

Expert Comment

by:Qlemo
Why would you like or need to do that?
 

Author Comment

by:LizaMoly
I have some clients that cannot enter a user and password ("IP phones"), which support OpenVPN but do not support external files containing a username and password. They only accept certificate authentication. So what is the solution to keep handling some users who must be authenticated with user and password?
Is there any way to include the username and password inside the configuration file?
I'm now thinking of dedicating one server to authentication using certificates only, while the other server authenticates using username and password + certificates.
This is my situation. Any help?

Expert Comment

by:Qlemo
Reread http:#a40597092, that describes both options. You do not need to "connect two OpenVPN servers with each other", they are independent.

Author Comment

by:LizaMoly
Please, Qlemo, correct the link; it refers to this question.

Expert Comment

by:Qlemo
Exactly - this is intentional, hence the reread.
Probably two servers (OpenVPN processes) on the same machine, but using different ports, is the best option for you.

Author Comment

by:LizaMoly
How can I do that? How to run two OpenVPN processes?

Expert Comment

by:Qlemo
Like this:
rem Start two independent OpenVPN server processes, one per configuration file
pushd c:\Program Files\OpenVPN
path %PATH%;C:\Program Files\OpenVPN\bin;
start /min "OVPN Cert only" openvpn --config config\server-certonly.ovpn
start /min "OVPN auth" openvpn --config config\server-userpass.ovpn
popd

Each OVPN file contains the appropriate configuration commands.
You might even use two different folders for OpenVPN, to keep everything separated from each other, including CA certs. Keeping the certs different prevents users from deciding they do not need to authenticate, if they gain knowledge of how to do that.
 

Author Comment

by:LizaMoly
Thank you, Qlemo, for your help, but I use Linux, CentOS 6.5. I need the solution for Linux, not Windows.

Accepted Solution

by:Qlemo
Of course, sorry. But that doesn't change much. Just make sure you use the paths as needed, and start OpenVPN as a background job via &. For example:
/path/to/openvpn --config /path/to/config/server-cert.ovpn &
/path/to/openvpn --config /path/to/config/server-userpass.ovpn &

Don't know the location of binaries and data in Linux, but that should give you a start.

Expert Comment

by:Qlemo
Why a "B" grade?