Jan Just Keijser. OpenVPN 2 Cookbook (2011).pdf

Chapter 6

There's more...

Plugins are supported on Linux, Net/FreeBSD, and on Windows. The following script callbacks can be intercepted using a plugin:

up

down

route-up

ipchange

tls-verify

auth-user-pass-verify

client-connect

client-disconnect

learn-address

See also

The next recipe, Using the PAM authentication plugin, which explains how to use an OpenVPN plugin to authenticate remote VPN clients.

Using the PAM authentication plugin

A very useful plugin for OpenVPN is a plugin to validate a username using the Linux/UNIX PAM authentication system. PAM stands for Pluggable Authentication Modules and is a very modular system for allowing users access to system resources. It is used by most modern Linux and UNIX variants, offering a very flexible and extendible system for authenticating and authorizing users. In this recipe, we will use the PAM authentication plugin as a replacement of an auth-user-pass-verify script to validate a remote user's credentials against the system PAM configuration.

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. The client was running Windows 2000 and OpenVPN 2.1.1.

Scripting and Plugins

How to do it...

1. Create the server configuration file:

proto udp
port 1194
dev tun
server 192.168.200.0 255.255.255.0
ca   /etc/openvpn/cookbook/ca.crt
cert /etc/openvpn/cookbook/server.crt
key  /etc/openvpn/cookbook/server.key
dh   /etc/openvpn/cookbook/dh1024.pem
tls-auth /etc/openvpn/cookbook/ta.key 0
persist-key
persist-tun
keepalive 10 60
topology subnet
user nobody
group nobody  # nogroup on some distros
daemon
log-append /var/log/openvpn.log
verb 5
suppress-timestamps
plugin /etc/openvpn/cookbook/openvpn-auth-pam.so "login login USERNAME password PASSWORD"

Note that the last line of the server configuration file is a single line. Save it as example6-10-server.conf.

2. Start the OpenVPN server:

[root@server]# openvpn --config example6-10-server.conf

The server log file will now show:

AUTH-PAM: BACKGROUND: INIT service='login'
PLUGIN_INIT: POST /etc/openvpn/cookbook/openvpn-auth-pam.so '[/etc/openvpn/cookbook/openvpn-auth-pam.so] [login] [login] [USERNAME] [password] [PASSWORD]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY

This indicates that the PAM plugin successfully initialized in the background.

3. Next, create the client configuration file:

client
proto udp
remote openvpnserver.example.com
port 1194
dev tun
nobind
ca   "c:/program files/openvpn/config/ca.crt"
cert "c:/program files/openvpn/config/client1.crt"
key  "c:/program files/openvpn/config/client1.key"
tls-auth "c:/program files/openvpn/config/ta.key" 1
auth-user-pass

Save it as example6-10.ovpn.

4. Start the OpenVPN client. The OpenVPN GUI on Windows will first prompt for the Auth username and password:

On the server used in this recipe, a special user cookbook was created. After typing in the username and password, the connection to the server is successfully established. The OpenVPN server log shows:

AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: cookbook

AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2

AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'

AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1

AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'

openvpnclient:50887 PLUGIN_CALL: POST /etc/openvpn/cookbook/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0

openvpnclient:50887 TLS: Username/Password authentication succeeded for username 'cookbook'

This shows that the user was successfully authenticated using PAM.

How it works...

The PAM authentication plugin intercepts the auth-user-pass-verify callback. When the OpenVPN client connects and passes along the username and password, the plugin wakes up. It queries the PAM subsystem by looking at the "login" module (this is the first parameter for the openvpn-auth-pam.so file). The other parameters are used by the auth-pam plugin to know which input to expect from the PAM subsystem:

login USERNAME password PASSWORD

The PAM "login" subsystem will ask for the username by presenting the prompt "login" and will ask for the password by presenting the prompt "password". The auth-pam plugin uses this information to know where to fill in the username (USERNAME) and password (PASSWORD).

After the user has been successfully authenticated by the PAM subsystem, the connection is established.
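As an added illustration (not code from the book and not the plugin's own source), the following Python models how the argument string of the plugin line is split into a PAM service plus name/value pairs, and how each PAM prompt is matched against those names to produce an answer. The case-insensitive prefix-matching rule and the COMMONNAME placeholder are assumptions about the real plugin; the prompts used are the ones shown in the server log above.

```python
import shlex

# Placeholders the plugin fills in from the connecting client (assumed set;
# the recipe itself only shows USERNAME and PASSWORD).
PLACEHOLDERS = ("USERNAME", "PASSWORD", "COMMONNAME")


def parse_plugin_args(argument_string):
    """Split the quoted argument string of the ``plugin`` line into the PAM
    service name and a list of (prompt-name, response) pairs.

    Returns None when a name has no response, since such a prompt could never
    be answered and every login would fail."""
    words = shlex.split(argument_string)
    if len(words) < 3 or len(words) % 2 == 0:
        return None
    service, rest = words[0], words[1:]
    return service, list(zip(rest[0::2], rest[1::2]))


def name_value_match(query, match):
    """Assumed matching rule: skip leading non-alphanumerics in the PAM
    prompt, then compare case-insensitively on the length of the name, so
    'login:' matches 'login' and 'Password: ' matches 'password'."""
    i = 0
    while i < len(query) and not query[i].isalnum():
        i += 1
    return query[i:].lower().startswith(match.lower())


def answer_prompt(pairs, query, username, password, common_name=""):
    """Response handed back to PAM for one prompt, or None when no configured
    name matches (PAM then gets no answer and authentication fails)."""
    client_data = dict(zip(PLACEHOLDERS, (username, password, common_name)))
    for name, value in pairs:
        if name_value_match(query, name):
            # A value that is not a placeholder is passed to PAM literally.
            return client_data.get(value, value)
    return None


def run_conversation(argument_string, prompts, username, password):
    """Answer every prompt of a PAM conversation; None marks an unanswered one."""
    parsed = parse_plugin_args(argument_string)
    if parsed is None:
        return None
    _service, pairs = parsed
    return [answer_prompt(pairs, q, username, password) for q in prompts]
```

A PAM stack that adds a prompt not covered by a configured name (a one-time code, for instance) gets no answer from the plugin, which is why the pairs on the plugin line must mirror the prompts of the chosen service.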

There's more...

It would also have been possible to authenticate a user using an 'auth-user-pass-verify' script, which queries the PAM subsystem. There are two major advantages to using the PAM plugin for this:

It is not required to use the 'script-security' directive at all.

The plugin method is much faster and far more scalable. When many users try to connect to the OpenVPN server at the same time, the VPN performance would be greatly affected when using an auth-user-pass-verify script, as for each connecting user a separate process needs to be started, during which OpenVPN's main thread is stalled.

See also

The previous recipe, Using the 'down-root' plugin, in which the basics of using OpenVPN plugins are explained.
