I’m going to show you here how to set up an OpenVPN server and client to use PAM password authentication (without client certificates). I’ve seen a number of posts on the web on how to do this, but I’ve disliked most of them (some for their non-standard Unix setup and others because they were needlessly complicated as tutorials).

Why Would You Want To Do This?

It’s true that certificate authentication has its merits and many would argue that it’s the better option (the OpenVPN project certainly does):

  • Certificates are cryptographically stronger and typically far more random than anything a human can choose and remember
  • Certificates do not suffer from users reusing passwords
  • Certificates do not rely on the user’s (frequently faulty) memory

But there are a number of advantages to passwords:

  • Passwords are not easily left on a train when the user forgets their laptop or phone
  • Passwords are much cheaper to administer especially when there’s the option of single sign on
  • Passwords are very easy to revoke (CRLs have never been a great solution IMHO)
  • User/Passwords allow for proper user management where certificates (alone) do not (at least not the way OpenVPN uses certificates)

Here’s How

If you already have an OpenVPN server set up, here are the few simple changes you need:

  1. Serverside – Set up PAM configuration for OpenVPN.
    On the command line copy /etc/pam.d/other to /etc/pam.d/openvpn:

    cp /etc/pam.d/other /etc/pam.d/openvpn
  2. Serverside – Switch from client cert to User / Password
    Add the following lines to your OpenVPN server configuration file:

    # Enable user / password with PAM
    plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
    # Disable client certificates
    client-cert-not-required

    It is important that the third argument (openvpn) matches the name we gave the configuration file in step 1.

  3. Clientside – Switch from client cert to User / Password in the client config
    Add the following to the client configuration:

    auth-user-pass

    If your client configuration is already set up for client certificates then you should remove any references such as:

    cert client.crt
    key client.key
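
As an added example that is not part of the original post, here is a small POSIX shell script that applies the three steps above to paths you pass in and checks the one thing the post says must match: the PAM service name on the plugin line and the file name under /etc/pam.d. It is my code, not OpenVPN's; the function names, the scratch-directory demo and its sample file contents are constructed, and the plugin path is the Debian/Ubuntu one quoted in step 2.

```shell
#!/bin/sh
# Added example, not code from the original post: applies the server-side
# steps above to paths given as arguments and checks the wiring the post
# stresses, that the PAM service name on the plugin line matches a file in
# the PAM directory. The default plugin path is the Debian/Ubuntu one from step 2.

# setup_pam_service PAMDIR NAME -> step 1: copy PAMDIR/other to PAMDIR/NAME
setup_pam_service() {
    pamdir=$1; name=$2
    if [ ! -f "$pamdir/$name" ]; then
        cp "$pamdir/other" "$pamdir/$name" || return 1
    fi
    return 0
}

# enable_pam_auth CONF NAME [PLUGIN] -> step 2: append the two directives, once
enable_pam_auth() {
    conf=$1; name=$2; plugin=${3:-/usr/lib/openvpn/openvpn-plugin-auth-pam.so}
    if grep -q '^plugin .*openvpn-plugin-auth-pam' "$conf"; then
        return 0                      # already enabled, leave the file alone
    fi
    printf '%s\n' \
        '# Enable user / password with PAM' \
        "plugin $plugin $name" \
        '# Disable client certificates' \
        'client-cert-not-required' >> "$conf"
}

# pam_service_name CONF -> prints the third word of the auth-pam plugin line
pam_service_name() {
    awk '$1 == "plugin" && $2 ~ /openvpn-plugin-auth-pam/ { print $3; exit }' "$1"
}

# check_pam_wiring CONF PAMDIR -> 0 only if the named PAM service file exists
# and has at least one rule other than pam_deny.so (a file made of nothing but
# pam_deny.so lines, or with no rules at all, refuses every login)
check_pam_wiring() {
    conf=$1; pamdir=$2
    svc=$(pam_service_name "$conf")
    [ -n "$svc" ] || { echo "$conf: no auth-pam plugin line" >&2; return 1; }
    [ -f "$pamdir/$svc" ] || {
        echo "$conf names PAM service '$svc' but $pamdir/$svc does not exist" >&2
        return 1
    }
    if ! grep -Ev '^[[:space:]]*(#|$)' "$pamdir/$svc" | grep -qv 'pam_deny\.so'; then
        echo "$pamdir/$svc has no rule other than pam_deny.so" >&2
        return 1
    fi
    return 0
}

# check_client_conf CONF -> step 3: auth-user-pass present, cert/key lines gone
check_client_conf() {
    grep -q '^auth-user-pass' "$1" || { echo "$1: missing auth-user-pass" >&2; return 1; }
    if grep -Eq '^(cert|key)[[:space:]]' "$1"; then
        echo "$1: still references a client certificate or key" >&2
        return 1
    fi
    return 0
}

# Demonstration on a constructed scratch tree; the real /etc is never touched.
demo() {
    tmp=$(mktemp -d); scratch_pam=$tmp/pam.d; sconf=$tmp/server.conf
    mkdir "$scratch_pam"
    # Constructed stand-ins for /etc/pam.d/other and an existing server config.
    printf '@include common-auth\n@include common-account\n' > "$scratch_pam/other"
    printf 'port 1194\nproto udp\ndev tun\n' > "$sconf"
    setup_pam_service "$scratch_pam" openvpn
    enable_pam_auth "$sconf" openvpn
    check_pam_wiring "$sconf" "$scratch_pam" && echo "ok: $sconf -> $scratch_pam/openvpn"
    # The typo the post warns about: 'oepnvpn' on the plugin line, no such PAM file.
    printf 'plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so oepnvpn\n' > "$tmp/typo.conf"
    check_pam_wiring "$tmp/typo.conf" "$scratch_pam" || echo "mismatch caught"
    rm -rf "$tmp"
}
demo
```

Against a real server you would run, as root, `setup_pam_service /etc/pam.d openvpn`, then `enable_pam_auth /etc/openvpn/server.conf openvpn` and `check_pam_wiring /etc/openvpn/server.conf /etc/pam.d` (the server.conf path is an assumption; use whatever file your OpenVPN service loads). The pam_deny.so check is there because Red Hat-family systems ship an /etc/pam.d/other that denies everything rather than the include-based default the demo mimics, so a blind copy of `other` there produces a service that refuses every login. OpenVPN 2.4 and later spell `client-cert-not-required` as `verify-client-cert none`; the script writes the directive the post uses.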