Login / Password authentication, using static key ?

Post by dsant » Tue Feb 01, 2011 6:20 pm

Is it possible to use Login / Password user authentication, AND static pre-shared key ?

Code:

#Server
ifconfig 192.168.0.1 192.168.0.2
secret "/openvpn/static.key"
dev tun
proto udp
float
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login


#Client
remote host.mydomain.com
ifconfig 192.168.0.2 192.168.0.1
secret "/openvpn/static.key"
dev tun
proto udp
float
--auth-user-pass "/openvpn/password.txt"

Last edited by dsant on Wed Feb 02, 2011 6:15 pm, edited 2 times in total.

Post by maikcat » Wed Feb 02, 2011 7:31 am

Hi there,

AFAIK yes...

Better to use certificates though...

PS: why do you use float inside the server config?


cheers,

michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

Post by dsant » Wed Feb 02, 2011 10:40 am

:D !
Could you tell me what's wrong in my configuration?

(I had to use "float" because of the router: Zyxel, never again!)

Post by maikcat » Wed Feb 02, 2011 10:47 am

Hi dsant,

Zyxel routers are OK... I have many OpenVPN setups behind different Zyxels and all work fine. What problem do you have?


cheers,

michael

Post by dsant » Wed Feb 02, 2011 10:58 am

Well Michael... your conf uses certificates (ca keys/ca.crt...) :(. I was saying I want to use only static pre-shared keys AND login/password authentication.


(the Zyxel did not ask for login, only password. So incomplete web configuration page. Now I know)

Post by maikcat » Wed Feb 02, 2011 11:05 am

I answered quickly and then I edited my post; that's why you saw the configs...

Anyway, your original config

ifconfig 192.168.0.1 192.168.0.2
secret "/openvpn/static.key"
dev tun
proto udp
float
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login

is fine (I would remove the float statement though).

Question:
>(the Zyxel did not ask for login, only password. So incomplete web configuration page. Now I know)
I believe you are talking about the login process on the Zyxel itself, right?
What does this have to do with OpenVPN?

michael.

Post by janjust » Wed Feb 02, 2011 11:13 am

Logins with static keys are NOT possible right now.
You can configure a server to use the PAM plugin (pretty much like you did) but the client cannot be configured:

Code:

# openvpn --proto udp --port 1194 --remote ... \
  --ifconfig 192.168.222.2 192.168.222.1 \
  --auth-user-pass --dev tun
Options error: --auth-user-pass requires --pull
Use --help for more information.

Next attempt:

Code:

# openvpn --proto udp --port 1194 --remote ... \
  --ifconfig 192.168.222.2 192.168.222.1 \
  --auth-user-pass --dev tun --pull
Options error: Parameter --pull can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
Use --help for more information.

But 'tls-server' is incompatible with 'secret', so you're stuck.
The best you can achieve is:

- use a regular 'server' setup
- generate a CA cert and server cert
- don't use a client certificate and specify 'client-cert-not-required' on the server side.

HTH,

JJK
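
The TLS-mode fallback described in the post above, written out as a server and client config pair. This is an added example, not part of the original thread; the certificate paths, the 10.8.0.0/24 subnet, and the `username-as-common-name` and `remote-cert-tls server` lines are assumptions added for illustration.

```conf
# ---------- server.conf (TLS mode; constructed example) ----------
port 1194
proto udp
dev tun
# 'server' puts OpenVPN in TLS server mode, which 'secret' cannot coexist with.
# The subnet is an assumption.
server 10.8.0.0 255.255.255.0
# CA and server certificate, as in the list above (paths are placeholders).
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
# Username/password check through PAM: same plugin line as the original post.
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
# Clients present no certificate; the password is then the only client credential.
# On OpenVPN 2.4 and later this option is spelled: verify-client-cert none
client-cert-not-required
# Assumption: identify each session by its login name instead of a cert CN.
username-as-common-name

# ---------- client.conf ----------
# 'client' expands to 'pull' plus 'tls-client', which satisfies both
# "Options error" messages quoted in the post above.
client
remote host.mydomain.com 1194
proto udp
dev tun
# The client still authenticates the server, so the CA file is required here.
ca /openvpn/ca.crt
# Assumption: reject peers whose certificate is not marked for server use.
remote-cert-tls server
# File holds the username on line 1 and the password on line 2, in clear text;
# keep it readable by the OpenVPN user only.
auth-user-pass /openvpn/password.txt
```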
