Multiple users/passwords?
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVPN User
- Posts: 32
- Joined: Fri Apr 30, 2021 1:42 am
Multiple users/passwords?
I'm starting to think it's probably important for each of my users to have separate usernames and passwords to log into the OpenVPN server. After all, if someone leaves my team, I don't want them having VPN access and don't want this being distributed since it seems like this file can work for everyone.
I see how to do the auth-verify but I am trying to figure out how to do this so that I can create a login for each user. It's not that scalable to create different ovpn files for each person. And if I just add auth-user-pass without a username and password, then the server doesn't let them log in.
How do I create usernames/passwords on the server side that I can freely delete to remove potential security risk? With PAM, does that mean they need an account on my system? But they could still freely distribute the .ovpn, no?
Sorry if it's a dumb question - I've reviewed the information but I can't figure it out.
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: Multiple users/passwords?
Hi tamar,

tamar wrote: ↑Fri Jul 29, 2022 1:30 am
> I'm starting to think it's probably important for each of my users to have separate usernames and passwords to log into the OpenVPN server. After all, if someone leaves my team, I don't want them having VPN access and don't want this being distributed since it seems like this file can work for everyone.
"[T]his file can work for everyone" means YDIW, going against the HOWTO and recommended defaults, such as --duplicate-cn. If you set that option, don't. Only issue distinct profiles (including certificates and keys if you are generating those) per user. No two users should have the same certificate and key. And any user wanting to connect on multiple devices should have a separate key and certificate per device.
"Not that scalable," why not? You have to. It can be scripted. Our commercial solutions do exactly that.

tamar wrote: ↑Fri Jul 29, 2022 1:30 am
> I see how to do the auth-verify but I am trying to figure out how to do this so that I can create a login for each user. It's not that scalable to create different ovpn files for each person. And if I just add auth-user-pass without a username and password, then the server doesn't let them log in.
For --auth-user-pass there has to be an authentication backend. See "Using alternative authentication methods" for more details.
System user authentication is indeed an option. If users deliberately misbehave and redistribute their VPN profile, that's a Layer 8 (political) problem which should be dealt with with appropriate action.
Until you scale the certificate/key generation as necessary, you have a far less secure VPN than it could have been. With unique keys and certificates (and commonNames) per user, you have two other options for securing against cancelled users. The OpenSSL way is to generate a Certificate Revocation List (CRL), and check that using --crl-verify.
But openvpn also provides a simple means of server-side security: --ccd-exclusive. A client can only authenticate successfully if there is a file with their certificate's commonName in the --client-config-dir. It can be an empty file, or it can do other things specific to that client. But if YDIW as indicated from the start, these choices won't work for you.
Yes, there are others who have also insisted on Doing It Wrong. I don't want to help people do that.
regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
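As an added example (not code from this thread, from OpenVPN or from Easy-RSA), a small POSIX shell helper for the --ccd-exclusive approach rob0 describes: it creates or removes the commonName file in the --client-config-dir so a departed user is refused at the next handshake, and calls Easy-RSA revoke/gen-crl when easyrsa is on PATH. The directory paths, EASYRSA_DIR and the user names are assumptions.

```shell
#!/bin/sh
# Per-user access control for an OpenVPN server configured with
#   client-config-dir /etc/openvpn/ccd
#   ccd-exclusive
#   crl-verify /etc/openvpn/crl.pem
# (real OpenVPN options; the paths are placeholders). With ccd-exclusive, a client
# whose certificate CN has no file in the ccd dir is refused, so removing that file
# disables the user even if the .ovpn profile was copied around. Revoking the
# certificate and regenerating the CRL is the stronger second step.
set -eu

CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"   # override for testing

# Refuse CNs that could escape the directory or hide as dotfiles.
valid_cn() {
    case "$1" in
        ''|*/*|.*|*' '*) return 1 ;;
    esac
    return 0
}

# Onboard: an empty file named after the CN is enough to allow the connection.
grant_user() {
    valid_cn "$1" || { echo "invalid CN: $1" >&2; return 1; }
    : > "$CCD_DIR/$1"
}

# Offboard: remove the CN's file so --ccd-exclusive rejects the next handshake,
# then revoke with Easy-RSA if it is installed (EASYRSA_DIR is a placeholder).
revoke_user() {
    valid_cn "$1" || { echo "invalid CN: $1" >&2; return 1; }
    rm -f "$CCD_DIR/$1"
    if command -v easyrsa >/dev/null 2>&1 && [ -n "${EASYRSA_DIR:-}" ]; then
        (cd "$EASYRSA_DIR" && easyrsa --batch revoke "$1" && easyrsa gen-crl)
    fi
}

# Mirror of the server's ccd-exclusive decision: allowed only if the CN's file exists.
is_allowed() {
    valid_cn "$1" && [ -f "$CCD_DIR/$1" ]
}
```

After revoking, copy the regenerated crl.pem to the path named in crl-verify; OpenVPN re-reads it for each new connection.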
-
- OpenVPN User
- Posts: 32
- Joined: Fri Apr 30, 2021 1:42 am
Re: Multiple users/passwords?
I'm pretty sure I replied to this, but I didn't see it anywhere.
So TIL that you can't use the same file for everyone. I guess I will delete the certificate files and start anew; doesn't seem like a bad idea.
Is there a step-by-step guide that's easy to understand that can explain the details of giving everyone their own credentials? I was trying to find that out last night as I asked this question but nothing out there seems particularly straightforward.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVPN User
- Posts: 32
- Joined: Fri Apr 30, 2021 1:42 am
Re: Multiple users/passwords?
I'm not your average sysadmin, I guess. I'm a mom who likes to tinker with stuff and have been using OpenVPN to help some freelancing friends get stuff situated. The OpenVPN server is in my basement (and yes I built it). So yeah, that's why, perhaps. The only Linux I admin these days is OpenVPN every so often when I need to get stuff back up and running.
Thanks.
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: Multiple users/passwords?
Hi tamar,
For a very easy to admin VPN, I can recommend our commercial resources, OpenVPN Access Server and OpenVPN Cloud.
These are charged per concurrent connection. If you can keep it 2 or fewer at a time, there is no charge for Access Server. (For Cloud, 3, but one of those is a connector, which is usually necessary to make a VPN do useful things.) If you need more connections and can come up with the funding, Access Server can really make your life easier.
That said, we're not here for sales; we support our community project. Thanks to Tin for the information about Easy-RSA/TLS. If you like to tinker you'll find it to be easy and straightforward. (And people who like to tinker are the ones who make the best sysadmins!)
regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
-
- OpenVPN User
- Posts: 32
- Joined: Fri Apr 30, 2021 1:42 am
Re: Multiple users/passwords?
Great, thank you.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Multiple users/passwords?
openvpn_inc wrote: ↑Fri Jul 29, 2022 9:23 pm
> people who like to tinker are the ones who make the best sysadmins

Do what? That is absolute nonsense.