Multiple users/passwords?

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
tamar
OpenVPN User
Posts: 32
Joined: Fri Apr 30, 2021 1:42 am

Multiple users/passwords?

Post by tamar » Fri Jul 29, 2022 1:30 am

I'm starting to think it's probably important for each of my users to have separate usernames and passwords to log into the OpenVPN server. After all, if someone leaves my team, I don't want them having VPN access and don't want this being distributed since it seems like this file can work for everyone.

I see how to do the auth-verify but I am trying to figure out how to do this so that I can create a login for each user. It's not that scalable to create different ovpn files for each person. And if I just add auth-user-pass without a username and password, then the server doesn't let them log in.

How do I create usernames/passwords on the server side that I can freely delete to remove potential security risk? With PAM, does that mean they need an account on my system? But they could still freely distribute the .ovpn, no?

Sorry if it's a dumb question - I've reviewed the information but I can't figure it out.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Multiple users/passwords?

Post by openvpn_inc » Fri Jul 29, 2022 2:04 pm

tamar wrote:
Fri Jul 29, 2022 1:30 am
I'm starting to think it's probably important for each of my users to have separate usernames and passwords to log into the OpenVPN server. After all, if someone leaves my team, I don't want them having VPN access and don't want this being distributed since it seems like this file can work for everyone.
Hi tamar,

"[T]his file can work for everyone" means YDIW, going against the HOWTO and recommended defaults, such as --duplicate-cn. If you set that option, don't. Only issue distinct profiles (including certificates and keys if you are generating those) per user. No two users should have the same certificate and key. And any user wanting to connect on multiple devices should have a separate key and certificate per device.
tamar wrote:
Fri Jul 29, 2022 1:30 am
I see how to do the auth-verify but I am trying to figure out how to do this so that I can create a login for each user. It's not that scalable to create different ovpn files for each person. And if I just add auth-user-pass without a username and password, then the server doesn't let them log in.
"Not that scalable," why not? You have to. It can be scripted. Our commercial solutions do exactly that.

For --auth-user-pass there has to be an authentication backend. See "Using alternative authentication methods" for more details.
tamar wrote:
Fri Jul 29, 2022 1:30 am
How do I create usernames/passwords on the server side that I can freely delete to remove potential security risk? With PAM, does that mean they need an account on my system? But they could still freely distribute the .ovpn, no?
System user authentication is indeed an option. If users deliberately misbehave and redistribute their VPN profile, that's a Layer 8 (political) problem which should be dealt with with appropriate action.

Until you scale the certificate/key generation as necessary, you have a far less secure VPN than it could have been. With unique keys and certificates (and commonNames) per user, you have two other options for securing against cancelled users. The OpenSSL way is to generate a Certificate Revocation List (CRL), and check that using --crl-verify.

But openvpn also provides a simple means of server-side security: --ccd-exclusive. A client can only authenticate successfully if there is a file with their certificate's commonName in the --client-config-dir. It can be an empty file, or it can do other things specific to that client. But if YDIW as indicated from the start, these choices won't work for you.

Yes, there are others who have also insisted on Doing It Wrong. I don't want to help people do that.

regards, rob0
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

tamar
OpenVPN User
Posts: 32
Joined: Fri Apr 30, 2021 1:42 am

Re: Multiple users/passwords?

Post by tamar » Fri Jul 29, 2022 6:49 pm

I'm pretty sure I replied to this, but I didn't see it anywhere.

So TIL that you can't use the same file for everyone. 🤦🏻‍♀️ I guess I will delete the certificate files and start anew; doesn't seem like a bad idea.

Is there a step-by-step guide that's easy to understand that can explain the details of giving everyone their own credentials? I was trying to find that out last night as I asked this question, but nothing out there seems particularly straightforward.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Multiple users/passwords?

Post by TinCanTech » Fri Jul 29, 2022 7:02 pm

Use Easy-RSA to build your PKI, it is really quite simple.
  • Manually edit 'vars' file to your preferred settings
  • ./easyrsa init-pki
  • ./easyrsa build-ca
  • ./easyrsa build-server-full name
  • etc.
Use Easy-TLS to build TLS keys.
  • ./easytls init
  • ./easytls build
How hard can that be .. ?
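An added example, not code from any poster in this thread: a POSIX sh script that follows on from the Easy-RSA steps above and from rob0's points that per-user profile generation "can be scripted" and that --ccd-exclusive gates clients by their certificate's commonName. It assumes the Easy-RSA 3 default layout (pki/ca.crt, pki/issued/<user>.crt, pki/private/<user>.key); the server address, port and the client options in the template are placeholders to adjust.

```shell
#!/bin/sh
# Build one client profile per user from an Easy-RSA 3 PKI, so each user gets
# their own certificate and key instead of everyone sharing one .ovpn.
# Assumed layout (Easy-RSA defaults): $pki/ca.crt, $pki/issued/<user>.crt,
# $pki/private/<user>.key. Server address/port and client options are placeholders.
set -eu

# Print only the PEM block of a file: Easy-RSA prepends a human-readable text
# dump to issued .crt files, which has no place in a profile.
pem_block() {
    sed -n "/-----BEGIN $2-----/,/-----END $2-----/p" "$1"
}

# make_profile USER PKI_DIR SERVER_ADDR OUT_DIR -> writes OUT_DIR/USER.ovpn
make_profile() {
    user=$1; pki=$2; server=$3; out=$4
    crt="$pki/issued/$user.crt"; key="$pki/private/$user.key"
    # Refuse to build a profile for a user whose cert/key were never issued
    # (so a typo in the name cannot silently hand out someone else's key).
    [ -f "$crt" ] && [ -f "$key" ] || { echo "no cert/key for '$user'" >&2; return 1; }
    mkdir -p "$out"
    {
        printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$server"
        printf 'nobind\npersist-key\npersist-tun\nremote-cert-tls server\nverb 3\n'
        printf '<ca>\n';   pem_block "$pki/ca.crt" CERTIFICATE; printf '</ca>\n'
        printf '<cert>\n'; pem_block "$crt" CERTIFICATE;        printf '</cert>\n'
        printf '<key>\n';  cat "$key";                          printf '</key>\n'
    } > "$out/$user.ovpn"
    chmod 600 "$out/$user.ovpn"   # the profile embeds a private key
}

# ccd_allow / ccd_revoke USER CCD_DIR: with --ccd-exclusive on the server, a
# client can only authenticate if a file named after its commonName exists in
# --client-config-dir. Removing that file locks the user out of new connections
# without having to regenerate a CRL (revoking the cert is still good practice).
ccd_allow()  { mkdir -p "$2"; : > "$2/$1"; }
ccd_revoke() { rm -f "$2/$1"; }
```

Run as `make_profile alice /etc/openvpn/easy-rsa/pki vpn.example.com ./profiles` after `./easyrsa build-client-full alice nopass`, and pair it with `ccd_allow alice /etc/openvpn/ccd` on the server.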

tamar
OpenVPN User
Posts: 32
Joined: Fri Apr 30, 2021 1:42 am

Re: Multiple users/passwords?

Post by tamar » Fri Jul 29, 2022 8:25 pm

I'm not your average sysadmin, I guess. I'm a mom who likes to tinker with stuff, and I have been using OpenVPN to help some freelancing friends get stuff situated. The OpenVPN server is in my basement (and yes, I built it). So yeah, that's why, perhaps. The only Linux I admin these days is OpenVPN every so often when I need to get stuff back up and running. 🙃

Thanks.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Multiple users/passwords?

Post by openvpn_inc » Fri Jul 29, 2022 9:23 pm

Hi tamar,

For a very easy to admin VPN, I can recommend our commercial resources, OpenVPN Access Server and OpenVPN Cloud.

These are charged per concurrent connection. If you can keep it 2 or fewer at a time, there is no charge for Access Server. (For Cloud, 3, but one of those is a connector, which is usually necessary to make a VPN do useful things.) If you need more connections and can come up with the funding, Access Server can really make your life easier.

That said, we're not here for sales; we support our community project. Thanks to Tin for the information about Easy-RSA/TLS. If you like to tinker you'll find it to be easy and straightforward. (And people who like to tinker are the ones who make the best sysadmins!)

regards, rob0

tamar
OpenVPN User
Posts: 32
Joined: Fri Apr 30, 2021 1:42 am

Re: Multiple users/passwords?

Post by tamar » Fri Jul 29, 2022 9:25 pm

Great, thank you.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Multiple users/passwords?

Post by TinCanTech » Fri Jul 29, 2022 10:54 pm

openvpn_inc wrote:
Fri Jul 29, 2022 9:23 pm
people who like to tinker are the ones who make the best sysadmins
Do what ? That is absolute nonsense.
