Sunday, January 3, 2010

OpenVPN with pam_mysql username/password authentication

Here's how I set up OpenVPN with pam_mysql using only username/password authentication (insecure, but really easy on the admin side :P).  The target platform is Ubuntu Jaunty.  For starters, you'll need the following installed:
  • openvpn
  • mysql - server installed and running
Get the latest version of pam_mysql from http://pam-mysql.sourceforge.net/ and untar it into a working directory.  The latest version as of writing this article is 0.7RC1.  The pam_mysql package in Jaunty is broken, so you'll need to patch its Makefile.in with the following patch (thanks to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=418500#50):
--- Makefile.in.chold   2008-07-14 10:25:53.000000000 +0200
+++ Makefile.in 2008-07-14 10:26:06.000000000 +0200
@@ -110,7 +110,7 @@
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
 LIBS = @LIBS@
-pam_mysql_la_LIBADD =
+pam_mysql_la_LIBADD = -lpam
 pam_mysql_la_OBJECTS =  pam_mysql.lo
 CFLAGS = @CFLAGS@
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
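Review bot: the hunk adds -lpam to pam_mysql_la_LIBADD in Makefile.in, which is a generated file, so any later automake/autoreconf run regenerates it and silently drops the link flag; the durable fix is the same `pam_mysql_la_LIBADD = -lpam` line in Makefile.am (or a configure-time libpam check), with Makefile.in regenerated from it. The header also names the original as Makefile.in.chold rather than the usual .orig, which only matters if patch -p0 fails to resolve the target file.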

Save the above as patch.in in the same folder where you untarred pam_mysql, then run the following command:
# patch -p0 <patch.in
That command applies the changes in patch.in to Makefile.in.  Next, install the packages needed to compile the module:
# apt-get install libmysql++-dev libpam0g-dev libgsasl7 libgsasl7-dev
Once that's done, proceed with the usual build commands (note the extra configure options, which enable the SHA1 and MD5 hashing options in the module):
# ./configure --with-cyrus-sasl2 --with-openssl
# make
# make install


The module should now be installed in /lib/security/pam_mysql.so.  Now to configure OpenVPN.  Here's my server configuration file:
port 1194
proto udp
dev tun

ca /etc/openvpn/easy-rsa/ca.crt
cert /etc/openvpn/easy-rsa/server.crt
key /etc/openvpn/easy-rsa/server.key
dh /etc/openvpn/easy-rsa/dh1024.pem

server 10.128.127.0 255.255.255.0
ifconfig-pool-persist ipp.txt

push "redirect-gateway def1"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 2.2.2.2"

keepalive 10 120

comp-lzo

max-clients 50

persist-key
persist-tun

status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
mute 20

client-cert-not-required
username-as-common-name

plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn

The most important lines are the last three: client-cert-not-required, username-as-common-name and the plugin line that loads openvpn-auth-pam.so.  Run the commands below to set up the OpenVPN server:
cd /etc/openvpn
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/ easy-rsa
cd easy-rsa
vim vars # Edit KEY_* vars appropriately
source ./vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
To allow traffic to be routed from clients to the server, perform the following tasks:
echo 1 > /proc/sys/net/ipv4/ip_forward
Edit /etc/sysctl.conf and uncomment/add the line: net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s 10.128.127.0/24 -o eth0 -j MASQUERADE
iptables-save
Now to configure PAM.  Create a file called openvpn in /etc/pam.d.  Below are its contents:
auth optional /lib/security/pam_mysql.so user=root passwd=pass host=localhost db=vpn_db table=tbl_user usercolumn=userid passwdcolumn=password where=active=1 sqllog=no crypt=4 verbose=0

account required /lib/security/pam_mysql.so user=root passwd=pass host=localhost db=vpn_db table=tbl_user usercolumn=userid passwdcolumn=password where=active=1 sqllog=no crypt=4 verbose=0
crypt=4 instructs pam_mysql to compare against SHA1 hashes.  There are other options, which you can view in the pam_mysql README file.  The OpenVPN client configuration file is shown below:
client
dev tun
proto udp
remote my.vpn.server.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass
cipher BF-CBC
comp-lzo
verb 4
mute 20

Very lean and clean client config file.
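As an added example that is not part of the original post: a small Python re-enactment of the lookup the pam_mysql lines in /etc/pam.d/openvpn perform, using SQLite in place of MySQL and the tbl_user layout that appears in the comments. It assumes crypt=4 means the password column holds the hex SHA1 digest of the password (what MySQL's SHA1() returns); the user rows are constructed sample data.

```python
# Added example (not from the original post): re-enact the lookup that the
# pam_mysql line in /etc/pam.d/openvpn performs, to see what a tbl_user row
# must look like for crypt=4 (SHA1) and where=active=1 to succeed.
# Assumption: crypt=4 compares the password column against the hex SHA1
# digest of the supplied password. SQLite stands in for MySQL here.
import hashlib
import hmac
import sqlite3


def sha1_hex(password: str) -> str:
    """Hash a password the way crypt=4 expects (same output as MySQL SHA1())."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    """Create tbl_user with the column layout from the comments and seed it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tbl_user (id INTEGER PRIMARY KEY, userid TEXT UNIQUE,"
        " password TEXT NOT NULL, active INTEGER NOT NULL)"
    )
    rows = [  # constructed sample rows
        ("alice", sha1_hex("correct horse"), 1),  # hashed correctly, active
        ("bob", sha1_hex("battery staple"), 0),   # hashed correctly, active=0
        ("carol", "plaintext-pw", 1),             # stored in clear: never matches
    ]
    conn.executemany(
        "INSERT INTO tbl_user (userid, password, active) VALUES (?, ?, ?)", rows
    )
    return conn


def pam_mysql_check(conn: sqlite3.Connection, userid: str, password: str) -> bool:
    """Mirror usercolumn=userid passwdcolumn=password where=active=1 crypt=4."""
    row = conn.execute(
        "SELECT password FROM tbl_user WHERE userid = ? AND active = 1", (userid,)
    ).fetchone()
    if row is None:  # unknown user or active != 1: PAM reports "Permission denied"
        return False
    # constant-time comparison of the stored digest with the hash of the attempt
    return hmac.compare_digest(row[0].encode("utf-8"), sha1_hex(password).encode("utf-8"))


if __name__ == "__main__":
    db = build_db()
    for user, pw in [("alice", "correct horse"), ("bob", "battery staple"),
                     ("carol", "plaintext-pw"), ("alice", "wrong")]:
        print(user, "ok" if pam_mysql_check(db, user, pw) else "Permission denied")
```

A row whose password column holds the cleartext, or whose active flag is 0, is refused exactly like an unknown user, which is one thing to check in tbl_user when the log shows "failed to authenticate: Permission denied".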

12 comments:

David said...

What's the SQL dump file, or how do I create the database / tables in mysql?

voiptrader said...

try this:

mysql -u root -p
CREATE DATABASE vpn_db;

USE vpn_db;
CREATE TABLE `tbl_user` (
  `id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
  `userid` VARCHAR(30) NOT NULL,
  `password` VARCHAR(50) NOT NULL,
  `active` TINYINT(1) NOT NULL,
  UNIQUE (`userid`)
) ENGINE = MYISAM;

Robink said...

So what would an entry in, let's say, phpmyadmin look like?

Void said...

thanks for the tutorial

AUTH-PAM: BACKGROUND: user 'd3ck4' failed to authenticate: Permission denied

hmm.. do you know what the problem is?

Guillaume RODRIGUEZ said...

I have the same problem as @Void.
Have you got a solution?

Thanks.

Florent CARRÉ said...

Thank you, but I have the same problem:
AUTH-PAM: BACKGROUND: user 'xyz' failed to authenticate: Permission denied
The pastebin of the files: http://pastebin.com/qDS3nurN

Guillaume RODRIGUEZ said...

Hello @Florent CARRE,
I'm writing in French because I suspect you speak it too :)
The problem with this tutorial is that it is full of errors and I got no result at all.
After 2 weeks of research, I found a new tutorial that works wonderfully.
Here is the link:
http://chagridsada.blogspot.fr/2011/01/openvpn-system-based-on-userpass.html

At first I didn't want a shell file, but in the end it works very well and adding clients is very simple and fast.

Have a good day.

Florent CARRÉ said...

Good evening @Guillaume RODRIGUEZ,
Thanks, but I have already tested it and it won't work (same error, probably due to the sha1 for the password), so I'm thinking of setting up the big installation with freeradius as described at http://www.roessner-network-solutions.com/popular-articles-and-pages/openvpn-radius-mysqlldap-howto/
Thanks again and good evening.

Guillaume RODRIGUEZ said...

Good evening @Florent CARRE,
I had already seen that type of configuration, and the problem is that it relies on LDAP authentication, which I don't know in detail, so I found it a bit complicated.
Are you using MySQL/PHPMyAdmin's ENCRYPT function, or the PASSWORD function (or MD5 or SHA-1)? In the tutorial I gave you, the function used is ENCRYPT.
If you want, I can give you my server and client configuration files along with temporary access to my VPS for a month, to test and adapt it to your server, by e-mail or on a pastebin.

Good evening.

Ahmad Hamad said...

same problem as VOID

any salvation?

jonathan cohen said...

Hello,

We are setting up a VPN infrastructure on VPN Discount, can you help us?

Thanks, contact me by mail: webmaster AT vpndiscount DOT net