OpenVPN Server - user authentication

mojo_333

New Around Here
Is there any way to get user authentication working via OpenVPN Server (using Asuswrt-Merlin 3.0.0.4.270.25b)?

I have OpenVPN running on my QNAP NAS however I'd like to move to away from it as it's using an old codebase with multiple known exploits and QNAP doesn't seem to be in a rush to fix anything.

The big blocker is user authentication, as I don't want anyone with access to the config files just to be able to log in at will. I'd like to be able to define a list of users with static passwords who have access. Something similar to: http://askubuntu.com/questions/193611/connect-to-openvpn-using-username-and-password however I don't know how to make this work.
 
After some more searching I've found an article describing what I needed to do: http://todayguesswhat.blogspot.co.uk/2011/03/quick-simple-vpn-setup-guide-using.html. Username / password prompt and validation now working exactly as expected.

Only one small issue... the files generated are being saved to nvram via "nvram setfile2nvram xxx" however none of them survive a router reboot even after issuing the command "nvram commit".

Any thoughts?

---
Update: Used JFFS, however I'd still like to know why the files saved to nvram wouldn't survive a reboot.
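For anyone following the same path, here is a minimal auth-user-pass-verify script of the kind the linked guide sets up. It is an added example, not code from the thread, the blog post, or the Asuswrt-Merlin project. It assumes the script is stored in JFFS (the paths /jffs/scripts/checkpw.sh and /jffs/openvpn/users.db are made up for this example), that the server config contains `script-security 2` and `auth-user-pass-verify /jffs/scripts/checkpw.sh via-file`, and that the client config contains `auth-user-pass` so it prompts for the credentials. Passwords are stored salted and hashed rather than in clear text, so a copy of the user database alone does not give away the passwords.

```shell
#!/bin/sh
# Added example (not from the thread or Asuswrt-Merlin): OpenVPN
# auth-user-pass-verify script for "via-file" mode. OpenVPN writes a
# temporary file (username on line 1, password on line 2) and passes its
# path as $1; exit status 0 accepts the login, anything else rejects it.
# User database format, one entry per line:  user:salt:sha256(salt+password)
# Assumed location: /jffs/openvpn/users.db (JFFS survives reboots, nvram
# on Asuswrt has no setfile2nvram, as noted later in this thread).

hash_pw() {
    # $1 = salt, $2 = password; prints hex SHA-256 of salt followed by password.
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

mk_entry() {
    # $1 = username, $2 = password, $3 = optional salt (random if omitted).
    # Prints the line to append to the user database.
    salt="${3:-$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')}"
    printf '%s:%s:%s\n' "$1" "$salt" "$(hash_pw "$salt" "$2")"
}

verify_creds() {
    # $1 = credentials file written by OpenVPN, $2 = user database.
    credfile="$1"; userdb="$2"
    [ -r "$credfile" ] && [ -r "$userdb" ] || return 1
    user="$(sed -n '1p' "$credfile")"
    pass="$(sed -n '2p' "$credfile")"
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    # Reject usernames that could confuse the field separator or awk -v escapes.
    case "$user" in *:*|*\\*) return 1 ;; esac
    # Exact match on the first field only: no prefix or regex matching.
    entry="$(awk -F: -v u="$user" '$1 == u { print; exit }' "$userdb")"
    [ -n "$entry" ] || return 1
    salt="$(printf '%s' "$entry" | cut -d: -f2)"
    stored="$(printf '%s' "$entry" | cut -d: -f3)"
    [ "$(hash_pw "$salt" "$pass")" = "$stored" ]
}

# Entry point when OpenVPN runs the script: credentials file path is $1.
# USERS_DB is an assumed override; default path is also an assumption.
if [ -n "$1" ]; then
    verify_creds "$1" "${USERS_DB:-/jffs/openvpn/users.db}"
    exit $?
fi
```

To add a user, append the output of `mk_entry alice 'her password'` to the database file and make both the script and the database readable only by root. Note that OpenVPN still requires the client certificate in addition to this check, so the password is a second factor on top of the certificate, not a replacement for it. The string comparison at the end is not constant-time, which is acceptable here because the hash is over a random salt and an attacker would first need the database itself.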

Because there is no setfile2nvram option in the nvram command of Asuswrt:

Code:
admin@RT-AC66U:/tmp/home/root# nvram
usage: nvram [get name] [set name=value] [unset name] [show] [save file] [restore file]

BTW, I don't see what you mean about people with access to the config files being able to login. OpenVPN authentication is based on being able to sign a certificate. If someone doesn't have the signing certificate (which should not be stored on your router in the first place), they can't get access to the OpenVPN server at all. This is even more secure than a password, as brute-forcing a 1024 bytes key is way more secure than a short password string.
 
Because there is no setfile2nvram option in the nvram command of Asuswrt

Heh... that'd be the problem. I was semi-blindly following the actions in the blog I found given I'm a complete noob at this :)

BTW, I don't see what you mean about people with access to the config files being able to login.

I was trying to mitigate the case whereby I've placed the config files required by the OpenVPN client (ca.crt, client1.key, client1.crt, homevpn.ovpn in my case) onto a laptop (or other device) which is stolen. My understanding is that once the perp gets access to the laptop/device they'll be able to fire up OpenVPN and access my network unless I have a 2nd factor auth (simple username / password but it'll do).
 

You can revoke an emitted certificate, which would let you disable any lost certificate, same way as you would change a compromised password.

You might also be able to password-protect the certificate on the client machine, though I never tried it myself.
 
That's true: when generating a key for the user you can specify to password-protect it, so the user has to fill in the password before being able to connect to the OpenVPN server.

On Linux there's a separate script called build-key-pass; on Windows you have to change the batch file build-key.
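The two mitigations discussed in the last few posts, a passphrase on the client key and revocation of a lost certificate, as an added example that is not part of the thread or of easy-rsa. It shows how to put a passphrase on an already generated client1.key with openssl (what build-key-pass does at generation time), and in comments the CA-side revocation commands and the server directive that enforces the CRL. The file names follow the thread; the paths and the passphrase are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or easy-rsa). Requires the openssl CLI.

protect_key() {
    # $1 = plaintext PEM private key, $2 = output path, $3 = passphrase.
    # Writes an AES-256 encrypted copy of the key. With the encrypted copy in
    # place of client1.key, OpenVPN asks for the passphrase at connect time,
    # so the files alone (e.g. on a stolen laptop) are not enough to connect.
    openssl rsa -aes256 -in "$1" -out "$2" -passout "pass:$3" 2>/dev/null
}

key_unlocks() {
    # $1 = encrypted key, $2 = candidate passphrase. Exit 0 only if it decrypts.
    openssl rsa -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Revocation (run on the machine holding the CA, never on the router):
#   easy-rsa 2:  ./revoke-full client1          -> regenerates keys/crl.pem
#   easy-rsa 3:  ./easyrsa revoke client1 && ./easyrsa gen-crl
# Copy crl.pem to the router and add to the OpenVPN server config
# (the path is an assumption for this example):
#   crl-verify /jffs/openvpn/crl.pem
# The server then rejects a revoked certificate during the TLS handshake,
# regardless of whether its key was passphrase-protected.

demo() {
    # Constructed demonstration: fresh key, protect it, try both passphrases.
    tmp="$(mktemp -d)"
    openssl genrsa -out "$tmp/client1.key" 2048 2>/dev/null
    protect_key "$tmp/client1.key" "$tmp/client1.enc.key" 'laptop-passphrase'
    key_unlocks "$tmp/client1.enc.key" 'laptop-passphrase' && echo "correct passphrase unlocks the key"
    key_unlocks "$tmp/client1.enc.key" 'guess' || echo "wrong passphrase is rejected"
    rm -rf "$tmp"
}

# Run the demonstration with:  sh protect_key.sh demo
case "${1:-}" in demo) demo ;; esac
```

After encrypting, delete the plaintext key from the laptop and keep the CA's private key off the router entirely, as mentioned earlier in the thread. The passphrase only protects the key at rest; if the device is lost, revoke client1 anyway and push the new crl.pem to the server.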
 