OpenVPN via password authentication

Overview

The purpose of this tutorial is to describe how to configure an OpenVPN connection to a commercial VPN service. The explicit example I will use in this tutorial is connecting to ibVPN, but I am sure the steps described can be applied to many other providers and most places of employment.

Prerequisites

I will assume throughout this tutorial that you have a USB stick mounted as /opt with optware installed. If you do not have optware or a USB stick, you can probably use your /jmms directory instead of /opt. You are free to choose your own subnet, but for the purposes of this example I will use 172.31.0.0/16 as the address space configured for your LAN, with your router as 172.31.253.1. Wherever you see these numbers, substitute the values you have used for your configuration.

Installing files and finding information

Your VPN provider probably provides a set of configuration files that includes their certificate and configuration. Download these and copy them into your /opt/etc/openvpn directory. You will need to identify the following from this package.

  1. The CA file. For ibVPN this will be ibvpn.com.crt. If the certificate file is not obvious, you can recognize it by the line "-----BEGIN CERTIFICATE-----".
  2. The file or files with the configuration settings. In particular you are looking for a file with a remote line that tells you the server address and port number. For ibVPN there is one file per server, and the remote line is the first line in each file. For example, the line "remote 172.234.43.202 1194 udp" tells you the server is 172.234.43.202, the port is 1194, and the protocol is UDP.

Creating a routing script

Create the following script as /opt/etc/openvpn/route.sh, being sure to substitute 172.31.0.0 with whatever you are using for your LAN's subnet:

#!/bin/sh
# Usage: route.sh up|down <table> <subnet> [<subnet> ...]
# Run by OpenVPN as the route-up and down script. OpenVPN exports
# route_vpn_gateway, route_net_gateway and dev in the environment.
[ "$1" = "up" -o "$1" = "down" ] || { echo "No action specified."; exit 1; }
action="$1"
shift
[ -z "$1" ] && { echo "Failed to specify table."; exit 1; }
table="$1"
shift
[ -z "$1" ] && { echo "Failed to specify subnet."; exit 1; }

# Rebuild the table from scratch.
ip route flush table "$table"

# Copy the loopback and LAN routes into the table, one route per line, so
# that hosts in the redirected subnets still reach the LAN directly.
for i in '^127\.' '^172\.31\.' '^192\.168\.'
do
    ip route list | grep "$i" | while read -r route
    do
        # $route is deliberately unquoted: it is a full "ip route" argument list.
        ip route add $route table "$table" 2>/dev/null
    done
done

# Default route: out the tunnel while the VPN is up, back to the WAN gateway
# when it goes down.
[ "$action" = "down" ] && ip route add default via "$route_net_gateway" table "$table"
[ "$action" = "up" ] && ip route add default via "$route_vpn_gateway" dev "$dev" table "$table"

# The remaining arguments are the subnets/hosts to send through this table.
for subnet in "$@"
do
    ip rule del from "$subnet" table "$table" 2>/dev/null
    [ "$action" != "up" ] || ip rule add from "$subnet" table "$table"
done
exit 0

Once you have created the script, make it readable and executable with the following command:

chmod ugo+rx /opt/etc/openvpn/route.sh

Creating an authorization file

Next you need to create a file that stores your username and password:

echo "<USERNAME>" > /opt/etc/openvpn/auth1.txt
echo "<PASSWORD>" >> /opt/etc/openvpn/auth1.txt
chmod 600 /opt/etc/openvpn/auth1.txt

Note: <USERNAME> should be your actual username. For ibVPN, <USERNAME> is your e-mail address. <PASSWORD> should be your actual password. I suggest using auth1.txt for client 1 and auth2.txt for client 2.

Configuring UI settings

You can find the settings in your provider's configuration files. The following are settings that work for me with ibVPN:

For Client 1 -> Basic I configured the following:

Start with Wan: not checked
Interface Type: TAP
Protocol: UDP
Server Address/Port: 172.234.43.202 1194
Firewall: Automatic
Authorization Mode: TLS
Extra HMAC authorization (tls-auth): Disabled
Service is on the same subnet: not checked
Create NAT on tunnel: checked

Note: 172.234.43.202 should be replaced with the server you are going to connect to, and 1194 with the respective port. Protocol will be either UDP or TCP.

For Client 1 -> Advanced I configured the following:

Redirect Internet traffic: unchecked
Accept DNS configuration: Disabled
Encryption cipher: Use Default
Compression: Adaptive
TLS Renegotiation Time: -1
Connection retry: 30
Custom Configuration (follows):

script-security 3 system
ca /opt/etc/openvpn/ibvpn.com.crt
verb 3
mute 20
ns-cert-type server
fragment 1300
route-noexec
route-delay 2
redirect-private
auth-user-pass /opt/etc/openvpn/auth1.txt
auth-nocache
reneg-sec 0
route-up "/opt/etc/openvpn/route.sh up 1 172.31.254.0/24"
down "/opt/etc/openvpn/route.sh down 1 172.31.254.0/24"

It is very likely you will need to modify the custom settings based on the information in your VPN provider's configuration. You'll probably also want to change the address 172.31.254.0/24 to something else. The address 172.31.254.0/24 is the subnet I want to redirect through the VPN; you can replace this with any subnet you want, or even a list of multiple values. For example, the following would redirect 172.31.253.119, 172.31.253.123 and the subnet 172.31.3.0/24:

route-up "/opt/etc/openvpn/route.sh up 1 172.31.253.119 172.31.253.123 172.31.3.0/24"
down "/opt/etc/openvpn/route.sh down 1 172.31.253.119 172.31.253.123 172.31.3.0/24"

The number 1 right after the word "up" and "down" is a table number. For simplicity I just make this the same as the client number. So for client #2 I use:

route-up "/opt/etc/openvpn/route.sh up 2 172.31.255.0/24"
down "/opt/etc/openvpn/route.sh down 2 172.31.255.0/24"

Debugging

If you are lucky everything will work the first time you press start. If not, you'll probably need to look at the system log for errors (Status->Log). This is where you will see error messages such as password authentication failures. Do not check the "Startup on WAN" button until you have verified the connection works when starting manually. If your VPN provider uses a secure token, you need to log in and update the /opt/etc/openvpn/auth manually immediately before clicking start, so you can provide the current token value as part of the password.
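When the log shows the tunnel up but the redirected hosts still use the WAN, the next thing to check is the policy-routing state that route.sh leaves behind. The following shell function is an added example (not part of the original tutorial or of Tomato/OpenVPN); it checks the output of "ip rule show" and "ip route show table N" for the table's default route, the LAN route and one rule per redirected subnet, and the interface name tap11 and addresses in the sample output are constructed.

```shell
#!/bin/sh
# verify_vpn_table TABLE "RULES" "ROUTES" SUBNET [SUBNET ...]
# RULES is the text of "ip rule show", ROUTES the text of "ip route show table TABLE".
# Returns 0 when the table looks like route.sh "up" should have left it, 1 otherwise.
verify_vpn_table() {
    table="$1"
    rules="$2"
    routes="$3"
    shift 3
    rc=0

    # 1. The table's default route must leave through a tun/tap interface; anything
    #    else means traffic from the redirected subnets is going out the WAN unencrypted.
    if ! printf '%s\n' "$routes" | grep -Eq '^default via [0-9.]+ dev (tun|tap)[0-9]*'; then
        echo "table $table: default route is not on a tunnel interface"
        rc=1
    fi

    # 2. The LAN prefix (172.31.x in this tutorial) must be present, otherwise the
    #    redirected hosts lose contact with the rest of the LAN.
    if ! printf '%s\n' "$routes" | grep -q '^172\.31\.'; then
        echo "table $table: LAN route missing"
        rc=1
    fi

    # 3. Every redirected subnet or host needs an ip rule selecting this table.
    for subnet in "$@"; do
        if ! printf '%s\n' "$rules" | grep -q "from $subnet lookup $table\$"; then
            echo "missing rule: from $subnet lookup $table"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample output, roughly what a Tomato router shows after
# "route.sh up 1 172.31.254.0/24" with client 1 on a TAP interface.
SAMPLE_RULES='0:      from all lookup local
32765:  from 172.31.254.0/24 lookup 1
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_TABLE='default via 10.8.0.5 dev tap11
10.8.0.0/24 dev tap11  scope link
127.0.0.0/8 dev lo  scope link
172.31.0.0/16 dev br0  proto kernel  scope link  src 172.31.253.1'

# On the router, feed it the live state instead of the samples:
#   verify_vpn_table 1 "$(ip rule show)" "$(ip route show table 1)" 172.31.254.0/24
verify_vpn_table 1 "$SAMPLE_RULES" "$SAMPLE_TABLE" 172.31.254.0/24 && echo "table 1 OK"
```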

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License