24 August 2014

OpenVPN with OTP one time password by google authenticator working all the time part 2

<< Back to part 1 <<

3. Create the user (Alice) certificate for authentication:

Generate Alice's private key

# openssl genrsa -out alice.key 2048

Generate Alice's certificate request

Note: the common name (CN) should match the username (alice).

# openssl req -out alice.req -key alice.key -new -days 365

Sign Alice's request using the rootCA

# openssl x509 -in alice.req -out alice.cert -days 365 -req -CA rootCA.cert -CAkey rootCA.key -CAcreateserial

To make the config file for Alice, copy the contents of rootCA.cert, alice.key and alice.cert and place them inline in one file, alice.ovpn, like this:

# vim alice.ovpn

client
dev tun
proto tcp

# Connect to server
remote vpn.tipstuff.org 443

# rootCA.cert
<ca>
-----BEGIN CERTIFICATE-----
MIIDnzCCAoegAwIBAgIJAOhAI1gmMWVxMA0GCSqGSIb3DQEBBQUAMGYxCzAJBgNV
BAYTAlZOMQswCQYDVQQIDAJTRzELMAkGA1UEBwwCU0cxFTATBgNVBAoMDHRpcH
...............
...............
FULLqBe+kY+XaZrlPVn787aEwN0tF1DtXwG8pQ3cR7eohOAZWrZDHXEFTKYYJkvu
RKgJvl0Hw3zsCX9faPK/Z90chg==
-----END CERTIFICATE-----
</ca>

# alice.cert
<cert>
-----BEGIN CERTIFICATE-----
MIIDRzCCAi8CCQDU+B80lYb0/zANBgkqhkiG9w0BAQUFADBmMQswCQYDVQQGEwJW
............
............
8vvzrS9AltShgZYNt1ODHvNYMFHzyQHMNmVG
-----END CERTIFICATE-----
</cert>

# alice.key
<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAsf4LwkRjoStpRjAj9gXL46r5K3s26+Kf3k+iLS/5OoieLJlT
W9Mj5OAUjxm+fgUeQw79n+BRsB2OIsARE7NmHyryw8XhU/pPwhFp/1oGCOQmUwA0
............
............
gDLtXax8Vj+UwIPDOIlLHckqgHsDASpbM0hckxJtvZzKBRFww3DJOA==
-----END RSA PRIVATE KEY-----
</key>
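The three openssl commands and the hand-assembled alice.ovpn above, as an added shell script that is not part of the original post. It assumes rootCA.cert and rootCA.key sit in the working directory and reuses the post's remote (vpn.tipstuff.org 443); the CN is pinned with -subj so it always equals the username, and the certificate is checked against rootCA before the config file is written.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes rootCA.cert and
# rootCA.key are in the working directory and uses the post's server name.
set -eu

VPN_REMOTE="vpn.tipstuff.org 443"   # from the post; change for your server

# Step 3 for one user: key, CSR and rootCA-signed certificate.
# -subj pins CN to the username so it matches what the server checks.
make_client_cert() {
    user="$1"
    openssl genrsa -out "$user.key" 2048
    openssl req -new -key "$user.key" -out "$user.req" -subj "/CN=$user"
    openssl x509 -req -in "$user.req" -days 365 -CA rootCA.cert \
        -CAkey rootCA.key -CAcreateserial -out "$user.cert"
    # Sanity check before handing anything out: the certificate must chain
    # to rootCA and its subject CN must be exactly the username.
    openssl verify -CAfile rootCA.cert "$user.cert" >/dev/null
    openssl x509 -in "$user.cert" -noout -subject | grep -q "CN *= *$user\$"
}

# Assemble <user>.ovpn with the CA cert, user cert and user key inline,
# in the same layout as the hand-written alice.ovpn above.
build_ovpn() {
    user="$1"
    out="$user.ovpn"
    {
        printf 'client\ndev tun\nproto tcp\n\n# Connect to server\nremote %s\n\n' "$VPN_REMOTE"
        printf '# rootCA.cert\n<ca>\n';        cat rootCA.cert;   printf '</ca>\n\n'
        printf '# %s.cert\n<cert>\n' "$user";  cat "$user.cert";  printf '</cert>\n\n'
        printf '# %s.key\n<key>\n' "$user";    cat "$user.key";   printf '</key>\n'
    } > "$out"
    chmod 600 "$out"   # the file embeds a private key
    echo "$out"
}

# Return 0 only if the file has complete <ca>, <cert> and <key> blocks,
# each wrapping exactly one PEM object.
check_ovpn() {
    f="$1"
    for tag in ca cert key; do
        grep -q "^<$tag>\$" "$f" && grep -q "^</$tag>\$" "$f" || return 1
    done
    [ "$(grep -c -- '-----BEGIN ' "$f")" -eq 3 ] &&
        [ "$(grep -c -- '-----END ' "$f")" -eq 3 ]
}

# Usage: make_client_cert alice && build_ovpn alice && check_ovpn alice.ovpn
```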

Now copy or email the config file to Alice and guide her to download the appropriate OpenVPN client. For example, for Windows XP 32-bit: http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.4-I003-i686.exe

After installation, place the config file in C:\Program Files\OpenVPN\config\


On the desktop, right-click the OpenVPN GUI icon and choose Run As Administrator (it needs that permission to modify the routing table). The OpenVPN GUI then sits in the bottom-right of the taskbar; right-click it and choose Connect.

The client receives the IP address and DNS address provided by the OpenVPN server.

Push a static route to the client:

Alice is now connected to the VPN network.

The login process uses the SSL certificate to authenticate users (CN=alice); no password is required, and the VPN server only accepts certificates signed by the rootCA.

>> Next - Integrate with the Google Authenticator PAM module >>