Archive for June, 2011

Open VPN with PAM

June 23, 2011

Your Private tunnel to the Internet.

OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.


apt-get install openvpn
apt-get install libpam0g-dev   # for PAM support


You need to decide here whether you want tun (routed) or tap (bridged) connections. The main difference is that tap gives the client an address on the server's own network segment (layer 2 bridging), whereas tun creates a separate, routed private network managed by the server. I chose tun for my case.

Authentication methods

  1. Certificates/keys
  2. Smart cards
  3. Username/password credentials

Preparing to generate the keys

cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/

Generate the certificate authority (CA) which will be used to sign the server and client certificates:

. ./vars      # load the easy-rsa variables (KEY_DIR, KEY_SIZE, ...)
./build-ca    # writes keys/ca.crt and keys/ca.key; keep ca.key off the VPN server if you can

Next, create the server certificate and key:

./build-key-server server

Answer ‘yes’ when asked to sign the certificate and commit it to the database. Then you’ll need to generate the Diffie-Hellman parameters, which are used for key exchange between the client and


As I decided to use PAM-based authentication, I skipped creating the certificates and keys for client authentication here.

Here is my server config file (/etc/openvpn/server.conf):

port 1194
proto tcp-server
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
keepalive 10 120
push "route"
push "dhcp-option DNS"
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
plugin /usr/lib/openvpn/ login

/etc/init.d/openvpn start|stop|restart   # check /var/log/openvpn.log for errors during service start
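Once the server authenticates against PAM, /var/log/openvpn.log is also where password-guessing against the VPN shows up. The following is an added example, not part of the original post: it scans verb 3 log lines for rejected username/password attempts and flags source IPs that exceed a threshold inside a sliding window. The log lines are constructed for the example, modelled on the messages OpenVPN 2.x writes when the auth-pam plugin rejects a login; the threshold and window are arbitrary choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on OpenVPN 2.x "verb 3" output with the auth-pam plugin.
SAMPLE_LOG = """\
Thu Jun 23 10:00:01 2011 203.0.113.5:51234 TLS: Initial packet from [AF_INET]203.0.113.5:51234
Thu Jun 23 10:00:02 2011 203.0.113.5:51234 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
Thu Jun 23 10:00:02 2011 203.0.113.5:51234 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Jun 23 10:00:09 2011 203.0.113.5:51240 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Jun 23 10:00:15 2011 203.0.113.5:51251 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Jun 23 10:01:30 2011 198.51.100.7:40000 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Jun 23 10:02:00 2011 198.51.100.7:40002 [alice] Peer Connection Initiated with [AF_INET]198.51.100.7:40002
"""

# Only this message is counted, so one rejected attempt is not counted twice
# (the PLUGIN_CALL line for the same attempt is ignored).
FAIL_MARK = "TLS Auth Error: Auth Username/Password verification failed"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ (?P<msg>.*)$"
)

def failed_auths(lines):
    """Return (timestamp, source_ip) for every rejected username/password attempt."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and FAIL_MARK in m.group("msg"):
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            events.append((ts, m.group("ip")))
    return events

def flag_sources(events, threshold=3, window=timedelta(minutes=5)):
    """Map source IP -> peak number of failures inside any `window`, for IPs reaching `threshold`."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop failures older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    for ip, n in flag_sources(failed_auths(SAMPLE_LOG.splitlines())).items():
        print(f"{ip}: {n} failed PAM logins within 5 minutes")
```

With the sample above, only 203.0.113.5 is flagged (three failures in thirteen seconds); the single failure from 198.51.100.7 followed by a successful connection is left alone.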

My client.conf file:

client            # pull the options the server pushes (routes, DNS) and act as the TLS client
dev tun
proto tcp-client
remote 1194
ca keys/ca.crt    # the same CA certificate used on the server
auth-user-pass    # prompt for the username/password that the server's PAM plugin verifies
verb 3

On Windows, use openvpn-gui to connect to the OpenVPN server: name the configuration file.ovpn and place it in the openvpn/conf directory. Before trying to connect, check that the DHCP Client service is running on the Windows machine; otherwise the pushed routes won't work.