OpenVPN client with user/pass authentication


#1

Hi,

I’m trying to use VyOS to create an OpenVPN tunnel to a VPN provider. Specifically PIA, but the same question would apply to others like VyprVPN.

Providers like these two don’t create client certificates and instead have clients authenticate with a username/password.

I have a Ubiquiti EdgeRouter Lite which I have used to configure a client connection and I am able to route traffic out through the VPN. Unfortunately, the performance is rather low because the hardware on the EdgeRouter Lite seems underpowered to encrypt data fast enough. Seeing how EdgeOS is a fork of Vyatta and VyOS is a fork of Vyatta, I’m hoping to run an instance of VyOS inside VMware on a powerful computer in my house to do the OpenVPN tunneling, at hopefully much faster speeds. If it works, I’ll have my EdgeRouter route traffic to VyOS which will route the data out through PIA.

This page describes how to easily configure a Ubiquiti router to work with PIA. The important detail is that the config ends up with an entry like:

interfaces {
  [...]
  openvpn vtun0 {
    config-file /config/auth/pia/USEast.ovpn
  }
}

And the ovpn file looks like this:

client
dev vtun
proto udp
remote us-east.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /config/auth/pia/ca.crt
tls-client
remote-cert-tls server
auth-user-pass /config/auth/pia/pw.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify /config/auth/pia/crl.pem
route-nopull

Is it possible to do something similar with VyOS? I tried but wasn’t able to use config-file as a way to set up an OpenVPN client. I would be ok putting all these options into the VyOS configuration but the validation at configuration commit time is saying that I need a client certificate when using tls. I can only use auth-user-pass mode so I think this is going to end up as a feature request for VyOS.

Thoughts?


#2

Any update on this? Would like to know how to make this work.


#3

Any update on this?


#4

Not specific to the use of OVPN files, but I do this to permit use of VyprVPN through my VyOS 1.1.7 router.

This is just a note I left for myself.

For OpenVPN to work with VyprVPN, edits are made to:

/opt/vyatta/share/perl5/Vyatta/OpenVPN/Config.pm

Code is commented out (using if(0)) between line 701 and line 715. This removes a check when configuration is committed so that VyOS doesn’t complain about tls cert-file and tls key-file.
This is also documented here: http://forum.goldenfrog.com/t/edgemax-support/644/6

And these are the commands I use to configure the connection.

set interfaces openvpn vtun0 firewall in name 'VPN-IN'
set interfaces openvpn vtun0 firewall local name 'VPN-LOCAL'
set interfaces openvpn vtun0 mode 'client'
set interfaces openvpn vtun0 openvpn-option '--verb 3'
set interfaces openvpn vtun0 openvpn-option '--comp-lzo'
set interfaces openvpn vtun0 openvpn-option '--auth-user-pass /config/auth/secret.txt'
set interfaces openvpn vtun0 openvpn-option '--link-mtu 1542'
set interfaces openvpn vtun0 openvpn-option '--script-security 2'
set interfaces openvpn vtun0 protocol 'udp'
set interfaces openvpn vtun0 remote-host 'uk1.vpn.giganews.com'
set interfaces openvpn vtun0 remote-port '1194'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ca.vyprvpn.com.crt'
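Post #1 asks how to get a provider's .ovpn file into VyOS, and post #4 shows the hand-built set commands that work once the commit-time certificate check is relaxed. The script below is an added example, not code from this thread or from the VyOS project: it translates a username/password .ovpn client file into the same kind of `set interfaces openvpn` commands post #4 uses, and checks the `--auth-user-pass` credentials file before you commit. It assumes the VyOS 1.1.x keys seen in post #4 (mode, protocol, remote-host, remote-port, tls ca-cert-file, openvpn-option) and passes every other directive through as a raw openvpn-option, so `remote-cert-tls server` survives the translation; drop it and any other client certificate signed by the provider's CA could pose as the server. The sample .ovpn, the host `vpn.example.net` and the `/config/auth/example` paths are constructed placeholders, and `stat -c` is GNU stat as shipped on Debian-based VyOS.

```sh
#!/bin/sh
# Added example (not from this thread or from VyOS): turn a provider's
# username/password .ovpn client file into "set interfaces openvpn" commands
# and sanity-check the auth-user-pass credentials file before committing.
# Config keys assumed are the VyOS 1.1.x ones used in post #4; anything not
# mapped explicitly is passed through unchanged as an openvpn-option.

ovpn_to_vyos() {
    # $1 = path to the .ovpn file, $2 = VyOS interface name (e.g. vtun0)
    ovpn=$1
    p="set interfaces openvpn $2"
    echo "$p mode 'client'"
    # tr strips CRLF line endings, which provider-supplied .ovpn files often have
    tr -d '\r' < "$ovpn" | while read -r key rest; do
        case "$key" in
            ''|'#'*|';'*) continue ;;        # blank lines and comments
            client|tls-client|dev) ;;        # implied by mode client; VyOS names the device
            proto)   echo "$p protocol '$rest'" ;;
            remote)  set -- $rest            # "host [port]"
                     echo "$p remote-host '$1'"
                     if [ -n "${2:-}" ]; then echo "$p remote-port '$2'"; fi ;;
            ca)      echo "$p tls ca-cert-file '$rest'" ;;
            *)       # everything else (remote-cert-tls, auth-user-pass, comp-lzo,
                     # crl-verify, ...) goes through as a raw OpenVPN option
                     if [ -n "$rest" ]; then
                         echo "$p openvpn-option '--$key $rest'"
                     else
                         echo "$p openvpn-option '--$key'"
                     fi ;;
        esac
    done
}

check_auth_file() {
    # $1 = the file named by --auth-user-pass: exactly two non-empty lines
    # (username, password) and readable by its owner only, since it holds
    # the plaintext credentials that replace the client certificate.
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    lines=$(grep -c . "$f" || true)
    [ "$lines" -eq 2 ] || { echo "expected 2 lines in $f, got $lines" >&2; return 1; }
    mode=$(stat -c %a "$f")                  # GNU stat, as on Debian-based VyOS
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$f is mode $mode; chmod 600 it" >&2; return 1 ;;
    esac
}

write_sample_ovpn() {
    # Constructed sample mirroring the layout of the file in post #1;
    # vpn.example.net and the /config/auth/example paths are placeholders.
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /config/auth/example/ca.crt
tls-client
remote-cert-tls server
auth-user-pass /config/auth/example/pw.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify /config/auth/example/crl.pem
route-nopull
EOF
}

# Usage: sh ovpn2vyos.sh USEast.ovpn vtun0 > commands.txt
if [ $# -eq 2 ]; then
    ovpn_to_vyos "$1" "$2"
fi
```

The generated commands are meant to be pasted into `configure` on a router where the cert-file/key-file check has been relaxed as post #4 describes; run `check_auth_file` on the credentials file first, because a world-readable pw.txt is the same as leaving the provider password in a shell history.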