Added: Oct 27 2009
Dual authentication – Adding username and password verification
If someone steals a copy of the client's private key, they gain access to the VPN server. That's dangerous, so it is worth adding another layer of authentication to keep the VPN server safe.
There are various methods that could be added; the most commonly used is PAM. I tried PAM and found it a bit troublesome to get working with OpenVPN. I need a simple username and password authentication solution.
I decided to use an open source plugin called 'OpenVPN Auth Passwd' instead.
The plugin is simple: once it is installed, it validates the username/password directly against the Unix accounts of the system, without needing another password store such as MySQL, LDAP, Active Directory or anything else. The drawback is that you need to create a system account for every VPN user. Since I'm the only VPN user here, that is not a problem for me at all.
To get the plugin working, the first step is to compile the source code to produce a binary plugin.
Cross Compile Method
Cross compiling means building on a Linux PC to produce a working binary for the DS.
- First, we need a Linux environment. Since I don't have a spare machine, I downloaded the free VMware Player and installed it on my Vista machine. Then I downloaded the Ubuntu 9 ISO and installed it in the virtual machine.
- Download the 3rd Party Integration Guide PDF from the Synology website and follow its instructions to set up the compilation environment on your Ubuntu virtual machine.
- Download the source package of the plugin and upload it to the Ubuntu VM
- Extract the plugin package
- Modify the Makefile and change the gcc compiler path to the compiler provided by Synology
- Run make
- A binary copy of the plugin will be generated in the same directory
Native Compile (compile on DS207+)
Native compiling means building directly on the NAS.
- telnet/ssh in as root
# ipkg install gcc
# ipkg install make
- Download the plugin and OpenVPN source as root. *The hyperlinks change from time to time; check the websites for the current download links of the plugin and the OpenVPN source package.
# cd
# wget http://downloads.sourceforge.net/project/auth-passwd/openvpn-auth-passwd/1.1/openvpn-auth-passwd-1.1.tar.gz?use_mirror=nchc
# wget http://openvpn.net/release/openvpn-2.1_rc20.tar.gz
# tar xvzf openvpn-auth-passwd-1.1.tar.gz
# tar xvzf openvpn-2.1_rc20.tar.gz
- Edit the Makefile so that INCLUDE points at the extracted OpenVPN source (that is where openvpn-plugin.h lives):
# This directory is where we will look for openvpn-plugin.h
INCLUDE=-I/root/openvpn-2.1_rc20
- Ready to compile now, just type make
# cd ~/auth-passwd
# make
- The plugin openvpn-auth-passwd.so will be generated in the auth-passwd directory
Once the Auth Passwd plugin is compiled, the installation is pretty simple.
VPN Server Setup
- Upload the plugin to a directory of your choice, e.g. /opt/etc/openvpn/lib
- Edit the config file of VPN server.
# vi /opt/etc/openvpn/config/openvpn.conf
Add the following lines to the config file:
- Update script-security to 2
- Make sure the verb level is lower than 7; otherwise the username and the raw password will be written to the log files. Use verb 7 or higher for debugging only.
- Restart the OpenVPN server
VPN Client Setup
- Add the following line to the client’s config file
A popup window will prompt for the username and password during connection.
In a non-interactive environment (e.g. Linux, TomatoVPN) it is not possible to enter the username/password manually. The solution is to create a plain text file that stores the username and password, and add the following line to the client's configuration instead.
The format of the plain text file is simple:
First line: username
Second line: password
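As an added example (not part of the original post), the shell script below checks two of the points above on the server and client side: that a server config loading openvpn-auth-passwd keeps verb below 7 so credentials never reach the log, and that the two-line client credentials file is created readable by its owner only. The plugin path and file names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed plugin path:
# /opt/etc/openvpn/lib/openvpn-auth-passwd.so

# Return 0 when CONF loads openvpn-auth-passwd, sets script-security 2 (or 3)
# and keeps verb below 7, so usernames and raw passwords are not logged.
audit_server_conf() {
    conf="$1"
    grep -q '^[[:space:]]*plugin[[:space:]].*openvpn-auth-passwd\.so' "$conf" || return 1
    grep -q '^[[:space:]]*script-security[[:space:]]\{1,\}[23][[:space:]]*$' "$conf" || return 1
    # The last verb directive wins; OpenVPN defaults to verb 1 when none is set.
    verb=$(sed -n 's/^[[:space:]]*verb[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$conf" | tail -n 1)
    verb=${verb:-1}
    [ "$verb" -lt 7 ]
}

# Write the credentials file read by auth-user-pass (username on line 1,
# password on line 2) so that only the owner can read it (mode 600).
write_auth_file() {
    file="$1"; user="$2"; pass="$3"
    old_umask=$(umask)
    umask 077
    printf '%s\n%s\n' "$user" "$pass" > "$file"
    umask "$old_umask"
}

# Return the permission string of FILE, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Demo on constructed configs; the values are made up for this example.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'plugin /opt/etc/openvpn/lib/openvpn-auth-passwd.so' \
        'script-security 2' 'verb 3' > "$d/good.conf"
    printf '%s\n' 'plugin /opt/etc/openvpn/lib/openvpn-auth-passwd.so' \
        'script-security 2' 'verb 7' > "$d/leaky.conf"
    for c in good leaky; do
        if audit_server_conf "$d/$c.conf"; then echo "$c.conf: ok"; else echo "$c.conf: FAIL"; fi
    done
    write_auth_file "$d/auth.txt" vpnuser 'example-pass'
    echo "auth.txt mode: $(file_mode "$d/auth.txt")"
    rm -rf "$d"
}
demo
```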