InfoWorld how-to's

How to roll your own VPN

With free open source OpenVPN and a low-cost VPS, you can have a secure connection from any location

Page 5 of 5

Mobile clients. You can download the official OpenVPN client for your iPhone, iPad, or Android device, or you can use a third-party app. You will need to copy the certificates, key, and configuration files to your mobile device and import them into the client in a similar manner to the Windows and Mac client setups.

Adding username and password authentication
Our current OpenVPN server configuration allows multiple clients to authenticate to the server with the same certificate. Thus, you can install a client on any system, copy those files over, and connect to your VPN. However, you may want to add extra security by requiring a username and password every time anyone tries to connect to the VPN. We can do that by changing a few configuration lines in the server and client configuration files and adding users to our VPS.

First, we need to modify the server's configuration. In our SSH session, we need to edit the /etc/openvpn/vpnserver.conf file:

root@localhost:/etc/openvpn/easy-rsa/keys# cd /etc/openvpn
root@localhost:/etc/openvpn # nano vpnserver.conf

Then we need to add the following line to the file. The placement doesn't matter, but you might want to add it after the client-to-client line:

plugin /usr/lib/openvpn/openvpn-auth-pam.so "login login USERNAME password PASSWORD"

Save the file (Ctrl-O) and exit Nano. Then restart the service:

root@localhost:/etc/openvpn # service openvpn restart

Now, we need to create some users. You can do this with the useradd command. We may not want these users to be able to SSH into the server, however, so we need to set their shell to nologin, as follows:

root@localhost:/etc/openvpn # useradd -s /usr/sbin/nologin myuser

Then set a password:

root@localhost:/etc/openvpn # passwd myuser

Enter the password twice.

Finally, we need to edit our client configuration, and simply add this line:

auth-user-pass

This will tell the client to prompt for a username and password. You may need to delete and reimport your client configuration into your OpenVPN client after making this change.

Note that this method of client authentication still requires the client certificate in addition to the username and password, and it is the most secure of the three methods (certificate only, certificate plus password, and password only, described next).

Requiring only a username and password
If you do not want to require a client certificate to connect, but want to use only usernames and passwords, you can do so by adding this line to the vpnserver.conf file on the server:

client-cert-not-required

Then restart the service:

root@localhost:/etc/openvpn # service openvpn restart

This will cause the server to use a client certificate if one is presented, but it will allow a client to connect without a certificate if a valid username and password are used. Note that the ca.crt file is still required on the client side so the client can verify the server. (However, the two lines in our client configuration that specify the remote1.crt and remote1.key files can be removed.) It's important to note that you should have configured the PAM plugin line, usernames, and passwords as described above before making this change.
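The server-side steps from the two sections above (adding the PAM plugin line, creating a VPN-only user, and deciding whether client-cert-not-required is set), as an added example rather than code from the article: a POSIX shell script whose function names and the idempotency/consistency checks are my additions, while the file path, plugin line, and nologin shell are the ones the article uses.

```shell
#!/bin/sh
# Added example (not from the InfoWorld article). Applies and checks the
# OpenVPN username/password configuration described above. The article's
# config path is /etc/openvpn/vpnserver.conf; functions take the path as a
# parameter so they can be tried on a copy first.

PLUGIN_LINE='plugin /usr/lib/openvpn/openvpn-auth-pam.so "login login USERNAME password PASSWORD"'

# Append the PAM plugin line to CONF unless it is already present, so the
# function is safe to re-run without duplicating the directive.
enable_pam_auth() {
    conf="$1"
    if grep -qF 'openvpn-auth-pam.so' "$conf"; then
        return 0
    fi
    printf '%s\n' "$PLUGIN_LINE" >> "$conf"
}

# Succeed (exit 0) only when CONF enforces the strongest of the three modes:
# the PAM plugin is enabled AND client-cert-not-required is absent, i.e.
# every client must present both a certificate and a valid password.
requires_cert_and_password() {
    conf="$1"
    grep -qF 'openvpn-auth-pam.so' "$conf" || return 1
    if grep -qE '^[[:space:]]*client-cert-not-required' "$conf"; then
        return 1
    fi
    return 0
}

# Print the login shell of USER from a passwd-format file (default
# /etc/passwd), so an admin can confirm VPN accounts cannot log in over SSH.
user_shell() {
    user="$1"
    passwd_file="${2:-/etc/passwd}"
    awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd_file"
}

# Create a VPN-only account exactly as the article does: nologin shell, then
# set the password interactively. Must run as root on the VPS.
add_vpn_user() {
    useradd -s /usr/sbin/nologin "$1" && passwd "$1"
}
```

After editing the live config, restart the service as the article shows (service openvpn restart) for the change to take effect.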

Though it may seem daunting, this entire OpenVPN configuration process shouldn't take more than 15 minutes from the time you log in to your new VPS to the time you make your first connection with your client. You can save the certificates, keys, and server configuration we created, as well as set up other VPN servers, or move your server to another provider and have a new server up and running in just a few minutes.

Then, any time you want to be sure that your traffic is encrypted from your location to your personal VPN server, just fire up your client and go.

This article, "How to roll your own VPN," was originally published at InfoWorld.com.

Copyright © 2013 IDG Communications, Inc.
