Home / server / Questions / 417403
In Process
Ivan
Asked: 2012-08-15 07:11:37 +0800 CST

Can I use OpenVPN with a single secret password instead of a keys set?

  • 772

I am looking forward to create an as-simple-as-possible OpenVPN set-up.

I would like to use a single password to secure the communication instead of a set of key files.

How can I set it up this way?

vpn

3 Answers

  1. Yes, OpenVPN calls this the "static key" setup:

    http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html

    Note the listed disadvantages:

    • Limited scalability -- one client, one server
    • Lack of perfect forward secrecy -- key compromise results in total disclosure of previous sessions
    • Secret key must exist in plaintext form on each VPN peer
    • Secret key must be exchanged using a pre-existing secure channel
    • 4

  2. To use password authntification from file, you should use this directives in server configuration file:

    • client-cert-not-required to allow authentification with user/password only
    • username-as-common-name to get common name from username, because it can't be taken from certificate
    • script-security 2 to allow calling external scripts
    • auth-user-pass-verify <script> <method> to force server ask for user/password. <script> is executable file used to check user/password pair. <method> is on of "via-env" and "via-file". Read manual about auth-user-pass-verify directive for details

    You should write script by yourself.

    • 4

  3. At least you need server certificate. Then you can use mysql backend for user/password management. You can read more here

    • 0