Openvpn – Possible? OpenVPN server requiring both certificate- AND password-based login (via Tomato router firmware)

Tags: authentication, openvpn, tomato

I've been using Shibby's build of Tomato (64k NVRAM version) on my Asus N66U router in order to run an OpenVPN server.

I'm curious whether it's possible to set up this OpenVPN server to require both a certificate AND a username/password before a user is allowed access.

I noticed there's a "challenge password" entry when filling out the certificate details, but everyone says to leave it blank "or else"; I have no idea why, and I can't find an explanation. In addition, I've Googled this issue a bunch and have noticed people talking about a PAM module for OpenVPN in order to authenticate via username/password, but that appeared to be an either/or option; in other words, I can force authentication via username/password OR certificate. I want to require both.

Is this possible? If so, how?

Best Answer

The OpenVPN feature you're looking for, which will allow the server to authenticate clients based on both their certificate and a credential, is auth-user-pass-verify. This feature allows the server to pass the username/password provided by the remote user to a script that performs the authentication. At that point you can validate the credentials against anything you want: PAM, RADIUS, LDAP, smoke signals, etc.

I know nothing about the "Tomato" firmwares so I'm not even going to attempt to give you a step-by-step here. I did some quick searching and I suspect you could use the OpenVPN "Custom Configuration" option to include an auth-user-pass-verify reference. You'll need a script to perform the authentication.

Do some searching and I suspect you'll find "Tomato"-specific references.
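As an added illustration of the auth-user-pass-verify script the answer describes (example code, not from the answer, OpenVPN or Tomato), here is a minimal verify script for the "via-env" method that checks the supplied username/password against a salted-hash file, so that it acts as a second factor on top of the client certificate. The config lines in the header comment, the /jffs paths and the users.db format are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the answer or Tomato): an auth-user-pass-verify script for
# OpenVPN's "via-env" method, used as a second factor on top of the client certificate.
# Assumed server-side lines (Tomato "Custom Configuration"; paths are placeholders):
#   script-security 3
#   verify-client-cert require
#   auth-user-pass-verify /jffs/openvpn/verify-user.sh via-env
# With via-env, OpenVPN exports the client's $username and $password and admits the
# client only if this script exits 0 AND the certificate check already passed.

# Credential store, one line per user:  user:salt:sha256("salt:password")
CRED_FILE="${CRED_FILE:-/jffs/openvpn/users.db}"   # assumed location

# Hex SHA-256 of "salt:password"; $1 = salt, $2 = password.
hash_password() {
    printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Append a user record; $1 = user, $2 = password, $3 = credential file.
add_user() {
    salt=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s:%s:%s\n' "$1" "$salt" "$(hash_password "$salt" "$2")" >> "$3"
}

# Return 0 if $1/$2 match a record in $3, 1 otherwise (unknown user, bad
# password, unreadable file, or a username that could break the ':' format).
check_credentials() {
    [ -r "$3" ] || return 1
    case "$1" in ''|*[!A-Za-z0-9_.@-]*) return 1 ;; esac
    result=1
    while IFS=: read -r u salt digest; do
        [ "$u" = "$1" ] || continue
        [ "$(hash_password "$salt" "$2")" = "$digest" ] && result=0
        break
    done < "$3"
    return $result
}

# Entry point when OpenVPN invokes the script: $username is set in the environment.
if [ -n "${username:-}" ]; then
    if check_credentials "$username" "${password:-}" "$CRED_FILE"; then
        exit 0      # credentials OK; the certificate was verified separately by OpenVPN
    fi
    exit 1          # reject: OpenVPN sends AUTH_FAILED to the client
fi
```

Run `add_user alice 'secret' /jffs/openvpn/users.db` once per user from a root shell; because OpenVPN still requires a valid client certificate, a stolen password alone does not grant access, and a stolen certificate alone fails at this script.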