Let's make a separate directory for all plugin and module configuration; anything of that kind will go there. It's not required, it just keeps things neat.
mkdir -pv /etc/openvpn/plugin
1. Certificate
generate the client certificate and key
cd /etc/openvpn/easy-rsa/
source vars
./build-key client
Client Setup (Windows)
copy ca.crt, client.crt and client.key from /etc/openvpn/easy-rsa/keys to c:\Program Files\OpenVPN\config
create the client configuration c:\Program Files\OpenVPN\config\client.ovpn with the following contents
# C:\Program Files\OpenVPN\config\client.ovpn
client
remote dc1
port 1194
proto udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
comp-lzo yes
verb 3
ca ca.crt
cert client.crt ; This certificate is needed for authentication
key client.key ; This key is needed for authentication
; Set the name of the Windows TAP network interface device here
dev-node VPN
2. Pluggable Authentication Modules (PAM)
append the following to /etc/openvpn/server.conf
line 2 means that the user's uid must be greater than or equal to 500.
line 3 means that the user must be a member of the openvpn group. Create the group if needed
now create the user openvpn and the group openvpn
useradd openvpn
set up the password for the openvpn user; I will set it to test just for ease
passwd openvpn
Client Setup (Windows)
copy ca.crt from /etc/openvpn/easy-rsa/keys to c:\Program Files\OpenVPN\config
create the client configuration c:\Program Files\OpenVPN\config\client.ovpn with the following contents
# C:\Program Files\OpenVPN\config\client.ovpn
client
remote servername
port 1194
proto udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
comp-lzo yes
verb 3
ca ca.crt
cert client.crt ; This certificate is needed for authentication
key client.key ; This key is needed for authentication
auth-nocache
auth-user-pass
auth-retry interact
; Set the name of the Windows TAP network interface device here
dev-node VPN
Now try to connect from the Windows client using the openvpn account. Mine was working at this point, so yours should be too.
3. Freeradius
install packages
Note: To make this work, make sure that no other authentication module is in use, so adjust /etc/openvpn/server.conf and comment out any other modules
restart openvpn
/etc/init.d/openvpn restart
Client Setup (Windows)
copy ca.crt from /etc/openvpn/easy-rsa/keys to c:\Program Files\OpenVPN\config
create the client configuration c:\Program Files\OpenVPN\config\client.ovpn with the following contents
# C:\Program Files\OpenVPN\config\client.ovpn
client
remote servername
port 1194
proto udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
comp-lzo yes
verb 3
ca ca.crt
cert client.crt ; This certificate is needed for authentication
key client.key ; This key is needed for authentication
auth-nocache
auth-user-pass
auth-retry interact
; Set the name of the Windows TAP network interface device here
dev-node VPN
Note: To make this work, make sure that no other authentication module is in use, so adjust server.conf and comment out any other modules
Client Setup (Windows)
copy ca.crt from /etc/openvpn/easy-rsa/keys to c:\Program Files\OpenVPN\config
create the client configuration c:\Program Files\OpenVPN\config\client.ovpn with the following contents
# C:\Program Files\OpenVPN\config\client.ovpn
client
remote servername
port 1194
proto udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
comp-lzo yes
verb 3
ca ca.crt
cert client.crt ; This certificate is needed for authentication
key client.key ; This key is needed for authentication
auth-nocache
auth-user-pass
auth-retry interact
; Set the name of the Windows TAP network interface device here
dev-node VPN
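As an added check that is not part of the original post: a small Python linter for the client.ovpn files shown above. It parses the OpenVPN directive format (comments start with # or ;, also after a directive, as in the configs above) and flags referenced files that were not copied to the config directory (the PAM and Freeradius steps copy only ca.crt while the config still names client.crt and client.key), a missing server certificate check, and auth-user-pass without auth-nocache. The sample config below is constructed from the page's PAM client config.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the PAM-section client.ovpn from this page, trimmed.
SAMPLE_OVPN = """\
client
remote servername
port 1194
proto udp
dev tun
ns-cert-type server
ca ca.crt
cert client.crt ; This certificate is needed for authentication
key client.key ; This key is needed for authentication
auth-nocache
auth-user-pass
auth-retry interact
dev-node VPN
"""


def parse_ovpn(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the argument lists it appears with.
    Anything after '#' or ';' is treated as a comment, as in the configs above."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def lint_client_config(text: str, present_files: Set[str]) -> List[str]:
    """Return the findings to resolve before trying to connect."""
    d = parse_ovpn(text)
    findings: List[str] = []
    # Every file the config names must have been copied next to client.ovpn.
    for key in ("ca", "cert", "key"):
        for args in d.get(key, []):
            if args and args[0] not in present_files:
                findings.append(f"{key} {args[0]}: file not in config directory")
    # Without a server certificate check, any holder of a CA-signed client
    # cert could pose as the server. ns-cert-type is what this page uses;
    # newer OpenVPN releases use remote-cert-tls server instead.
    if "ns-cert-type" not in d and "remote-cert-tls" not in d:
        findings.append("no server certificate check (ns-cert-type/remote-cert-tls)")
    # Username/password auth should not leave credentials cached in memory.
    if "auth-user-pass" in d and "auth-nocache" not in d:
        findings.append("auth-user-pass without auth-nocache: credentials stay cached")
    return findings
```

Run it against the config directory contents after each "copy ... to c:\Program Files\OpenVPN\config" step; an empty result means the file references and authentication directives line up.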
iptables rules to allow forwarding OpenVPN traffic to the LAN
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
At this point you should be able to talk to your LAN via the OpenVPN tunnel; try pinging your LAN from the Windows client connected via OpenVPN.
If everything works as expected, let's make these rules apply on reboot as well: paste the following into /etc/rc.local, right above exit 0, like this:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE