Blog | G5 Cyber Security

VPN HTTP Authentication

TL;DR

This guide shows you how to set up basic username/password authentication for your VPN using HTTP. It’s a simple way to add security, but not as strong as more advanced methods like certificates. We’ll cover the configuration steps on both the server and client sides.

Setting Up HTTP Authentication

  1. Choose an Authentication Method: There are several ways to handle HTTP authentication. The most common is Basic Authentication, which sends credentials encoded in Base64. While easy to set up, it’s not secure over unencrypted connections (like standard HTTP). We’ll focus on this for simplicity but strongly recommend using HTTPS alongside it.
  2. Server Configuration (OpenVPN Example): This example uses OpenVPN, but the principles apply to other VPN servers. You’ll need root access.
    • Edit your OpenVPN server configuration file (e.g., /etc/openvpn/server.conf).
    • Add a script that handles authentication. A simple example using PAM (Pluggable Authentication Modules) is shown below:
      script-security 2
      # Pass the client's username/password to a check script (example path) through a
      # temporary file; the script exits 0 to accept the login and non-zero to reject it
      auth-user-pass-verify /etc/openvpn/auth.py via-file
      # Alternative: hand the credentials to PAM's "login" service instead of a script
      # plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
    • Create the auth.txt file (e.g., using htpasswd):
      htpasswd -c /etc/openvpn/auth.txt username1
      htpasswd /etc/openvpn/auth.txt username2

      This will prompt you for passwords.

    • Restart the OpenVPN service:
      sudo systemctl restart openvpn@server
  3. Client Configuration: The client needs to be configured to send credentials with each connection attempt. This is usually done in the client configuration file.
    • Edit your OpenVPN client configuration file (e.g., client.conf).
    • Add these lines:
      # Ask for a username and password and send them to the server over the
      # TLS-protected control channel
      auth-user-pass
      # Server address (replace your_server_ip) and port
      remote your_server_ip 1194
      proto udp
      dev tun

      The auth-user-pass directive tells the client to prompt for username and password.

  4. Testing the Connection:
    • Start your OpenVPN client. It should now ask you for a username and password.
    • Enter the credentials you created in step 2.
    • Check the server logs (e.g., /var/log/syslog) to confirm successful authentication.
      grep 'AUTH_USER_PASS' /var/log/syslog
  5. Security Considerations:
    • HTTPS is Crucial: Always use HTTPS to encrypt the connection between the client and server. Without it, your credentials are sent in plain text.
    • PAM Integration: Using PAM allows you to integrate with existing system authentication mechanisms (e.g., LDAP, Active Directory).
    • Two-Factor Authentication: Consider adding two-factor authentication for increased security.
    • Regular Password Changes: Enforce regular password changes.
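The steps above leave the actual credential check to "a script" without showing one. The following is an added example written for this page, not code from the G5 post or from the OpenVPN project: an auth-user-pass-verify script that validates the username and password OpenVPN hands it against the htpasswd file created in step 2. It assumes the server config points at it with `auth-user-pass-verify /etc/openvpn/auth.py via-file` (OpenVPN then writes the username on line 1 and the password on line 2 of a temporary file and passes that path as the first argument; exit 0 accepts, non-zero rejects), and that the entries in auth.txt were created with `htpasswd -s` ({SHA}) or `htpasswd -B` (bcrypt, which needs the third-party `bcrypt` package). The apr1-MD5 format that htpasswd produces by default is not implemented here, so such entries are rejected rather than guessed at: unknown formats fail closed. The sample password file at the bottom is constructed for the example.

```python
#!/usr/bin/env python3
"""OpenVPN auth-user-pass-verify script (added example; assumed path /etc/openvpn/auth.py).

Wiring assumed in server.conf:
    script-security 2
    auth-user-pass-verify /etc/openvpn/auth.py via-file
"""
import base64
import hashlib
import hmac
import sys

HTPASSWD_PATH = "/etc/openvpn/auth.txt"  # password file from step 2 of the guide

try:
    import bcrypt  # third-party, optional; needed only for htpasswd -B entries
except ImportError:  # pragma: no cover
    bcrypt = None


def parse_htpasswd(text):
    """Return {username: hash_field} from htpasswd contents, skipping blank/comment/malformed lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hashed = line.split(":", 1)
        entries[user] = hashed
    return entries


def check_password(password, stored):
    """Verify a password against one htpasswd hash field; unknown formats fail closed."""
    if stored.startswith("{SHA}"):  # htpasswd -s: "{SHA}" + base64(sha1(password))
        digest = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest())
        return hmac.compare_digest(digest, stored[5:].encode("utf-8"))
    if stored.startswith(("$2y$", "$2b$", "$2a$")):  # htpasswd -B: bcrypt
        if bcrypt is None:
            return False
        return bcrypt.checkpw(password.encode("utf-8"), stored.encode("utf-8"))
    return False  # apr1-MD5, crypt(3) or anything else: reject explicitly


def verify_credentials(username, password, entries):
    """Look up the user and check the password; do dummy hash work for unknown users
    so a missing account is not distinguishable from a wrong password by timing."""
    stored = entries.get(username)
    if stored is None:
        check_password(password, "{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=")
        return False
    return check_password(password, stored)


def read_via_file(path):
    """Read the two-line credential file OpenVPN creates for via-file mode."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    if len(lines) < 2:
        raise ValueError("credential file must contain a username line and a password line")
    return lines[0], lines[1]


# Constructed sample password file: user "alice", password "password", created with htpasswd -s
SAMPLE_HTPASSWD = "alice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n"


def main(argv):
    try:
        username, password = read_via_file(argv[1])
        with open(HTPASSWD_PATH, encoding="utf-8") as fh:
            entries = parse_htpasswd(fh.read())
    except (IndexError, OSError, ValueError) as exc:
        print(f"openvpn-auth: error: {exc}", file=sys.stderr)
        return 1
    ok = verify_credentials(username, password, entries)
    # OpenVPN copies script output into its own log: record the outcome and user, never the password
    print(f"openvpn-auth: {'ACCEPT' if ok else 'REJECT'} user={username!r}", file=sys.stderr)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install it with `chmod 750` and ownership such that the user OpenVPN runs as can execute it and read auth.txt but not modify either. Because the script prints one ACCEPT/REJECT line per attempt, the server log from step 4 can be searched for REJECT lines per username to spot guessing attempts.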