Skip to content

Latest commit

 

History

History
56 lines (40 loc) · 2.06 KB

README.md

File metadata and controls

56 lines (40 loc) · 2.06 KB

Openvpn User Manager with 2FA

This is a php program to manage openvpn accounts (login/password) with 2FA / TOTP management.

License: GPL-v3+ Copyright: 2018-2020 Benjamin Sonntag for Octopuce

Installation

  • install a php7.2+ with sqlite3 and imagick (on debian use apt install php7.2-cli php7.2-fpm php7.2-sqlite3 php7.2-imagick )
  • point an HTTPS vhost of your webserver into pub/ folder (using apache & mod-php or nginx & fpm)
  • fill config.php if needed (use config.sample.php as a template, the configuration directory MUST be writable by the PHP Unix user)
  • launch composer update at the root of the repository to download the dependencies
  • launch php init.php to initialize an administrator account
  • your interface is now available, use the check.php php script into your openvpn configuration to check a username/password
  • for openvpn conf, see server.conf, server.up.sh and client.conf sample, use easy-rsa to manage your own pki)
  • launch cron-update.php regularly (every 5 minutes minimum recommended) to update the configuration file for OpenVPN (useful for big installations)

easy-rsa setup

apt install easy-rsa
make-cadir /etc/openvpn/pki
cd /etc/openvpn/pki

edit vars :

set_var EASYRSA_KEY_SIZE 3072 set_var EASYRSA_CA_EXPIRE 7200 set_var EASYRSA_CERT_EXPIRE 3650

initialize the CA:

  • ./easyrsa init-pki
  • ./easyrsa build-ca (type a password for your CA, 2 times)
  • ./easyrsa gen-dh
  • ./easyrsa build-client-full client
  • (type a new client password 2 times then the CA password)
  • openssl rsa -in pki/private/client.key -out pki/private/client.unprotected.key
  • (retype previous client password)
  • ./easyrsa build-server-full server
  • (type a new server password 2 times then the CA password)
  • openssl rsa -in pki/private/server.key -out pki/private/server.unprotected.key
  • (retype previous server password)
  • openvpn --genkey --secret /etc/openvpn/pki/ta.key

Now you can fill your openvpn client.ovpn and server.conf configuration files as stated inside them. search for --- or {}