A few more great things about OpenVPN:

1). The whole setup below can be duplicated on a separate server in less than an hour should a server crash

2). The second server does not require additional licensing

3). The UDP protocol can easily be switched to TCP 443 to get through pesky firewalls

4). Vista 64-bit works with the latest OpenVPN GUI

5). Log Files easily show all access by username

Two Factor Authentication for Free

RSA is a ripoff; they’re following in the footsteps of Microsoft, and unfortunately many companies believe RSA is the only way to secure their network.

They’re wrong, and here’s why:

OpenVPN + Server Cert/Key + PAM Authentication Module = FREE two-factor authentication.

First, let’s define two-factor authentication: it’s nothing more than two separate requirements you must satisfy when you log on, tunnel in or otherwise gain access to a network. For example, you have a “PIN code” or “password” that never changes. In addition you might have a key chain “token” whose code is constantly changing. Access requires both, and because the key chain token is always changing it becomes very difficult for the wrong person to gain access.

A little background on the industry: the Citrix Access Gateway is probably the industry standard for providing a single-factor authentication gateway to a small company, and I’m guessing most companies concerned with security have something very similar. The gateway, or “CAG”, sits behind the company’s firewall and accepts authentication requests. That’s the first factor; the second is generally a token-like system requiring users to carry around a silly key chain. Why? If a user has a private certificate signed by the company’s certificate authority AND a username/password, access is still two-factor.

What absolutely amazes me is that there are open source applications that can provide two-factor authentication for FREE.

Here’s what a working OpenVPN server config looks like using PAM:

proto udp
;proto tcp
port 1194
dev tap
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
# Define the IP address for the tap0 virtual device
ifconfig-pool-persist /etc/openvpn/ipp.txt
# Routes to be established on the server
route-up "route delete -net"
route-up "route add -net tap0"

# Allow clients to talk to one another
client-to-client

# Push the same ping settings to the clients
push "ping 10"
push "ping-restart 60"
push "route" # route to another subnet
push "route" # route to another
push "route" # route to one more
push "route" # route to yet another
push "route" # route to some place
push "route" # route to northern US
push "route" # route to more north
push "dhcp-option DOMAIN" # push the DNS domain suffix

status-version 2
status /var/log/openvpn-status.log
verb 5
# Keep the tunnel open with a ping every 10 seconds; restart after 120 seconds without a reply
keepalive 10 120

# PAM plugin: "login" is the PAM service used to check the username/password
plugin /usr/share/openvpn/plugin/lib/ login

I’m going to skip a whole bunch of steps needed to get this working (see the OpenVPN documentation), but if the server is running with the above configuration (with no errors) you’ll have two-factor authentication: 1). a certificate signed by your certificate authority and 2). the username/password of an account on the Linux box, checked by the PAM module above.
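Point 5 at the top of the post (log files show all access by username) rests on the status-version 2 file that the status line in the config above writes to /var/log/openvpn-status.log. As an added example (my own code, not from the post or the OpenVPN project), here is a small Python parser for that file that groups live sessions by the account that passed the PAM check. The status file below is constructed; the column set of CLIENT_LIST differs between OpenVPN releases (older ones have no Username column), so rows are mapped by the HEADER line rather than by fixed position, and the username falls back to the certificate Common Name when the column is absent.

```python
import csv
import io
from collections import defaultdict

# Constructed status-version 2 file (not captured from a real server).
# Addresses, names and times are made up for the example.
SAMPLE_STATUS = """\
TITLE,OpenVPN status (constructed sample)
TIME,Mon Mar  2 10:15:42 2009,1236003342
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username
CLIENT_LIST,laptop-01,203.0.113.7:51234,10.8.0.6,10240,20480,Mon Mar  2 09:58:10 2009,1236002290,alice
CLIENT_LIST,laptop-02,198.51.100.9:40001,10.8.0.10,512,1024,Mon Mar  2 10:12:01 2009,1236003121,bob
CLIENT_LIST,desktop-03,192.0.2.44:1194,10.8.0.14,0,0,Mon Mar  2 10:15:30 2009,1236003330,alice
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.6,laptop-01,203.0.113.7:51234,Mon Mar  2 10:15:40 2009,1236003340
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""


def parse_status_v2(text):
    """Parse a status-version 2 file into {record_type: [row dicts]}.

    Each HEADER line names the columns of the record type that follows it, so
    rows are mapped by column name rather than by position; that keeps the
    parser working across OpenVPN releases that add or reorder columns.
    """
    columns = {}
    records = defaultdict(list)
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        kind = row[0]
        if kind == "HEADER" and len(row) >= 2:
            columns[row[1]] = row[2:]
        elif kind in columns:
            records[kind].append(dict(zip(columns[kind], row[1:])))
        elif kind == "END":
            break
    return dict(records)


def sessions_by_user(records):
    """Group live sessions by the account that passed the PAM check.

    Uses the Username column when the server writes one; older releases only
    record the certificate Common Name, which is used instead (the two are
    the same when the server runs with username-as-common-name).
    """
    by_user = defaultdict(list)
    for rec in records.get("CLIENT_LIST", []):
        user = rec.get("Username") or rec["Common Name"]
        by_user[user].append({
            "common_name": rec["Common Name"],
            "real_address": rec["Real Address"],
            "virtual_address": rec.get("Virtual Address", ""),
            "connected_since": rec.get("Connected Since", ""),
        })
    return dict(by_user)


def shared_accounts(by_user):
    """Accounts with more than one live session.

    With PAM the password and the certificate are independent, so one account
    appearing behind several certificates or addresses is worth a look: it may
    be a user with two machines, or a credential that has been shared or stolen.
    """
    return {user: len(sessions) for user, sessions in by_user.items() if len(sessions) > 1}


if __name__ == "__main__":
    users = sessions_by_user(parse_status_v2(SAMPLE_STATUS))
    for user, sessions in sorted(users.items()):
        for s in sessions:
            print(f"{user:10} {s['common_name']:12} {s['real_address']:22} since {s['connected_since']}")
    for user, n in shared_accounts(users).items():
        print(f"note: {user} has {n} concurrent sessions")
```

Run it against the real file with `parse_status_v2(open("/var/log/openvpn-status.log").read())`; the file is rewritten by the server on every status interval, so a cron job can keep a per-user history that the status file itself does not.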

Win XP/Vista/32bit/64bit Client Setup:

1). Install OpenVPN GUI v1.0.3
2). Load the ca.crt and client.ovpn files.

Here’s an example of the client.ovpn file:

client # pull the routes and options pushed by the server
dev tap

;proto tcp
proto udp
remote 1194 # the public IP of the server goes before the port
resolv-retry infinite
ca ca.crt
auth-user-pass # prompt for the username/password that the server's PAM module checks
verb 3
mute 20
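Whether the two factors are really enforced depends on both configs: the server must require a client certificate and run the PAM plugin, and the client profile must carry its own certificate and key and send a username/password. As an added example (my own code, not from the post or the OpenVPN project), here is a Python checker that parses OpenVPN config syntax (# and ; comments, including trailing ones, double-quoted arguments, inline <cert>/<key> blocks) and reports what each side requires or presents. The sample configs are constructed: the host name, file names and domain are placeholders, and openvpn-auth-pam.so is the standard name of the PAM plugin shipped with OpenVPN. It also shows the weak variants, a server with client-cert-not-required and a client profile that carries only ca.crt, for comparison.

```python
import shlex

# Constructed sample configs (added example, not the post's own files).
# Option names are real OpenVPN 2.x directives; names and paths are placeholders.
SERVER_CONF = """\
proto udp
port 1194
dev tap
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
push "dhcp-option DOMAIN corp.example"    # trailing comment, like the post's config
keepalive 10 120
# username/password checked against the host's "login" PAM service
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
"""

# Same server, but the certificate factor has been switched off.
SERVER_CONF_WEAK = SERVER_CONF + "client-cert-not-required\n"

CLIENT_OVPN = """\
client
dev tap
;proto tcp
proto udp
remote vpn.example.invalid 1194
resolv-retry infinite
ca ca.crt
cert laptop-01.crt      # per-client certificate issued by the easy-rsa CA
key laptop-01.key       # its private key: factor 1, something you have
auth-user-pass          # prompt for the PAM username/password: factor 2
verb 3
mute 20
"""

# A profile with only the (public) CA certificate: the password is the sole factor.
CLIENT_OVPN_CA_ONLY = """\
dev tap
proto udp
remote vpn.example.invalid 1194
ca ca.crt
auth-user-pass
verb 3
"""


def parse_ovpn(text):
    """Tokenise an OpenVPN config into {option: [argument lists]}.

    Accepts what the OpenVPN parser accepts: '#' or ';' comments (also trailing
    ones outside quotes), double-quoted arguments, and inline <ca>/<cert>/<key>
    blocks, which are recorded as options with an empty argument list.
    """
    options = {}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                      # inside <tag> ... </tag>
            if line == f"</{block}>":
                block = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            block = line[1:-1]
            options.setdefault(block, []).append([])
            continue
        lexer = shlex.shlex(line, posix=True)
        lexer.commenters = "#;"
        lexer.whitespace_split = True
        tokens = list(lexer)
        if tokens:
            options.setdefault(tokens[0], []).append(tokens[1:])
    return options


def server_factors(text):
    """Which factors a server config enforces."""
    opts = parse_ovpn(text)
    pam = any("auth-pam" in " ".join(args) for args in opts.get("plugin", []))
    userpass = pam or "auth-user-pass-verify" in opts
    # client-cert-not-required (2.3 and older) or verify-client-cert none/optional
    # (2.4+) drop the certificate requirement.
    cert_required = "client-cert-not-required" not in opts and not any(
        args[:1] in (["none"], ["optional"]) for args in opts.get("verify-client-cert", []))
    return {"client_cert": cert_required, "user_pass": userpass}


def client_factors(text):
    """Which factors a client profile will actually present."""
    opts = parse_ovpn(text)
    has_cert = ("cert" in opts and "key" in opts) or "pkcs12" in opts
    return {"client_cert": has_cert, "user_pass": "auth-user-pass" in opts}


def is_two_factor(server_text, client_text):
    """True only when the server requires both factors and the client presents both."""
    return all(server_factors(server_text).values()) and all(client_factors(client_text).values())


if __name__ == "__main__":
    for name, conf in [("server", SERVER_CONF), ("server (weak)", SERVER_CONF_WEAK)]:
        print(name, server_factors(conf))
    for name, conf in [("client", CLIENT_OVPN), ("client (CA only)", CLIENT_OVPN_CA_ONLY)]:
        print(name, client_factors(conf))
    print("two-factor end to end:", is_two_factor(SERVER_CONF, CLIENT_OVPN))
```

Note that ca.crt is the CA's public certificate and every client gets the same copy, so it is not a secret and not a factor on its own; the "something you have" is the per-client certificate and private key that the CA signed. The checker only inspects the configs, so confirm the result against the server log at verb 5, where a failed username/password shows up as an AUTH_FAILED rejection.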

Save yourself $10k or $20k, learn OpenVPN.