OpenVPN auth-user-pass-verify example

One of my recent task to enable authentication over OpenVPN. auth-user-pass-verify is one of the way (is it the only way?) to enable authentication OpenVPN. When user connects to VPN, the server will write the username and password to a temporary file then execute the script with the file path as argument, the exit code will be used to determine whether authentication is success or not. It is a weird protocol but it is how it works …

To enable authentication, you will need to change your openvpn config to:

script-security 2 # must be at least 2
auth-user-pass-verify your_script.sh via-file
username-as-common-name # without this openvpn will use cn in the certificate as username
duplicate-cn # you may need this if everyone is using same certificate

Make sure your script is executable. Below is an example bash script is as below

#!/bin/bash
readarray -t lines < $1
username=${lines[0]}
password=${lines[1]}
# Replace your own authentication mechanism here
if [[ "$password" == "bao" ]]; then
  echo "ok"
  exit 0
fi
echo "not ok"
exit 1

In the example, i simply check if the password is “bao” 😀 . You should replace with your own authentication. Also note that for security reason OpenVPN has some constraints on the username and password, check here for more detail.

Originally published at www.nqbao.com on February 2, 2017.