OpenVPN auth-user-pass-verify example

Bao Nguyen
Feb 2, 2017 · 1 min read

One of my recent tasks was to enable authentication over OpenVPN. auth-user-pass-verify is one way (is it the only way?) to enable authentication in OpenVPN. When a user connects to the VPN, the server writes the username and password to a temporary file and then executes the script with the file path as its argument; the exit code is used to determine whether authentication succeeded or not. It is a weird protocol, but that is how it works …

To enable authentication, you will need to change your openvpn config to:

script-security 2 # must be at least 2
auth-user-pass-verify your_script.sh via-file
username-as-common-name # without this openvpn will use cn in the certificate as username
duplicate-cn # you may need this if everyone is using same certificate

Make sure your script is executable. Below is an example bash script:

#!/bin/bash
# OpenVPN passes the path of the temporary credential file as $1:
# line 1 holds the username, line 2 holds the password.
readarray -t lines < "$1"
username=${lines[0]}
password=${lines[1]}
# Replace your own authentication mechanism here
if [[ "$password" == "bao" ]]; then
  echo "ok"
  exit 0
fi
echo "not ok"
exit 1

In the example, I simply check whether the password is “bao” 😀. You should replace this with your own authentication. Also note that, for security reasons, OpenVPN imposes some constraints on the username and password; check here for more detail.
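A fuller verify script, added here as an example rather than the post's own code, that follows the protocol described above: it reads the two-line via-file, rejects malformed input, and checks the password against a salted-hash table instead of a hard-coded string. The users, salts, and the length and character limits are constructed assumptions for this example.

```shell
#!/bin/bash
# Added example (not from the original post): an auth-user-pass-verify script
# for "via-file" mode. OpenVPN writes the username on line 1 and the password on
# line 2 of a temp file and passes its path as $1; exit 0 accepts, else rejects.

# hash_password SALT PASSWORD -> hex SHA-256 of "SALT:PASSWORD" on stdout.
hash_password() {
  printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Constructed credential table, one "user:salt:hash" per line. It is built
# here only so the example runs stand-alone; a real deployment reads it from a
# root-owned file (0600) and never keeps plaintext passwords anywhere.
CREDENTIALS="alice:7c1e:$(hash_password 7c1e 'correct horse battery staple')
bob:a9d2:$(hash_password a9d2 hunter2)"

# valid_field VALUE -> 0 if VALUE is 1..128 printable ASCII characters.
# These limits are this script's own policy, on top of OpenVPN's own checks.
valid_field() {
  [ -n "$1" ] && [ "${#1}" -le 128 ] &&
    [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d '[:print:]')" ]
}

# verify_credentials FILE -> 0 if the username/password pair is accepted.
verify_credentials() {
  local file="$1" username="" password="" entry salt hash
  [ -r "$file" ] || { echo "auth: credential file unreadable" >&2; return 1; }
  # Read exactly two lines; a missing final newline must not lose the password.
  { IFS= read -r username; IFS= read -r password || true; } < "$file"
  valid_field "$username" && valid_field "$password" ||
    { echo "auth: malformed username or password" >&2; return 1; }
  # Exact-string lookup with awk, so regex metacharacters in the username
  # cannot widen the match the way a grep pattern would.
  entry=$(printf '%s\n' "$CREDENTIALS" |
    awk -F: -v u="$username" '$1 == u { print $2 ":" $3; exit }')
  [ -n "$entry" ] || { echo "auth: unknown user" >&2; return 1; }
  salt=${entry%%:*}; hash=${entry#*:}
  if [ "$(hash_password "$salt" "$password")" = "$hash" ]; then
    echo "auth: accepted $username"
    return 0
  fi
  echo "auth: bad password for $username" >&2
  return 1
}

# Entry point when OpenVPN invokes the script with the via-file path.
if [ "$#" -eq 1 ]; then
  verify_credentials "$1"
  exit "$?"
fi
```

Point `auth-user-pass-verify` at this file (still with `via-file` and `script-security 2`); stdout and stderr from the script end up in the OpenVPN log, so the rejection reasons are visible there.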

Originally published at www.nqbao.com on February 2, 2017.
