December 29, 2011

OpenVPN “auth-user-pass-verify” doesn't provide password

I was trying to use OpenVPN's auth-user-pass-verify option, which lets you plug in your own username/password authentication mechanism. I had a very simple authentication script set up and was using the "via-env" method. I fought for at least an hour or two trying to figure out why my passwords weren't being accepted, even after I shortened the password to just "a". It turned out I was doing everything right, but getting shafted by the distribution's packaging.

First thing you need to know is that when you use auth-user-pass-verify with the via-env method, you MUST also set script-security 3: level 2 only allows OpenVPN to run external scripts, while level 3 additionally allows it to hand the password to the script through environment variables. (The via-file method, which writes the username and password to a temporary file under tmp-dir and passes that file's path to the script, works at level 2.) Basically every example you can find on the net shows auth-user-pass-verify and script-security together. I'd also suggest adding client-cert-not-required, which lets clients connect with only a username and password instead of a client certificate (the option was replaced by verify-client-cert none in OpenVPN 2.4), and username-as-common-name, which makes the server use the authenticated username as the client's common name rather than the CN from a client certificate. A word of caution on level 3: the OpenVPN manual marks it "potentially unsafe" because the password sits in the script's environment, where it is readable through /proc/PID/environ by root or by the user the script runs as, and is inherited by any child process the script spawns.

The shafting I was getting came from the OpenVPN package for CentOS I had installed: its init script appended "--script-security 2" to the launch command (you can check your own copy by starting the OpenVPN server and then running "ps -ax", which shows the full command line). Even though I had set my own script-security level in the config file, the init script's command-line option took precedence, because OpenVPN processes options in order and an option that appears after --config on the command line overrides the same option from the file. The only fix I found was to edit the init script and hope it isn't overwritten on a later upgrade. The other way out is to switch to the via-file method, which works at script-security 2 and so does not care what the init script appends.
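For reference, here is an added example of what the verify script and the matching server config look like. It is my illustration, not code from the original post or from the OpenVPN project. It handles both via-file (the two-line temp file OpenVPN passes as $1) and via-env ($username/$password), and it exits 0 only on a match, which is the contract OpenVPN requires. The credential store, salts and passwords are constructed for the demo and built at runtime so the script is self-contained; the config paths in the header comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. A minimal auth-user-pass-verify
# hook for OpenVPN that works in both modes:
#   via-file : OpenVPN writes a temp file (username on line 1, password on
#              line 2) under --tmp-dir and passes its path as $1.
#              Needs script-security 2.
#   via-env  : OpenVPN exports $username and $password. Needs script-security 3.
# OpenVPN accepts the login only if this script exits 0.
#
# Server-side config lines this script expects (assumed paths, adjust them):
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/auth-verify.sh via-file
#   client-cert-not-required      # verify-client-cert none on OpenVPN 2.4+
#   username-as-common-name
#   tmp-dir /etc/openvpn/tmp      # root-only directory for the via-file temp file

hash_password() {
    # hash_password SALT PASSWORD -> hex SHA-256 of "SALT:PASSWORD".
    # Illustrative only; a real deployment should use a slow KDF or PAM.
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1
    else
        printf '%s:%s' "$1" "$2" | shasum -a 256 | cut -d' ' -f1
    fi
}

# Constructed demo credential store, one "user:salt:hash" per line. It is built
# at runtime only so the example is self-contained; in practice keep precomputed
# hashes in a root-only file and never log the password.
CRED_DB="alice:s4lt1:$(hash_password s4lt1 'correct horse battery')
bob:s4lt2:$(hash_password s4lt2 'hunter2')"

check_credentials() {
    # check_credentials USER PASSWORD -> 0 if they match an entry in CRED_DB.
    user=$1 pass=$2
    if [ -z "$user" ] || [ -z "$pass" ]; then return 1; fi
    case $user in *:*) return 1 ;; esac    # ':' is the record separator
    while IFS=: read -r db_user db_salt db_hash; do
        [ "$db_user" = "$user" ] || continue
        if [ "$(hash_password "$db_salt" "$pass")" = "$db_hash" ]; then
            return 0
        fi
        return 1
    done <<EOF
$CRED_DB
EOF
    return 1
}

verify_via_file() {
    # verify_via_file PATH -> 0 if the two-line credential file authenticates.
    f=$1
    [ -r "$f" ] || return 1
    u='' p=''
    # Read line 1 and line 2 verbatim (IFS= and -r keep spaces and backslashes).
    # The second read fails if the file has no trailing newline but still
    # assigns what it read, so only give up when the password is empty.
    { IFS= read -r u; IFS= read -r p || [ -n "$p" ]; } < "$f" || return 1
    check_credentials "$u" "$p"
}

verify_via_env() {
    # verify_via_env -> 0 if $username/$password exported by OpenVPN authenticate.
    check_credentials "${username:-}" "${password:-}"
}

# Only behave as the hook when OpenVPN invoked us; OpenVPN sets $script_type
# for every script it runs, so sourcing the file elsewhere has no side effects.
if [ "${script_type:-}" = "auth-user-pass-verify" ]; then
    if [ $# -ge 1 ]; then verify_via_file "$1"; else verify_via_env; fi
    exit $?
fi
```

Install it root-owned and mode 0700, point auth-user-pass-verify at it, and test it by hand before wiring it in: run it with script_type=auth-user-pass-verify and a two-line file (or username/password in the environment) and check the exit status with `echo $?`. Note that via-file only keeps the password out of the environment if tmp-dir is a directory that nobody else can read.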

Sadly, very few people seem to use username/password authentication with OpenVPN, so there is very little documentation and very few mentions across the net.