OpenVPN “auth-user-pass-verify” doesn’t provide password
I was trying to using OpenVPN’s auth-user-pass-verify option, which allows you to essentially build your own authentication mechanism for usernames/passwords. I had a very, very simply authentication script setup and was using the “via-env” method. I fought for at least an hour or two trying to figure out why my passwords weren’t being accepted, even when I changed the password down to being as simple as “a”. Turns out I was doing everything right, but getting shafted.
First thing you need to know is that when you use auth-user-pass-verify, you MUST also set script-security 3. Basically every example you can find on the net will show these two lines together. I’d also suggest adding client-cert-not-required and username-as-common-name (both are fairly self-explanatory).
The shafting I was getting is that the OpenVPN package for CentOS I had installed, the init script affixed “–script-security 2” to the launch command (you can check your own copy by starting the OpenVPN server and then running “ps -ax”, it will show the full command executed). Even though I had set my own script-security level, the init script via the command line took precedence to the config. The only solution is to edit the init script and hope it isn’t upgraded/overwritten later.
Sadly, very few people seem to username/password authentication with OpenVPN so there is very little documentation and very few mentions across the net.
Hi Jon very good info. I thought I’d add that in recent versions of OpenVPN such as 2.3-2.4 I used to use a script that would manually pass the env variables as arguments to a shell script but this no longer works. It is kind of weird and clunky but it does set them as env variables when calling the script and you can access them as $username and $password in a shell script without using them as arguments.
Cheers