Openvpn password authentication

stdapsy · Jan 21, 2013 · Viewed 17.6k times

I am trying to connect an openvpn Windows client to an openvpn server running on Ubuntu. The VPN works fine when using 'certificate only' authentication. But when trying to authenticate using the script below, I am getting the error below on the client:

Mon Jan 21 14:59:07 2013 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Jan 21 14:59:07 2013 AUTH: Received AUTH_FAILED control message
Mon Jan 21 14:59:07 2013 TCP/UDP: Closing socket
Mon Jan 21 14:59:07 2013 SIGTERM[soft,auth-failure] received, process exiting

The vpn_user.sh is an executable and accessible by the server.conf file.

Any assistance is appreciated.

Here is the authenticating script:

#!/bin/sh
#vpn_user.sh

ALLOWED_USER="user1"

ALLOWED_PASS="password1"
echo "$username"
echo "$password"

if ["$username"=="$ALLOWED_USER"] && ["$password"=="$ALLOWED_PASS"]
    then exit 0
fi

exit 1

server configuration:

#server.conf
port 1194
proto udp
dev tap0

client-cert-not-required
auth-user-pass-verify vpn_user.sh via-env
script-security 3
username-as-common-name
tmp-dir /dev/shm

ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
verb 3

client configuration:

client
dev tap
proto udp
remote 10.xx.xx.xx 1194
auth-user-pass
resolv-retry infinite
persist-key
persist-tun
ca ca.crt
dh dh1024.pem
comp-lzo
verb 3

Answer

Chris · Oct 27, 2017

1. The script you have entered has missing spaces in the if line; it should be:

if [ "$username" == "$ALLOWED_USER" ] && [ "$password" == "$ALLOWED_PASS" ]

What shows up when the script is executed? Here are my examples of testing:

# username=user1 password=password1 ./vpn_user.sh && echo "authentication OK" || echo "Authentication failed"
user1
password1
authentication OK

# username=user1 password=wrong-pass ./vpn_user.sh && echo "authentication OK" || echo "Authentication failed"
user1
wrong-pass
Authentication failed

2. Also check your server.conf. You may need to put the full path to your script.

This is the important section:

auth-user-pass-verify /full/path/to/vpn_user.sh via-env
script-security 3

3. Chroot-ed execution may cause difficulties.

If you run openvpn under chroot, then your script needs to be visible to the chroot-ed process; the shell for the script also needs to be available, together with any needed libraries. In that case you need to chroot and test execution of the script under chroot.

This can be tricky, and a quick solution for this for me was to write my own small program and compile it (as static - no need for external libs).

Exact instructions, source code, compile instructions, etc. should still be available at:

http://openbsdsupport.org/openvpn-on-openbsd.html

or even better - try to go directly to the related section:

http://openbsdsupport.org/openvpn-on-openbsd.html#AuthenticationVariant1simple

4. Openvpn clients also need to be configured to use password authentication.

Verify the option in the client's config client-config.ovpn:

auth-user-pass
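A corrected and hardened version of the asker's vpn_user.sh, written as an added example for this page (it is not the asker's or Chris's code, nor anything shipped with OpenVPN): it keeps the fixed test syntax from point 1, stops echoing the password into the log, reads hashed passwords from a file instead of hard-coding them, and also accepts OpenVPN's via-file mode. CRED_FILE, its default path, the sample accounts and the availability of sha256sum/shasum are assumptions.

```shell
#!/bin/sh
# vpn_user.sh - OpenVPN auth-user-pass-verify handler (added example).
# Handles "via-env" ($username/$password, as in the question) and "via-file"
# (two-line file path in $1, which the OpenVPN manual prefers). Exit 0 = accept.
# Assumes sha256sum/shasum is reachable (inside the chroot, if any) and that
# CRED_FILE is root-owned, readable only by the user openvpn runs as.

CRED_FILE="${CRED_FILE:-/etc/openvpn/vpn_users.txt}"   # lines: user:sha256hex
# Unsalted SHA-256 keeps this portable; production should use a slow salted
# hash (e.g. PAM through openvpn-auth-pam).
hash_pw() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# 0 when $1/$2 match a CRED_FILE line, 1 otherwise. Username is limited to
# [A-Za-z0-9_.-] because username-as-common-name makes it the CN that ccd/
# files, logs and the status file are keyed on.
check_credentials() {
    user=$1; pass=$2
    case $user in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    stored=$(awk -F: -v u="$user" '$1==u {print $2; exit}' "$CRED_FILE" 2>/dev/null)
    [ -n "$stored" ] || return 1
    [ "$(hash_pw "$pass")" = "$stored" ]
}

# Entry point. The password is never echoed (the question's script wrote it
# straight into openvpn.log).
vpn_auth() {
    if [ -n "${1:-}" ] && [ -f "$1" ]; then          # via-file
        u=$(sed -n 1p "$1"); p=$(sed -n 2p "$1")
    else                                             # via-env
        u=${username:-}; p=${password:-}
    fi
    if check_credentials "$u" "$p"; then echo "auth ok: $u"; return 0; fi
    echo "auth failed: $u"; return 1
}

# Constructed sample store for stand-alone testing (not real accounts).
make_sample_store() {
    CRED_FILE=$(mktemp)
    printf 'user1:%s\nalice:%s\n' "$(hash_pw password1)" "$(hash_pw 'S3cret!')" >"$CRED_FILE"
}

# Run the check only when OpenVPN (or a manual test) supplied credentials.
if [ -n "${username:-}" ] || [ -n "${1:-}" ]; then vpn_auth "$@"; exit $?; fi
```

Chris's manual test from point 1 still works unchanged (username=user1 password=password1 ./vpn_user.sh), and with auth-user-pass-verify /full/path/to/vpn_user.sh via-file the same script is fed the two-line credential file instead.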