OpenVPN is a widely used software solution for creating secure point-to-point or site-to-site connections. While the most common authentication method is using certificates, there are situations where using a username/password authentication can be more convenient. This article will guide you through the process of setting up a user/password authentication on your OpenVPN server.
To set up user/password authentication on your OpenVPN server, you need to modify the server configuration file by uncommenting or adding specific lines. You also need to create an authentication script that checks the username and password provided by the client. Finally, restart the OpenVPN server for the changes to take effect.
Before we begin, make sure that you have root or sudo access to your OpenVPN server. You should also have a basic understanding of how to use a command-line text editor like nano or vim.
OpenVPN Server Configuration
The first step in setting up user/password authentication is to modify the OpenVPN server configuration file. This file is usually located at /etc/openvpn/server.conf. Open this file with your preferred text editor:
sudo nano /etc/openvpn/server.conf
In this file, you’ll need to uncomment or add the following lines:
# Allow OpenVPN to run external scripts and to hand the password to them through
# environment variables (level 3 is required for the via-env mode used below).
script-security 3
# Uncomment this line to enable username/password authentication.
# Please note that this method is less secure than certificate authentication.
auth-user-pass-verify /path/to/auth-script via-env
The auth-user-pass-verify directive tells OpenVPN to use an external script for authentication. The via-env option indicates that the username and password will be passed to the script via environment variables (named username and password).
The auth-user-pass-optional directive is optional and allows clients to connect without a username and password. If you want to enforce username/password authentication, do not include this line.
After making these changes, save the file and exit the text editor.
Creating the Authentication Script
Next, you’ll need to create an authentication script. This script will be called by OpenVPN when a client attempts to connect. You can use any scripting language you prefer, but for simplicity, we’ll use a Bash script in this example.
Create a new file for the script:
sudo nano /path/to/auth-script
Here is a simple example of what the script could look like:
#!/bin/bash
# Retrieve the username and password from the environment variables set by OpenVPN (via-env)
# Perform your authentication logic here
# For example, you can check against a database or a user file
# Return 0 if authentication is successful, 1 otherwise
if [ "$username" == "your_username" ] && [ "$password" == "your_password" ]; then
    exit 0
else
    exit 1
fi
This script reads the username and password from the environment variables (username and password) that OpenVPN sets when via-env is used, and then checks whether they match a predefined username and password. If the credentials match, the script exits with status code 0, indicating successful authentication. Otherwise, it exits with status code 1, indicating failed authentication.
Replace "your_username" and "your_password" with the actual username and password you want to use.
Once you’ve written your script, save the file and exit the text editor.
Next, make the script executable with the following command:
sudo chmod +x /path/to/auth-script
Restarting the OpenVPN Server
The final step is to restart the OpenVPN server so that the changes take effect:
sudo systemctl restart openvpn
You have now set up user/password authentication on your OpenVPN server. Keep in mind that this method of authentication is considered less secure than certificate-based authentication. It is recommended to use certificate authentication whenever possible, and to use a secure method for storing and transmitting usernames and passwords.
For more information on OpenVPN configuration, you can refer to the OpenVPN manual.
Frequently Asked Questions
Can I use a different scripting language for the authentication script?
Yes, you can use any scripting language you prefer for the authentication script. Just make sure to modify the script accordingly and specify the correct interpreter in the shebang line at the beginning of the script.
What happens if the authentication script returns an error?
If the authentication script exits with a non-zero status, OpenVPN will reject the connection attempt. It is important to ensure that your authentication script is functioning correctly and returns the appropriate exit codes for successful and failed authentication.
How can I add multiple usernames and passwords?
To add multiple usernames and passwords for authentication, you can modify the authentication script to include multiple checks or perform a lookup against a database or user file. You can add additional if statements or database queries to match the provided username and password against the stored credentials.
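One way to implement the user-file lookup described above, which also replaces the hard-coded comparison in the earlier script section, as an added example that is not the article's own script: it reads the credentials from the username and password environment variables that OpenVPN sets in via-env mode, verifies them against salted PBKDF2-HMAC-SHA256 hashes (so the user file never holds plaintext passwords) using a constant-time comparison, and fails closed on any error. The user-file path /etc/openvpn/users.db, the record format and the 200,000 iteration count are assumptions of this example; point auth-user-pass-verify at the script and keep script-security 3 in server.conf, since via-env requires it.

```python
#!/usr/bin/env python3
# OpenVPN auth-user-pass-verify handler (via-env mode): OpenVPN exports the client's
# credentials as env vars "username"/"password"; exit 0 accepts, non-zero rejects.
import hashlib
import hmac
import os
import re
import sys

USER_FILE = "/etc/openvpn/users.db"  # assumed path; one record per line
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")  # reject odd/empty names early

def derive(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_record(username, password, iterations=200_000):
    """Enrol a user: 'username:iterations:salt_hex:hash_hex' (no plaintext stored)."""
    salt = os.urandom(16)
    return f"{username}:{iterations}:{salt.hex()}:{derive(password, salt, iterations).hex()}"

def verify(username, password, records):
    """True only if the username is well-formed and the password matches its hash."""
    if not USERNAME_RE.fullmatch(username):
        return False
    for line in records:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, iters, salt_hex, hash_hex = line.split(":")
        if name != username:
            continue
        candidate = derive(password, bytes.fromhex(salt_hex), int(iters))
        # constant-time comparison so timing does not reveal how much matched
        return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))
    return False  # unknown user: fail closed

def main():
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    try:
        with open(USER_FILE) as fh:
            ok = verify(username, password, fh)
    except OSError as exc:
        print(f"auth-script: cannot read {USER_FILE}: {exc}", file=sys.stderr)
        return 1
    # log the decision and the username only; the password is never written out
    print(f"auth-script: user={username!r} {'accepted' if ok else 'rejected'}", file=sys.stderr)
    return 0 if ok else 1
if __name__ == "__main__":
    sys.exit(main())
```

Enrol a user by appending the output of make_record(name, password) to the user file, and keep that file readable only by the account OpenVPN runs the script as.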
Can I store the authentication script in a different location?
Yes, you can choose a different location for the authentication script. Just make sure to update the auth-user-pass-verify directive in the OpenVPN server configuration file to point to the correct path of the script.
Can I use certificate-based authentication and user/password authentication together?
Yes, it is possible to use both certificate-based authentication and user/password authentication together. You can configure OpenVPN to require both forms of authentication by including the appropriate directives in the server configuration file. However, keep in mind that this may add complexity and potentially reduce security if not implemented correctly.