Openvpn password authentication
I am trying to connect an OpenVPN Windows client to an OpenVPN server running on Ubuntu. The VPN works fine when using certificate-only authentication, but when trying to authenticate using the script below, I get the following error on the client:
Mon Jan 21 14:59:07 2013 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Jan 21 14:59:07 2013 AUTH: Received AUTH_FAILED control message
Mon Jan 21 14:59:07 2013 TCP/UDP: Closing socket
Mon Jan 21 14:59:07 2013 SIGTERM[soft,auth-failure] received, process exiting
vpn_user.sh is an executable file and is specified in the server.conf file.
Any help is appreciated.
Here is the authentication script:
#!/bin/sh
#vpn_user.sh
ALLOWED_USER="user1"
ALLOWED_PASS="password1"
echo "$username"
echo "$password"
if ["$username"=="$ALLOWED_USER"] && ["$password"=="$ALLOWED_PASS"]
then exit 0
fi
exit 1
Server config:
#server.conf
port 1194
proto udp
dev tap0
client-cert-not-required
auth-user-pass-verify vpn_user.sh via-env
script-security 3
username-as-common-name
tmp-dir /dev/shm
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
Client configuration:
client
dev tap
proto udp
remote 10.xx.xx.xx 1194
auth-user-pass
resolv-retry infinite
persist-key
persist-tun
ca ca.crt
dh dh1024.pem
comp-lzo
verb 3
1. In the script, a space is missing on the if line; it should be:
if [ "$username" == "$ALLOWED_USER" ] && [ "$password" == "$ALLOWED_PASS" ]
What is displayed when the script is executed? Here are my test examples:
# username=user1 password=password1 ./vpn_user.sh && echo "authentication OK" || echo "Authentication failed"
user1
password1
authentication OK
# username=user1 password=wrong-pass ./vpn_user.sh && echo "authentication OK" || echo "Authentication failed"
user1
wrong-pass
Authentication failed
2. Also check server.conf. You may need to put the full path to your script.
This is an important section:
auth-user-pass-verify /full/path/to/vpn_user.sh via-env
script-security 3
3. Running chroot-ed can be difficult.
If you run openvpn under chroot, then your script should be visible in the chroot-ed process, and a wrapper for the script should also be available along with any required libraries. In this case, you need to chroot and test the script execution under the chroot.
It can be tricky, and a quick solution for me was to write my own small program and compile it statically (so no external libraries are needed).
Exact instructions, source code, compilation command, etc. are available at:
http://openbsdsupport.org/openvpn-on-openbsd.html
or, even better, go directly to the relevant section:
http://openbsdsupport.org/openvpn-on-openbsd.html#AuthenticationVariant1simple
4. OpenVPN clients must also be configured to use password authentication.
Check for this parameter in the client config client-config.ovpn:
auth-user-pass
root@myserver:/var/www# cat /tmp/quickAuth.sh
#!/bin/bash
#vpn_user.sh
ALLOWED_USER="user"
ALLOWED_PASS="password"
echo "$username"
echo "$password"
echo $ALLOWED_USER
echo $ALLOWED_PASS
# Both comparisons need spaces around ==; "$password"="$ALLOWED_PASS" without them is a single non-empty string, which [[ ]] treats as true for any password
if [[ "$username" == "$ALLOWED_USER" && "$password" == "$ALLOWED_PASS" ]]
then
exit 0
else
exit 1
fi
Client configuration:
client
dev tun
proto udp
remote <remote ip of server> 1194 (server port)
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
auth-user-pass
comp-lzo
route xxx.xxx.xxx.xxx 255.255.255.255 (the IP that I want to route through the OpenVPN, if no default route was made)
verb 3
The problem is probably the sh script.
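The following auth-user-pass-verify script is an added example, not the code of the question or of either answer. It pulls together the points raised above and adds the checks a practitioner would want: it uses the POSIX "=" test rather than the bash-only "==" (Ubuntu's /bin/sh is dash, where "[ a == a ]" fails with "unexpected operator", so the question's #!/bin/sh script would still fail even with the spaces fixed), it never echoes the password into openvpn.log, it keeps credentials salted and hashed in a file instead of in plaintext inside the script, and it handles both the via-env mode used on the page and the via-file mode. The credentials file path /etc/openvpn/vpn_users.txt, the AUTH_CREDENTIALS_FILE variable and the user:salt:sha256hex line format are assumptions of this example, not OpenVPN conventions.

```shell
#!/bin/sh
# vpn_users_check.sh - added example, not code from the question or either answer.
# OpenVPN auth-user-pass-verify handler that works in both modes:
#   via-env : OpenVPN exports $username and $password
#   via-file: OpenVPN writes username (line 1) and password (line 2) to a temp
#             file and passes its path as $1
# Credentials are read from a constructed "user:salt:sha256hex" file; the path in
# AUTH_CREDENTIALS_FILE (hypothetical variable name) defaults to
# /etc/openvpn/vpn_users.txt (hypothetical path). Written for POSIX sh, so every
# test uses "=": "==" is a bash extension and fails on Ubuntu's /bin/sh (dash).

# Hex SHA-256 of stdin; uses sha256sum (coreutils) or shasum as a fallback.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# Print one credentials line for user $1 with password $2 (admin-side helper).
# Salted SHA-256 keeps the example self-contained; a slow KDF, or PAM through the
# openvpn-auth-pam plugin, is the better choice for a real deployment.
add_user() {
    salt=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    hash=$(printf '%s%s' "$salt" "$2" | sha256_hex)
    printf '%s:%s:%s\n' "$1" "$salt" "$hash"
}

# Return 0 if user $1 / password $2 match an entry in credentials file $3.
# The username is restricted to a safe character set because
# username-as-common-name turns it into the client's CN on the server side.
verify_credentials() {
    user=$1
    pass=$2
    credfile=$3
    case "$user" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    [ -n "$pass" ] || return 1
    while IFS=: read -r stored_user salt stored_hash; do
        [ "$stored_user" = "$user" ] || continue
        computed=$(printf '%s%s' "$salt" "$pass" | sha256_hex)
        if [ "$computed" = "$stored_hash" ]; then
            echo "auth ok for user '$user'" >&2        # never log the password
            return 0
        fi
        echo "auth failed for user '$user'" >&2
        return 1
    done < "$credfile"
    echo "auth failed: unknown user '$user'" >&2
    return 1
}

# Entry point as called by OpenVPN: pick the credential source by mode.
openvpn_entry() {
    credfile=${AUTH_CREDENTIALS_FILE:-/etc/openvpn/vpn_users.txt}
    if [ -n "${1:-}" ]; then
        { IFS= read -r u; IFS= read -r p; } < "$1"   # via-file
    else
        u=${username:-}                               # via-env
        p=${password:-}
    fi
    verify_credentials "$u" "$p" "$credfile"
}

# Only act when invoked by OpenVPN (via-env sets $username, via-file passes a
# path as $1); otherwise the functions above are merely defined, so the file
# can also be sourced to run add_user.
if [ -n "${username:-}" ] || [ -n "${1:-}" ]; then
    openvpn_entry "$@"
    exit $?
fi
```

To use it, reference it by full path in server.conf with `auth-user-pass-verify /etc/openvpn/vpn_users_check.sh via-env` plus `script-security 3` (via-file needs only `script-security 2`, since the password is not exposed through the environment), and create entries by sourcing the file: `. /etc/openvpn/vpn_users_check.sh; add_user user1 password1 >> /etc/openvpn/vpn_users.txt`. The exit status is all OpenVPN looks at: 0 accepts the client, anything else produces the AUTH_FAILED message seen in the question.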