Auth user pass openvpn linux

OpenVPN on Linux: passing username and password in command line [closed]

Closed. This question is not about programming or software development. It is not currently accepting answers.

This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.

sudo openvpn --config /home/ipv/conf/ipvanish-CA-Toronto-tor-a09.ovpn 

Now, I have to enter my username, after that my password. How Can I pass those two params right as one command, so that I just use one command and the username/password are being passed automatically?

8 Answers 8

The previous answer didn’t work for me (still asked for username and password), what did work was putting your credentials in a file (pass.txt), like this

username@email.com password 

and calling openvpn with —auth-user-pass pass.txt .

Note that in some OpenVPN versions (e.g. OpenVPN 2.4.11) there is a bug where you have to first use —config and then —auth-user-pass or your auth file will be ignored without any warning.

So, here a complete example:

sudo openvpn --config /home/ipv/conf/ipvanish-CA-Toronto-tor-a09.ovpn --auth-user-pass pass.txt 

This does not work for me: Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: auth-user-pass (2.4.4)

I was running into issues, but I got around this by including the line auth-user-pass in my .ovpn file (you can edit with a basic text editor).

The bug which needs —config to come before —auth-user-pass is still around (just had it on my Suse Leap 15.2) . Thanx for mentioning it, that saved my sanity 🙂

Following @Fluffy answer (unfortunately I don’t have enough reputation to comment)

There is a nice bash trick that can eliminate need for pass.txt file

openvpn . --auth-user-pass pass.txt 

please note the \n usage between username and password

This did not work for me: Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: auth-user-pass (2.4.4)

You can use any program that makes sence inside the

Nice idea, but doesn’t work when called with sudo openvpn . ‘/dev/fd/63’: No such file or directory (errno=2)

The problem with the suggested solutions is that all of them are based on a plain text password.

I came up with the following bash script to solve the problem:

VPN_USER="your user name" VPN_PASSWORD="$(sudo kwallet-query -l secrets -r your_password)" CONFIG_FILE=/tmp/your_vpn.ovpn sudo bash -c 'openvpn --config '"$CONFIG_FILE"' --auth-user-pass <(echo -e "'"$VPN_USER"'\n'"$VPN_PASSWORD"'")' 

It queries the password manager (kwallet) to get the password. It also allows you to reuse existing configuration in CONFIG_FILE (just remove the --auth-user-pass entry from it if any)

Источник

Using alternative authentication methods

OpenVPN 2.0 and later include a feature that allows the OpenVPN server to securely obtain a username and password from a connecting client, and to use that information as a basis for authenticating the client.

To use this authentication method, first add the auth-user-pass directive to the client configuration. It will direct the OpenVPN client to query the user for a username/password, passing it on to the server over the secure TLS channel.

Next, configure the server to use an authentication plugin, which may be a script, shared object, or DLL. The OpenVPN server will call the plugin every time a VPN client tries to connect, passing it the username/password entered on the client. The authentication plugin can control whether or not the OpenVPN server allows the client to connect by returning a failure (1) or success (0) value.

Using Script Plugins

Script plugins can be used by adding the auth-user-pass-verify directive to the server-side configuration file. For example:

auth-user-pass-verify auth-pam.pl via-file

will use the auth-pam.pl perl script to authenticate the username/password of connecting clients. See the description of auth-user-pass-verify in the manual page for more information.

The auth-pam.pl script is included in the OpenVPN source file distribution in the sample-scriptssubdirectory. It will authenticate users on a Linux server using a PAM authentication module, which could in turn implement shadow password, RADIUS, or LDAP authentication. auth-pam.pl is primarily intended for demonstration purposes. For real-world PAM authentication, use the openvpn-auth-pamshared object plugin described below.

Using Shared Object or DLL Plugins

Shared object or DLL plugins are usually compiled C modules which are loaded by the OpenVPN server at run time. For example if you are using an RPM-based OpenVPN package on Linux, the openvpn-auth-pam plugin should be already built. To use it, add this to the server-side config file:

plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login

This will tell the OpenVPN server to validate the username/password entered by clients using the loginPAM module.

For real-world production use, it's better to use the openvpn-auth-pam plugin, because it has several advantages over the auth-pam.pl script:

• The shared object openvpn-auth-pam plugin uses a split-privilege execution model for better security. This means that the OpenVPN server can run with reduced privileges by using the directives user nobody, group nobody, and chroot, and will still be able to authenticate against the root-readable-only shadow password file.
• OpenVPN can pass the username/password to a plugin via virtual memory, rather than via a file or the environment, which is better for local security on the server machine.
• C-compiled plugin modules generally run faster than scripts.

If you would like more information on developing your own plugins for use with OpenVPN, see the README files in the plugin subdirectory of the OpenVPN source distribution.

To build the openvpn-auth-pam plugin on Linux, cd to the plugin/auth-pam directory in the OpenVPN source distribution and run make.

Using username/password authentication as the only form of client authentication

By default, using auth-user-pass-verify or a username/password-checking plugin on the server will enable dual authentication, requiring that both client-certificate and username/password authentication succeed in order for the client to be authenticated.

While it is discouraged from a security perspective, it is also possible to disable the use of client certificates, and force username/password authentication only. On the server:

client-cert-not-required

Such configurations should usually also set:

username-as-common-name

which will tell the server to use the username for indexing purposes as it would use the Common Name of a client which was authenticating via a client certificate.

Note that client-cert-not-required will not obviate the need for a server certificate, so a client connecting to a server which uses client-cert-not-required may remove the cert and key directives from the client configuration file, but not the ca directive, because it is necessary for the client to verify the server certificate.

Updates & Announcements

Cyber Shield Released

Cyber Shield protects you from cyber threats without requiring you to tunnel internet traffic. Turn Shield ON.

Release Notes 2.12.0

Access Server 2.12.0 comes with support for Data Channel Offload, a kernel accelerated method of encrypting/decrypting VPN traffic. It also allows setting unique global group subnets so routing in clustering mode is possible. Aside from this numerous fixes and improvements are included.

Access Server

Our popular self-hosted solution. Comes with two free connections. No credit card required.

CloudConnexa™

Cloud-delivered, as-a-service solution. Comes with three free connections. No credit card required.

OpenVPN is a leading global private networking and cybersecurity company that allows organizations to truly safeguard their assets in a dynamic, cost effective, and scalable way.

© Copyright 2023 OpenVPN | OpenVPN is a registered trademark of OpenVPN, Inc. |
CloudConnexa is a trademark of OpenVPN, Inc.

Источник