Authentication and plugins
Apart from X.509 tools, OpenVPN provides a mechanism to use authentication plugins along with client connection scripts. It is possible to remove the requirement for client certificates using --client-cert-not-required
(deprecated in 2.4, removed in 2.5 in favor of --verify-client-cert
). In this case, authentication rests solely upon the --auth-user-pass-verify
option.
If --client-config-dir
is still desired without client certificates, you will need to leverage --username-as-common-name
. Of course, if you're going to require usernames and passwords, it is necessary to add the --auth-user-pass
option to all the client configuration files.
The --auth-user-pass-verify
script is the last in a long chain of scripts that are run. The majority of environment details are available to all of these scripts, including the CN. If you are troubleshooting problems with this script, ensure that the connection is not being killed due to logic in other script routines prior to reaching...