
OpenVPN Username/Password Authentication

Discussion in 'Tomato Firmware' started by Dagger, Jul 12, 2010.

  1. Dagger

    Dagger Networkin' Nut Member

    Init Script:
    Code:
    # Write the verify script. With via-env, OpenVPN hands the credentials to it
    # in the environment variables $username and $password; exit 0 accepts the
    # login, any other exit status rejects it.
    echo '#!/bin/sh
    user1="user1name"
    pass1="user1pass"
    test "$user1" = "${username}" && test "$pass1" = "${password}" && exit 0
    exit 1' > /tmp/quickAuth.sh
    chmod 755 /tmp/quickAuth.sh
    VPN Server Custom Configuration:
    Code:
    # level 3 is required because via-env exposes the password to the script's environment
    script-security 3
    auth-user-pass-verify /tmp/quickAuth.sh via-env
    VPN Client Configuration:
    Code:
    auth-user-pass
    This is a quick-n-dirty way to implement username/password authentication with TomatoVPN. I use it in addition to TLS authentication, but you can use it as the only authentication method with two additional server directives (client-cert-not-required and username-as-common-name)... if you do, the client will only need the CA and not a CERT or KEY.

    I have not yet tried this with static key only, so that might be an option too.
     
  2. i1135t

    i1135t Network Guru Member

    Thanks! FYI, you missed the "test" prior to the pass1. It works great! I did have a question though, if you wanted multiple accounts to be available for authentication, how would you script that?
     
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    From the thread where Dagger and I were discussing all this, this is how I would do it:
    Code:
    #!/bin/sh
    # Look the user up in /tmp/openvpn-auth ("user password" per line; the
    # password may contain spaces, so everything after the first field is taken).
    # The user name goes in through awk -v instead of being pasted into the
    # program text, so a name containing quotes cannot change what awk runs.
    pass=$(awk -v u="${username}" '$1 == u { print substr($0, length($1)+2); exit }' /tmp/openvpn-auth)
    # -n guards against an unknown user matching an empty password
    test -n "$pass" && test "$pass" = "${password}" && exit 0
    exit 1
    Where /tmp/openvpn-auth is a file containing all of the user/pass entries as
    Code:
    user1 pass1
    user2 pass phrase2
    <etc>
    
    EDIT: Also, you should drop the "--" on the beginning of the custom config directives. That's only needed if you're passing them as command line arguments when starting OpenVPN.
     
  4. Dagger

    Dagger Networkin' Nut Member

    Test - Good catch, fixed...

    --'s - Good to know, thanks...

    The reason I did it this way as opposed to having the script and a username/password file is that I wanted a way to do it completely in the GUI. I'm just strange that way.

    To add another user using this method I would do this:

    Code:
    echo '#!/bin/sh
    user1="user1name"
    pass1="user1pass"
    user2="user2name"
    pass2="user2pass"
    test "$user1" = "${username}" && test "$pass1" = "${password}" && exit 0
    test "$user2" = "${username}" && test "$pass2" = "${password}" && exit 0
    exit 1' > /tmp/quickAuth.sh
    chmod 755 /tmp/quickAuth.sh
     
  5. i1135t

    i1135t Network Guru Member

    Thanks for the effort guys... as always. Will see what works best for my setup.
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    For a small number of users, I agree that that may be the better (to taste) approach. However, either way can be done all from the GUI:

    Code:
    # A quoted heredoc (<<'EOF') writes the script verbatim, so it can use
    # whatever quoting it needs without fighting the outer shell.
    cat > /tmp/quickAuth.sh <<'EOF'
    #!/bin/sh
    # user name is passed to awk with -v, not spliced into the program text
    pass=$(awk -v u="${username}" '$1 == u { print substr($0, length($1)+2); exit }' /tmp/openvpn-auth)
    test -n "$pass" && test "$pass" = "${password}" && exit 0
    exit 1
    EOF
    chmod 755 /tmp/quickAuth.sh

    echo '
    user1 pass1
    user2 pass2
    user3 pass3
    user4 pass4
    <etc>
    ' > /tmp/openvpn-auth
    It just divides the code from the data, which makes it more maintainable.
     
  7. Dagger

    Dagger Networkin' Nut Member

    Thanks SgtPepperKSU... I hadn't thought of doing it that way...
     
  8. kenyloveg

    kenyloveg LI Guru Member

    Hi, SgtPepperKSU
    Would you consider implementing this in your MOD's GUI?
    Thanks.
     
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Planning on it. I just need to find time to work on it.
     
  10. htpcdude

    htpcdude Networkin' Nut Member

    Has this been implemented? If so, where can I get the mod?

    If not, can this script be expanded to have the passwords hashed? I am not technical enough to script this myself, but I saw an example on the dd-wrt openvpn wiki http://www.dd-wrt.com/wiki/index.php/OpenVPN.

    Thanks in advance,
     
  11. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    No, not yet. It could be changed to use password hashes pretty easily, I think:
    Code:
    # quoted heredoc so the script may contain single quotes of its own
    cat > /tmp/quickAuth.sh <<'EOF'
    #!/bin/sh
    # second field of the matching line is the md5 hex digest of the password
    stored=$(awk -v u="${username}" '$1 == u { print $2; exit }' /tmp/openvpn-auth)
    # printf '%s' so the password is neither word-split nor read as a format
    # string; cut keeps only the 32 hex digits of md5sum's output
    test -n "$stored" && test "$stored" = "$(printf '%s' "${password}" | md5sum | cut -c1-32)" && exit 0
    exit 1
    EOF
    chmod 755 /tmp/quickAuth.sh

    echo '
    user1 hashedpass1
    user2 hashedpass2
    user3 hashedpass3
    user4 hashedpass4
    <etc>
    ' > /tmp/openvpn-auth
     
  12. moonbug

    moonbug Serious Server Member

    What must be changed in the code if one wants to use auth-user-pass-verify /tmp/quickAuth.sh via-file
    instead of auth-user-pass-verify /tmp/quickAuth.sh via-env?

    Why does it not work if using /tmp/quickAuth.sh via-file?

    Thanks.
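Added example, not code from any post in this thread. The scripts above read $username and $password, which OpenVPN only sets for via-env; with via-file it instead passes the path of a temporary file as $1, with the user name on line 1 and the password on line 2 (and via-file needs only script-security 2, since no password enters the environment). The script below handles both modes, looks the user up in a "user md5hex" file the way the hashed variant in this thread does, and passes the user name to awk with -v rather than splicing it into the program text. The path /tmp/openvpn-auth, the users alice and bob, and their passwords are assumptions; md5sum is kept because that is what the thread and a Tomato router have, but an unsalted md5 only keeps the passwords out of plain view in the file, it does not hold up against anyone who copies it.

```shell
#!/bin/sh
# Added example (not code from the thread). An OpenVPN auth-user-pass-verify
# script usable with either "via-file" or "via-env". Entries in the auth file
# are "user md5hex". /tmp/openvpn-auth and the sample users are assumptions.

AUTH_FILE="${AUTH_FILE:-/tmp/openvpn-auth}"

# Print the stored digest for user $1 from file $2, or nothing if unknown.
# The user name reaches awk through -v, never as part of the program text,
# so a name such as '" || 1 || "' cannot change what awk executes.
lookup_hash() {
    awk -v u="$1" '$1 == u { print $2; exit }' "$2"
}

# md5 hex digest of $1. printf '%s' keeps the password from being word-split
# or treated as a format string; cut drops the "  -" that md5sum appends.
hash_password() {
    printf '%s' "$1" | md5sum | cut -c1-32
}

# 0 if user $1 / password $2 match an entry in file $3, 1 otherwise.
# An unknown user is rejected before comparing, so an empty stored value
# can never match an empty password.
check_credentials() {
    stored=$(lookup_hash "$1" "$3")
    [ -n "$stored" ] || return 1
    [ "$stored" = "$(hash_password "$2")" ]
}

# Entry point for OpenVPN. "via-file" passes a temp file as $1 (user name on
# line 1, password on line 2); "via-env" passes no argument and sets
# $username and $password instead.
verify_from_openvpn() {
    if [ -n "$1" ]; then
        [ -f "$1" ] || return 1
        username=$(sed -n '1p' "$1")
        password=$(sed -n '2p' "$1")
    fi
    check_credentials "${username:-}" "${password:-}" "$AUTH_FILE"
}

# Build a "user md5hex" file from "user password" lines on stdin, so the
# plaintext never has to sit on disk.
make_auth_file() {
    while read -r u p; do
        printf '%s %s\n' "$u" "$(hash_password "$p")"
    done > "$1"
}

# When OpenVPN invokes this file (via-file: $1 set; via-env: $username set),
# verify and exit with the result. A plain "sh script.sh" run falls through
# to the constructed sample below.
if [ -n "${1:-}" ] || [ -n "${username:-}" ]; then
    verify_from_openvpn "$@"
    exit $?
fi

# Constructed sample data (assumed users) for a stand-alone run; on the
# router the file would be /tmp/openvpn-auth.
SAMPLE_AUTH=$(mktemp)
make_auth_file "$SAMPLE_AUTH" <<'EOF'
alice secret1
bob hunter2
EOF
```

Install it as /tmp/quickAuth.sh with chmod 755, point auth-user-pass-verify at it with either via-file or via-env, and generate /tmp/openvpn-auth with make_auth_file so only digests are stored.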
     
