Runs an external script to decide whether to authenticate a user or not. Useful for checking 2FA on VPN auth attempts as it doesn't block the main openvpn process, unlike passing the script to --auth-user-pass-verify
flag.
The idea of the plugin is to do as little as possible, and let the external binary do all the heavy lifting itself.
Compile the shared library with make plugin
and copy openvpn-plugin-auth-script.so
into your lib/openvpn/plugins/
folder.
Copy your external script onto the machine in a sane place, making sure it's executable by the user openvpn is running as.
Configure the plugin in your openvpn config, passing the path to the external script as the second argument:
plugin /path/to/openvpn-plugin-auth-script.so /path/to/external/script.sh
The plugin will also pass any strings provided after the script name as arguments to the script execution:
plugin /path/to/openvpn-plugin-auth-script.so /path/to/external/script.sh arg1 arg2 argN
The script used to handle authentication has a very specific set of skills it needs, and if you don't provide those it will hunt you down in silence.
It needs to:
username
and password
from the ENV
to check themauth_control_file
from the ENV
and write a single character to that path to signify auth success/failure
1
to the file0
to the filePATH
variable (eg, don't use /usr/bin/env
in shebang)Example env the script is called in:
PWD=/
SHLVL=0
auth_control_file=/tmp/openvpn_acf_9090e6750844ee26d7f23efbad0e95c2.tmp
config=/opt/local/etc/openvpn/testvpn.conf
daemon=1
daemon_log_redirect=0
daemon_pid=10502
daemon_start_time=1488892554
dev=tun0
dev_type=tun
ifconfig_local=192.168.2.1
ifconfig_remote=192.168.2.2
link_mtu=1572
local_port_1=1194
password=b
proto_1=tcp-server
redirect_gateway=0
remote_port_1=1194
route_gateway_1=192.168.2.2
route_netmask_1=255.255.255.0
route_network_1=192.168.2.0
route_vpn_gateway=192.168.2.2
script_context=init
tun_mtu=1500
untrusted_ip=192.168.3.4
untrusted_port=54357
username=a
verb=9
If you're using static-challenge
, you might wonder where the response value is in the env hash. See the OpenVPN management-notes docs for more info, but it's passed as part of the password.
The format in the env password value is SCRV1:<BASE64_PASSWORD>:<BASE64_RESPONSE>
See LICENSE.