OpenVPN outsources username/password credential checking via the auth-user-pass-verify
option. This program uses bcrypt to check passwords in a secure way.
Install bcrypt (on Arch this is python-bcrypt
, not python-py-bcrypt
), put auth.py
in /etc/openvpn/server/auth/
and
auth-user-pass-verify /etc/openvpn/server/auth/auth.py via-file
in server.conf
.
The bcrypt-hashed passwords are stored in auth/username.password
, where username
is the username and password
is literally the word password.
To generate the hash, use hash_pw.py
. hash_pw.py username
will write this hash to auth/username.password
.
Run gen_config.sh
to go through the motions of setting up a new user and making a configuration file for them.
It depends on easy-rsa and the CA installed on the same machine as the OpenVPN server, as well as a client_template.conf
file in /etc/openvpn/
. In the end, it'll produce all the credentials, save the hashed password and generate an .ovpn
file.
The whole point of this is to protect all the passwords from an attacker. However, the list of users is obviously unprotected.
It also prints some output, which should be disabled if running a minimal logging policy.