OpenVPN Virtual User Authentication

With PAM (pam_pwdfile.so), OpenVPN can authenticate virtual accounts.

# Method 1
$ htpasswd -bc /etc/openvpn/passwd username password
Adding password for user username

# Method 2
$ openssl passwd -apr1 password
$apr1$upwTjzEn$iQbusczYUcxzIg3De17QM.

/etc/openvpn/passwd

username:$apr1$upwTjzEn$iQbusczYUcxzIg3De17QM.  
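
An added example (not part of the original notes): a POSIX shell check that the password file contains only well-formed user:$apr1$ entries and is not accessible to group or others. The function names audit_pwdfile and demo_file are made up for this example, and the sample entries other than the one above are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): audit a pam_pwdfile password file.
# audit_pwdfile FILE prints one finding per line and returns the finding count.
audit_pwdfile() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }
    findings=0

    # apr1 is an MD5-based scheme and weak against offline guessing, so
    # nobody but the owner should have access to the hashes.
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "permissions: group/other bits set ($perms)"
        findings=1
    fi

    # Each entry must be user:$apr1$<salt, 1-8 chars>$<22-char digest>.
    awk -F: -v cs='^[./0-9A-Za-z]+$' '
        /^[ \t]*$/ { next }
        NF != 2 || $1 == "" { printf "line %d: not user:hash\n", NR; bad++; next }
        seen[$1]++ { printf "line %d: duplicate user %s\n", NR, $1; bad++ }
        {
            n = split($2, p, "[$]")
            ok = (n == 4 && p[1] == "" && p[2] == "apr1" &&
                  length(p[3]) >= 1 && length(p[3]) <= 8 && p[3] ~ cs &&
                  length(p[4]) == 22 && p[4] ~ cs)
            if (!ok) { printf "line %d: %s has no well-formed apr1 hash\n", NR, $1; bad++ }
        }
        END { exit bad }
    ' "$file" || findings=$((findings + $?))
    return "$findings"
}

# Constructed sample: the entry shown above plus three defective ones
# (plaintext instead of a hash, a duplicate user, a truncated digest).
demo_file() {
    f=$(mktemp) && chmod 600 "$f" && cat > "$f" <<'EOF' && echo "$f"
username:$apr1$upwTjzEn$iQbusczYUcxzIg3De17QM.
alice:password
username:$apr1$upwTjzEn$iQbusczYUcxzIg3De17QM.
bob:$apr1$upwTjzEn$tooshort
EOF
}
```

Run audit_pwdfile /etc/openvpn/passwd after editing the file; a return status of 0 means no findings. Trailing whitespace after a hash is reported as a malformed entry.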

/etc/openvpn/server.conf

client-cert-not-required  
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn  

/etc/pam.d/openvpn

auth required pam_pwdfile.so pwdfile=/etc/openvpn/passwd  
account required pam_permit.so  

/etc/openvpn/client.conf

;cert client.crt
;key client.key
auth-user-pass secret.txt  

/etc/openvpn/secret.txt

username  
password  

Troubleshooting

$ journalctl -fu openvpn@server
Jul 25 13:55:09 centos openvpn[12447]: pam_pwdfile(openvpn:auth): couldn't open password file /etc/openvpn/passwd  
Jul 25 13:55:11 centos openvpn[12444]: 192.168.31.231:34595 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1  
Jul 25 13:55:11 centos openvpn[12444]: 192.168.31.231:34595 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so  
Jul 25 13:55:11 centos openvpn[12444]: 192.168.31.231:34595 TLS Auth Error: Auth Username/Password verification failed for peer

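Here the plugin cannot open the password file because SELinux denies the access. Switching SELinux to permissive mode lifts the denial, and it does so for the whole system until the next reboot or until enforcing mode is turned back on:

$ setenforce 0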