OPENVPN_BSDAUTH(8)    OpenBSD System Manager's Manual    OPENVPN_BSDAUTH(8)
NAME
openvpn_bsdauth — Authenticate users for OpenVPN
SYNOPSIS
openvpn_bsdauth [file]
DESCRIPTION
openvpn_bsdauth is invoked by OpenVPN to authenticate a user by checking a username and a password against the BSD Authentication system. It supports both the via-file and via-env methods used by OpenVPN (see the section about the auth-user-pass-verify directive in openvpn(8) for the description of these methods).
In addition to checking the username and the password, openvpn_bsdauth also requires that the user be a member of the group named ‘_openvpnusers’ for the authentication to succeed.
EXAMPLES
Authenticate exchanging information with OpenVPN via environment variables:
auth-user-pass-verify !!PREFIX!!/libexec/openvpn_bsdauth via-env
Authenticate exchanging information with OpenVPN via a temporary file (see CAVEATS below):
auth-user-pass-verify !!PREFIX!!/libexec/openvpn_bsdauth via-file
DIAGNOSTICS
openvpn_bsdauth logs diagnostic and informational messages to the system log using the LOG_AUTH facility.
AUTHORS
Tamas Tevesz <ice@extreme.hu>
CAVEATS
If OpenVPN is run as the non-privileged ‘_openvpn’ user (which is recommended) in conjunction with the via-file method, the ‘tmp-dir’ openvpn(8) directive must be set to point to a directory that is writeable only by the ‘_openvpn’ user.
For OpenVPN versions 2.1 and up, the ‘script-security’ directive must be set to (at least) ‘3’ in order for openvpn_bsdauth to receive the password from OpenVPN.
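Both caveats can be checked mechanically against a server configuration. The shell function below is an added example, not part of openvpn_bsdauth or OpenVPN: it applies the ‘_openvpn’ rule to whichever account the config's ‘user’ directive names, and assumes that ‘script-security’ defaults to 1 when absent and that directive arguments are unquoted.

```shell
#!/bin/sh
# Added example (not part of openvpn_bsdauth): lint an OpenVPN config against
# the CAVEATS above. Prints one line per problem; exit status is the count.
check_bsdauth_conf() {
    conf=$1; problems=0
    fail() { echo "$conf: $1"; problems=$((problems + 1)); }
    # Second field of a directive; the last occurrence wins, comments never match.
    directive() { awk -v d="$1" '$1 == d { v = $2 } END { print v }' "$conf"; }

    # Exchange method from the auth-user-pass-verify line that calls the helper.
    method=$(awk '$1 == "auth-user-pass-verify" && $2 ~ /openvpn_bsdauth$/ { m = $3 }
                  END { print m }' "$conf")
    if [ -z "$method" ]; then fail "openvpn_bsdauth is not configured"; return 1; fi

    # Assumption: script-security defaults to 1 when the directive is absent.
    level=$(directive script-security)
    [ "${level:-1}" -ge 3 ] 2>/dev/null ||
        fail "script-security is ${level:-unset}, need at least 3"

    # The tmp-dir rule applies to via-file combined with a non-privileged user.
    run_as=$(directive user)
    if [ "$method" = via-file ] && [ -n "$run_as" ]; then
        dir=$(directive tmp-dir)
        if [ -z "$dir" ]; then
            fail "via-file as user $run_as but tmp-dir is not set"
        elif [ ! -d "$dir" ]; then
            fail "tmp-dir $dir is not a directory"
        else
            # ls -ld output: field 1 is the mode string, field 3 the owner.
            set -- $(ls -ld "$dir")
            [ "$3" = "$run_as" ] || fail "tmp-dir $dir is owned by $3, not $run_as"
            case $1 in
                d????-??-*) ;;  # neither the group nor the other write bit is set
                *) fail "tmp-dir $dir is writable by group or other ($1)" ;;
            esac
        fi
    fi
    return "$problems"
}

# Stand-alone use: sh check.sh /path/to/server.conf
[ $# -eq 0 ] || check_bsdauth_conf "$1"
```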