auth-user-pass in client openvpn file

aviator
OpenVpn Newbie
Posts: 2
Joined: Thu Feb 07, 2019 9:08 pm

auth-user-pass in client openvpn file

Post by aviator » Thu Feb 07, 2019 9:19 pm

Hello,

I am in the process of transitioning from passwordless to password-based authentication
using MFA. I have been able to successfully get everything done, but I would like to avoid
having to change everyone's client files and send them out again.

Is there any way for the openvpn server to let the client know that password authentication
is needed, so that the user-password dialog box is prompted on the client side, even if the
"auth-user-pass" directive is missing from the client.ovpn file?

If not, I am just wondering why something like this was not included in the implementation,
during initial handshake. If the server needs password authentication, then let the client
know so it can display the dialog box. If not needed, it proceeds as usual. Why should there
be a dependency on the client side to have the "auth-user-pass" directive in it?

I would appreciate it if someone who knows about this could let me know.

Thanks,
--Harman

TinCanTech
OpenVPN Protagonist
Posts: 5871
Joined: Fri Jun 03, 2016 1:17 pm

Re: auth-user-pass in client openvpn file

Post by TinCanTech » Thu Feb 07, 2019 9:52 pm

aviator wrote: Thu Feb 07, 2019 9:19 pm
Is there any way for the openvpn server to let the client know that password authentication
is needed, so that the user-password dialog box is prompted on the client side, even if the
"auth-user-pass" directive is missing from the client.ovpn file?

As far as I am aware, the client config file must have --auth-user-pass in order to use a password.

https://community.openvpn.net/openvpn/w ... i-userpass
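
Because the directive has to be present in every client profile, checking and patching existing .ovpn files can be scripted before they are redistributed. The following Python helper is an added example, not part of the original posts or of OpenVPN; the function names, the sample profile and the host vpn.example.com are constructed for illustration.

```python
import re

# Active directive: optional leading "--", optional credentials-file argument.
# Does not match auth-user-pass-verify / auth-user-pass-optional (server side).
DIRECTIVE = re.compile(r"^\s*(?:--)?auth-user-pass(?:\s+\S.*)?\s*$")
INLINE_OPEN = re.compile(r"^\s*<([A-Za-z0-9_-]+)>\s*$")


def has_auth_user_pass(profile_text):
    """True if the profile contains an uncommented auth-user-pass line."""
    inline = None  # name of the inline block (<ca>, <cert>, ...) being skipped
    for line in profile_text.splitlines():
        stripped = line.strip()
        if inline:
            if stripped == f"</{inline}>":
                inline = None
            continue
        opened = INLINE_OPEN.match(line)
        if opened:
            inline = opened.group(1)
        elif not stripped.startswith(("#", ";")) and DIRECTIVE.match(line):
            return True
    return False


def ensure_auth_user_pass(profile_text):
    """Return the profile unchanged if it already prompts, else append the directive."""
    if has_auth_user_pass(profile_text):
        return profile_text
    sep = "" if profile_text.endswith("\n") or not profile_text else "\n"
    return f"{profile_text}{sep}auth-user-pass\n"


# Constructed sample: certificate-only profile; the directive appears only as a
# comment and as text inside an inline block, neither of which counts.
CERT_ONLY = """client
dev tun
remote vpn.example.com 1194
;auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
auth-user-pass
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    print(has_auth_user_pass(CERT_ONLY))  # False
    print(ensure_auth_user_pass(CERT_ONLY))
```

Running `ensure_auth_user_pass` a second time on its own output returns it unchanged, so the helper can be applied repeatedly to the same set of profiles.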

aviator
OpenVpn Newbie
Posts: 2
Joined: Thu Feb 07, 2019 9:08 pm

Re: auth-user-pass in client openvpn file

Post by aviator » Mon Feb 11, 2019 11:55 pm

Thank you @TinCanTech - this just confirms what I had thought.

I was wondering if this would make for a good feature request. It seems to make perfect sense to me
for the server to tell the client upon initial contact whether or not the client needs to send userid and password?

This way the administrator does not have to update everyone's ovpn client files, or tell them to edit
and add the "auth-user-pass" directive. Seems like bigger organizations could definitely use it.

If there are other people who feel strongly about this - I will open up a feature request, if I can.

Thanks,
--Harman
