(Semi-)Fix for Auth4OpenVPN - Win2008R2 / Win2012R2

Post by iceh » Sat Dec 20, 2014 7:43 pm


I tried using Auth4OpenVPN for ADS authentication on a Windows Server / Domain.

Auth4OpenVPN didn't work out of the box for my 64bit setup.

The crazy little thing - the script works fine when started in a cmd.exe shell :)

So I fooled around for a while, and came up with a solution.

The "auth-user-pass-verify" kills too many of the system's environment variables.

These variables have to survive in order to make the COM/DCOM/OCX stuff that is used by Auth4OpenVPN
work:

Code:

LOCALAPPDATA, CommonProgramFiles, CommonProgramFiles(x86), CommonProgramW6432

Here are the steps you have to do:

1) get Auth4OpenVPN from https://sites.google.com/site/amigo4life2/openvpn

2) do the configuration to Auth4OpenVPN.ini (beyond this little tutorial)

3) create a batch file in C:\Program Files\OpenVPN\config named "Auth4OpenVPN-64bitWrapper.cmd"

4) put the following content into that file (I assume a standard Windows installation on the C:\ drive and default directories)

Code:

rem Restore the variables that are missing when OpenVPN starts the script
set LOCALAPPDATA=C:\Users\%USERNAME%\AppData\Local
set CommonProgramFiles=C:\Program Files\Common Files
set CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
set CommonProgramW6432=C:\Program Files\Common Files
rem Run the verification script and hand its exit code back to OpenVPN
C:\Windows\System32\cscript.exe "C:\Program Files\OpenVPN\config\Auth4OpenVPN.vbs"
exit %errorlevel%

5) put the following lines into server.ovpn

Code:

script-security 3
auth-user-pass-verify Auth4OpenVPN-64bitWrapper.cmd via-env

- we have a working Auth4OpenVPN
- OpenVPN kills too many of the environment variables of Windows (well, it's a stupid OS because it depends on that stuff)
- security is horrible! everything depends on "exit 1" of a silly stupid DOS batch file
- I suggest something a lot better than this for a production environment.
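
The following is an added example, not part of the original post and not Auth4OpenVPN's own code: a wrapper that restores the same four variables and rejects the login on every outcome other than a clean exit code 0 from the verifier. The function names `restored_env` and `verify`, the 30-second timeout, and the availability of a Python interpreter on the server are assumptions; the paths are the default ones from the post.

```python
import os
import subprocess
import sys

# The four variables the post reports as required by the COM/DCOM components.
REQUIRED = ("LOCALAPPDATA", "CommonProgramFiles",
            "CommonProgramFiles(x86)", "CommonProgramW6432")

def restored_env(stripped, username, drive="C:"):
    """Copy the stripped environment and set the four variables to the
    default-install paths used in the post's batch wrapper (hypothetical helper)."""
    env = dict(stripped)
    env["LOCALAPPDATA"] = rf"{drive}\Users\{username}\AppData\Local"
    env["CommonProgramFiles"] = rf"{drive}\Program Files\Common Files"
    env["CommonProgramFiles(x86)"] = rf"{drive}\Program Files (x86)\Common Files"
    env["CommonProgramW6432"] = rf"{drive}\Program Files\Common Files"
    return env

def verify(command, stripped_env, username, timeout=30):
    """Run the verifier and return 0 (accept) only if it exits 0 in time.
    Any other outcome, including failure to start, returns 1 (reject)."""
    try:
        done = subprocess.run(command, env=restored_env(stripped_env, username),
                              timeout=timeout, stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except (OSError, subprocess.SubprocessError):
        return 1  # missing executable, timeout, spawn error: fail closed
    return 0 if done.returncode == 0 else 1

if __name__ == "__main__":
    # Same command line as the post's wrapper; USERNAME is read exactly as
    # %USERNAME% is in the batch file.
    cmd = [r"C:\Windows\System32\cscript.exe",
           r"C:\Program Files\OpenVPN\config\Auth4OpenVPN.vbs"]
    sys.exit(verify(cmd, os.environ, os.environ.get("USERNAME", "")))
```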