Then, I read Using alternative authentication methods and tried to use username/password authentication. I added the following directives in Server.conf:
verify-client-cert optional
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
auth-user-pass
I could connect VPN successfully this way, without specifying user certificate and key.
Then, with this setup, I tried to connect using another client which specifies certificate and key files, without assigning a username and password. This time it failed. The log said:
2022-01-05 13:31:27 us=212792 114.45.39.80:40776 TLS Error: Auth Username/Password was not provided by peer
2022-01-05 13:31:27 us=212796 114.45.39.80:40776 TLS Error: TLS handshake failed
2022-01-05 13:31:27 us=212825 114.45.39.80:40776 Fatal TLS error (check_tls_errors_co), restarting
2022-01-05 13:31:27 us=212829 114.45.39.80:40776 SIGUSR1[soft,tls-error] received, client-instance restarting
Several documents showed how to use username/password scripts or plugins ONLY, specifying
verify-client-cert none
In the Reference Manual For OpenVPN 2.4 it said,
"optional : a client may present a certificate but it is not required to do so. When using this directive, you should also use a --auth-user-pass-verify script to ensure that clients are authenticated using a certificate, a username and password, or possibly even both."
I thought that if I specify "optional" it should work like what I said, but it seemed not to. I wonder if it is possible to authenticate like what I describe above? i.e., if the client provides certificate and key files then allow connecting; if not, authenticate with username and password.
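As an added example (not code from the post or from the OpenVPN project), here is what the manual's advice for "verify-client-cert optional" looks like as an --auth-user-pass-verify script in via-env mode: accept the client if OpenVPN already verified a certificate, otherwise require a valid username/password. It assumes OpenVPN exports $username and $password (via-env), sets $script_type to "auth-user-pass-verify" when invoking the script, and sets $tls_digest_0 only when the client's certificate passed verification; the credential store is constructed inline for the demo.

```shell
#!/bin/sh
# Added example: OpenVPN --auth-user-pass-verify script (via-env mode) for a
# server running "verify-client-cert optional".
#
# Assumptions (not confirmed by the post): OpenVPN passes the client's
# credentials as $username/$password, marks the script type in $script_type,
# and exports $tls_digest_0 only after a client certificate was verified.

# Portable SHA-256 of a string, as lowercase hex.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# Constructed demo credential store, one "user:salt:sha256(salt+password)"
# per line. Hashes are generated here so the script runs stand-alone; a real
# deployment would read a file managed outside the script (or use PAM).
DEMO_SALT="c0nstructed-salt"
CRED_DB="alice:${DEMO_SALT}:$(sha256_hex "${DEMO_SALT}s3cret-alice")
bob:${DEMO_SALT}:$(sha256_hex "${DEMO_SALT}s3cret-bob")"

# check_password USER PASS -> 0 if the pair matches the store, 1 otherwise.
check_password() {
    user=$1; pass=$2
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    # Exact-match lookup (no grep, so usernames cannot act as regex patterns).
    entry=$(printf '%s\n' "$CRED_DB" | while IFS=: read -r u s h; do
        if [ "$u" = "$user" ]; then printf '%s:%s\n' "$s" "$h"; break; fi
    done)
    [ -n "$entry" ] || return 1
    salt=${entry%%:*}
    stored=${entry#*:}
    [ "$(sha256_hex "${salt}${pass}")" = "$stored" ]
}

# decide_auth CERT_DIGEST USER PASS -> 0 (accept) or 1 (reject).
# A non-empty CERT_DIGEST means OpenVPN already verified the client's
# certificate chain; otherwise the username/password must be valid.
decide_auth() {
    cert_digest=$1; user=$2; pass=$3
    if [ -n "$cert_digest" ]; then
        return 0
    fi
    check_password "$user" "$pass"
}

# When invoked by OpenVPN, return the verdict as the exit status
# (0 = authenticated, non-zero = rejected). When run by hand or sourced,
# this guard is skipped so the functions can be exercised directly.
if [ "${script_type:-}" = "auth-user-pass-verify" ]; then
    if decide_auth "${tls_digest_0:-}" "${username:-}" "${password:-}"; then
        exit 0
    fi
    exit 1
fi
```

Wiring this into server.conf would be `auth-user-pass-verify /etc/openvpn/auth.sh via-env` together with `script-security 3`, which OpenVPN requires before it will hand passwords to a script via environment variables. Note that a client presenting neither a certificate nor a username/password is rejected by decide_auth, so the "optional" setting does not become "anonymous".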