The goal of this project is to provide very simple solution to make additional checks if user connecting to the OpenVPN server should have granted access or not. This script is intended to be used with OpenVPN configurations wanting credentials from connecting users. It can check if user having specific Common Name in the certificate should be allowed to connect using specific credentials provided.
For this to work, simple database with one table (named user-cn) is needed.
Table should contain at least these three columns in such configuration:
- UserHash -> varchar(255) - SHA-256 hash of username
- CertificateHash -> varchar(255) - SHA-256 hash of certificate's common name
- AccessGranted -> tinyint(1) - boolean to (dis)allow access
Very simple. Upon connection, OpenVPN executes this script as quick as connection is established and credentials are provided pushing needed information into the environment variables. This script reads information from environment variables, hashes username and certificate's common name and asks database if such information has been recorded and user should be allowed or not. Depending on result, script returns 0 (access granted) or 1 (access denied) to the OpenVPN, which establishes final connection or refuses.
Keep in mind that this script is not the best security factor for the OpenVPN configuration! Proper configuration is still needed to work securely (trusted certification authority, strong cryptography, etc.)! Please use this script only for additional safety checks and definitely NOT as the only solution!
Only several options in configuration file are needed for this to work. However, consider reading some manuals/tutorials about them to better understand how they work and to provide much stronger security in Your configuration.
You will probably be interested in incorporating PAM plugin to check credentials with Linux user system (set to use openvpn group):
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
However, the most interesting part is here:
script-security 2
auth-user-pass-verify /etc/openvpn/scripts/checkAccess.py via-env
script-security has to be set to 2 to allow executing user scripts from OpenVPN.
auth-user-pass-verify defines what script to call for allow/disallow user connection, which in fact executes this script.
And that's all. :)
I've made much effort to provide here working code and solutions with hope they'll be useful and free from any bugs. However I can't guarantee anything. The software and solutions here are provided "AS IS" and I take no responsibility for anything. You're using them on Your own risk!
Free for personal use. You probably shouldn't use it comercially as this script is not so well tested to be intended to. However, if You still like to, please just ask me before.
Bartłomiej "Magnetic-Fox" Węgrzyn, 14th October 2025