Magnetic-Fox/OVPN-Access

OpenVPN-Access

Introduction

The goal of this project is to provide a very simple way to make an additional check on whether a user connecting to the OpenVPN server should be granted access. The script is intended for OpenVPN configurations that require credentials (username and password) from connecting users in addition to a client certificate. It checks whether the user whose certificate carries a specific Common Name is allowed to connect with the specific username provided, i.e. it binds a set of credentials to one client certificate.

Database with username and common name information

For this to work, a simple database with one table (named user-cn) is needed. Because of the hyphen, the table name has to be written as a quoted identifier in SQL. The table should contain at least these three columns:

  • UserHash -> varchar(255) - SHA-256 hash (hex) of the username
  • CertificateHash -> varchar(255) - SHA-256 hash (hex) of the certificate's Common Name
  • AccessGranted -> tinyint(1) - boolean to (dis)allow access

The hashes are lookup keys, not secrets: an unsalted SHA-256 of a short username or Common Name hides the value from a casual reader of the table but not from anyone willing to guess it, so protect the table like any other credential store.

How does it work?

Very simple. Once the client's certificate has been verified and the client has supplied its credentials, OpenVPN runs this script, passing the needed information in environment variables. The script reads those variables, hashes the username and the certificate's Common Name, and asks the database whether that pair has been recorded and whether access is granted for it. Depending on the result, the script returns 0 (access granted) or 1 (access denied) to OpenVPN, which then completes or refuses the connection. Valid credentials presented together with a different, otherwise valid, client certificate are therefore refused. Any failure along the way (a missing variable, an unreachable database) should also end in 1, so that an outage never turns into an open door.
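The following is an added example of such a hook, written for this page; it is not the project's own checkAccess.py. It assumes the table layout from the section above, uses sqlite3 (in memory, seeded with constructed records) in place of the real database, and reads the username and common_name environment variables that OpenVPN sets for a via-env verification script. Every failure path returns 1.

```python
"""Added example of an OpenVPN auth-user-pass-verify hook in the spirit of
OVPN-Access (not the project's checkAccess.py). Assumes the README's
user-cn table and uses sqlite3 for a self-contained demo."""
import hashlib
import os
import sqlite3
import sys

# Table and column names as described in the README. The hyphen in the
# table name means it must be a quoted identifier in SQL.
TABLE = '"user-cn"'
CREATE_SQL = f"""
CREATE TABLE IF NOT EXISTS {TABLE} (
    UserHash        VARCHAR(255) NOT NULL,
    CertificateHash VARCHAR(255) NOT NULL,
    AccessGranted   TINYINT(1)   NOT NULL DEFAULT 0,
    PRIMARY KEY (UserHash, CertificateHash)
)
"""
LOOKUP_SQL = f"""
SELECT AccessGranted FROM {TABLE}
WHERE UserHash = ? AND CertificateHash = ?
"""


def sha256_hex(value: str) -> str:
    """Hex SHA-256 of a UTF-8 string; a lookup key, not a secret."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open the database (assumption: sqlite3 stands in for the real one)."""
    return sqlite3.connect(path)


def grant(conn: sqlite3.Connection, username: str, common_name: str,
          allowed: bool = True) -> None:
    """Record (or update) which certificate CN a username may connect with."""
    conn.execute(
        f"INSERT OR REPLACE INTO {TABLE} "
        "(UserHash, CertificateHash, AccessGranted) VALUES (?, ?, ?)",
        (sha256_hex(username), sha256_hex(common_name), 1 if allowed else 0),
    )
    conn.commit()


def seed_demo(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Create the table and insert constructed sample records (demo only)."""
    conn.execute(CREATE_SQL)
    grant(conn, "alice", "alice-laptop")               # allowed pair
    grant(conn, "bob", "bob-phone", allowed=False)     # recorded, but blocked
    return conn


def check_access(conn: sqlite3.Connection, username: str, common_name: str) -> bool:
    """True only if a row exists for this (username, CN) pair with AccessGranted = 1."""
    row = conn.execute(
        LOOKUP_SQL, (sha256_hex(username), sha256_hex(common_name))
    ).fetchone()
    return row is not None and int(row[0]) == 1


def decide(environ, conn: sqlite3.Connection) -> int:
    """Exit code for OpenVPN: 0 = allow, 1 = deny.

    Reads 'username' and 'common_name' from the environment mapping. A
    missing variable or any database error denies (fail closed). The
    'password' variable is present under via-env but is never read or
    logged here; password checking is the PAM plugin's job."""
    username = environ.get("username")
    common_name = environ.get("common_name")
    if not username or not common_name:
        return 1
    try:
        return 0 if check_access(conn, username, common_name) else 1
    except Exception as exc:  # DB down, table missing, ...: deny, never allow
        print(f"access check failed: {exc}", file=sys.stderr)
        return 1


def main() -> int:
    # Demo only: in production the table lives in the real database.
    conn = seed_demo(open_db())
    return decide(os.environ, conn)


if __name__ == "__main__":
    sys.exit(main())
```

Run stand-alone as `username=alice common_name=alice-laptop python3 check.py; echo $?` and the exit status is 0; any other username/CN combination, a missing variable, or a database error gives 1. The broad except is deliberate for an authentication hook: an unexpected error must deny, with the reason going to stderr rather than into the answer.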

Very important note

Keep in mind that this script is not the main security factor of an OpenVPN configuration! Proper configuration is still needed for it to be secure (a trusted certification authority, strong cryptography, etc.)! Please use this script only as an additional safety check and definitely NOT as the only protection!

OpenVPN configuration notes

Only a few options in the configuration file are needed for this to work. However, consider reading the manual or some tutorials about them to understand how they work and to make Your configuration much stronger.

You will probably also want the PAM plugin, which checks the username and password against the Linux user database (the argument openvpn is the PAM service name, i.e. the rules in /etc/pam.d/openvpn):

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

However, the most interesting part is here:

script-security 2
auth-user-pass-verify /etc/openvpn/scripts/checkAccess.py via-env

script-security has to be at least 2 to allow OpenVPN to execute user-defined scripts. auth-user-pass-verify names the script that decides whether to allow or refuse the user's connection, which is where this script comes in. Two things to keep in mind: with via-env OpenVPN passes the client's plaintext password to the script in an environment variable (the OpenVPN manual describes this as script-security level 3, "allow passwords to be passed to scripts via environmental variables (potentially unsafe)"), so if OpenVPN refuses to start with level 2, either raise it to 3 or switch to via-file; and when the PAM plugin and the script are both configured, OpenVPN runs both and accepts the connection only if every check accepts.

And that's all. :)

Disclaimer

I've put much effort into providing working code and solutions here, in the hope that they'll be useful and free from bugs. However, I can't guarantee anything. The software and solutions here are provided "AS IS" and I take no responsibility for anything. You're using them at Your own risk!

License

Free for personal use. You probably shouldn't use it commercially, as this script is not tested well enough for that. However, if You would still like to, please just ask me first.

Bartłomiej "Magnetic-Fox" Węgrzyn, 14th October 2025

About

Simple script adding additional safety tests to OpenVPN server configuration
