Linux – OpenVPN Python plugin

I'v found it! I forgot f***g option client-cert-not-required in server config.

If somebody is interested, during my research what's happening I wrote external script to check user though LDAP. No openvpn-auth-ldap is needed, but you need to install ldap-utils.

In server config:

script-security 2
auth-user-pass-verify ldap-check-user.sh via-env

ldap-check-user.sh:

#!/bin/bash

bind_dn="cn=<user>,cn=Users,dc=domain,dc=com"
bind_pass="<password>"
host=rserver
port=389

dn=`ldapsearch -x -D "$bind_dn" -w $bind_pass -h $host -p $port -LLL -s sub \
-b "cn=Users,dc=radix-tools" "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$username))" "dn" | cut -d':' -f 2`

if [ $? != 0 ]; then
        echo "Error: user $username not found."
        exit 1
fi

ldapsearch -x -D "$dn" -w $password -h $host -p $port -LLL -s sub \
-b "cn=Users,dc=domain,dc=com" "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$username))" > /dev/null 2>&1

if [ $? != 0 ]; then
        echo "Error: password for $username is incorrect."
        exit 1
fi

exit 0

OpenVPN does not support multiple concurrent authentication methods. The best solution for this, as mentioned in comments, is to run two instances of OpenVPN. It is more complicated to run it on the same box, but is definitely do-able.

However, there do seem to be some workarounds that may be suitable for your situation.

if you know which certificates require a password and which don't , then the answer is yes. use an 'auth-user-pass-verify' script on the server side to first verify the certificate DN (if you set --username-as-common-name as well then you will know the certificate common name inside the verify script automatically). if it's a certificate for which you know that a password was entered then use pam to verify the username/password. if you know the certificate did not include a password then have the script return '0' to allow access.

Note that there is no way of automaGically determining if the user typed in a certificate password or not - that's outside the openssl handshake and thus not known to the OpenVPN server.

Source: https://openvpn.net/archive/openvpn-users/2007-12/msg00179.html

You may also be able to federate your OpenVPN generated keypairs into a local LDAP server, and use the aforementioned script to authentication against LDAP with the provided certificate, or use the provided credentials given that no certificate was presented.