When configuring an OpenVPN server, I can enable either certificate-based authentication or username/password authentication using the openvpn-plugin-auth-pam plugin, but not both at the same time.
I enable username/password authentication as follows:
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
client-cert-not-required
username-as-common-name
But as soon as I add those lines, my clients configured for certificate authentication stop working, with the following messages in the log:
TLS Error: Auth Username/Password was not provided by peer
TLS Error: TLS handshake failed
Is there any way to not require username/password from clients that use certificate authentication?
Best Answer
OpenVPN does not support multiple concurrent authentication methods. The best solution for this, as mentioned in the comments, is to run two instances of OpenVPN. It is more complicated to run them on the same box, but it is definitely doable.
However, there do seem to be some workarounds that may be suitable for your situation.
Source: https://openvpn.net/archive/openvpn-users/2007-12/msg00179.html
You may also be able to federate your OpenVPN-generated keypairs into a local LDAP server, and use the aforementioned script to authenticate against LDAP with the provided certificate, or use the provided credentials when no certificate was presented.
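The two-instance approach from the answer, written out as a pair of server configs. This is an added example, not configuration from the original post or from the OpenVPN project; the file names, PKI paths, ports, subnets and tun device numbers are assumptions chosen so the two daemons do not collide on the same host.

```conf
# /etc/openvpn/server/cert.conf  (hypothetical name)
# Instance 1: certificate-authenticated clients only.
# No auth plugin is loaded, so this daemon never asks the peer for a
# username/password and the "Auth Username/Password was not provided" error
# cannot occur here.
port 1194
proto udp
dev tun0                                  # explicit device so it cannot clash with instance 2
server 10.8.0.0 255.255.255.0             # assumed client subnet
ca   /etc/openvpn/pki/ca.crt              # assumed PKI paths
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh.pem
tls-crypt /etc/openvpn/pki/ta.key         # shared control-channel key; the same file can be reused by instance 2
crl-verify /etc/openvpn/pki/crl.pem       # revoked client certs must be rejected here, since the cert is the only credential
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn/cert-status.log
verb 3

# /etc/openvpn/server/pam.conf  (hypothetical name)
# Instance 2: username/password clients via PAM.
# Client certificates are not verified, so the PAM check is the only
# authentication; anyone holding ca.crt can reach the password prompt.
port 1195                                 # a second listener; clients pick the instance by port
proto udp
dev tun1
server 10.9.0.0 255.255.255.0             # must not overlap instance 1's subnet
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt          # the server cert can be shared; clients still verify it against ca.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh.pem
tls-crypt /etc/openvpn/pki/ta.key
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
verify-client-cert none                   # OpenVPN 2.4+; older releases spell this client-cert-not-required
username-as-common-name                   # the PAM username becomes the CN used for ccd lookups and logging
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn/pam-status.log
verb 3
```

With the upstream systemd template shipped by OpenVPN 2.4 and later, both files under /etc/openvpn/server/ are started as separate daemons with `systemctl start openvpn-server@cert openvpn-server@pam`. Certificate clients keep `remote <host> 1194` and their cert/key; password clients use `remote <host> 1195` plus `auth-user-pass` and carry no client cert. Because each daemon has its own tun device and subnet, any firewall or routing policy can be applied per authentication strength, which is the practical payoff of splitting them rather than trying to make one instance accept both.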