openvpn auth-user-pass-verify 的验证脚本

在使用openvpn的时候,一般都是使用key来做验证的,不过最近有人要使用用户名和密码验证,所以就到openvpn网站寻找到 auth-user-pass-verify 解释如下:

--auth-user-pass-verify script method
Require the client to provide a username/password (possibly in addition to a client certificate) for authentication.
OpenVPN will execute script as a shell command to validate the username/password provided by the client.
If method is set to "via-file", OpenVPN will write the username and password to the first two lines of a temporary file. The filename will be passed as an argument to script, and the file will be automatically deleted by OpenVPN after the script returns. The location of the temporary file is controlled by the --tmp-dir option, and will default to the current directory if unspecified. For security, consider setting --tmp-dir to a volatile storage medium such as /dev/shm (if available) to prevent the username/password file from touching the hard drive.
The script should examine the username and password, returning a success exit code (0) if the client's authentication request is to be accepted, or a failure code (1) to reject the client.


密码在服务端存储使用htpasswd创建的文件,客户端那只能是明文了,脚本如下(要安装passlib包)<!-- more -->

import sys,os
from passlib.apache import HtpasswdFile
def v1(f1,u1,p1):
        f = open(f1,"r")
    except IOError:
        print 'Unable to open htpasswd files!'
    ht = HtpasswdFile(f1)
    if ( ht.verify(u1,p1) ):
        print "username&passwd verify success!"
        print "username&passwd verify not success!"
def main():
    htpassf1 = sys.argv[1]
    verifyf2 = sys.argv[2]
    if os.path.exists(verifyf2) and os.path.exists(htpassf1):
        f3 = open(verifyf2,"r")
        user1 = "".join(
        pass1 = "".join(
        print 'Unable to open verifypassword files!'
if __name__ == '__main__':
    if ( len(sys.argv) != 3 ):
        print "please usage PasswordFile VerifyPasswordFile\n"

openvpn server 如下配置

script-security 3 system
auth-user-pass-verify "/opt/openvpn/ /opt/openvpn/testht1.dw" via-file

openvpn client 如下配置

auth-user-pass testpass #testpass为客户端存储用户和密码的


--auth-user-pass [up]
Authenticate with server using username/password. up is a file containing username/password on 2 lines (Note: OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in win/
If up is omitted, username/password will be prompted from the console.
The server configuration must specify an --auth-user-pass-verify script to verify the username/password provided by the client.