Hello there :) I've been frustrated with the additional authentication options of the OpenVPN server, so I wrote an authentication server which provides very flexible authentication. I also wrote an authentication client, which connects to the authentication server (via a Unix domain socket or TCP/IP) and verifies user credentials on the authentication server. This authentication client can be used as the --auth-user-pass-verify argument of the OpenVPN server.
I also wanted to completely manage my VPN client accounts using an LDAP directory, so I also wrote a Perl script, which can be used as a --client-connect script for the OpenVPN server to configure VPN clients at connect time, or can be used to dump client configuration to --ccd-dir. I also wrote an OpenLDAP schema extension to simplify account management. However, openvpnClientConnectLDAP.pl is not limited to the specified schema, because you can also use your own schema if you want. The provided schema allows you to set all OpenVPN configuration parameters that can be pushed to a VPN client (~ 20)...

... and last... Because you want to manage your LDAP server over a web browser, I also created a VPN account template for phpldapadmin and a small patch for it to make the magic work. The patch applies against version 1.0.2.

The software is available as a single package on my website:
http://frost.ath.cx/software/openvpn_auth/

--- snip ---
OpenVPN authentication server/client features
 * Very flexible authentication configuration
 * Chainable authentication backends. You can mix several authentication backends
 * Authentication server written in Perl
 * Authentication server can run completely in a chroot (recommended)
 * Authentication client written in C
 * Authentication client can run completely in a chroot if the OpenVPN server is chrooted
 * Supports almost all existing authentication backends.
 * Supported authentication backends:
   o LDAP
   o Kerberos5 (also works with Microsoft AD)
   o any SQL database supported by a Perl DBI driver
   o IMAPv4 server
   o POP3 server
   o plain file
   o SASL library
   o PAM library
   o RADIUS service
   o custom certificate validation algorithm
openvpnClientConnectLDAP features
 * Can be run as a --client-connect script
 * Can be run as a batch job to create per-client configuration files in --ccd-dir
 * Comes with its own LDAP schema extension
 * Supports all options which can be pushed to the client (21)
 * Supports TLS/SSL, SASL auth
--- snip ---

Testimonials (authentication server):
 - openvpn 2.0.9 (linux, 32bit) :: chrooted both openvpn and openvpn_authd
 - openvpn 2.1-rc1 (linux, 64bit) :: chrooted both openvpn and openvpn_authd
 - authenticating against Microsoft 2003 AD (Krb5), OpenLDAP using TLS/SSL

Testimonials (client connect script):
 - openvpn 2.0.9 (linux, 32bit)
 - openvpn 2.1-rc1 (linux, 64bit)

The software has been tested with 32 and 64bit versions of OpenVPN (2.0.9 and 2.1-rc1). Anyone is welcome to try this software. Of course any contributors (especially for documentation) are welcome! Please send me feedback :)

Best regards, Brane

--
Brane F. Gračnar
System administrator for the UNIX environment
Interseek d.o.o., Stegne 31, SI-1000 Ljubljana
e-mail > b...@interseek.si
www.interseek.si, www.najdi.si
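The post above hooks into two OpenVPN server extension points, --auth-user-pass-verify and --client-connect, without showing what those hooks are handed. The script below is an added illustration of that contract and is not code from the openvpn_auth package or from openvpnClientConnectLDAP.pl. In "via-file" mode OpenVPN writes the username on line 1 and the password on line 2 of a temporary file, passes its path as $1 and accepts the client only when the script exits 0; a --client-connect script receives a temporary file path as $1 and whatever it writes there is read as that client's configuration, with the certificate CN exported as $common_name. The two lookup tables (CONSTRUCTED_USERS, CONSTRUCTED_CCD), the hook names verify_via_file and client_connect, the valid_name filter and the dispatch-by-script-name at the bottom are all this example's own assumptions standing in for the real authentication server and LDAP directory.

```shell
#!/bin/sh
# Added example, not part of openvpn_auth. Illustrates what OpenVPN passes to
#   --auth-user-pass-verify <script> via-file   (creds file path in $1)
#   --client-connect <script>                   (per-client config path in $1)
# The tables below are CONSTRUCTED stand-ins for a real backend.

# Constructed user:password table (stand-in for the authentication server)
CONSTRUCTED_USERS='alice:s3cret
bob:hunter2'

# Constructed cn:local_ip:peer_ip table (stand-in for the LDAP directory)
CONSTRUCTED_CCD='alice:10.8.0.10:10.8.0.9
bob:10.8.0.14:10.8.0.13'

# Client-supplied identifiers are restricted to a conservative character set
# before they reach a backend query or a config file OpenVPN will parse.
valid_name() {
    case "$1" in
        ""|*[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# $1 = username, $2 = password; exact whole-line match against the table.
check_backend() {
    printf '%s\n' "$CONSTRUCTED_USERS" | grep -qxF -- "$1:$2"
}

# --auth-user-pass-verify hook in via-file mode. $1 = two-line credentials file.
# Exit status 0 tells OpenVPN to accept the client; anything else rejects it.
verify_via_file() {
    f="$1"
    [ -f "$f" ] || return 1
    user=$(sed -n '1p' "$f")
    pass=$(sed -n '2p' "$f")
    valid_name "$user" || return 1
    [ -n "$pass" ] || return 1
    check_backend "$user" "$pass"
}

# --client-connect hook. $1 = file OpenVPN reads back as client-specific config.
# Looks the CN up in the constructed table and emits ifconfig-push / push lines,
# the same directives a --ccd-dir file for that client would contain.
client_connect() {
    out="$1"
    cn="${common_name:-}"
    valid_name "$cn" || return 1
    line=$(printf '%s\n' "$CONSTRUCTED_CCD" | awk -F: -v cn="$cn" '$1 == cn { print; exit }')
    [ -n "$line" ] || return 1
    ip=$(printf '%s\n' "$line" | cut -d: -f2)
    peer=$(printf '%s\n' "$line" | cut -d: -f3)
    {
        printf 'ifconfig-push %s %s\n' "$ip" "$peer"
        printf 'push "route 10.8.0.0 255.255.255.0"\n'
    } > "$out"
}

# Stand-alone use: install the script as "verify" or "connect" and OpenVPN
# passes the file path as the last argument (this dispatch is an assumption
# of the example, not OpenVPN behaviour).
if [ "$#" -gt 0 ]; then
    case "${0##*/}" in
        verify*)  verify_via_file "$1"; exit $? ;;
        connect*) client_connect "$1"; exit $? ;;
    esac
fi
```

In a server config this would be wired as `auth-user-pass-verify /path/verify via-file` and `client-connect /path/connect`; OpenVPN 2.1 and later additionally refuse to run external scripts unless `script-security 2` (or higher) is set. The `via-env` alternative exports the credentials as the `username` and `password` environment variables instead of writing the file, so any script that handles both modes must check for both.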