Using Alternative Authentication Methods
OpenVPN 2.0 and later include a feature that allows the OpenVPN server to securely obtain a username and password from a connecting client and use that information to authenticate the client.
To use this authentication method, first add the auth-user-pass directive to the client configuration. This directive directs the OpenVPN client to query the user for a username/password and pass it on to the server over the secure TLS channel.
Next, configure the server to use an authentication plugin, which may be a script, shared object, or DLL. The OpenVPN server will call the plugin every time a VPN client tries to connect, passing it the username/password entered on the client. The authentication plugin can control whether or not the OpenVPN server allows the client to connect by returning a failure (1) or success (0) value.
Use script plugins
Script plugins can be used by adding the auth-user-pass-verify directive to the server-side configuration file. For example:
auth-user-pass-verify auth-pam.pl via-file
This will use the auth-pam.pl Perl script to authenticate the username/password of connecting clients. See the description of auth-user-pass-verify in the manual page for more information.
The auth-pam.pl script is included in the OpenVPN source file distribution in the sample-scripts subdirectory. It will authenticate users on a Linux server using a PAM authentication module, which could in turn implement shadow password, RADIUS, or LDAP authentication. auth-pam.pl is primarily intended for demonstration purposes. For real-world PAM authentication, use the openvpn-auth-pam shared object plugin described below.
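The following is an added example, not a script from the OpenVPN distribution, of what a via-file verifier has to do: OpenVPN writes the username on line 1 and the password on line 2 of a temporary file, passes that file's path as the script's first argument, and reads the exit status (0 = allow, 1 = reject). Everything else here is an assumption: the credential store is a constructed in-memory table of salted PBKDF2 hashes (the user "alice" and her password are made up), and a real server would consult PAM, LDAP or RADIUS instead. The hash comparison is constant-time and an unknown username still costs one hash computation, so the script does not leak which usernames exist through timing.

```python
#!/usr/bin/env python3
"""Added example: a minimal auth-user-pass-verify script for OpenVPN's via-file mode.

Usage on the server (assumed deployment, not from the page):
    script-security 2
    auth-user-pass-verify /etc/openvpn/verify.py via-file
OpenVPN then runs: verify.py <path-to-temp-file>
"""
import hashlib
import hmac
import os
import sys
import tempfile

PBKDF2_ITERATIONS = 200_000  # assumption: tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (32-byte digest)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed sample credential store: username -> (salt, hash). Not real users.
_SALT_ALICE = b"constructed-salt-1"
CREDENTIALS = {
    "alice": (_SALT_ALICE, hash_password("correct horse", _SALT_ALICE)),
}
# Dummy entry used for unknown users so the work done is the same either way.
_DUMMY_HASH = b"\x00" * 32


def parse_via_file(path: str) -> tuple[str, str]:
    """Read username (line 1) and password (line 2) as OpenVPN via-file writes them."""
    with open(path, "r", encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    if len(lines) < 2:
        raise ValueError("credential file must contain a username and a password line")
    return lines[0], lines[1]


def verify(username: str, password: str) -> bool:
    """True only when the username exists and the password matches its hash."""
    entry = CREDENTIALS.get(username)
    salt, expected = entry if entry is not None else (_SALT_ALICE, _DUMMY_HASH)
    candidate = hash_password(password, salt)  # always computed, even for unknown users
    match = hmac.compare_digest(candidate, expected)  # constant-time comparison
    return entry is not None and match


def check_file(path: str) -> int:
    """Return the exit status OpenVPN expects: 0 = allow the client, 1 = reject."""
    try:
        user, pw = parse_via_file(path)
    except (OSError, ValueError):
        return 1  # unreadable or malformed file: fail closed
    return 0 if verify(user, pw) else 1


def simulate(username: str, password: str) -> int:
    """Write a via-file-style temp file the way OpenVPN would, then check it."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(f"{username}\n{password}\n")
        return check_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # OpenVPN supplies the temp file path as argv[1]; anything else is a rejection.
    sys.exit(check_file(sys.argv[1]) if len(sys.argv) > 1 else 1)
```

The script fails closed on any error (missing file, missing line, exception), which is the property to preserve when you replace the in-memory table with a real backend: a backend outage should produce exit status 1, never 0.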
Using username/password authentication as the only form of client authentication
By default, using auth-user-pass-verify or a username/password-checking plugin on the server will enable dual authentication, requiring that both client-certificate and username/password authentication succeed for the client to be authenticated.
While it is discouraged from a security perspective, it is also possible to disable client certificates and force username/password authentication only. On the server:
client-cert-not-required
Such configurations should usually also set:
username-as-common-name
This will tell the server to use the username for indexing purposes, just as it would use the common name of a client that was authenticated via a client certificate.
Note
client-cert-not-required will not obviate the need for a server certificate, so a client connecting to a server that uses client-cert-not-required may remove the cert and key directives from the client configuration file, but not the ca directive, because the client needs it to verify the server certificate.