Using AUTH_NULL for custom authentication

Custom Authentication Scripts for OpenVPN Access Server

By default, you can use the OpenVPN Access Server Admin Web UI to set up Local, PAM, LDAP, and RADIUS authentication. As an additional measure, you can write a custom Python script with a post-auth hook that runs during an authentication session. For example, when a user signs in to your Access Server using one of the default authentication methods and the initial attempt succeeds, the post-auth script runs next. The post-auth script can then block or allow the attempt based on additional authentication requirements.

Below is a proof-of-concept script written in Python. You can use the script to implement a custom authentication system. The script is designed to use the AUTH_NULL parameter to disable the built-in primary authentication methods. This means that the Access Server accepts all username and password combinations and passes them directly to the post-auth script, which must assume full responsibility for authentication.

By using this script, you can create a custom solution for authentication using your own system rather than one that uses PAM, LDAP, or RADIUS.

Note: You can’t add a challenge/response script for connections that require autologin accounts. A server is an example of a client that uses autologin accounts. Servers are often unattended and are issued special certificates that allow automatic authentication instead of a username/password combination.

Install or update the script

Steps:

  1. Sign in to your OpenVPN Access Server with root privileges through SSH or the server console.
  2. On your OpenVPN Access Server, download the script from: https://swupdate.openvpn.net/scripts/post_auth_custom_auth.py Or, you can retrieve the file directly onto your server as root with this command:
wget https://swupdate.openvpn.net/scripts/post_auth_custom_auth.py -O /root/customauth.py
  3. Save the file using a file name of your choice. This example uses customauth.py as the file name, and the example file path is /root/customauth.py.
    • Note that if you have problems downloading the script, you may need to install/update the wget and/or ca-certificates package(s) on your system.
  4. Once you have retrieved the file, load the script into the configuration database and restart Access Server:
cd /usr/local/openvpn_as/scripts
./sacli -k auth.module.post-auth_script --value_file=/root/customauth.py ConfigPut
./sacli start
  5. After you've made your edits to the customauth.py file, use the commands listed in Step 4 to load the new version of the script into the configuration database and reload the new Access Server configuration.

Set up custom authentication

Once you use AUTH_NULL in your script, you must configure the credential step, or authcred. AUTH_NULL disables the primary authentication method, allowing you to replace it with your custom method.

By default, the script implements an extremely basic check. Examine the file to see which credentials are allowed to establish a connection. Python allows you to further expand on this custom script to connect it to external databases or processes that can be called upon to verify authentication.
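As an added example (not the script from swupdate.openvpn.net), the following shows the shape such a custom check should take once AUTH_NULL makes the post-auth script the only gate: it defaults to FAIL, verifies against salted PBKDF2 hashes in constant time, and never lets an exception fall through as success. The post_auth_cr signature, the authcred/authret dictionary keys and the SUCCEED/FAIL constants from pyovpn.plugin are assumed from Access Server's post-auth interface; the user record is constructed for the demo.

```python
import hashlib
import hmac

# Assumed Access Server interface: SUCCEED/FAIL come from pyovpn.plugin inside
# the server; the fallback values are placeholders so the module runs offline.
try:
    from pyovpn.plugin import SUCCEED, FAIL
except ImportError:
    SUCCEED, FAIL = 0, 1

ITERATIONS = 200_000
DUMMY_SALT = bytes(16)   # used for unknown users so the hash is always computed
DUMMY_HASH = bytes(32)

def make_record(password, salt):
    """Return (salt, PBKDF2-SHA256 hash) for storing a password."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed demo credential store (username -> record). Replace with a lookup
# into your own database; the fixed salt is only for reproducibility here.
USERS = {"alice": make_record("correct horse battery staple", bytes.fromhex("a1" * 16))}

def verify_credentials(username, password):
    """True only if the user exists and the password matches. The hash is always
    computed, so response time does not reveal whether the username exists."""
    if not isinstance(username, str) or not isinstance(password, str) or not password:
        return False
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    computed = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return username in USERS and hmac.compare_digest(computed, stored)

def post_auth_cr(authcred, attributes, authret, info, crstate):
    """Post-auth hook (assumed signature). With AUTH_NULL the primary check accepted
    everything, so every path that is not an explicit match must end in FAIL."""
    authret["status"] = FAIL
    authret["reason"] = "custom auth: denied"
    try:
        if verify_credentials(authcred.get("username"), authcred.get("password")):
            authret["status"] = SUCCEED
            authret["reason"] = "custom auth: ok"
    except Exception as exc:  # an internal error must never become a success
        authret["reason"] = "custom auth: internal error (%s)" % exc.__class__.__name__
    return authret
```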

Uninstall the script

Your post-auth script is loaded into the configuration database, and can be uninstalled with these commands:

cd /usr/local/openvpn_as/scripts
./sacli -k auth.module.post-auth_script ConfigDel
./sacli start