心想事成's personal space https://bbs.routerclub.com/?681
Installing OpenVPN on a VPS for RouterOS to connect to

Read 1046 times, 2009-12-31 12:59

Choose Debian 5.0 for the VPS and install OpenVPN:
apt-get install openvpn
Then use the following OpenVPN configuration file:
port 12033
# RouterOS's ovpn-client of this era only speaks TCP
proto tcp
dev tun
ca /vpn/keys/ca.crt
cert /vpn/keys/server.crt
key /vpn/keys/server.key
dh /vpn/keys/dh1024.pem
server 10.97.0.0 255.255.0.0
ifconfig-pool-persist /vpn/ipp.txt
keepalive 10 60
ping-timer-rem
#comp-lzo
# several clients may share one common name (all of them get username-as-common-name below)
duplicate-cn
#user nobody
#group nobody
persist-key
persist-tun
status /vpn/log/status.log
log /vpn/log/openvpn.log
verb 4
mute 20
daemon
writepid /vpn/log/server.pid
#push "redirect-gateway def1"
#plugin /vpn/simple.so /vpn/pass.txt
# no client certificate is checked: the username/password script below is the only client authentication
client-cert-not-required
fast-io
username-as-common-name
# via-file: OpenVPN writes username and password to a temp file and passes its name to the script
auth-user-pass-verify /vpn/verify.sh via-file
client-to-client
# overridden by the later "cipher AES-256-CBC" line; OpenVPN keeps the last value of a single-valued option
cipher none
#push "route 192.1.1.0 255.255.255.0"
# directory for the via-file temp files
tmp-dir /tmp/openvpn
# level 2 is enough for via-file; 3 also allows passing the password via environment
script-security 3
# effective cipher; matches cipher=aes256 on the RouterOS side
cipher AES-256-CBC
Start OpenVPN.
Then apply this on the RouterOS side:
/interface ovpn-client
add add-default-route=no auth=sha1 certificate=none cipher=aes256 comment="" \
    connect-to=61.133.3.5 disabled=no mac-address=00:00:00:00:00:00 \
    max-mtu=1500 mode=ip name=ovpn-out1 password=test port=12033 profile=\
    default user=test
and it connects.
Then on the Linux VPS:
# SNAT VPN clients out through the VPS's public interface (venet0 on OpenVZ).
# Note: the server pool above is 10.97.0.0/16 while this rule only covers 10.97.0.0/24;
# widen the -s mask if clients receive addresses outside that /24.
iptables -t nat -A POSTROUTING -s 10.97.0.0/24 -o venet0 -j SNAT --to 61.133.3.5
# enable routing between tun0 and venet0
sysctl -w net.ipv4.ip_forward=1
Set up the packet marks and policy routing in RouterOS. Done.

The OpenVPN authentication script:
Additional Server Protection with usernames and passwords

I wanted to make the access to my network easy but secure. Certificates are nice, but I still like username and password even more. You can use the following simple script to check for usernames/passwords.

Add this to the config on the server and set the right path for the script:

auth-user-pass-verify /path/to/your/script/verify.sh via-file

This line tells the openvpn server to verify the passed username and password by calling the script verify.sh, with the username and password passed in a temp file.


Every client has to have this in its config file:

auth-user-pass

This just tells openvpn client to ask the user for username and password or s/he will not be able to log in. You can also use "--auth-user-pass" (instead of the line in the config file) on the command line.


This is a simple shell script called "verify.sh" which contains usernames and passwords in clear text. I wanted to encrypt passwords with "passwd", but command "passwd" is not available in dd-wrt (and I have no idea how dd-wrt encrypts root password for /etc/passwd). If someone knows how to encrypt passwords in dd-wrt, please add it here.

[Edit by mrwizeman Aug 31 2009] Ok, so I put it here... here is a way I came up with that makes this work with an encrypted password. Now, let me explain how it works: I hash the username and password and then add the hash to itself, and hash that, 10 times, every time I add the hashes together. I got that idea from the author of the passwd we use, Poul-Henning Kamp, but he does it 1000 times...

You can easily change this script to hash it 1000 times, but I think 10 is enough; it will take a brute-force program forever to first hash the user and pass and then hash the hashes 10 times, just to find out if it matches, and besides, the weak-ass processor of the routers we use will take forever to check our credentials if we do it that way... So anyway, here it is: you have to run it in telnet the first time to figure out what your hash is, then change that in your script. The hash in the script I paste here is for user: test and pass: test.

First the script to generate a hash for you:

#!/bin/sh
# Usage: ./genhash.sh <username> <password>
# Prints the value to paste into HASH= in verify.sh.

genhash() {
        echo "You are generating a HASH for user: $1"
        echo "with the password                 : $2"
        # printf instead of echo -n: portable across sh implementations (dash prints a literal "-n");
        # cut takes the hex digest and drops the trailing " -" that md5sum prints
        HASHPASS=`printf '%s' "$1$2" | md5sum | cut -d' ' -f1`
        i=0
        # 10 rounds of md5(hash || hash)
        while [ "$i" -ne 10 ]; do
            HASHPASS=`printf '%s' "$HASHPASS$HASHPASS" | md5sum | cut -d' ' -f1`
            #echo "[$i] HASHPASS=$HASHPASS"
            i=`expr "$i" + 1`
        done
        echo "HASHPASS=$HASHPASS"
}
genhash "$1" "$2"


Then the actual script for your check:

#!/bin/sh
# Called by OpenVPN (auth-user-pass-verify ... via-file): $1 names a temp file
# holding the username on line 1 and the password on line 2.
# Exit status 0 accepts the credentials; anything else rejects them.

# output of genhash for user: test / pass: test
HASH='1bbd7254581aaab10868ccfdc0860d68'
#echo "HASH = $HASH"

vpn_verify() {
        # [ -z ] instead of [[ ! $1 ]]: POSIX sh, works on dash and busybox ash alike
        if [ -z "$1" ] || [ -z "$2" ]; then
            #echo "No username or password"
            exit 1
        fi
        HASHPASS=`printf '%s' "$1$2" | md5sum | cut -d' ' -f1`
        #echo "HASHPASS = $HASHPASS"
        i=0
        # same 10 rounds as in genhash
        while [ "$i" -ne 10 ]; do
            HASHPASS=`printf '%s' "$HASHPASS$HASHPASS" | md5sum | cut -d' ' -f1`
            #echo "[$i] HASHPASS=$HASHPASS"
            i=`expr "$i" + 1`
        done
        #echo "HASHPASS=$HASHPASS"
        if [ "$HASH" = "$HASHPASS" ]; then
            #echo MATCH!!
            exit 0
        else
            #echo NO MATCH!!!
            exit 1
        fi
}
if [ -z "$1" ] || [ ! -e "$1" ]; then
     #echo "No file"
     exit 1
fi
# read the two lines separately so a password containing spaces still works
{ read -r VPN_USER; read -r VPN_PASS; } < "$1"
vpn_verify "$VPN_USER" "$VPN_PASS"
#echo "No user with this password found"
exit 1

I suck at shell scripting, so if someone spots any errors or wants to add support for multiple users, that would be cool...

Original author's script below, the one without encrypted pass:

#!/bin/sh

## format: username:password username:password ...
## you can even have same usernames with different passwords
USERS='user1:pass1 user2:pass2 user3:pass3'

## you could put username:password in
## a separate file and read it like this
#USERS=`cat file_with_users`

vpn_verify() {
    ## [ -z ] instead of [[ ! $1 ]]: POSIX sh, works on dash and busybox ash
    if [ -z "$1" ] || [ -z "$2" ]; then
        #echo "No username or password: $*"
        exit 1
    fi

    ## it can also be done with grep or sed
    for i in $USERS; do
        if [ "$i" = "$1:$2" ]; then

            ## you can add here logging of users
            ## if you have enough space for log file
            #echo `date` $1:$2 >> your_log_file

            exit 0
        fi
    done
}

if [ -z "$1" ] || [ ! -e "$1" ]; then
    #echo "No file"
    exit 1
fi

## $1 is file name which contains the passed
## username (line 1) and password (line 2)
{ read -r VPN_USER; read -r VPN_PASS; } < "$1"
vpn_verify "$VPN_USER" "$VPN_PASS"

#echo "No user with this password found"
exit 1

You can delete all lines which begin with #. The "echo" commands are there just so you know what happens at that point, and they can be used for debugging.
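Neither script above handles more than one user with a hashed password, so here is a multi-user variant that combines the two; it is an added example, not code from this post or from the wiki authors. It keeps the page's unsalted iterated-MD5 scheme so values printed by genhash stay valid (a real deployment would pick a proper password hash, but the point here is the via-file parsing and the per-user lookup). The users file path /vpn/users.txt and the username:hash line format are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or the wiki): multi-user version of the
# hashed verify script. Users live in a file of "username:hash" lines, where
# hash is what genhash prints for that user/password pair.
# USERS_FILE is an assumed path; OpenVPN calls this script with the via-file.
USERS_FILE="${USERS_FILE:-/vpn/users.txt}"

# Hex MD5 of stdin; md5sum on Linux, md5 on BSD/macOS.
md5hex() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d' ' -f1
    else
        md5 -q
    fi
}

# The page's scheme: md5(user || pass), then 10 rounds of md5(h || h).
# printf instead of echo -n so /bin/sh (dash) does not print a literal "-n".
genhash() {
    h=`printf '%s' "$1$2" | md5hex`
    i=0
    while [ "$i" -ne 10 ]; do
        h=`printf '%s' "$h$h" | md5hex`
        i=`expr "$i" + 1`
    done
    printf '%s\n' "$h"
}

# 0 if "<user>:<genhash(user,pass)>" is a whole line of users file $3, else 1.
# A wrong user and a wrong password both end up as "no such line".
check_user() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    want=`genhash "$1" "$2"`
    grep -Fxq -- "$1:$want" "$3"
}

# OpenVPN via-file: username on line 1, password on line 2. Reading the two
# lines separately keeps passwords that contain spaces intact.
verify_file() {
    [ -n "$1" ] && [ -r "$1" ] || return 1
    { read -r u; read -r p; } < "$1"
    check_user "$u" "$p" "$USERS_FILE"
}

# Run only when OpenVPN passes the temp file; exit 0 accepts, anything else rejects.
if [ -n "$1" ]; then
    if verify_file "$1"; then exit 0; else exit 1; fi
fi
```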

This verification with the script does not work if openvpn is running in "daemon" mode. I have no idea what the reason for that is, probably some wrong interpretation of the output ("exit 0" means user/pass OK, everything else means user/pass NOT OK). That's why I am running the openvpn server as a background process with all output going to /dev/null:

openvpn --config openvpn.conf >/dev/null 2>&1 &

--Comma 23:53, 11 August 2008 (CEST)

I was getting the error

   openvpn_execve: external program may not be called due to setting of --script-security level

I had to add the following lines to my config file to make it work in v24-SP2:

   tmp-dir /tmp/openvpn
   script-security 3

Additionally, the ">/dev/null 2>&1 &" hack wouldn't work, but running from the command line did. I resorted to using the /tmp/myvpn symlink as well as --daemon on the command line. All works now without an interactive shell. --JoeM 23:28, 22 October 2008 (CEST)
