When setting up OpenVPN with username/password (UP) authentication only, you need to disable certificate-based authentication while maintaining TLS encryption for the control channel. Here's why your initial attempt failed:
- client-cert-not-required still requires TLS certificates for encryption
- The client still had certificate directives in its config
- No authentication plugin was specified on the server
Here's a working server configuration (server.ovpn) for UP authentication:
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
# The server still needs its own certificate and key for the TLS control channel
# (paths assumed; point them at your PKI)
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
# Username/password specific settings
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
verify-client-cert none
username-as-common-name
# client-cert-not-required is the older spelling of "verify-client-cert none"
# (deprecated in 2.4, removed in 2.5); do not list both
The corresponding client.ovpn file should look like this:
client
dev tun
proto udp
remote your.server.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# The client verifies the server certificate against the CA; no client cert/key is needed
ca ca.crt
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 3
# Authentication settings
auth-user-pass auth.txt
# ns-cert-type server is the deprecated form of "remote-cert-tls server"
# (removed in OpenVPN 2.5), so it is not repeated here
Create auth.txt with this format (first line username, second line password):
myusername
mypassword
Security Note: Always set proper permissions on this file (chmod 600 auth.txt).
For production environments, consider adding:
# In server.ovpn
tls-version-min 1.2
reneg-sec 0
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
- Error: "TLS Error: TLS handshake failed" - Verify your ta.key is identical on server and client
- Authentication failures - Check PAM configuration on Linux or the auth-user-pass file path on Windows
- Connection drops - Ensure both ends use the same protocol (UDP/TCP) and port
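The three failure causes listed at the top of this answer (server still asking for client certificates, leftover certificate directives, no authentication backend) are all visible in the config text itself. The following checker is an added example, not code from the original answer or from the OpenVPN project: it parses a server or client .ovpn into directives and reports the omissions and deprecated directives discussed above. The sample configs embedded at the bottom are constructed for the example, and the list of removed directives is taken from the OpenVPN 2.4/2.5 changelogs.

```python
import re

# Directives deprecated in OpenVPN 2.4 and removed in 2.5, with their replacements.
REMOVED_IN_2_5 = {
    "client-cert-not-required": "verify-client-cert none",
    "ns-cert-type": "remote-cert-tls",
}


def parse_ovpn(text):
    """Parse .ovpn/.conf text into a list of (directive, args).
    Blank lines and lines starting with '#' or ';' are skipped; inline blocks
    such as <ca>...</ca> are recorded as the directive name with a marker arg."""
    directives, block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:  # inside <tag> ... </tag>: skip the payload
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            block = m.group(1)
            directives.append((block, ["<inline>"]))
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def lint(text, role):
    """Findings for a 'server' or 'client' config intended for username/password-only
    authentication. An empty list means nothing was flagged."""
    directives = parse_ovpn(text)
    present = {name: args for name, args in directives}  # last occurrence wins
    findings = []
    for name, _ in directives:
        if name in REMOVED_IN_2_5:
            findings.append(f"{name}: removed in OpenVPN 2.5, use '{REMOVED_IN_2_5[name]}'")
    if role == "server":
        for needed in ("ca", "cert", "key", "dh"):
            if needed not in present:
                findings.append(f"missing '{needed}': the server needs its own TLS identity "
                                "even when clients present no certificate")
        if "plugin" not in present and "auth-user-pass-verify" not in present:
            findings.append("no credential backend: add 'plugin ...auth-pam.so' "
                            "or 'auth-user-pass-verify'")
        vcc = (present.get("verify-client-cert") or [""])[0]
        if vcc != "none" and "client-cert-not-required" not in present:
            findings.append("clients will still be asked for a certificate: "
                            "add 'verify-client-cert none'")
        if "via-env" in present.get("auth-user-pass-verify", []):
            level = int((present.get("script-security") or ["0"])[0])
            if level < 3:
                findings.append("via-env needs 'script-security 3' so the script may read "
                                "the password from its environment")
        if "tls-version-min" not in present:
            findings.append("no 'tls-version-min 1.2': older TLS versions remain negotiable")
    else:
        if "ca" not in present:
            findings.append("missing 'ca': the client cannot verify the server certificate")
        if "auth-user-pass" not in present:
            findings.append("missing 'auth-user-pass': no credentials will be sent")
        if "remote-cert-tls" not in present:
            findings.append("add 'remote-cert-tls server' so only a server certificate is accepted")
    return findings


# Constructed samples: a server config with the omissions discussed above, a corrected
# one, and a client config that still carries a removed directive and lacks 'ca'.
BROKEN_SERVER = """\
port 1194
dev tun
ca /etc/openvpn/ca.crt
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
verify-client-cert none
client-cert-not-required
"""
FIXED_SERVER = """\
port 1194
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
tls-version-min 1.2
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
verify-client-cert none
username-as-common-name
"""
BROKEN_CLIENT = """\
client
dev tun
remote vpn.example.test 1194
remote-cert-tls server
auth-user-pass auth.txt
ns-cert-type server
"""

if __name__ == "__main__":
    for label, text, role in (("server", BROKEN_SERVER, "server"),
                              ("server (fixed)", FIXED_SERVER, "server"),
                              ("client", BROKEN_CLIENT, "client")):
        print(f"== {label}")
        for finding in lint(text, role) or ["ok"]:
            print("  -", finding)
```

Run it against your own files with `lint(open("server.ovpn").read(), "server")`; the checker only looks at directive names and first arguments, so it cannot tell you whether the certificate files themselves are valid.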
When setting up OpenVPN, many developers want to simplify authentication by using just username/password instead of certificate-based authentication. This approach reduces certificate management overhead while maintaining security through proper credential handling.
Here's a working server configuration that enables username/password authentication:
port 1194
proto udp
dev tun
ca "C:\\OpenVPN\\config\\ca.crt"
# The server certificate and key (paths assumed) are still required for TLS
cert "C:\\OpenVPN\\config\\server.crt"
key "C:\\OpenVPN\\config\\server.key"
dh "C:\\OpenVPN\\config\\dh1024.pem"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
# Enable username/password auth
auth-user-pass-verify "C:\\OpenVPN\\config\\auth\\checkpsw.sh" via-env
client-cert-not-required
# On OpenVPN 2.4+ use "verify-client-cert none" instead; client-cert-not-required was removed in 2.5
username-as-common-name
script-security 3
The client configuration needs these essential modifications:
client
dev tun
proto udp
remote your.server.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
comp-lzo
verb 3
# Username/password authentication
auth-user-pass auth.txt
You'll need a simple script to verify credentials. Create checkpsw.sh:
#!/bin/sh
# Called by OpenVPN with via-env: the username and password arrive in the
# environment variables $username and $password (requires script-security 3).
PASSFILE="C:\\OpenVPN\\config\\auth\\psw-file"
LOG_FILE="C:\\OpenVPN\\config\\auth\\log.txt"

if [ ! -r "${PASSFILE}" ]; then
    echo "Cannot open password file" >> "${LOG_FILE}"
    exit 1
fi

# Look up the user's password; lines starting with ; or # are comments.
# The username is passed with -v rather than spliced into the awk program text,
# so a crafted username cannot be interpreted as awk code.
CORRECT_PASSWORD=$(awk -v user="${username}" \
    '!/^;/ && !/^#/ && $1 == user {print $2; exit}' "${PASSFILE}")

if [ "${CORRECT_PASSWORD}" = "" ]; then
    echo "User not found" >> "${LOG_FILE}"
    exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    exit 0
else
    echo "Invalid password" >> "${LOG_FILE}"
    exit 1
fi
Create psw-file in your auth directory with username/password pairs (one per line):
username1 password1
username2 password2
While this setup works, consider these security enhancements:
- Use TLS authentication for additional security layer
- Implement rate limiting to prevent brute force attacks
- Consider using PAM authentication for better integration
- Regularly rotate passwords and monitor auth logs
If authentication fails, check:
- File permissions on all scripts and config files
- Windows path formatting (use double backslashes)
- OpenVPN server logs for specific error messages
- Firewall settings allowing the auth script execution
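The checkpsw.sh above stores passwords in clear text and accepts unlimited guesses, which is what the "rate limiting" and "monitor auth logs" items in the enhancements list are about. The script below is an added example, not the original answer's code or an OpenVPN project component: it is an auth-user-pass-verify script for the via-file method (OpenVPN writes the username on line 1 and the password on line 2 of a temporary file passed as the first argument; exit status 0 accepts, anything else rejects). It keeps salted PBKDF2 hashes instead of plaintext, compares them in constant time, locks a user out after repeated failures, and appends one line per attempt to an auth log. The server directive assumed is `auth-user-pass-verify /etc/openvpn/auth/check.py via-file` with `script-security 2`; the file paths, the lockout thresholds and the `salt$hash` line format are assumptions for this example, and `untrusted_ip` is the environment variable OpenVPN sets for auth scripts.

```python
#!/usr/bin/env python3
import hashlib
import hmac
import json
import os
import secrets
import sys
import time

# Paths are assumptions for this example; point them at your own auth directory.
PASSFILE = os.environ.get("PASSFILE", "/etc/openvpn/auth/psw-file")
STATE_FILE = os.environ.get("LOCKOUT_STATE", "/var/lib/openvpn/lockout.json")
LOG_FILE = os.environ.get("AUTH_LOG", "/var/log/openvpn/auth.log")
ITERATIONS = 100_000      # PBKDF2-HMAC-SHA256 work factor
MAX_FAILURES = 5          # failed attempts before a user is locked out ...
LOCKOUT_SECONDS = 300     # ... for this long


def make_entry(password, salt_hex=None):
    """Return the 'salt$hash' string stored in psw-file instead of the plaintext."""
    salt_hex = salt_hex or secrets.token_hex(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return f"{salt_hex}${dk.hex()}"


def verify_entry(entry, password):
    """Constant-time comparison of a candidate password against a stored entry."""
    salt_hex, stored = entry.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), stored)


DUMMY_ENTRY = make_entry("dummy")  # checked for unknown users so timing stays equal


def load_users(lines):
    """Parse 'username salt$hash' lines; '#' and ';' lines are comments, as in checkpsw.sh."""
    users = {}
    for line in lines:
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, entry = line.split(None, 1)
        users[name] = entry
    return users


def check(username, password, users, state, now):
    """Return (accepted, reason). state maps username -> [failures, last_failure_ts]
    and is updated in place; that counter is the rate limiting."""
    failures, last = state.get(username, [0, 0])
    if failures >= MAX_FAILURES and now - last < LOCKOUT_SECONDS:
        return False, "locked out"
    entry = users.get(username)
    if entry is None:
        verify_entry(DUMMY_ENTRY, password)  # same cost as a real check
        ok = False
    else:
        ok = verify_entry(entry, password)
    if ok:
        state.pop(username, None)
        return True, "ok"
    failures = 1 if now - last >= LOCKOUT_SECONDS else failures + 1
    state[username] = [failures, now]
    return False, "invalid credentials"


def main(argv):
    # via-file: OpenVPN writes username (line 1) and password (line 2) to argv[1]
    with open(argv[1]) as f:
        username = f.readline().rstrip("\n")
        password = f.readline().rstrip("\n")
    with open(PASSFILE) as f:
        users = load_users(f)
    state = {}
    if os.path.exists(STATE_FILE):
        with open(STATE_FILE) as f:
            state = json.load(f)
    ok, reason = check(username, password, users, state, time.time())
    with open(STATE_FILE, "w") as f:
        json.dump(state, f)
    # One line per attempt; untrusted_ip is set by OpenVPN for auth scripts.
    with open(LOG_FILE, "a") as f:
        f.write(f"{time.strftime('%Y-%m-%dT%H:%M:%S')} user={username} "
                f"ip={os.environ.get('untrusted_ip', '?')} result={reason}\n")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To add a user, generate the entry once with `python3 -c 'from check import make_entry; print(make_entry("thepassword"))'` and put `username <entry>` into psw-file; the script, psw-file and the state file should be owned by the user OpenVPN runs as and readable by nobody else.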