Openvpn custom authenticator

Openvpn gives you the possibility to configure your own authentication scripts. For an example I made a script that accepts both Yubikeys and Google Authenticators. I will show you the basics to set this up.

Compatible with: Ubuntu servers
Programming Language: Perl

Add this two lines to the /etc/openvpn/server.conf file and restart openvpn. Changing script-security will allow you to use an external scripts and auth-user-pass-verify is used to select the script.

script-security 3
auth-user-pass-verify via-env

client-cert-not-required (optional if you don't want to use certificates)

If a new connection is made to the Openvpn server the script will be run. There are two variable that are passed to the script. These are the username and password. If the scripts failes (with an exit 1;) the authentication request is denied. If the script is succesvol (with an exit 0;) the VPN session will be started.

I made a small script in perl to show how the script could look like.

my $username = $ENV{"username"};
my $password = $ENV{"password"};

if ($username eq "user1" && $password eq "correct") {
  exit 0;
  exit 1;

You can fill this up with your own code as long the script ends with an exit 0 or 1.