sqlite authentication plug-in for OpenVPN

This is an authentication plug-in for OpenVPN. It uses sqlite database for ID/Password authentication. It is python script, so you can modify this script as necessary.

Usage

Setting up the credentials database

You have to create sqlite database that stores the login credentials. In the sample database, there is a table that is called "Users". This table contains "UserId" field, "Password" field and "Active" field. You can modify auth-sqlite.py script to use other table and/or fields.

UserId	Password ※	Active
gonbe	naisho#0023	1
jdoe	Da-reMO_shiRANA1	1
haruka	QueenS#1*2	1
hide	monkey%55!	0

• You need to store the hashed password instead of plain password. We use RIPEMD160 as message digest algorithm.

Place the plug-in script and database file

Place auth-sqlite.py and vpnusers.db(you may change the filename) in the appropriate directory. Usually you can place it in /etc/openvpn. Make sure this script has a execute permission.

Edit the server configuration file

Add these directives to your OpenVPN server configuration file. You may remove client-cert-not-required directive.

script-security 2
client-cert-not-required
username-as-common-name
setenv auth_sqlite_db /etc/openvpn/vpnusers.db
auth-user-pass-verify /etc/openvpn/auth-sqlite.py via-file

Please change the path in setenv directive and auth-user-pass-verify directive as needed.

Connect

Try to connect to the server. Before you connect to the server, you have to add auth-user-pass directive to your client configuration file. You can use  vpnux Connector Lite as OpenVPN client.

Source code : auth-sqlite.py

#!/usr/bin/python
import os
import sys
import hashlib
try:
    import sqlite3
except:
    from pysqlite2 import dbapi2 as sqlite3

## Read settings from config
sqlite_file = os.environ["auth_sqlite_db"]
print "[auth-sqlite] sqlite_file : " + sqlite_file

## Read username and password from via-file
filename = sys.argv[1]
print "[auth-sqlite] filename : " + filename
fp = open(filename)
data = fp.readlines()
fp.close()
username = data[0].rstrip()
password = data[1].rstrip()
print "[auth-sqlite] username : " + username
print "[auth-sqlite] password : " + password
h = hashlib.new("ripemd160")
h.update(password)
hashedPassword = h.hexdigest()
print "[auth-sqlite] hashedPassword : " + hashedPassword

## Connect and fetch from database
vals = (username, hashedPassword)
conn = sqlite3.connect(sqlite_file)
cur = conn.cursor()
cur.execute('SELECT count(*) FROM Users WHERE UserId = ? AND Password = ? AND Active = 1', vals)
row = cur.fetchone();
targetRows = row[0]
conn.close()

print targetRows

## Return result
if(targetRows == 1):
 print "[auth-sqlite] Authentication succeed."
 sys.exit(0)
else:
 print "[auth-sqlite] Authentication failed."
 sys.exit(1)

sys.exit(1)