This article describes the configurations needed to make OpenVPN Access Server work with AuthLite.

The OpenVPN Access Server (OpenVPN-AS) uses the username field to create and push configuration files. This means it cannot tolerate an AuthLite OTP in the username field by default. To work around this problem you can either:

  1. Use RADIUS PAP and enter credentials as follows:

    • Username in the Username field

    • Password and OTP together in the password field

  2. Use AuthLite 1.2.25 or later and add a "post auth" script to the VPN server to make it tolerate an OTP in the username field. This is accomplished by making the VPN software use the username returned by AuthLite as the canonical username for its internal operations.

The remainder of this article contains the steps needed to configure option #2.

  • From a shell on the VPN server, cd to /usr/local/openvpn_as/scripts
  • Create the file authlite.py, with the following contents:
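      from pyovpn.plugin import *

      def post_auth(authcred, attributes, authret, info):

          # Leave session and autologin authentications unchanged.
          if info.get('auth_method') in ('session', 'autologin'):
              return authret

          # RADIUS attribute 1 is User-Name; AuthLite returns the username there.
          radius_reply = info.get('radius_reply') or {}
          if 1 in radius_reply:
              ul = radius_reply[1]
              us = ''.join(ul)
              # Drop any DOMAIN\ prefix and keep the bare username.
              u = us.split("\\")[-1]
              authret['user'] = u

          return authret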

  • Execute the following command, substituting your VPN admin username if it is not "openvpn":

     ./sacli -a openvpn -k auth.module.post_auth_script --value_file=authlite.py ConfigPut 
  • Execute the following command, substituting your VPN admin username if it is not "openvpn":

     ./sacli -a openvpn start 

Note that the script executes from a copy stored directly in the configuration database, NOT from the .py file. If you change the .py file, you need to ConfigPut it again for your changes to be picked up.
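Since every change has to be loaded with ConfigPut before it takes effect, it can help to check the hook's logic away from the VPN server first. The following Python harness is an added example, not part of AuthLite or OpenVPN-AS: it stubs out the pyovpn import and runs a constructed copy of the hook against constructed inputs. The shape of info['radius_reply'] (attribute number mapped to a list of strings) is inferred from the script above; the sample usernames, the EXAMPLE domain and the pre-filled authret['user'] are assumptions.

```python
import sys
import types

# Constructed copy of this article's hook logic; on the server the real file
# is /usr/local/openvpn_as/scripts/authlite.py.
SCRIPT = r'''
from pyovpn.plugin import *

def post_auth(authcred, attributes, authret, info):
    if info.get('auth_method') in ('session', 'autologin'):
        return authret
    radius_reply = info.get('radius_reply') or {}
    if 1 in radius_reply:
        authret['user'] = ''.join(radius_reply[1]).split("\\")[-1]
    return authret
'''

def load_post_auth(source):
    """Exec a post_auth script with pyovpn stubbed out and return its hook."""
    pkg = types.ModuleType('pyovpn')
    pkg.plugin = types.ModuleType('pyovpn.plugin')
    sys.modules.setdefault('pyovpn', pkg)
    sys.modules.setdefault('pyovpn.plugin', pkg.plugin)
    namespace = {}
    exec(compile(source, 'authlite.py', 'exec'), namespace)
    return namespace['post_auth']

def resolve_user(hook, typed, info):
    """Username left in authret after the hook runs (authret shape assumed)."""
    return hook({'username': typed}, {}, {'user': typed}, info)['user']

# Constructed cases: (what the user typed, info passed to the hook, expected)
CASES = [
    ('jsmith123456', {'radius_reply': {1: ['EXAMPLE\\jsmith']}}, 'jsmith'),
    ('jsmith123456', {'radius_reply': {1: ['jsmith']}}, 'jsmith'),
    ('jsmith123456', {'radius_reply': {}}, 'jsmith123456'),
    ('jsmith', {'auth_method': 'session'}, 'jsmith'),
]

def run_cases():
    hook = load_post_auth(SCRIPT)
    return [(typed, resolve_user(hook, typed, info), want)
            for typed, info, want in CASES]

if __name__ == '__main__':
    for typed, got, want in run_cases():
        print('%-14s -> %-14s %s' % (typed, got, 'ok' if got == want else 'FAIL'))
```

The third case shows that when the RADIUS reply carries no User-Name attribute, the name stays exactly as typed, OTP included.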

You can use the sacli command with the ConfigDel option if you need to remove the script.

See /usr/local/openvpn_as/doc/post_auth/post_auth.txt for more information.