openvpn: auth-user-pass or (and?) passphrase?

Solution 1:

The two different passwords, although similar in what the user does see, are completely different in what they protect.

The private key password is the decryption key to the user's private key, introducing security for data-at-rest situations. It can be changed and removed by the user at her liking, provided she is familiar with X.509 certificate and private key handling. It should be noted that in the best of all worlds, you as the VPN gateway operator would not have any knowledge of the user's private keys and their passwords, as those would be generated and maintained by the users themselves.

The auth-user-pass directive queries a username/password combination for OpenVPN access. It is comparable to what XAuth does for IPsec: using it, OpenVPN can be integrated with external authentication services like RADIUS, LDAP or PAM. This can be used to mitigate "stolen private key" incidents, but more likely it ends up as the sole method of authentication in most installations, so OpenVPN could run entirely without client certificates (with the client-cert-not-required option) and provide some single-sign-on functionality for VPN dialup road warriors.

Whether one of the options is "better" than the other depends heavily on what you are actually doing and what you want to accomplish.
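
As an added example (not part of the original answer), the following Python sketch audits which of the two mechanisms a deployment actually relies on: it classifies a server config by the client credentials it enforces and checks whether a PEM private key is passphrase-protected. The sample configs, the plugin path and the PEM headers are constructed, and treating any `plugin` line as an authentication plugin is an assumption.

```python
import re

def directives(conf):
    """Map each directive to its argument list (comments start at '#' or ';')."""
    out = {}
    for raw in conf.splitlines():
        tokens = re.split(r"[#;]", raw, maxsplit=1)[0].split()
        if tokens:
            out[tokens[0].lstrip("-")] = tokens[1:]
    return out

def server_auth_mode(conf):
    """Return which client credentials a server config actually enforces."""
    d = directives(conf)
    # Assumption: any plugin line is an authentication plugin (PAM, RADIUS, LDAP).
    password = "auth-user-pass-verify" in d or "plugin" in d
    # 'verify-client-cert none|optional' is the OpenVPN 2.4+ spelling of
    # client-cert-not-required.
    mode = (d.get("verify-client-cert") or ["require"])[0]
    cert = not ("client-cert-not-required" in d or mode in ("none", "optional"))
    if cert and password:
        return "certificate+password"
    if cert:
        return "certificate-only"
    return "password-only" if password else "no-authentication"

def key_has_passphrase(pem):
    """True if a PEM private key is encrypted at rest (PKCS#8 or legacy OpenSSL)."""
    return ("BEGIN ENCRYPTED PRIVATE KEY" in pem
            or "Proc-Type: 4,ENCRYPTED" in pem)

# Constructed sample configs, not taken from a real deployment.
BOTH = """
ca ca.crt
cert server.crt
key server.key
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login  # username/password via PAM
"""
PASSWORD_ONLY = BOTH + "client-cert-not-required\nusername-as-common-name\n"
CERT_ONLY = "ca ca.crt\ncert server.crt\nkey server.key\n"

# Constructed PEM headers; key bodies are elided.
ENCRYPTED_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----\n(elided)\n"
PLAIN_KEY = "-----BEGIN PRIVATE KEY-----\n(elided)\n"

if __name__ == "__main__":
    for name, conf in [("both", BOTH), ("password", PASSWORD_ONLY), ("cert", CERT_ONLY)]:
        print(name, "->", server_auth_mode(conf))
    print("encrypted key:", key_has_passphrase(ENCRYPTED_KEY))
    print("plain key:", key_has_passphrase(PLAIN_KEY))
```

A "password-only" result means a stolen or guessed password is sufficient on its own, and an unencrypted key under "certificate-only" means a copied key file is sufficient on its own.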