OpenVPN certificate OR plugin-auth-pam authentication
Configuring an OpenVPN server, I can enable either certificate-based authentication or username/password authentication using the openvpn-plugin-auth-pam plugin, but not both at the same time.
I enable username/password authentication as follows:
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
client-cert-not-required
username-as-common-name
But as soon as I add the following lines, my clients configured for certificate authentication stop working with the following messages in the log:
TLS Error: Auth Username/Password was not provided by peer
TLS Error: TLS handshake failed
Is there any way to not require username/password from clients that use certificate authentication?
OpenVPN does not support multiple concurrent authentication methods. The best solution for this, as mentioned in comments, is to run two instances of OpenVPN. It is more complicated to run it on the same box, but is definitely doable.
However, there do seem to be some workarounds that may be suitable for your situation.
If you know which certificates require a password and which don't, then the answer is yes. Use an 'auth-user-pass-verify' script on the server side to first verify the certificate DN (if you set --username-as-common-name as well then you will know the certificate common name inside the verify script automatically). If it's a certificate for which you know that a password was entered then use pam to verify the username/password. If you know the certificate did not include a password then have the script return '0' to allow access.
Note that there is no way of automaGically determining if the user typed in a certificate password or not - that's outside the openssl handshake and thus not known to the OpenVPN server.
Source: https://openvpn.net/archive/openvpn-users/2007-12/msg00179.html
You may also be able to federate your OpenVPN generated keypairs into a local LDAP server, and use the aforementioned script to authenticate against LDAP with the provided certificate, or use the provided credentials given that no certificate was presented.
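The workaround quoted in the answer, written out as an added example that is not from the original post or from the OpenVPN project: a POSIX sh script for the server's auth-user-pass-verify hook that allows a connection outright when the certificate common name is on an allow-list of certificate-only clients, and otherwise requires the supplied username/password to pass PAM. Assumptions made here: the allow-list file /etc/openvpn/cert-only-cns (one CN per line, a constructed path), OpenVPN calling the script in via-env mode with script-security 3 (so common_name, username and password arrive as environment variables), and the pamtester utility accepting the password on stdin. The PAM check is passed in as a function name so the decision logic can be exercised without a real PAM stack.

```sh
#!/bin/sh
# cn-or-pam.sh: OpenVPN auth-user-pass-verify script (via-env mode).
# Exit 0 allows the client, exit 1 denies it.

# Allow-list of certificate common names that need no password (constructed path).
CERT_ONLY_CNS_FILE="${CERT_ONLY_CNS_FILE:-/etc/openvpn/cert-only-cns}"
# PAM service used for password clients; "login" matches the plugin line in the question.
PAM_SERVICE="${PAM_SERVICE:-login}"

# is_cert_only CN FILE: 0 when CN is listed verbatim in FILE.
# -x -F forces a whole-line, literal match, so "alice" never matches "alice-old".
is_cert_only() {
    cn="$1"
    file="$2"
    [ -n "$cn" ] || return 1        # an empty CN must never match an empty line
    [ -r "$file" ] || return 1      # a missing list means nobody is exempt
    grep -qxF -- "$cn" "$file"
}

# verify_pam USER PASS: 0 when PAM accepts the credentials.
# Assumption: pamtester reads the password from stdin when it is not a tty.
verify_pam() {
    user="$1"
    pass="$2"
    [ -n "$user" ] && [ -n "$pass" ] || return 1   # empty credentials always fail
    printf '%s\n' "$pass" | pamtester "$PAM_SERVICE" "$user" authenticate >/dev/null 2>&1
}

# decide CN USER PASS CNFILE [VERIFIER]: the access decision.
# Certificate-only CNs are allowed without credentials; everyone else must
# satisfy VERIFIER (default verify_pam), which receives USER and PASS.
decide() {
    cn="$1"
    user="$2"
    pass="$3"
    cnfile="$4"
    verifier="${5:-verify_pam}"
    if is_cert_only "$cn" "$cnfile"; then
        return 0
    fi
    "$verifier" "$user" "$pass"
}

# Entry point when invoked by OpenVPN: the username variable is set (possibly
# empty, with auth-user-pass-optional) whenever the server runs this script.
if [ -n "${username+set}" ]; then
    if decide "${common_name:-}" "$username" "${password:-}" "$CERT_ONLY_CNS_FILE"; then
        exit 0
    fi
    exit 1
fi
```

Server-side wiring for this script is `script-security 3` plus `auth-user-pass-verify /etc/openvpn/cn-or-pam.sh via-env` in place of the plugin line. Note that a server with an auth-user-pass-verify hook still demands a username/password from every client, which is exactly the "Auth Username/Password was not provided by peer" failure in the question; certificate-only clients therefore either send placeholder credentials that the allow-list makes irrelevant, or the server adds `auth-user-pass-optional`, in which case the script sees empty credentials and only the CN check can let the client in.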