authentication-plugins.md

TESTING OF MULTIPLE AUTHENTICATION PLUG-INS

OpenVPN 2.x can load multiple plug-ins and authenticate users through all of them at the same time, but only a single plug-in may do deferred authentication. A plug-in supporting deferred authentication may still be accompanied by other authentication plug-ins that do not do deferred authentication.

This is a test script for exercising the various combinations and orders of plug-in execution.

The configuration files are expected to be used from the root of the build directory.

To build the needed authentication plug-in, run:

 make -C sample/sample-plugins

Test configs

  • Client config

    verb 4
    dev tun
    client
    remote x.x.x.x
    ca sample/sample-keys/ca.crt
    cert sample/sample-keys/client.crt
    key sample/sample-keys/client.key
    auth-user-pass
    
  • Base server config (base-server.conf)

    verb 4
    dev tun
    server 10.8.0.0 255.255.255.0
    dh sample/sample-keys/dh2048.pem
    ca sample/sample-keys/ca.crt
    cert sample/sample-keys/server.crt
    key sample/sample-keys/server.key
    

Test cases

Test: sanity-1

This tests the basic authentication with an instant answer.

 config base-server.conf
 plugin multi-auth.so S1.1 0 foo bar

Expected results

  • Username/password foo/bar: PASS
  • Anything else: FAIL

Test: sanity-2

This is similar to sanity-1, but does the authentication through two plug-ins providing an instant reply.

 config base-server.conf
 plugin multi-auth.so S2.1 0 foo bar
 plugin multi-auth.so S2.2 0 foo bar

Expected results

  • Username/password foo/bar: PASS
  • Anything else: FAIL

Test: sanity-3

This is also similar to sanity-1, but uses deferred authentication with a 1 second delay on the response.

 plugin multi-auth.so S3.1 1000 foo bar

Expected results

  • Username/password foo/bar: PASS
  • Anything else: FAIL

Test: case-a

Runs two authentications, the first one deferred by 1 second and the second one providing an instant response.

 plugin multi-auth.so A.1 1000 foo bar
 plugin multi-auth.so A.2 0 foo bar

Expected results

  • Username/password foo/bar: PASS
  • Anything else: FAIL

Test: case-b

This is similar to case-a, but the instant authentication response is provided before the deferred authentication.

 plugin multi-auth.so B.1 0 foo bar
 plugin multi-auth.so B.2 1000 test pass

Expected results

  • Always FAIL
  • This test should never pass, as each plug-in expects different usernames and passwords.

Test: case-c

This is similar to the two prior tests, but the authentication result is returned instantly in both steps.

 plugin multi-auth.so C.1 0 foo bar
 plugin multi-auth.so C.2 0 foo2 bar2

Expected results

  • Always FAIL
  • This test should never pass, as each plug-in expects different usernames and passwords.

Test: case-d

This is similar to the case-b test, but the order of deferred and instant response is reversed.

 plugin ./multi-auth.so D.1 2000 test pass
 plugin ./multi-auth.so D.2 0 foo bar

Expected results

  • Always FAIL
  • This test should never pass, as each plug-in expects different usernames and passwords.

Test: case-e

This test case will run two deferred authentication plug-ins. This is not supported by OpenVPN, and should therefore fail instantly.

 plugin ./multi-auth.so E1 1000 test1 pass1
 plugin ./multi-auth.so E2 2000 test2 pass2

Expected results

  • The OpenVPN server process should stop running
  • An error about multiple deferred plug-ins being configured should be seen in the server log.