I've been using Shibby's build of Tomato (64k NVRAM version) on my Asus N66U router in order to run an OpenVPN server.

I'm curious whether it's possible to set up this OpenVPN server to require both a certificate AND a username/password before a user is allowed access.

I noticed there's a "challenge password" entry when filling out the certificate details, but everyone says to leave it blank "or else"; I have no idea why, and I can't find an explanation. In addition, I've Googled this issue a bunch and have noticed people talking about a PAM module for OpenVPN in order to authenticate via username/password, but that appeared to be an either/or option; in other words, I can force authentication via username/password OR certificate. I want to require both.

Is this possible? If so, how?


3 Answers


The OpenVPN feature you're looking for, which will allow the server to authenticate clients based on both their certificate and a credential, is auth-user-pass-verify. This feature allows the server to pass the username/password provided by the remote user to a script that performs the authentication. At that point you can validate the credentials against anything you want: PAM, RADIUS, LDAP, smoke signals, etc.

I know nothing about the "Tomato" firmwares so I'm not even going to attempt to give you a step-by-step here. I did some quick searching and I suspect you could use the OpenVPN "Custom Configuration" option to include an auth-user-pass-verify reference. You'll need a script to perform the authentication.

Do some searching and I suspect you'll find "Tomato"-specific references.

Evan Anderson

auth-user-pass-verify is the right thing to do. In addition, you can force the auth-user username to be the certificate's CN, and you can also force OpenVPN to allow only one connection per cert at a time.

That way a "mimic" has to have the right user matching the cert's CN and the right pass, and he has to log on at a time the real owner doesn't.

In addition you may think about an IDS; depending on which one you choose, you can even narrow it down there, e.g. allowed external IP ranges, logon times and so on.

Any exposed cert should be revoked immediately. The signing server should be off net (transfer keys by USB); then you have really tight, secure access.

And no, you should not password-protect a cert.

  1. Easy to brute-force.
  2. You cannot lock a user (the cert password is offline only).
  3. People lose their passwords all the time, forcing you to revoke and recreate a cert every time; big risk of having a lot of certs out there where you maybe sometimes forget to revoke.

But if you really want, you can use auth-user and a cert password at the same time; there will be no fallback or anything.

First OpenVPN will use the cert password to decrypt the private key to establish a connection; then auth-user kicks in server-side, and if the credentials are wrong you're out.

However, if an attacker gets the regular credentials you're already in trouble, and chances are high he got the cert password too.

So I don't see a real benefit here, just a lot of downsides and a false feeling of more security.
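The auth-user-pass-verify script that the two answers above describe, as an added example written for this thread (not code from the answers, Tomato or OpenVPN): it reads the credentials OpenVPN hands it via-file, requires the username to equal the certificate CN, and checks the password against a local salted-hash file. The config lines, the /jffs paths and the hash-file format are assumptions.

```shell
#!/bin/sh
# Added illustration, not code from the thread, Tomato or OpenVPN.
# Assumed server-side lines in the Tomato "Custom Configuration" box:
#   script-security 2
#   auth-user-pass-verify /jffs/verify-user.sh via-file
# and duplicate-cn left unset, so each certificate may hold one session.
# With "via-file" OpenVPN writes the username on line 1 and the password
# on line 2 of a temporary file passed as $1, and exports the client
# certificate's CN as $common_name. Exit 0 accepts, exit 1 rejects.

USERDB="${USERDB:-/jffs/openvpn-users.db}"   # assumed path; lines "user:salt:sha256hex"

# hash_password SALT PASSWORD: prints the hex SHA-256 of "salt:password".
# sha256sum is used only because busybox ships it; a real deployment would
# rather hand the check to openvpn-plugin-auth-pam or a slow KDF.
hash_password() {
    printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# verify_credentials CREDFILE CERT_CN DBFILE: returns 0 = accept, 1 = reject.
verify_credentials() {
    user=$(sed -n '1p' "$1")
    pass=$(sed -n '2p' "$1")
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    # Username must equal the certificate CN: a stolen password is useless
    # without that client's certificate, and vice versa.
    [ "$user" = "$2" ] || return 1
    # Exact-match lookup (awk, not grep, so regex characters in a username
    # cannot widen the match); unknown users are rejected.
    record=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$3")
    [ -n "$record" ] || return 1
    salt=$(printf '%s' "$record" | cut -d: -f2)
    stored=$(printf '%s' "$record" | cut -d: -f3)
    [ "$(hash_password "$salt" "$pass")" = "$stored" ] || return 1
    return 0
}

# Entry point when OpenVPN invokes the script ($common_name is then set).
if [ -n "${common_name:-}" ] && [ -f "${1:-}" ]; then
    if verify_credentials "$1" "$common_name" "$USERDB"; then
        exit 0
    fi
    exit 1
fi
```

A database line for a user is produced with hash_password and a fresh random salt, and the file should be readable only by the account OpenVPN runs as.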


I followed this tutorial (with TomatoUSB Shibby 1.28 on my Asus N66U): http://www.dd-wrt.com/wiki/index.php/OpenVPN This may help you a lot.

AndyZ - welcome to SF, but we like answers here to contain more substance than just a link (which can rot with age). If you can overhaul this answer to contain the important bits of the method you've followed as well as the link to the article, it could be a really good answer. – MadHatter Jan 17 '14 at 20:25