Do you guys have any idea whether it is possible to configure OpenVPN with pam_google_authenticator.so with no need to authenticate using username/password, but only cert + TOTP? I don't want to create a new Unix user for every new VPN client.
I cannot find any flag in the client-side configuration (ovpn file) that can enable it (https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html).
UPDATE:
On the server side I tried with:

/etc/openvpn/server.conf:

    auth-user-pass-optional
    plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

/etc/pam.d/openvpn:

    auth required pam_google_authenticator.so

But in the OpenVPN log I still see:

    PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-plugin-auth-pam.so
    TLS Auth Error: Auth Username/Password verification failed for peer