Working OpenVPN Server Auth against IMAP

I modified the work of Skywalker13, his IMAP LIBRARY WITH SHELL SCRIPTING.

So now my OpenVPN road warriors can authenticate easily against IMAP without using another user/password management.

Hope it will be useful for somebody!

You will need OpenVPN and OpenSSL:

opkg update && opkg install openssl-util openvpn-mbedtls

Config for the VPN, /etc/config/openvpn:

config openvpn 'RoeadWarrior'
        option dev 'tun'
        option float '1'
        option duplicate_cn '1'
        option mute_replay_warnings '1'
        option tls_server '1'
        option auth 'SHA256'
        option cipher 'AES-256-GCM'
        option mode 'server'
        option script_security '2'
        option reneg_sec '0'
        option persist_tun '1'
        option persist_key '1'
        option mute '20'
        option max_clients '30'
        option keepalive '10 20'
        option tls_auth '/etc/openvpn/tlscrypt.key'
        option auth_user_pass_verify '/etc/openvpn/ via-file'
        option ca '/etc/luci-uploads/'
        option dh '/etc/luci-uploads/cbid.openvpn.RoeadWarrior.dh'
        option cert '/etc/luci-uploads/cbid.openvpn.RoeadWarrior.cert'
        option key '/etc/luci-uploads/cbid.openvpn.RoeadWarrior.key'
        # No client certificate is checked: the IMAP password (plus possession of
        # the tls-auth key) is the only thing that authenticates a client.
        option username_as_common_name '1'
        option verify_client_cert 'none'
        option auth_nocache '1'
        option user 'nobody'
        option group 'nogroup'
        option dev_type 'tun'
        option port '1194'
        option topology 'subnet'
        option verb '3'
        option enabled '1'
        option server ''
        option server_ipv6 'xxxx:xxxx:xxxx:xxxx::/64'
        list push 'redirect-gateway def1 bypass-dhcp'
        list push 'route-gateway'
        list push 'dhcp-option DNS'
        list push 'topology subnet'
        list push 'route-ipv6 2000::/3'
        list push 'dhcp-option DOMAIN Domain.tld'
        option proto 'tcp-server'

The script, /etc/openvpn/ (make it executable):

#!/bin/sh
# Called by OpenVPN through "auth-user-pass-verify <script> via-file":
# $1 is a temporary file, line 1 = username, line 2 = password.
# Exit 0 accepts the client, anything else rejects it.

mail_server="**Put in your Imap Server here**"
mail_port=993   # assumed: IMAPS (implicit TLS); the variable was never set in the original

# Read the two lines separately (splitting "cat $1" on whitespace, as the
# original did, breaks passwords that contain spaces).
user=$(sed -n '1p' "$1" | tr -d '\r')
passwd=$(sed -n '2p' "$1" | tr -d '\r')

# Private, unpredictable directory for the FIFOs instead of /tmp/$$.*
tmpdir=$(mktemp -d) || exit 1

# Quote a value as an IMAP quoted string (escape backslash and double quote),
# so spaces or quotes in the password cannot corrupt the LOGIN command.
imap_quote() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')"
}

gala_imap_login() {
  mkfifo -m 600 "$tmpdir/ncin" "$tmpdir/ncout" || return 1
  exec 5<>"$tmpdir/ncin" 6<>"$tmpdir/ncout"

  # Implicit TLS to the IMAP server. Without -verify_return_error (and a
  # -CAfile/-CApath) s_client still connects when the certificate is untrusted,
  # so the password would be handed to whatever answers on that address.
  openssl s_client -quiet -crlf -connect "$mail_server:$mail_port" 2>/dev/null <&5 >&6 &

  gala_imap_send "LOGIN" "$(imap_quote "$user")" "$(imap_quote "$passwd")"
}

# Send one tagged command and read replies until the tagged response arrives.
# Untagged lines (the "* OK" greeting, "* BYE") are skipped.
gala_imap_send() {
  local result line
  printf '%s\n' "A0 $*" >&5      # printf, not echo: ash's echo mangles backslashes
  while read -r -t 20 result; do
    line=$(printf '%s' "$result" | tr -d '\r')
    case "$line" in
      "A0 OK"*)            return 0 ;;
      "A0 NO"*|"A0 BAD"*)  return 1 ;;
    esac
  done <&6
  return 1   # timeout or connection closed: treat as failure
}

gala_imap_logout() {
  gala_imap_send "LOGOUT"
  exec 5>&- 6>&-
  rm -rf "$tmpdir"
  return 0
}

if gala_imap_login; then
  gala_imap_logout
  logger -t openvpn.auth "Auth for $user succeeded"
  echo "OK"
  exit 0
else
  gala_imap_logout
  logger -t openvpn.auth "Auth for $user failed"
  echo "NO"
  exit 1
fi


VPN config for the client (modify verify-x509-name for your needs):

# tls-client + pull, needed to accept the pushed routes and DNS
client
remote **VPN Remote IP**  1194
dev tun
proto tcp
user nobody
group nogroup
cipher AES-256-GCM
auth SHA256
resolv-retry infinite
# send the IMAP username/password that the server script checks,
# and do not keep them in memory afterwards
auth-user-pass
auth-nocache
# recommended: only accept a server certificate carrying the server EKU
remote-cert-tls server
verify-x509-name "C=DE, ST=, L=, O=, OU=, CN=, name=, emailAddress="
# <ca> ... </ca> with the server's CA certificate goes here (not shown in the post)
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>

Tested with the OpenVPN GUI on iOS and the OpenVPN GUI on Windows 10.
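As an added example (not code from the post or from Skywalker13's library), here is the exchange the script above drives, with both sides visible: the client builds `A0 LOGIN` from a via-file, a constructed stand-in for the IMAP server answers with a greeting and a tagged reply, and the reply is classified the same way the script does it. It also covers the edge case the script has to get right, a password containing spaces, quotes or backslashes, by quoting it as an RFC 3501 quoted string. All function names, the credentials (`alice` / `pa ss"w\ord`) and the via-file contents are this example's own; the server is a fake, not a real IMAP implementation.

```shell
#!/bin/sh
# Added example, not code from the post: the IMAP LOGIN exchange the auth
# script drives, run against a constructed fake server so it works offline.
# All names here (imap_quote, fake_imap_server, ...) are this example's own.

TAG=A0   # the tag the script prefixes to every command

# RFC 3501 quoted-string: escape backslash and double quote, wrap in quotes.
# Without this a password such as  pa ss"w\ord  corrupts the LOGIN command.
imap_quote() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')"
}

# via-file layout: line 1 username, line 2 password. Whole lines are read,
# so spaces in the password survive.
via_file_line() { sed -n "${2}p" "$1" | tr -d '\r'; }

# Read server replies from stdin until the tagged one arrives.
# 0 = "A0 OK", 1 = "A0 NO"/"A0 BAD", 2 = stream ended without a tagged reply.
imap_tagged_result() {
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d '\r')
    case "$line" in
      "$TAG OK"*)             return 0 ;;
      "$TAG NO"*|"$TAG BAD"*) return 1 ;;
    esac
  done
  return 2
}

# Constructed server: accepts one fixed credential pair and answers like a
# real IMAP server (greeting, tagged OK/NO, BYE on LOGOUT).
GOOD_LOGIN="$TAG LOGIN $(imap_quote alice) $(imap_quote 'pa ss"w\ord')"
fake_imap_server() {
  printf '* OK IMAP4rev1 example server ready\r\n'
  while IFS= read -r cmd; do
    cmd=$(printf '%s' "$cmd" | tr -d '\r')
    case "$cmd" in
      "$GOOD_LOGIN")   printf '%s OK LOGIN completed\r\n' "$TAG" ;;
      "$TAG LOGIN "*)  printf '%s NO [AUTHENTICATIONFAILED] Authentication failed\r\n' "$TAG" ;;
      "$TAG LOGOUT")   printf '* BYE logging out\r\n%s OK LOGOUT completed\r\n' "$TAG"; return 0 ;;
      *)               printf '%s BAD Unknown command\r\n' "$TAG" ;;
    esac
  done
}

# Whole exchange for one via-file: client commands on the left of the pipe,
# the server in the middle, reply classification on the right.
# Prints OK or NO, mirroring what the OpenVPN script logs.
imap_login_check() {
  user=$(via_file_line "$1" 1)
  pass=$(via_file_line "$1" 2)
  if printf '%s LOGIN %s %s\r\n%s LOGOUT\r\n' \
       "$TAG" "$(imap_quote "$user")" "$(imap_quote "$pass")" "$TAG" \
     | fake_imap_server | imap_tagged_result
  then echo OK; else echo NO; fi
}

# Demo with two constructed via-files (the real ones are written by OpenVPN).
demo=$(mktemp)
printf 'alice\npa ss"w\\ord\n' > "$demo"; imap_login_check "$demo"   # OK
printf 'alice\nwrong\n' > "$demo";        imap_login_check "$demo"   # NO
rm -f "$demo"
```

The pipeline shape is the same one the script builds with its two FIFOs: commands in, replies out, and nothing but the tagged `A0 ...` line decides the result. Substituting `openssl s_client -quiet -crlf -connect host:993` for `fake_imap_server` turns it into a live check, with the quoting and the reply classification unchanged.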

Might want to consider that the passing of plain-text credentials is, in and of itself, far from "best practices" these days. Further, passing them to a script exposes them to the proc filesystem and utilities like ps which, on most Linux-based distributions, exposes them to all users.