I modified Skywalker13's "IMAP library with shell scripting".
So now my OpenVPN road warriors can authenticate easily against IMAP without a separate user/password management system.
Hope it will be useful for somebody!
You will need OpenVPN and OpenSSL:
opkg update && opkg install openssl-util openvpn-mbedtls
Config for the VPN server (/etc/config/openvpn):
config openvpn 'RoeadWarrior'
option dev 'tun'
option float '1'
option duplicate_cn '1'
option mute_replay_warnings '1'
option tls_server '1'
option auth 'SHA256'
option cipher 'AES-256-GCM'
option mode 'server'
option script_security '2'
option reneg_sec '0'
option persist_tun '1'
option persist_key '1'
option mute '20'
option max_clients '30'
option keepalive '10 20'
option tls_auth '/etc/openvpn/tlscrypt.key'
option auth_user_pass_verify '/etc/openvpn/imapauth.sh via-file'
option ca '/etc/luci-uploads/cbid.openvpn.RoeadWarrior.ca'
option dh '/etc/luci-uploads/cbid.openvpn.RoeadWarrior.dh'
option cert '/etc/luci-uploads/cbid.openvpn.RoeadWarrior.cert'
option key '/etc/luci-uploads/cbid.openvpn.RoeadWarrior.key'
option username_as_common_name '1'
option verify_client_cert 'none'
option auth_nocache '1'
option user 'nobody'
option group 'nogroup'
option dev_type 'tun'
option port '1194'
option topology 'subnet'
option verb '3'
option enabled '1'
option server '192.168.100.0 255.255.255.0'
option server_ipv6 'xxxx:xxxx:xxxx:xxxx::/64'
list push 'redirect-gateway def1 bypass-dhcp'
list push 'route-gateway 192.168.100.1'
list push 'dhcp-option DNS 192.168.100.1'
list push 'topology subnet'
list push 'route-ipv6 2000::/3'
list push 'dhcp-option DOMAIN Domain.tld'
option proto 'tcp-server'
The script /etc/openvpn/imapauth.sh (make it executable):
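#!/bin/sh
# OpenVPN auth-user-pass-verify script, "via-file" mode: OpenVPN passes the
# path of a file whose first line is the username and second line the
# password. The pair is checked by performing an IMAP LOGIN over TLS.
# Exit status is what OpenVPN looks at: 0 = accept, non-zero = reject; the
# "OK"/"NO" lines and the logger messages are informational only.
#
# Requires: openssl (openssl-util), mktemp, mkfifo, logger.
# The IMAP server's certificate is verified, so either set mail_cafile or
# make sure openssl's default certificate directory holds the issuing CA;
# with no trusted CA the script fails closed.
#
# Limitation: credentials are sent as IMAP quoted strings, so passwords with
# control characters or non-ASCII bytes are rejected before any connection.
mail_server='imap.example.com'   # placeholder: replace with your IMAP server host
mail_port=993
mail_cafile=''                   # optional PEM file with the CA(s) for $mail_server
imap_timeout=20                  # seconds to wait for each IMAP response

tmpdir=''       # per-run directory holding the two FIFOs (set in gala_imap_login)
ssl_pid=''      # pid of the background openssl s_client (set in gala_imap_login)
cr=$(printf '\r')

#######################################
# Stop the TLS client and remove the FIFO directory.
# Runs on every exit path through the EXIT trap; does not change the
# script's exit status.
#######################################
cleanup() {
  [ -n "$ssl_pid" ] && kill "$ssl_pid" 2>/dev/null
  [ -n "$tmpdir" ] && rm -rf -- "$tmpdir"
}

#######################################
# Escape a value for use inside an IMAP quoted string (RFC 3501):
# only backslash and double quote get a backslash in front of them.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout (no trailing newline)
#######################################
imap_quote() {
  printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

#######################################
# Send one tagged IMAP command on fd 5 and read replies from fd 6 until
# the tagged response arrives.
# Arguments: $1 - tag, $2 - command (already IMAP-quoted where needed)
# Returns:   0 on "<tag> OK"; 1 on "<tag> NO"/"<tag> BAD", on timeout
#            (imap_timeout seconds with no line) or when the loop ends
#######################################
gala_imap_send() {
  local tag line
  tag=$1
  # s_client -crlf turns the trailing LF into the CRLF IMAP expects.
  printf '%s\n' "$tag $2" >&5
  while IFS= read -r -t "$imap_timeout" line; do
    line=${line%"$cr"}
    case "$line" in
      "$tag OK"*) return 0 ;;
      "$tag NO"*|"$tag BAD"*) return 1 ;;
    esac
  done <&6
  return 1
}

#######################################
# Open the TLS session (fd 5 = to server, fd 6 = from server) and send LOGIN.
# Globals:   mail_server, mail_port, mail_cafile (read); tmpdir, ssl_pid (written)
# Arguments: $1 - username, $2 - password (both raw, unescaped)
# Returns:   0 only when the server answers the LOGIN with OK
#######################################
gala_imap_login() {
  local user passwd
  user=$(imap_quote "$1")
  passwd=$(imap_quote "$2")
  # Unpredictable, private directory instead of /tmp/$$.* : /tmp is shared
  # with every local user and $$ is guessable.
  tmpdir=$(mktemp -d /tmp/imapauth.XXXXXX) || return 1
  mkfifo -- "$tmpdir/in" "$tmpdir/out" || return 1
  # Open both FIFOs read-write so neither this exec nor s_client blocks on open.
  exec 5<>"$tmpdir/in" 6<>"$tmpdir/out"
  # -verify_return_error makes s_client abort on a certificate problem instead
  # of continuing; without it the credentials would be handed to whatever
  # answers on $mail_server:$mail_port. -servername/-verify_hostname cover SNI
  # and name matching.
  set -- -quiet -crlf -connect "$mail_server:$mail_port" \
    -servername "$mail_server" -verify_return_error -verify_hostname "$mail_server"
  [ -n "$mail_cafile" ] && set -- "$@" -CAfile "$mail_cafile"
  openssl s_client "$@" 2>/dev/null <&5 >&6 &
  ssl_pid=$!
  gala_imap_send A1 "LOGIN \"$user\" \"$passwd\""
}

#######################################
# Send LOGOUT if the TLS client is still alive (a client that already died,
# e.g. on a certificate error, would only make us wait for the timeout).
# FIFO removal is left to the EXIT trap.
# Returns:   always 0
#######################################
gala_imap_logout() {
  if [ -n "$ssl_pid" ] && kill -0 "$ssl_pid" 2>/dev/null; then
    gala_imap_send A2 LOGOUT
  fi
  return 0
}

#######################################
# Read the via-file, validate the credentials and run the IMAP check.
# Arguments: $1 - path of the OpenVPN via-file
# Outputs:   "OK" or "NO" on stdout, one logger line per attempt
# Returns:   0 on successful IMAP login, 1 otherwise (missing file,
#            malformed credentials, connection/verification failure, NO/BAD)
#######################################
main() {
  local user passwd
  if [ -z "$1" ] || [ ! -r "$1" ]; then
    return 1
  fi
  # via-file layout: line 1 username, line 2 password; read -r keeps
  # backslashes and IFS= keeps leading/trailing blanks intact.
  {
    IFS= read -r user
    IFS= read -r passwd
  } <"$1"
  if [ -z "$user" ] || [ -z "$passwd" ]; then
    logger -t openvpn.auth "Auth rejected: empty username or password"
    return 1
  fi
  # Control characters or 8-bit bytes cannot be carried in an IMAP quoted
  # string and must not end up in the log line below; fail closed.
  case "$user$passwd" in
    *[![:print:]]*)
      logger -t openvpn.auth "Auth rejected: unsupported characters in credentials"
      return 1 ;;
  esac
  # Explicit if/else: with the old &&/|| chain a failing logger in the
  # rejection branch fell through to the accept branch and exited 0.
  if gala_imap_login "$user" "$passwd"; then
    gala_imap_logout
    logger -t openvpn.auth "Auth for $user succeded"
    echo "OK"
    return 0
  fi
  gala_imap_logout
  logger -t openvpn.auth "Auth for $user failed"
  echo "NO"
  return 1
}

trap cleanup EXIT
main "$@"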
VPN config for the client (modify verify-x509-name for your needs):
client
remote **VPN Remote IP** 1194
dev tun
tun-ipv6
proto tcp
nobind
auth-nocache
user nobody
group nogroup
auth-user-pass
cipher AES-256-GCM
auth SHA256
pull
resolv-retry infinite
verify-x509-name "C=DE, ST=, L=, O=, OU=, CN=, name=, emailAddress="
persist-key
persist-tun
tls-client
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
Tested with OpenVPN GUI on iOS and OpenVPN GUI on Windows 10.