openvpn的client使用正确的用户名和密码后无法连接server的缘故

openvpn的client使用正确的用户名和密码后无法连接server的原因
openvpn除了证书的验证方式，还可以指定用户名和密码的验证方式
client端配置文件加入
auth-user-pass
连接时会弹出方框提示用户输入用户名和密码
server端配置文件加入
auth-user-pass-verify /tmp/openvpn/server/up.sh via-env
指定openvpn使用up.sh进行验证，通过环境变量将需要验证的用户名和密码传入
up.sh代码如下

#!/bin/sh   
###########################################################  
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se> 
#  
# This script will authenticate OpenVPN users against  
# a plain text file. The passfile should simply contain  
# one row per user with the username first followed by  
# one or more space(s) or tab(s) and then the password.  
 
PASSFILE="/tmp/openvpn/server/up.txt" 
LOG_FILE="/tmp/openvpn/openvpn-password.log" 
TIME_STAMP=`date "+%Y-%m-%d %T"`  
 
###########################################################  
 
if [ ! -r "${PASSFILE}" ]; then  
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}  
  exit 1  
fi  
 
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`  
 
if [ "${CORRECT_PASSWORD}" = "" ]; then   
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}  
  exit 1  
fi  
 
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then   
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}  
  exit 0  
fi  
 
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}  
exit 1 

PASSFILE指定保存用户名和密码的文件，格式是一对用户名和密码写在一行，中间使用空格分隔

今天在调试openvpn客户端使用用户名和密码登陆时，无法连接，查看服务端的log显示



原来是需要在server端配置文件加入--script-security 3，问题即可解决，查看了下这个选项
--script-security level:
Where level can be:
0 -- strictly no calling of external programs
1 -- (default) only call built-ins such as ifconfig
2 -- allow calling of built-ins and scripts
3 -- allow password to be passed to scripts via env