Overview

OpenVPN servers use username and password authentication. When a user connects, the OpenVPN server calls back to StartMyVPN to verify the credentials in real time.

How authentication works

  1. User connects with OpenVPN client
  2. OpenVPN server sends auth request to StartMyVPN via standalone script server
  3. StartMyVPN verifies username + password and checks if the user has an active service with access to that server
       • Allowed: connection accepted
       • Denied: connection rejected

The authentication endpoint is part of the standalone script server, a lightweight HTTP server running on the VPN server that handles auth callbacks securely.

Downloading OpenVPN config

Users download a .ovpn config file from their dashboard:
  • Web dashboard: /vpn/download/{server}
  • API: GET /v1/servers/{server}/openvpn
The config file contains:
  • Server IP and port
  • Protocol (UDP/TCP) and port
  • TLS/CA certificates
  • auth-user-pass directive (prompts for username/password on connect)

Connection logging

Every successful OpenVPN authentication is logged in the database with:
  • User ID
  • Server ID
  • Connection timestamp
  • Bytes received and transmitted
This data feeds the bandwidth usage tracking system.

Bandwidth enforcement

If the user's plan has a bandwidth limit and that limit has been exceeded when the user attempts to connect, the authentication request is rejected and the connection is denied.

Manual installation

If you’re adding an existing server manually, install OpenVPN using the bundled script:
# On the VPN server
bash /path/to/openvpn-install.sh
The installation script handles:
  • OpenVPN installation
  • Certificate generation
  • auth-user-pass-verify hook pointing to StartMyVPN’s script server
  • Firewall rules
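
The auth-user-pass-verify hook listed above is the point where a connection is accepted or rejected, so it should deny on any error. The following is an added example in Python, not StartMyVPN's own script: the callback URL and JSON field names are assumptions, while the via-file credential format and the exit-code convention are OpenVPN's.

```python
#!/usr/bin/env python3
# Added example: fail-closed hook for OpenVPN's auth-user-pass-verify (via-file).
# Server config (real OpenVPN directives; the script path is a placeholder):
#   script-security 2
#   auth-user-pass-verify /path/to/verify_hook.py via-file
import json
import sys
import urllib.request

# Assumptions: the URL and the JSON field names are hypothetical placeholders.
AUTH_URL = "http://127.0.0.1:8080/auth"
TIMEOUT_S = 5


def read_credentials(path):
    """via-file mode: username on line 1, password on line 2 of a temp file."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().split("\n")
    if len(lines) < 2 or not lines[0] or not lines[1]:
        raise ValueError("malformed credentials file")
    return lines[0], lines[1]


def ask_backend(username, password, url=AUTH_URL):
    """POST the credentials; only HTTP 200 with {"allowed": true} is a yes."""
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=TIMEOUT_S) as resp:
        return resp.status == 200 and json.load(resp).get("allowed") is True


def verify(cred_path, backend=ask_backend):
    """Return the hook's exit code: 0 accepts the client, 1 rejects it."""
    try:
        username, password = read_credentials(cred_path)
        return 0 if backend(username, password) is True else 1
    except Exception as exc:
        # Timeouts, bad JSON, unreadable file: deny. Never log the password.
        print(f"auth hook denied: {type(exc).__name__}", file=sys.stderr)
        return 1


if __name__ == "__main__":
    sys.exit(verify(sys.argv[1]) if len(sys.argv) == 2 else 1)
```

The `backend` parameter lets the decision path be exercised without a network; in production the default `ask_backend` is used.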

Stored OpenVPN config

The openvpn_configs table stores one config record per server containing:
  • The client .ovpn template
  • CA certificate
  • Server certificate
  • TLS auth key