From b2ab015d5f7b81de4b7a0c086dda41c92809e5db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Evaldas=20Mala=C5=BEinskas?= Date: Tue, 7 May 2019 14:34:18 +0300 Subject: [PATCH] add option to check certificates with pam also --- defaults/main.yml | 3 +++ templates/server.conf.j2 | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0fb7f21..b00e4da 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -78,6 +78,9 @@ openvpn_clients: # Revoke clients certificates openvpn_clients_revoke: [] +# Set to true to enable checking client certificates even with pam authentication (disabled for pan authentication by default by default) +openvpn_client_cert_required: false + # Use PAM authentication openvpn_use_pam: true openvpn_use_pam_users: [] diff --git a/templates/server.conf.j2 b/templates/server.conf.j2 index 16d44fa..90fe37e 100644 --- a/templates/server.conf.j2 +++ b/templates/server.conf.j2 @@ -159,8 +159,11 @@ group nogroup client-to-client {% endif %} -{% if openvpn_use_pam %} +{% if openvpn_use_pam and not openvpn_client_cert_required %} client-cert-not-required +{% endif %} + +{% if openvpn_use_pam %} plugin {{openvpn_use_pam_plugin|default(openvpn_use_pam_plugin_distribution)}} openvpn {% endif %}
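Review bot: The comment added above `openvpn_client_cert_required` in defaults/main.yml is garbled ("pan authentication by default by default") and does not say what the default means for security. With `openvpn_use_pam: true` and this variable left at `false`, the template still emits `client-cert-not-required`, so a username and password alone are enough to connect. Suggested wording: `# Require a valid client certificate in addition to PAM credentials.` followed by `# Default false: PAM logins are accepted without a client certificate.` The role's documentation should list the variable too, since operators who want certificate-plus-password access have to opt in.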
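Review bot: With `openvpn_client_cert_required` set to true, the server checks the certificate and the PAM credentials independently, and nothing in this hunk ties the certificate's common name to the PAM username. A certificate issued to one user is therefore accepted alongside another user's password. If per-user binding is intended it has to be enforced separately, for example by a `client-connect` script that compares `common_name` with `username`; the rest of server.conf.j2 is outside the hunk, so this may already exist. Separately, `client-cert-not-required` is deprecated since OpenVPN 2.4 in favour of `verify-client-cert none` and is rejected by newer releases, so the guarded line is worth migrating while this condition is being changed. Writing the test as `{% if openvpn_use_pam | bool and not openvpn_client_cert_required | bool %}` would also stop string values passed with `-e` from changing the result.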