Hi On Wed, Apr 21, 2021 at 11:48 AM Joe Patterson <j.m.patter...@gmail.com> wrote: > > What you're looking for is the openvpn challenge/response protocol, > which can be used when authentication is done via the management > interface. > > https://openvpn.net/community-resources/management-interface/ > describes it a bit. > > I know that the MFA portion of the management interface system I wrote > (https://github.com/j-m-patterson/ovpnherder) supports passing TOTP > tokens via static challenge (which is where you put the > "static-challenge" directive in the client config) as well as > concatenating them with the password. > > Unfortunately, as far as I can tell, static and dynamic > challenge-response isn't available if you're using a plugin or script > for authentication. So if you're ready to take the plunge into using > the management interface, you can do it. Otherwise, you're stuck with > concatenating the OTP token to the password.
Static challenge can be used with plugins and scripts on the server -- management-auth not required. Here is a pared down example of what I use: Add to client config *static-challenge "OTP " 1* This causes the openvpn client (or its UI/GUI) to prompt separately for username, password and OTP . The prompt text for the latter is taken from the first argument to static-challenge. The second arg (1 above) controls echo-ing of the pin. See the man page of openvpn for details. This prompt is also supported by OpenVPN-GUI on windows and, I think, by tunnelblick, viscosity and probably others. On the server, details vary depending on the need and verification mechanism used. I use PAM for which one adds to the server config: *plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "openvpn login:USERNAME Password: PASSWORD Verification OTP"* (See README.auth-pam distributed with OpenVPN for how to format the above line to match your pam setup). And have a pam config /etc/pam.d/openvpn with, say, *@include common-authaccount required pam_access.so@include common-account@include common-password@include common-session* where common-auth has *auth required pam_google_authenticator.so* among other modules. There are so many ways of setting up PAM depending on how the user is authenticated (unix user db, ldap, Active Directory, ...), what kind of OTP is in use etc. The above is only meant to describe the essentials. Selva
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
