Hi,

On Mon, Nov 20, 2023 at 10:08:46AM +1300, Richard Hector wrote:
> I've been experimenting with 2FA - with IPFire as the server, but I don't
> think that's relevant to my question.
>
> My understanding is that OpenVPN renegotiates keys every few minutes. It
> appears that when this happens, I also need to enter a new token.

60 minutes, but generally, yes.

> If that's true, it makes using 2FA rather impractical, or at least
> irritating.
>
> Have I understood this correctly? Or am I missing something?

--auth-gen-token <timer args> on the server side.

This will make the server generate an openvpn-internal auth-token (= password
replacement) that the client will send on the next key renegotiation. For the
configured lifetime, this will make the server happy, and not ask for 2FA.
When the configured token lifetime expires, the client will ask the user again.

Using this with our 2FA clients since the early 2.5.x times with good success -
early clients had confusion in some combinations with --auth-nocache, but I
think we found and fixed everything for 2.5.0 (and now we're at 2.6.8).

gert
--
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
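Added worked example of the setup described in the reply above (not from Gert's mail, IPFire or the OpenVPN project's own documentation); it assumes OpenVPN 2.5 or later on both sides, an existing username/OTP verification script, and illustrative values for the token lifetime and file paths:

```conf
# --- server.conf (added example, not from the original mail) ---
# After a successful username+OTP login, hand the client a server-generated
# auth-token. On each TLS renegotiation (default --reneg-sec 3600, i.e. the
# 60 minutes mentioned above) the client presents this token instead of a
# fresh OTP, so the user is not prompted again until the token expires.
#
# auth-gen-token [lifetime] [renewal-time] [external-auth]
#   lifetime     : seconds the token stays valid; 43200 (12 hours) is an
#                  assumed value, pick one that matches your session policy
#   renewal-time : how often a refreshed token is pushed; omitted here
auth-gen-token 43200

# Optional: persistent HMAC secret so tokens stay valid across a server
# restart. Path is assumed; create the file with:
#   openvpn --genkey auth-token /etc/openvpn/server/auth-token.key
auth-gen-token-secret /etc/openvpn/server/auth-token.key

# The 2FA check itself still runs once per new session through whatever
# verification hook you already use; placeholder script path below.
auth-user-pass-verify /etc/openvpn/server/check-otp.sh via-file
script-security 2

# --- client.ovpn ---
# Prompt for username + OTP once. The pushed auth-token is held by the
# OpenVPN client process itself, so --auth-nocache can stay enabled without
# forcing a new OTP at every renegotiation (the 2.5.0+ fixes referenced
# above are what make this combination behave).
auth-user-pass
auth-nocache
```

The security trade-off is the token lifetime: a longer value means fewer OTP prompts but a longer window in which a stolen token (or a compromised client machine) can renegotiate without the second factor, so size it to the expected working session and let `auth-gen-token-secret` rotation and normal session teardown bound its reuse.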