2FA with openVPN

Hello mates

I come here to talk about openVPN and 2FA. I spent some time on it and need to share with you what I found, and it is time to know whether I go further or let this topic drop :smiley:

First, I hope you know that this is a commercial feature in many, many projects and not free at all. Basically what I would like is to use the same key we store under ~/.2fa.secret and propose to add the 2FA.

My concern now is that I never succeeded in making it work with password+certificates+otp_pin; my only success was certificates+otp_pin.
My mind is split two ways. First, the password could be compromised: since we use LDAP, if the password is compromised and the laptop is stolen, then access to the network is probably granted. This is why I thought it could still be a good enhancement to propose a new policy for openvpn, certificates+otp; the computer/certs could be stolen, but it is less risky.

If we want to go to password+certificates+otp then maybe I should test something like https://github.com/evgeny-gridasov/openvpn-otp, but I have not really tested it and I am not a big fan of using something not packaged in EPEL or in base.

It seems that google-authenticator could do password+otp_pin, but we did not use it because of some known vulnerabilities, and now my main concern is that the key we use is not compatible (hex vs base32), so it would lead to using two keys :expressionless:

Actually we use pam_oath; this is what we use for sshd and cockpit. However, I think we could implement it with pwauth (to protect websites with OTP).


You raise a very good issue which can be difficult to resolve.

Do the following articles help at all?


openvpn-otp is fun and could do some interesting things for a company: we could use MFA (multi-factor authentication), meaning login+pin (known by the user)+otp_pin

# use totp-30-6 and sha1/hex for hardware based 30 seconds / 6 digits otp tokens + known pin (here 6543)
mike otp totp-30-6:sha1:hex:5c5a75a87ba1b48cb0b6adfd3b7a5a0e:6543:xxx *

Here the user must type known_pin + otp_token into the same password input. The cons are that the known_pin is in clear text in the file, and a user who is not listed is not allowed to connect to the openvpn server. That could be a problem if we set an OTP policy that forces all users, because people out of the office could not enable OTP in their settings page.

Now I would like to use this plugin with openvpn-auth-ldap; it seems they can work together.
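As an added illustration (not code from the thread or from the openvpn-otp project) of what the line above asks the server to verify, and of the hex-vs-base32 concern raised earlier: the plugin's "totp-30-6:sha1:hex" entry means RFC 6238 TOTP over a hex-encoded secret, checked against a single password field holding PIN followed by code. The script below reproduces that check and re-encodes the same hex secret as base32 for a tool that expects it. The secret used is the sample from the quoted config line; the PIN, drift window and function names are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import struct

# Sample values from the openvpn-otp line quoted above (not a real key).
SAMPLE_HEX_SECRET = "5c5a75a87ba1b48cb0b6adfd3b7a5a0e"
SAMPLE_PIN = "6543"


def hex_secret_to_base32(hex_secret: str) -> str:
    """Re-encode a hex secret (pam_oath / openvpn-otp style) as unpadded base32,
    the form base32-only authenticators expect, so one key can serve both."""
    raw = bytes.fromhex(hex_secret)
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, i.e. the plugin's 'totp-30-6:sha1'."""
    counter = struct.pack(">Q", at // step)          # 8-byte big-endian time step
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_pin_plus_otp(entered: str, hex_secret: str, pin: str,
                        at: int, drift_steps: int = 1) -> bool:
    """Check one password-field value of the form <known PIN><6-digit OTP>.

    Both halves are compared with constant-time comparisons and both are always
    evaluated, so a wrong PIN and a wrong code take the same path. The code is
    accepted within +/- drift_steps time steps to tolerate clock skew (assumed
    window; the real plugin's tolerance is its own setting).
    """
    secret = bytes.fromhex(hex_secret)
    n = len(pin)
    if len(entered) != n + 6:
        return False
    pin_ok = hmac.compare_digest(entered[:n], pin)
    candidates = [totp(secret, at + k * 30)
                  for k in range(-drift_steps, drift_steps + 1)]
    otp_ok = any(hmac.compare_digest(entered[n:], c) for c in candidates)
    return pin_ok and otp_ok


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(bytes.fromhex(SAMPLE_HEX_SECRET), now)
    print("base32 form of the sample secret:", hex_secret_to_base32(SAMPLE_HEX_SECRET))
    print("what the user would type right now:", SAMPLE_PIN + code)
    print("accepted:", verify_pin_plus_otp(SAMPLE_PIN + code, SAMPLE_HEX_SECRET, SAMPLE_PIN, now))
```

The test vector from RFC 6238 (secret "12345678901234567890", T=59) yields 287082 for six digits, which is a quick way to confirm the TOTP half matches a hardware token.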


This sounds like a great plan!


Grrrrrrr, google-authenticator allows MFA out of the box: login+password+otp_pin. You just need to pass password+otp_pin in the same field.


For the non-coding people such as myself, what can we do to help get this to become a reality?


Honestly it is not really a job for a coder now; more sysadmin skills are needed. Code is often the last skill needed, and we are open source, you probably have 2 million code examples to use :smiley:

I think I am close. The idea now is to use google-authenticator (thanks @bwdjames) with openvpn; it allows using the same secret and multifactor (login+password+certs+otp).

Now what I am looking for is a way to tell google-authenticator to let a user without OTP enabled connect to the openvpn server, but it seems we have a bug with CentOS.

However, we could also say that OTP is for all users: create their OTP by an event, send them the picture to scan by email, or simply ask them to come to the office and scan the QR code in the cockpit settings page today, and tomorrow in the users page that the dev team is currently working on.

Ah no worries, that was the first thing I thought of searching for in Google to see what would appear.
Glad it potentially has some uses, and apologies I can't be of more help; my head is still spinning a bit with the change of working environment.


not so happy to use a software called google :slight_smile:

but I got it working without forcing everybody to OTP for openvpn, hurrah

why does no one ever mention Microsoft Authenticator?


It seems it is mostly the mobile application and not an authentication tool based on PAM (pluggable authentication module), as far as I understood.

It is coming :boom:


Something new to test for increasing VPN security: we release a new VPN policy, login+certificate+otp_pin. This policy is forced on every user, so before going out of the company people must install an OTP app (FreeOTP?) and enable their OTP settings.

Each user must create their OTP settings
Each user must install the new client configuration (you have to set the login name)
The sysadmin enables the new policy in the R2W account

When the client connects to the VPN, they give the OTP code they can read on their smartphone (only the OTP pin, never their password).

Please have a go