I come here to talk about OpenVPN and 2FA. I spent some time on it and need to share with you what I found; it is time to know whether I go further or let this topic drop.
First, I hope that you know it is a commercial feature in many, many projects and not free at all. Basically what I would like is to use the same key we store under
~/.2fa.secret and propose to add the 2FA.
My concern now is that I never succeeded in making it workable with
password+certificates+otp_pin; my only success was
I have my mind split in two ways. First, the password could be compromised: since we use LDAP, if the password is compromised and the laptop is stolen, then access to the network is probably granted. This is why I thought that maybe it could still be a good enhancement to propose a new policy to OpenVPN:
certificates+otp; the computer/certs could be stolen, it is less risky.
If we want to go to password+certificates+otp then maybe I should test something like https://github.com/evgeny-gridasov/openvpn-otp, but I have not really tested it and I am not a big fan of using something not packaged in EPEL or in base.
It seems that google-authenticator could use password+otp_pin, but we did not use it because of some known vulnerabilities, and now my main concern is that the key we use is not compatible (hex vs base32), so it would drive us to use two keys.
Actually we use pam_oath; this is what we use for sshd and cockpit. However, I think we could implement it with pwauth (to protect a website with OTP).
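The hex and base32 formats mentioned in the post are two encodings of the same secret bytes: pam_oath's users.oath file stores the key as hex, while google-authenticator reads it as base32. The script below is an added example, not code from the post or from either project. It re-encodes a hex secret as base32, then computes RFC 4226 HOTP / RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) from both encodings to show they yield identical codes, and includes a verifier with a small time-step window. The sample secret is the RFC 4226/6238 test-vector key ("12345678901234567890" in ASCII) and is a constructed value, not a real deployment key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 4226 / RFC 6238 test-vector key as hex
# (ASCII "12345678901234567890"). Not a real key.
HEX_SECRET = "3132333435363738393031323334353637383930"


def hex_to_base32(hex_secret: str) -> str:
    """Re-encode a pam_oath-style hex secret as the base32 string a
    google-authenticator-style enrolment expects (padding stripped)."""
    raw = bytes.fromhex(hex_secret)
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def base32_to_bytes(b32_secret: str) -> bytes:
    """Decode a base32 secret, tolerating missing '=' padding and lowercase."""
    padded = b32_secret.strip().upper() + "=" * (-len(b32_secret) % 8)
    return base64.b32decode(padded)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then modulo 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, for_time // step, digits)


def same_key_same_code(hex_secret: str, for_time: int) -> bool:
    """Show that the hex key and its base32 re-encoding produce the same
    TOTP, i.e. one shared secret can serve both pam_oath and a base32 app."""
    key_from_hex = bytes.fromhex(hex_secret)
    key_from_b32 = base32_to_bytes(hex_to_base32(hex_secret))
    return key_from_hex == key_from_b32 and totp(key_from_hex, for_time) == totp(key_from_b32, for_time)


def verify_totp(key: bytes, code: str, now: int, window: int = 1, step: int = 30) -> bool:
    """Verifier side: accept the code for the current step and +/- `window`
    adjacent steps to absorb clock skew. Uses a constant-time comparison so the
    check does not leak how many digits matched."""
    current = now // step
    return any(
        hmac.compare_digest(hotp(key, current + delta), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    key = bytes.fromhex(HEX_SECRET)
    print("base32 form :", hex_to_base32(HEX_SECRET))
    print("TOTP at T=59:", totp(key, 59))
    print("same code from both encodings:", same_key_same_code(HEX_SECRET, 59))
    now = int(time.time())
    print("current code verifies:", verify_totp(key, totp(key, now), now))
```

The HOTP/TOTP routine is the same one pam_oath and google-authenticator implement, so the only thing that differs between the two tools is how the key file is written; a real deployment would keep the secret readable only by the authenticating service and, for HOTP, track the last accepted counter to prevent replay.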