Core 169 - 2FA for OpenVPN - how to?

I just installed Core 169 to try out the new 2FA for OpenVPN. But it seems I’m stuck on how this all should work.
Actually, I’m missing any URL or whatever in the client config to get and display the token; all I found is the button in IPFire’s admin WUI?!
Maybe I’m wrong, but it feels to me that there’s something with “or” missing in this sentence:

“It can either be enforced on a per-client basis, preserving the flexibility of mixing end-user devices with machine clients, where no manual interaction is feasible during OpenVPN connection establishment.”

So, how shall this work?
TIA!


edit: Mistaken link removed.

@chrisk1 Sorry, I was using a smartphone that day and pasted the wrong link. :blush:

Regards

Thanks, but the page you posted is about “OpenVPN Access Server”, a commercial product that differs a lot from the community server and client.
Also, it does not cover how the mechanism shall work in IPfire.

Hi,

apologies for these two issues in the testing announcement for Core Update 169.

The 2FA feature is documented here and here in the wiki; I just updated the blog post to reflect that information. Please let us know if anything is still missing or unclear though.

Thanks in advance for your testing efforts, and best regards,
Peter Müller


Thanks Peter!

So, the QR-code is NOT the OTP but a link to set up a config in the OTP app, right?
If so, one has to give the users the client-package AND the QR-code, is that correct?

However, I’m still missing any settings about the OTP-provider on the server side. Where and how does it connect to check the supplied OTP?

I still draw a blank about how it actually is supposed to work as a whole :confused:

BTW: There seems to be no link to this page from the parent page: wiki.ipfire.org - Multi-factor authentication (2FA)


Hi,

not exactly. Since this is TOTP, the QR-code contains a secret (also called “seed” in this context) that has to be passed to the TOTP generator of the respective user. That generator will then derive TOTP tokens from this seed.

Yes, and both have to be kept confidential.

It does not, as the way TOTP is implemented here runs completely self-sufficiently on both the server and the client side. So, there is no dependency on a 3rd party, e.g. an authentication provider.

Indeed. Will fix that later.

Hope to have clarified some bits and pieces. Let me know if I did not. :slight_smile:

Thanks, and best regards,
Peter Müller

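To make concrete what “self-sufficient on both sides” means in the reply above (and why, as a later reply notes, any TOTP app will do), here is an added worked example. It is my own illustration, not IPFire’s code; the thread does not show IPFire’s server-side check, so the replay guard and the one-step drift window below are design choices I am assuming. The QR code decodes to an otpauth:// URI carrying a base32 seed; the client app derives a 6-digit token from that seed and the current 30-second time step (RFC 6238 on top of RFC 4226 HMAC); the server, holding the same seed, recomputes the token for the current step plus the drift window and compares. Nothing contacts a third party. The sample URI, account label and seed are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a TOTP enrolment QR code decodes to.
# The seed is made up for this example, not an IPFire-issued one.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/IPFire%20OpenVPN:alice?"
    "secret=JBSWY3DPEHPK3PXP&issuer=IPFire%20OpenVPN&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth_uri(uri):
    """Extract the shared seed and the TOTP parameters from an otpauth:// URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("provisioning URI carries no secret")
    secret = q["secret"][0].upper()
    # URIs usually omit base32 padding; restore it so the decoder accepts the seed.
    padded = secret + "=" * (-len(secret) % 8)
    return {
        "label": unquote(u.path.lstrip("/")),
        "seed": base64.b32decode(padded),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def hotp(seed, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian 64-bit counter, then dynamic truncation."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(seed, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed, at_time, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period). This is the client side."""
    return hotp(seed, int(at_time) // period, digits, algorithm)


class TotpVerifier:
    """Server-side check for one client: same seed, small drift window, no token reuse.

    The window and the anti-replay rule are assumptions for this example, not IPFire's
    documented behaviour.
    """

    def __init__(self, params, window=1):
        self.p = params
        self.window = window      # accept +/- this many periods of clock drift
        self.last_counter = -1    # highest time step already accepted (anti-replay)

    def verify(self, token, now=None):
        now = time.time() if now is None else now
        counter = int(now) // self.p["period"]
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue          # already used, or older than the last accepted step
            expected = hotp(self.p["seed"], c, self.p["digits"], self.p["algorithm"])
            if hmac.compare_digest(expected, token):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # Enrolment: the user's app and the server both end up holding the same seed.
    params = parse_otpauth_uri(SAMPLE_OTPAUTH_URI)
    server = TotpVerifier(params)
    # Login: the app shows a token for "now"; the server checks it without any network call.
    token = totp(params["seed"], time.time(), params["period"], params["digits"], params["algorithm"])
    print(params["label"], token, server.verify(token))
```

Because the seed alone is enough to mint valid tokens, the QR code is as sensitive as the client certificate and key it accompanies, which is why both have to be kept confidential. And because the scheme is plain RFC 6238, any standard TOTP generator interoperates, provided it does not live on the device that dials the VPN.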

Hi Peter,

cool, thanks again! I’ll test it and report back how it worked out. :slight_smile:

BTW: MS-Authenticator App also seems to work:


Hi,

glad to hear this is working fine.

Yes, any application that can generate TOTP tokens is fine. The only constraint here is that it must not run on the same device that establishes the OpenVPN connection, since that would contradict the idea behind 2FA. :slight_smile:

Also, for the record, 2FA is not a silver bullet. Should the end-user device be compromised, an attacker can just wait until the user has authenticated properly, and then start to conduct reconnaissance, lateral movement or whatever.

Just saying this for the sake of completeness, to prevent thoughts like “I have enabled 2FA, now I am completely safe” - from my experience, particularly C-level folks like to think that way. :smiley:

Thanks, and best regards,
Peter Müller


Edit:

First tests on a VM: andOTP and Authy on Android, Authy on Windows 10 64-bit.
Looks like they are working.

Edit:

Tests with Bitwarden - OK too



To all -

Note from andOTP developer:

Hello everyone,

I have a difficult announcement to make: I am going to stop maintaining andOTP and working on the rewrite for the time being.

As you probably have noticed, andOTP hasn’t been updated for about a year now.


Ok, then I suggest remove andOTP from IPFire Wiki pages.

Edit:

I have deleted the entry about andOTP on the IPFire WIKI page.


2FA tested with CU169 next/8000bc0a and works fine. As authenticator apps I used Microsoft Authenticator, Google Authenticator and OneTouch.


I have just installed update 169 and enabled OTP for existing clients. However, when using OpenVPN, the clients don’t have a passcode prompt. I want to confirm: do you have to redistribute the client package for existing clients after enabling OTP? If so, IPFire should tell you that you need to do that since it’s not clear! It would be nice if it just worked once you’ve enabled OTP for a client in IPFire.

Update: When I enabled OTP for an iPad and restarted the OpenVPN server, OpenVPN couldn’t connect. There was a constant in-progress indicator although IPFire said the iPad was connected. I didn’t re-distribute the client package. I disabled OTP for the iPad and it connected. I didn’t need to restart the OpenVPN server.

Yes, you have to update the configs on your clients to include the new lines related to OTP; otherwise the client does not know that OTP has been introduced.

You can either redistribute the client package or you can find the additional lines and add those to each of the clients.
