I just installed Core 169 to try out the new 2FA for OpenVPN. But it seems I’m stuck in how this all should work.
Actually I’m missing any URL or whatever in the client-config to get and display the token; all I found is the button in IPFire’s admin WUI?!
Maybe I’m wrong, but it feels to me that there’s something with “or” missing in this sentence:
“It can either be enforced on a per-client basis, preserving the flexibility of mixing end-user devices with machine clients, where no manual interaction is feasible during OpenVPN connection establishment.”
Thanks, but the page you posted is about “OpenVPN Access Server”, a commercial product that differs a lot from the community server and client.
Also, it does not cover how the mechanism shall work in IPfire.
Apologies for these two issues in the testing announcement for Core Update 169.
The 2FA feature is documented here and here in the wiki; I just updated the blog post to reflect that information. Please let us know if anything is still missing or unclear though.
Thanks in advance for your testing efforts, and best regards,
Peter Müller
So, the QR-code is NOT the OTP but a link to set up a config in the OTP app, right?
If so, one has to give the users the client-package AND the QR-code, is that correct?
However, I’m still missing any settings about the OTP-provider on the server side. Where and how does it connect to check the supplied OTP?
I still draw a blank about how it actually is supposed to work as a whole.
Not exactly. Since this is TOTP, the QR-code contains a secret (also called “seed” in this context) that has to be passed to the TOTP generator of the respective user. That generator will then derive TOTP tokens from this seed.
Yes, and both have to be kept confidential.
It does not, as the way TOTP is implemented here runs completely self-sufficient on both the server and the client side. So, there is no dependency on a 3rd party, e.g. an authentication provider.
Indeed. Will fix that later.
Hope to have clarified some bits and pieces. Let me know if I did not.
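To make the whole flow concrete (seed in the QR code, token derived on the user's device, token checked locally on the server with no third party involved), here is an added example implementing TOTP per RFC 6238. It is not IPFire's code: it assumes the RFC defaults (HMAC-SHA1, 30-second step, 6 digits), uses the RFC 6238 test-vector seed `12345678901234567890` as the constructed secret, and invents the issuer label `IPFire-OpenVPN` for the otpauth URI; IPFire's actual parameters may differ.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, quote, urlparse

# Constructed demo seed: the RFC 6238 Appendix B test-vector secret (ASCII digits).
# A real deployment generates a fresh random seed per client and keeps it confidential.
DEMO_SEED = b"12345678901234567890"

STEP_SECONDS = 30  # assumed RFC 6238 default time step
DIGITS = 6         # assumed RFC 6238 default token length


def otpauth_uri(seed: bytes, account: str, issuer: str = "IPFire-OpenVPN") -> str:
    """What a provisioning QR code encodes: the seed (base32) plus TOTP parameters.
    The issuer name here is a hypothetical label, not something IPFire necessarily uses."""
    secret = base64.b32encode(seed).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def seed_from_uri(uri: str) -> bytes:
    """Client side: recover the raw seed from a scanned otpauth URI (restore base32 padding)."""
    secret = parse_qs(urlparse(uri).query)["secret"][0]
    secret += "=" * (-len(secret) % 8)
    return base64.b32decode(secret)


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: Optional[int] = None) -> str:
    """User's authenticator app: the counter is the number of 30-second steps since the epoch."""
    if at is None:
        at = int(time.time())
    return hotp(seed, at // STEP_SECONDS)


def verify_totp(seed: bytes, token: str, at: Optional[int] = None, skew_steps: int = 1) -> bool:
    """Server side: recompute locally from the stored seed; accept the current step and
    +/- skew_steps neighbours to tolerate small clock drift. Constant-time comparison."""
    if at is None:
        at = int(time.time())
    step = at // STEP_SECONDS
    return any(hmac.compare_digest(hotp(seed, step + d), token)
               for d in range(-skew_steps, skew_steps + 1))


if __name__ == "__main__":
    uri = otpauth_uri(DEMO_SEED, "alice")
    print("QR code payload:", uri)
    client_seed = seed_from_uri(uri)          # what the app stores after scanning
    token = totp(client_seed)                 # what the user types at connection time
    print("current token:", token, "accepted:", verify_totp(DEMO_SEED, token))
```

Both sides hold the same seed and nothing else is exchanged, which is why the server needs no OTP provider configured and why the seed (QR code) has to be protected just like the client package: anyone holding it can produce valid tokens.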
Yes, any application that can generate TOTP tokens is fine. The only constraint here is that it must not run on the same device that establishes the OpenVPN connection, since that would contradict the idea behind 2FA.
Also, for the record, 2FA is not a silver bullet. Should the end-user device be compromised, an attacker can just wait until the user has authenticated properly, and then start to conduct reconnaissance, lateral movement or whatever.
Just saying this for the sake of completeness, to prevent thoughts like “I have enabled 2FA, now I am completely safe” - from my experience, particularly C-level folks like to think that way.
I have just installed update 169 and enabled OTP for existing clients. However, when using OpenVPN, the clients don’t have a passcode prompt. I want to confirm: do you have to redistribute the client package for existing clients after enabling OTP? If so, IPFire should tell you that you need to do that since it’s not clear! It would be nice if it just worked once you’ve enabled OTP for a client in IPFire.
Update: When I enabled OTP for an iPad and restarted the OpenVPN server, OpenVPN couldn’t connect. There was a constant “in progress” indicator although IPFire said the iPad was connected. I didn’t re-distribute the client package. I disabled OTP for the iPad and it connected. I didn’t need to restart the OpenVPN server.
Yes, you have to update the configs on your clients to include the new lines related to OTP; otherwise the client does not know that OTP has been introduced.
You can either redistribute the client package or you can find the additional lines and add those to each of the clients.