Core 169 - 2FA not working

I updated to 169 today and enabled 2FA for my existing OpenVPN profile. The profile shows 2FA is enabled and provides a QR code to scan. Before going any further I connected the profile from my Pixel 6, Fedora Linux laptop and Linux Mint laptop without any 2FA challenge. Restarted the OpenVPN server but I am still able to connect without using any code.

I assume you have updated with the new config on your client (to include the new lines related to OTP)?

I have tested this with a new profile and it would appear to work. One point of note from my limited testing: during the usual connection process (Windows OpenVPN GUI) it asks for the private key (the usual regular VPN password) to initiate the OpenVPN GUI connection.
It does its usual connection, then it asks again for the private key password, and finally it asks for the OTP (one-time password) that must be supplied from the Google Authenticator (or similar), having added the profile by scanning the QR code.

I did update the profile on one device with the new OTP-required profile. The connection still succeeded with no OTP challenge. The ovpn server should not allow the connection to succeed without the challenge. It may work on Windows ovpn but this then is a placebo and not a real security feature. The mere fact that the config added a new line means this requirement has been placed on the client and not the server. This means this “requirement” can be ignored completely and still connect to the server.

I’ve found this often when it comes to some so-called security measures. One example is a Windows RD gateway server. Clients are “required” to have an SSL certificate installed in the local certificate store. A Windows computer will refuse to connect without it. Linux though will connect to remote sessions completely ignoring the requirement. Placebo, not real security.

I stopped the VPN server and redistributed the OTP-enabled profile across the same three devices mentioned previously. Fired up the VPN server and successfully connected all three devices with no challenge.

Same here. No challenge on new or existing profiles.

This does not work. 2FA needs to be rebuilt using server side challenge, not client.

Hello @all,

exactly the same problem here. I can’t get 2FA working as described by DisturbedDragon.

I deleted the profile, created a new one with “Enable OTP” checked, and downloaded the client package. On my Linux Mint I deleted the profile and created a new one with the new client package. Installed FreeOTP+ on my Android and scanned the QR code. Connection established without any 2FA.

Is there any news on this issue?

Stop and start the OpenVPN server on IPFire to reload the config. Then it works as expected.

Did that several times, doesn’t work. Issue is not the service but how the whole thing is set up.

Hm, I’m still not able to get it working.

From https://blog.ipfire.org/ :
“When you now try to establish the VPN connection, you will be asked for your the number that the app is showing you.”

→ who will ask me?

On Android I use OpenVPN for Android from F-Droid. Should this app ask me? On my Linux Mint I use the integrated VPN connector. Also there’s no request coming for a 2FA PIN.

OpenVPN Log while OTP turned on: "TLS: Username/Password authentication deferred for username ‘’ "
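
The point argued in the thread, that an OTP prompt only protects anything if the server refuses clients that skip it, can be checked against the server's own configuration. The following is an added example, not part of any post and not IPFire's code: it classifies a server config using directive names from the OpenVPN manual. The sample configs are constructed, and which of these directives IPFire actually writes is an assumption.

```python
# Added example: classify how an OpenVPN *server* config enforces credentials.
# Sample configs are constructed for illustration, not taken from IPFire.

# Directives that hand a client's username/password to a server-side check.
# Note: "plugin" only counts if the loaded plugin is an auth plugin; inspect it.
VERIFY_DIRECTIVES = {"auth-user-pass-verify", "management-client-auth", "plugin"}


def directives(config_text):
    """Return the set of directive names in a config, ignoring comments."""
    found = set()
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            found.add(line.split()[0].lstrip("-"))
    return found


def server_enforcement(config_text):
    """Classify server-side credential enforcement: none/delegated/required."""
    d = directives(config_text)
    if not (d & VERIFY_DIRECTIVES):
        return "none"        # certificate-only: no password or OTP is ever checked
    if "auth-user-pass-optional" in d:
        return "delegated"   # clients may omit credentials; the backend must reject
    return "required"        # server refuses clients that send no username/password


def client_prompts(config_text):
    """True if the client profile asks the user for credentials."""
    return "auth-user-pass" in directives(config_text)


SERVER_CERT_ONLY = "port 1194\nproto udp\nca ca.pem\ncert server.pem\nkey server.key\n"
SERVER_DELEGATED = SERVER_CERT_ONLY + "management-client-auth\nauth-user-pass-optional\n"
SERVER_REQUIRED = SERVER_CERT_ONLY + "management-client-auth  # no optional flag\n"
CLIENT_WITH_OTP = "client\nremote vpn.example.org 1194\nauth-user-pass\n"

if __name__ == "__main__":
    # A prompting client profile does not change what the server enforces.
    print("client prompts:", client_prompts(CLIENT_WITH_OTP))
    for name, cfg in [("cert-only", SERVER_CERT_ONLY),
                      ("delegated", SERVER_DELEGATED),
                      ("required", SERVER_REQUIRED)]:
        print(name, "->", server_enforcement(cfg))
```

A result of "delegated" means the decision rests entirely on the authentication backend, so that backend has to reject a connection that arrives with an empty username.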