CU 171 with TOTP

Here’s what I learned when I migrated my company’s Road Warriors using OpenVPN on IpFire CU168 to OpenVPN with TOTP on CU171.

  • If users were running OpenVPN client version earlier than Community 2.5.7, released May 31, 2022, they received the error message, “Connecting to management interface failed…”

  • If users were running OpenVPN the latest client version, Community 2.5.8, released November 2, 2022, the log shows, “Sending PUSH_REQUEST to server…” and there is no handshake/connection completed.

  • Users running OpenVPN client version, Community 2.5.7, released May 31, 2022, are able to connect using their TOTP code.

FYI, here’s a sanitized version the OpenVPN client conf. file we are using. The server conf. file is the IPFire default.

#OpenVPN Client conf
dev tun
proto udp
remote 555.555.5.111 1194
pkcs12 jqpublic.p12
cipher AES-256-CBC
auth SHA256
tls-auth ta.key
verb 3
remote-cert-tls server
verify-x509-name name
auth-token-user USER
auth-token TOTP
auth-retry interact

# Start of custom directives
# from client.conf.local

sndbuf 0
rcvbuf 0
reneg-sec 0

# End of custom directives

I ran into the same issue (see my mislead bug report below), but I didn’t realize until your post that it was an issue with the client.

I have a work-around, but it only seems to help with the Community Edition on Windows. If you add these two directives to your ovpn file, it should force the prompt for the OTP code.

static-challenge "Enter your OTP" 0