OpenVPN OTP Authentication

Hey Guys,

I was wondering if it is possible to use OTP (Google Authenticator etc.) as an additional authentication method for OpenVPN Roadwarrior connections. I had a look into the wiki but the link “Authentication methods” sends me to the proxy authentication configuration.

Thanks for your feedback :slight_smile:

Steffen

Currently that is not possible. Sorry.

Hi all,

you are right, something went wrong while converting the old wiki to the new one regarding the authentication possibilities for OpenVPN. Here --> https://wiki.ipfire.org/configuration/services/openvpn/extensions/plugins/auth-pam you can find some info on the auth-pam plugin.
In the already linked location, an LDAP wiki --> https://wiki.ipfire.org/configuration/services/openvpn/extensions/auth/ldap can also be found.

Will fix this soon.

Regarding OTP, do you have a favourite?

Best,

Erik

Hello Erik,
thank you for your feedback. My favourite would be the Google Authenticator.
Thank you for the links, I will have a look.

Greetings

Steffen

Hi Steffen,
have built google-authenticator-1.02 now. A first try looks like this:

$ /usr/bin/google-authenticator -h
google-authenticator [<options>]
 -h, --help               Print this message
 -c, --counter-based      Set up counter-based (HOTP) verification
 -t, --time-based         Set up time-based (TOTP) verification
 -d, --disallow-reuse     Disallow reuse of previously used TOTP tokens
 -D, --allow-reuse        Allow reuse of previously used TOTP tokens
 -f, --force              Write file without first confirming with user
 -l, --label=<label>      Override the default label in "otpauth://" URL
 -i, --issuer=<issuer>    Override the default issuer in "otpauth://" URL
 -q, --quiet              Quiet mode
 -Q, --qr-mode={NONE,ANSI,UTF8}
 -r, --rate-limit=N       Limit logins to N per every M seconds
 -R, --rate-time=M        Limit logins to N per every M seconds
 -u, --no-rate-limit      Disable rate-limiting
 -s, --secret=<file>      Specify a non-standard file location
 -S, --step-size=S        Set interval between token refreshes
 -w, --window-size=W      Set window of concurrently valid codes
 -W, --minimal-window     Disable window of concurrently valid codes
$ /usr/bin/google-authenticator 

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@ipfire-server.local%3Fsecret%3D2IQEPLVMILXAEWJY6QOKIMYFZU%26issuer%3Dipfire-server.local
Your new secret key is: 2IQEPLVMILXAEWJY6QOKIMYFZU
Your verification code is 671951
Your emergency scratch codes are:
  21370559
  80397018
  84643833
  31637358
  36135594

Do you want me to update your "/root/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds. In order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with
poor time synchronization, you can increase the window from its default
size of +-1min (window size of 3) to about +-4min (window size of
17 acceptable tokens).
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
$ cat /root/.google_authenticator 
2IQEPLVMILXAEWJY6QOKIMYFZU
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
21370559
80397018
84643833
31637358
36135594

which seems to be functional. If you want to give it a try, you can find the IPFire package in here --> https://people.ipfire.org/~ummeegge/google-authenticator/ .
Since I am currently not into this topic, you may have some more info on how to find a good setup for this.

EDIT: Have seen that libqrencode3 is also needed. Will build it but this takes a little time.

Best,

Erik

Wow awesome. I will have a try when libqrencode3 is built. Thank you very much for your work :slight_smile:

Hey Erik,
I just had a look in the package and I would need the libpam-google-authenticator for OTP authentication. Would it be possible to build that?

Greetings

Steffen

Hi Steffen,
I think the name differs by distribution. Here --> https://github.com/google/google-authenticator-libpam/issues/116 e.g. the .so is also called ‘pam_google_authenticator.so’ … Compiled it as described here --> https://github.com/google/google-authenticator/wiki/PAM-Module-Instructions --> https://velenux.wordpress.com/2019/03/12/openvpn-with-google-2-factor-authentication-on-centos-7/ and got the .so with that name. If you have other build instructions/howtos just post them.
Have nevertheless found a newer version 1.08, and am also thinking about adding an own group/user for google-authenticator like here --> https://medium.com/we-have-all-been-there/using-google-authenticator-mfa-with-openvpn-on-ubuntu-16-04-774e4acc2852 .

Some other ideas are:

A downside to the OTP authentication, from what I have seen so far, is that the reneg-sec 3600 (rekeying) was mostly disabled.

Some beneath infos.

Best,

Erik

If you use the compiling instructions on GitHub everything should be fine. I had a look at the Medium how-to as well. I think using the openvpn otp plugin could be a nice idea too.

google-authenticator-1.08 , openvpn-otp-1.0 and libqrencode-4.0.0 are now ready and can be found in here --> https://people.ipfire.org/~ummeegge/otp/ .

Installation and uninstallation can be done via the scripts in the package. Copy it to /opt/pakfire/tmp and execute them.

Made a quick test with google-authenticator only, which looked OK at first view, but there seems to be a problem with the PAM module.

First Steps:

  • Created a user with own directory under home.
  • su'ed into it and executed
bash-4.3$ google-authenticator -C -t -f -D -r 3 -Q UTF8 -R 30 -w3 -s /home/testotp/google-authenticator/testotp

which results in

Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/testotp@ipfire-janeisklar.local%3Fsecret%3DD7MJSHIK3OWMT27X2APJAR3RUU%26issuer%3Dipfire-janeisklar.local
Your new secret key is: SGHJSCON3OSHJ27X2APJAR3RUU
Your verification code for code 1 is 047584
Your emergency scratch codes are:
  27565487
  82723306
  34445652
  48456451
  54560420

Checked the barcode with an iPhone and Google Authenticator from the App Store, which worked.

  • Added new PAM profile called ‘openvpn’ with the following content
auth required           /usr/lib/security/pam_google_authenticator.so secret=/home/testotp/google-authenticator/testotp forward_pass debug
  • Used “Additional configuration” for server and client configuration on OpenVPN with
# Google authenticator
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

for server.conf.local and

# Google-authenticator
# use username/password authentication
auth-user-pass
# do not cache auth info
auth-nocache

for client.conf.local

But got stuck at:

Mar  9 10:12:12 ipfire openvpn[17716]: PAM _pam_init_handlers: no default config other
Mar  9 10:12:12 ipfire openvpn(pam_google_authenticator)[17716]: debug: start of google_authenticator for "testotp"
Mar  9 10:12:12 ipfire openvpn(pam_google_authenticator)[17716]: debug: Secret file permissions are 0600. Allowed permissions are 0600
Mar  9 10:12:12 ipfire openvpn(pam_google_authenticator)[17716]: debug: "/home/testotp/google-authenticator/testotp" read
Mar  9 10:12:12 ipfire openvpn(pam_google_authenticator)[17716]: debug: shared secret in "/home/testotp/google-authenticator/testotp" processed
Mar  9 10:12:12 ipfire openvpn(pam_google_authenticator)[17716]: debug: google_authenticator for host "(null)"
Mar  9 10:12:12 ipfire openvpn(pam_google_authenticator)[17716]: debug: no scratch code used from "/home/testotp/google-authenticator/testotp"
Mar  9 10:12:12 ipfire openvpn(pam_google_authenticator)[17716]: Accepted google_authenticator for testotp
Mar  9 10:12:12 ipfire openvpn(pam_google_authenticator)[17716]: debug: "/home/testotp/google-authenticator/testotp" written
Mar  9 10:12:12 ipfire openvpn(pam_google_authenticator)[17716]: debug: end of google_authenticator for "testotp". Result: Success
Mar  9 10:12:12 ipfire openvpn[17716]: PAM no modules loaded for 'openvpn' service
Mar  9 10:12:12 ipfire openvpnserver[17715]: 192.168.90.4:40087 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mar  9 10:12:12 ipfire openvpnserver[17715]: 192.168.90.4:40087 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
Mar  9 10:12:12 ipfire openvpnserver[17715]: 192.168.90.4:40087 TLS Auth Error: Auth Username/Password verification failed for peer

Am currently a little short on time. Maybe you can find out some more.

Best,

Erik

Yes sure, I will have a look. Thanks for your work :smiley:

Hey Erik,

after some hours I got it to work. I configured the OpenVPN server to use TOTP in connection with username/password authentication using pam_unix.so.

I first configured the OpenVPN-Server to use authentication via username/password using this how-to: https://wiki.ipfire.org/configuration/services/openvpn/extensions/plugins/auth-pam

After that was working I started to integrate OTP authentication.

I created a folder where the secret files of the users should be stored and created a user for creating the software tokens:

addgroup gauth
useradd -g gauth gauth
mkdir /var/ipfire/ovpn/google-authenticator
chown gauth:gauth /var/ipfire/ovpn/google-authenticator
chmod 0700 /var/ipfire/ovpn/google-authenticator

I customized the /etc/pam.d/openvpn :

#Google Authenticator
auth    requisite       /usr/lib/security/pam_google_authenticator.so secret=/var/ipfire/ovpn/google-authenticator/${USER} user=gauth forward_pass debug

#Username/Password authentication
auth    required        pam_unix.so use_first_pass
account required        pam_unix.so

This is what my server.conf.local looks like:
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/openvpn

Here are my entries in client.conf.local:

#Username - Password Authentication
auth-user-pass

#Do not cache auth info
auth-nocache

To create new users more conveniently I use the following shell script:
#!/bin/bash

#variables

#MFA Label
MFA_LABEL='Testcorp OpenVPN-Server'

#MFA User
MFA_USER=gauth

#Directory for Secretfiles
MFA_DIR=/var/ipfire/ovpn/google-authenticator


##########################################################################
echo -en "Please enter new username:"
read -r user_id

if [ "$user_id" = "" ]; then
	echo "ERROR: No username specified"
	exit 1
fi

echo "Creating account ${user_id}"
useradd -s /bin/false "$user_id"

echo "Please enter password for new user"
passwd "$user_id"

echo "Creating MFA token"
su -c "google-authenticator -t -C -d -r3 -R30 -f -l \"${MFA_LABEL}\" -s \"${MFA_DIR}/${user_id}\"" - "$MFA_USER" | tee "$MFA_DIR/otp-config/$user_id"

For logging in using the OpenVPN client I created a roadwarrior connection for each user over the WUI
and did the import on the client machine. The credentials you have to type in when connecting are the following:

username : USER_ID
password: password+otp-token (for example: password934741)

Hope I didn't miss something. I hope the packages could find a way into the pakfire repo :slight_smile:

Greetings

Steffen
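
How the combined password+otp-token credential from the post above gets taken apart and checked, as an added Python example that is not part of the original thread and not the pam_google_authenticator source. It is a simplified model of the TOTP path only (no scratch-code login, no rate limiting); the function names, the sample state file and the password are constructed for illustration, and the secret is the RFC 4226/6238 test key rather than a value from the thread.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample in the layout of the secret file shown in the thread.
# The secret is the RFC 4226/6238 test key, not a value from the thread.
SECRET = base64.b32encode(b"12345678901234567890").decode()
STATE = SECRET + '\n" WINDOW_SIZE 3\n" DISALLOW_REUSE\n" TOTP_AUTH\n11112222\n33334444\n'


def parse_state(text):
    """Split a state file into (secret, options, scratch codes)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    opts, scratch = {}, []
    for ln in lines[1:]:
        if ln.startswith('"'):          # option lines start with a double quote
            key, _, val = ln[1:].strip().partition(" ")
            opts[key] = val
        else:                           # everything else is a scratch code
            scratch.append(ln)
    return lines[0], opts, scratch


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP; TOTP is HOTP with counter = unix_time // step."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F                # dynamic truncation offset
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)


def split_credential(credential, digits=6):
    """Model of forward_pass: trailing digits are the code, the rest the password."""
    code = credential[-digits:]
    if len(credential) <= digits or not (code.isascii() and code.isdigit()):
        return None                     # a bare code with no password is rejected here
    return credential[:-digits], code


def verify(state_text, credential, now, used, step=30):
    """Return the password to hand to the next PAM module, or None on failure."""
    secret, opts, _ = parse_state(state_text)
    parts = split_credential(credential)
    if parts is None:
        return None
    password, code = parts
    window = int(opts.get("WINDOW_SIZE") or 3)
    current = int(now) // step
    # WINDOW_SIZE 3 checks the previous, current and next 30 s step.
    for skew in range(-((window - 1) // 2), window // 2 + 1):
        counter = current + skew
        if counter < 0 or not hmac.compare_digest(hotp(secret, counter), code):
            continue
        if "DISALLOW_REUSE" in opts and counter in used:
            return None                 # replay of an already accepted code
        used.add(counter)
        return password
    return None
```

With the WINDOW_SIZE 17 chosen earlier in the thread, the same loop accepts codes from roughly four minutes either side of the server clock, so DISALLOW_REUSE is what stops a code from being accepted twice inside that span.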

Great work Steffen! Will give it a try, maybe in the evening.
Also had the user/group/dir and permissions block in the install.sh of google-authenticator. Am thinking about reintegrating it, or should we keep it simple?
Do you think we can bring other additions to the package?
Maybe the PAM config would be nice?
Should we rework the script a little to integrate it also into the package?

Best,

Erik

Hey Erik,

I think it would be useful to integrate it into the install script to keep it simple for the user. I would also integrate the PAM profile and the output folders /var/ipfire/ovpn/google-authenticator (for the secret files) and /var/ipfire/ovpn/google-authenticator/otp-config (for the setup and recovery information for each token) and the needed permissions.

Greetings

Steffen

Hi Steffen,
tested it and what should I say, it works :slightly_smiling_face:

Mar 11 14:53:00 ipfire openvpn[5654]: PAM _pam_init_handlers: no default config other
Mar 11 14:53:00 ipfire google-auth-openvpn(pam_google_authenticator)[5654]: debug: start of google_authenticator for "ummeegge"
Mar 11 14:53:00 ipfire google-auth-openvpn(pam_google_authenticator)[5654]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Mar 11 14:53:00 ipfire google-auth-openvpn(pam_google_authenticator)[5654]: debug: "/var/ipfire/ovpn/accounting/google-authenticator/ummeegge" read
Mar 11 14:53:00 ipfire google-auth-openvpn(pam_google_authenticator)[5654]: debug: shared secret in "/var/ipfire/ovpn/accounting/google-authenticator/ummeegge" processed
Mar 11 14:53:00 ipfire google-auth-openvpn(pam_google_authenticator)[5654]: debug: google_authenticator for host "(null)"
Mar 11 14:53:00 ipfire google-auth-openvpn(pam_google_authenticator)[5654]: debug: no scratch code used from "/var/ipfire/ovpn/accounting/google-authenticator/ummeegge"
Mar 11 14:53:00 ipfire google-auth-openvpn(pam_google_authenticator)[5654]: Accepted google_authenticator for ummeegge
Mar 11 14:53:00 ipfire google-auth-openvpn(pam_google_authenticator)[5654]: debug: "/var/ipfire/ovpn/accounting/google-authenticator/ummeegge" written
Mar 11 14:53:00 ipfire google-auth-openvpn(pam_google_authenticator)[5654]: debug: end of google_authenticator for "ummeegge". Result: Success
Mar 11 14:53:00 ipfire openvpnserver[5652]: 192.168.123.4:41732 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 11 14:53:00 ipfire openvpnserver[5652]: 192.168.123.4:41732 TLS: Username/Password authentication succeeded for username 'ummeegge' 
Mar 11 14:53:00 ipfire openvpnserver[5652]: 192.168.123.4:41732 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 11 14:53:00 ipfire openvpnserver[5652]: 192.168.123.4:41732 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 11 14:53:00 ipfire openvpnserver[5652]: 192.168.123.4:41732 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 2048 bit RSA
Mar 11 14:53:00 ipfire openvpnserver[5652]: 192.168.123.4:41732 [otptest] Peer Connection Initiated with [AF_INET]192.168.123.4:41732
Mar 11 14:53:00 ipfire openvpnserver[5652]: otptest/192.168.123.4:41732 OPTIONS IMPORT: reading client specific options from: /var/ipfire/ovpn/ccd/otptest
Mar 11 14:53:00 ipfire openvpnserver[5652]: otptest/192.168.123.4:41732 MULTI_sva: pool returned IPv4=10.63.16.14, IPv6=(Not enabled)
Mar 11 14:53:00 ipfire openvpnserver[5652]: otptest/192.168.123.4:41732 MULTI: Learn: 10.63.16.14 -> otptest/192.168.123.4:41732
Mar 11 14:53:00 ipfire openvpnserver[5652]: otptest/192.168.123.4:41732 MULTI: primary virtual IP for otptest/192.168.123.4:41732: 10.63.16.14
Mar 11 14:53:01 ipfire openvpnserver[5652]: otptest/192.168.123.4:41732 PUSH: Received control message: 'PUSH_REQUEST'
Mar 11 14:53:01 ipfire openvpnserver[5652]: otptest/192.168.123.4:41732 SENT CONTROL [otptest]: 'PUSH_REPLY,route 10.63.16.1,topology net30,ping 10,ping-restart 60,redirect-gateway,route 192.168.234.0 255.255.255.0,dhcp-option DNS 192.168.123.222,dhcp-option DNS 8.8.4.4,ifconfig 10.63.16.14 10.63.16.13,peer-id 0' (status=1)

Needed to modify the script a little in this line ‘$MFA_DIR/otp-config/$user_id’ since ‘otp-config’ is not there and is not created via google-authenticator.
Another one is, the barcode does not come up with the script via terminal…

Have extended the script a little and also the package, but am stalled currently since there is a discussion whether unsigned packages should be provided here in general.

Either way good work !

Best,

Erik

Hey Erik,

I'm happy that it works for you too. Yes, the folders /var/ipfire/ovpn/google-authenticator and /var/ipfire/ovpn/google-authenticator/otp-config were created manually because I wanted an output directory for the secret files and the otp-config files. The directories can be created during installation. The barcode is a picture, so if you redirect the output into a file the barcode is not there. But with the URL you can show the barcode.

Greetings

Steffen

Hi all,
made a package update now which also includes an extended script, which can be found here --> https://gitlab.com/ummeegge/google-authenticator-openvpn/-/blob/master/build_files/CONF/google-auth-openvpn/google-auth-adduser .
The script now includes:

  • Add new user
  • Display QR-Code or secret for already existing users
  • Delete existing user
  • List all users
  • Modify OpenVPN server and client config

Script can surely be extended and can surely even be made better but for the first this is how it goes.

  • The PAM profile is also included in the package.
  • A new directory under /var/ipfire/ovpn/accounting/google-authenticator will be created which is the home for all new OTP-OpenVPN users.

Packages are now located here --> https://people.ipfire.org/~ummeegge/google-authenticator-openvpn/ .

All build files can be found in here --> https://gitlab.com/ummeegge/google-authenticator-openvpn for those of you who want to build in their environment. Since the uninstall.sh scripts do not use Pakfire but uninstalls the files too, it is currently not on IPFire Git.

Best,

Erik

I find it a very, very interesting functionality. Have you thought about creating an addon and implementing it in the list of installable addons?

It would be a very good feature.

Hi Roberto,
thanks for your positive feedback. Am currently thinking about what it could look like.
If an OTP functionality comes to IPFire, more than one application like OpenVPN can benefit from this (SSH e.g., what else?) which brings this topic then to a new level (can hear the whispering of a new CGI in the leaves :grimacing: ) but in this current state here I wanted to find a proper way with OpenVPN; maybe we can also benefit from this work here even if it would come as a generalized addon (no script, no PAM config).

I ask myself also:

There are several questions from my side, does someone else have some too?

Best,

Erik

I'd like to see two factor authorization (2FA) with Authy. Is that possible?