I have configured OpenVPN with certificates and OTP successfully. I had to set “auth-user-pass” as suggested in this other thread, otherwise no UI is shown during the connection.
This is what the dialog looks like when starting the connection:
I want the users to enter a new OTP after a certain time. I have set “reneg-sec” in the server config accordingly, and to 0 in the client configuration. As expected, the connection is interrupted after the given time, but now comes the problem. It is not the initial OTP-dialog that shows up again, but the standard user/password one.
I poked around. As I found out, the logic is implemented in /var/ipfire/ovpn/openvpn-authenticator, but at this point, I cannot tell if the issue is in my configuration, or if the script does not handle my use case correctly.
Is anyone running this configuration, or has a hint for me?
From what I gathered from the other thread, you are running the standard OpenVPN client on Windows. Unfortunately, I do not have experience with that particular OpenVPN client software when it comes to OTP - on Linux clients, however, OpenVPN behaves properly when reauthenticating and asking for a new OTP.
Since IPFire’s OpenVPN server does not differentiate between client operating systems in that regard, I assume the problem is related to your OpenVPN client, rather than IPFire.
Thank you for the response. I do indeed use the OpenVPN Client (community, v2) on Windows. I will perform the same test with the Linux client and compare, that is a good tip. What would be the reference setup, e.g., which client exactly is behaving correctly? If relevant, I can use any recommended distribution too.
Looking at Release Notes for OpenVPN Connect on Windows, the latest release of OpenVPN Connect is 3.5.0 (released on July 18), so as a good first step, ensuring that your system is running the latest version of the VPN client is probably a sensible thing to do. Perhaps whatever issue you are facing has already been fixed meanwhile, not to mention all the security-relevant bugs…
Could you just let me know the reference configuration where the OTP works as expected? I will set it up, whatever it is, and then try to pinpoint the issue.