OpenVPN with cert+OTP

Hi everyone,

I have configured OpenVPN with certificates and OTP successfully. I had to set “auth-user-pass” as suggested in this other thread, otherwise no UI is shown during the connection.

This is what the dialog looks like when starting the connection:

[image: pic1]

I want the users to enter a new OTP after a certain time. I have set “reneg-sec” in the server config accordingly, and to 0 in the client configuration. As expected, the connection is interrupted after the given time, but now comes the problem. It is not the initial OTP-dialog that shows up again, but the standard user/password one.

I poked around. As I found out, the logic is implemented in /var/ipfire/ovpn/openvpn-authenticator, but at this point, I cannot tell if the issue is in my configuration, or if the script does not handle my use case correctly.

Is anyone running this configuration, or has a hint for me?

Thanks!

Hi,

from what I gathered from the other thread, you are running the standard OpenVPN client on Windows. Unfortunately, I do not have experience with that particular OpenVPN client software when it comes to OTP - on Linux clients, however, OpenVPN behaves properly when reauthenticating and asking for a new OTP.

Since IPFire’s OpenVPN server does not differentiate between client operating systems in that regard, I assume the problem is related to your OpenVPN client, rather than IPFire. 🙂

Thanks, and best regards,
Peter Müller

Hi Peter,

thank you for the response. I do indeed use the OpenVPN Client (community, v2) on Windows. I will perform the same test with the Linux client and compare, that is a good tip. What would be the reference setup, e.g. which client exactly is behaving correctly? If relevant, I can use any recommended distribution too.

Best regards
Olivier

Hi,

looking at Release Notes for OpenVPN Connect on Windows, the latest release of OpenVPN Connect is 3.5.0 (released on July 18), so as a good first step, ensuring that your system is running the latest version of the VPN client is probably a sensible thing to do. Perhaps whatever issue you are facing has already been fixed meanwhile, not to mention all the security-relevant bugs… 🙂

Thanks, and best regards,
Peter Müller

Hi Peter,

OpenVPN2 and OpenVPN3 (Connect) are different beasts, both are still maintained. See here for more details: https://openvpn.net/vpn-server-resources/which-version-of-openvpn-to-use/
There is a reason why we use the community version, but I do not have it right now.

Could you just let me know the reference configuration where the OTP works as expected? I will set it up, whatever it is, and then try to pinpoint the issue.

Thanks!

Olivier
