OTP Authentication

Good day,

I have created a new OpenVPN certificate with OTP.

With that being said, I have installed the OpenVPN certificate on my laptop and when prompted for the OpenVPN certificate, I then type it in; however, the OpenVPN connection window then states that a ‘push request’ has been sent over several lines. Please note that I expected the push request to bring up a window where I could type in the two-factor authentication code generated from the mobile app, but it unfortunately never pops up a window. Do you perhaps know what could be causing this?

OTP works only in a Windows client, Community Edition.

Thanks for your response.

Please note that I am using OpenVPN Community Edition 2.6.5 (Windows client) and unfortunately the following message still persists within the connection window: ‘Push Request (Status=1)’

The error is always the same, the server requests the OTP from the client, which does not send it. All the OpenVPN Connect clients have this problem with OpenVPN server from IPFire. I do not use Windows so I cannot test this myself, however several people have reported success using that client. Hopefully someone will reply to help you out.

Well noted and just for interest's sake - I made use of the Google Authenticator mobile application to add the OpenVPN OTP pin. Do you know what is most commonly used other than the mobile app I used?

Add these lines to the OpenVPN config file (*.ovpn)

auth-user-pass
static-challenge "Enter your OTP" 0

And maybe this line for OpenSSL 1.1 support

providers legacy default

With the default config you get disconnected after 1h. To extend the time add

reneg-sec 28800

Hi Sven,

Thank you for your response. Please note that the following lines: auth-user-pass,
static-challenge "Enter your OTP" 0 enable the required token window to appear.

However, the following line: auth-user-pass eventually brings up a window where one needs to type in a username and password which is essentially not relevant to what we need and in past experiences, I used it for Google two-factor authentication. Is there perhaps another string of lines I could add to the config file to prevent the effect experienced?

Check if your config file includes these lines

auth-nocache
auth-token-user USER
auth-token TOTP
auth-retry interact

Hi Sven,

Thank you for your response.

Yes. Kindly note that the OpenVPN certificate already had those line items.

The Problem is still there.

But @thato, in case it helps: I tested it with several clients and the only Community client that works with OTP without problems is still version 2.5.7, released on 31 May 2022.

Try this version, it will work. But do not forget to write this one line under tls-client, like this:

tls-client
reneg-sec 36000

This is important so that you don’t get kicked out after an hour.
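The replies above list the client-side directives one at a time (auth-user-pass and static-challenge to get the OTP window, auth-nocache and auth-retry interact, and reneg-sec so the session is not dropped after an hour). As an added example, not code from this thread, from IPFire or from OpenVPN, the POSIX shell script below applies those directives to an exported .ovpn file in one go, replacing an existing line rather than appending a duplicate (an IPFire export already carries reneg-sec 3600, so a second reneg-sec line would be ambiguous). The file name client.ovpn, the sample config it writes and the remote vpn.example.invalid are all assumptions constructed for the demonstration; run it against your real export after taking a backup.

```shell
#!/bin/sh
# Added example, not code from this thread, IPFire or OpenVPN: apply the
# client-side directives suggested in the thread to an exported .ovpn file so
# that the Windows Community client prompts for the OTP instead of looping on
# "Push Request (Status=1)". Needs only POSIX sh, grep and awk.

# Directives taken from the replies above. The trailing 0 on static-challenge
# keeps the typed OTP hidden (1 would echo it). 36000 for reneg-sec is the
# value given in the thread (the default 3600 drops the session after an hour);
# adjust it to your own policy. Lines must not contain backslashes, because
# awk -v interprets escape sequences.
OTP_DIRECTIVES='auth-user-pass
static-challenge "Enter your OTP" 0
auth-nocache
auth-retry interact
reneg-sec 36000'

# set_directive FILE DIRECTIVE "FULL LINE"
# Replace the first existing line whose first word is DIRECTIVE, or append the
# line if the directive is absent. Re-running it is therefore harmless.
set_directive() {
    sd_file=$1; sd_key=$2; sd_line=$3
    if awk -v key="$sd_key" '$1 == key { found = 1 } END { exit !found }' "$sd_file"; then
        # sed -i is not POSIX, so rewrite through a temporary file instead
        awk -v key="$sd_key" -v line="$sd_line" \
            '$1 == key && !done { print line; done = 1; next } { print }' \
            "$sd_file" > "$sd_file.tmp" && mv "$sd_file.tmp" "$sd_file"
    else
        printf '%s\n' "$sd_line" >> "$sd_file"
    fi
}

# patch_ovpn FILE: apply every directive in OTP_DIRECTIVES; returns 1 if the
# file does not exist.
patch_ovpn() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    printf '%s\n' "$OTP_DIRECTIVES" | while IFS= read -r po_line; do
        set_directive "$1" "${po_line%% *}" "$po_line"
    done
}

# add_legacy_provider FILE: only for connections whose certificates predate the
# OpenSSL 3 transition (Core Update 175); a freshly created connection does not
# need it, as noted further down in the thread.
add_legacy_provider() {
    set_directive "$1" providers 'providers legacy default'
}

# has_otp_prompt FILE: succeeds when both lines that make the client open the
# OTP window are present.
has_otp_prompt() {
    grep -q '^auth-user-pass' "$1" && grep -q '^static-challenge ' "$1"
}

# count_directive FILE DIRECTIVE: number of lines starting with DIRECTIVE,
# used to confirm that nothing was duplicated (always exits 0).
count_directive() {
    grep -cE "^$2( |$)" "$1" || true
}

# Constructed sample standing in for an IPFire export (not a real one); the
# remote is a placeholder.
write_sample() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
tls-client
reneg-sec 3600
auth-token-user USER
auth-token TOTP
verb 3
EOF
}

write_sample client.ovpn
patch_ovpn client.ovpn
if has_otp_prompt client.ovpn; then
    echo "client.ovpn now carries auth-user-pass and static-challenge;" \
         "reneg-sec lines: $(count_directive client.ovpn reneg-sec)"
fi
```

Because set_directive replaces in place, the script can be re-run on the same file without accumulating duplicate lines; add_legacy_provider is deliberately not called by default, since the providers line is only required for connections that still use pre-OpenSSL-3 certificates.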

Good day Sergio,

Thank you for your response. It is much appreciated as well as noted.

Please note that I will ensure to test OTP authentication whilst making use of the OpenVPN version mentioned below and advise accordingly on the outcome thereof.

Kind Regards

Thato Phatedi

With the OpenVPN Community Client 2.6.x you need this in the config:
providers legacy default

Explained here: New OpenVPN 2.6.0 Client (Windows 10 64bit) fails to connect - #4 by bonnietwin

Since Core Update 175, when openssl-3.x was installed in IPFire, that is only needed if you are still using old connections using legacy certificates. If it is a newly created connection/certificate then it will not need the legacy line.
If old connections with legacy certificates are restored from backup then the code in IPFire will automatically add the providers legacy default to the config file.

See this wiki note about the transition to OpenSSL 3.
https://wiki.ipfire.org/configuration/services/openvpn/openssl-3-transition

Adding the two following lines inside the *.ovpn solved my problem with Core Update 182 and the OpenVPN Community Client version 2.6.8. Before adding those two lines, no pop-up window appeared to enter the OTP number for the 2FA authentication.