Two OpenVPN problems: 2FA support and Perfect Forward Security disabled

Hello @cfusco,
Let me try to go step by step through your questions.

Understand that; it might also be an idea, once the know-how comes together, to update the wiki?

You can find here → wiki.ipfire.org - Multi-factor authentication (2FA) clients which support TOTP for 2FA for every platform (not sure if this list is complete).
The ‘--auth-user-pass-verify’ directive in server.conf requires all clients to authenticate; therefore ‘--auth-user-pass-optional’ was used in server.conf, since in IPFire you can use OTP client-specifically and not globally.
A longer time ago we did it the OPNsense way, during a longer testing period, but for that you would need a specific user database for authentication like PAM, and in that case users from passwd (useradd). IPFire does not provide a user authentication database but uses the certificate common name as ‘username’ and the TOTP as the password instead.

If you click on the OTP symbol for enabled 2FA clients in “Client Status and -Control”, you get the oathtool secret and the QR code which delivers the password(s).

On iOS I have heard about an already built-in app for TOTP which scans the QR code via the camera and adds it to your password manager.

Since oathtool works under the hood, you can use the secret from the WUI (which is in base32 format) with a

oathtool --base32 {Secret: From WUI}

or in HEX format, which appears in /var/ipfire/ovpn/ovpnconfig,

oathtool {HEX code}

where you can generate your password. An example is also located here

or/and e.g. → oathtool(1) — oathtool — Debian bullseye — Debian Manpages.

Where are the problems for the users? Most of the authentication logic is done by openvpn-authenticator, where I have read about some processing problems but also about some patches/fixes.

:+1:

Hope this helps a little further?

Best,

Erik