What you're looking for is the OpenVPN challenge/response protocol,
which can be used when authentication is done via the management
interface.

https://openvpn.net/community-resources/management-interface/
describes it a bit.

I know that the MFA portion of the management interface system I wrote
(https://github.com/j-m-patterson/ovpnherder) supports passing TOTP
tokens via static challenge (which is where you put the
"static-challenge" directive in the client config) as well as
concatenating them with the password.

Unfortunately, as far as I can tell, static and dynamic
challenge-response isn't available if you're using a plugin or script
for authentication. So if you're ready to take the plunge into using
the management interface, you can do it. Otherwise, you're stuck with
concatenating the OTP token to the password.

On Tue, Apr 20, 2021 at 3:59 PM Bogdan Rudas via Openvpn-users
<openvpn-users@lists.sourceforge.net> wrote:
>
> Hello!
>
> I've read a couple of guidelines regarding MFA with OpenVPN and all of them 
> mention that the 2nd factor could be either sent as the password (with client 
> cert auth) or appended to the password string. Well, people tend to enter a 
> password when they see the password field.
> At the moment the only straightforward and more or less human-friendly way to 
> set up login+password+2fa authentication is to use a kind of 'push token' MFA 
> (so the user confirms login in some mobile application).
> OTP, password cards and any other way that demands text input from the user 
> demands too much from the users: they need to blindly enter the password, then 
> type the 2nd factor, can't see what they type and don't even know if 
> authentication failed because of a wrong password or wrong OTP numbers (for 
> example).
> Is it possible to ask the user for the 2nd factor like the OpenVPN client asks 
> for login and password, and send discrete error messages for password and for 
> 2nd factor failures?
>
> Thank you.
> --
> Bogdan Rudas
> Director of IT Europe
> Exadel Inc.
> http://www.exadel.com/
> E-mail: bru...@exadel.com
> Skype ID: bogdan.rudas
>
>
>
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users

