OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: PotatoCarl on October 30, 2019, 10:02:30 AM

Title: OpenVPN with TOTP only?
Post by: PotatoCarl on October 30, 2019, 10:02:30 AM
Hi
I am trying to set up an OpenVPN server with TOTP authentication ONLY. However, it does not work. The combination TOTP + Local Database works fine, so I have to enter username + TOTP and the connection works. When I deselect "Local Database" and only have TOTP enabled in the OpenVPN server, it does not work anymore.
Using only the local database works fine, too.
Is there a way to use ONLY TOTP? And, preferably, disconnect after a specified time?

Thank you.
Title: Re: OpenVPN with TOTP only?
Post by: franco on November 01, 2019, 09:25:14 AM
Use the tester to confirm that TOTP is working -- it sounds like it isn't set up correctly. TOTP does not work stand-alone so you always have to have a password either locally or remotely via LDAP.

Also do not use TOTP+Local and Local both set for authentication, because it renders your TOTP useless since you can always log in using the password alone as a fallback.


Cheers,
Franco
Title: Re: OpenVPN with TOTP only?
Post by: PotatoCarl on November 06, 2019, 09:54:28 AM
Dear Franco,
yes, TOTP + password works perfectly. I just do not want that. I want, for the OpenVPN and ONLY for specific servers, a pure TOTP-only authentication (e.g. with a token tool ONLY).
If you have ever tried to enter a password and then the token on a mobile phone, you will find that you are typically not fast enough.
I also have no idea if a longer TOTP would be possible, e.g. 10 digits instead of 6 (in Google Authenticator or so), and this to be used as a one-time password generator. That would be a pretty cool option for the passwords, I believe.
Cheers
Title: Re: OpenVPN with TOTP only?
Post by: franco on November 06, 2019, 05:47:56 PM
At the moment there are no plans to provide TOTP-only authentication. It makes sense as a second factor but not as a primary authentication method. Time-based authentication is problematic, and it would be far better to use something like a RADIUS server where you could configure safer token-only login capabilities and use it from OPNsense.


Cheers,
Franco
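As an added worked example (editor's code, not part of the thread and not OPNsense's implementation): an RFC 6238 TOTP generator with a verifier that checks token and password together, beside an "either authenticator wins" chain. It illustrates Franco's two points above, that the token is only ever checked alongside a password, and that selecting both "TOTP + Local" and "Local" lets the bare password through. It also exercises the `digits` parameter raised in the 10-digit question. Assumptions: the client sends token followed by password in one field (OPNsense's default order; its "reverse token order" option swaps them), a chain of authenticators accepts the first success, the `USERS` record, `_SALT`, the `window` tolerance and the function names are all constructed here; the seed is the RFC 6238 test seed.

```python
"""RFC 6238 TOTP next to a token+password check (editor's example, not OPNsense code)."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    # The truncated value is 31 bits, so more than ~9 digits adds no entropy.
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, period=30, digits=6):
    """RFC 6238 TOTP: HOTP over the number of elapsed 30-second steps."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // period), digits)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user database (assumption): salted password hash plus the TOTP seed.
_SALT = b"constructed-salt"
USERS = {
    "carl": {
        "pw_hash": _hash("correct horse", _SALT),
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",  # RFC 6238 test seed "12345678901234567890"
    }
}


def auth_local(user, entered, now):
    """Plain password check, standing in for the 'Local Database' authenticator."""
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(_hash(entered, _SALT), rec["pw_hash"])


def auth_totp_local(user, entered, now, digits=6, window=1):
    """'TOTP + Local' check. Assumption: the field holds <token><password>, token first.
    A bare token has no password part and is rejected, which is why TOTP cannot stand alone."""
    rec = USERS.get(user)
    if rec is None or len(entered) <= digits:
        return False
    token, password = entered[:digits], entered[digits:]
    if not token.isdigit() or not hmac.compare_digest(_hash(password, _SALT), rec["pw_hash"]):
        return False
    step = int(now // 30)
    # Accept neighbouring steps to tolerate clock drift (window is a constructed parameter).
    return any(hmac.compare_digest(hotp(rec["totp_secret"], step + d, digits), token)
               for d in range(-window, window + 1))


def auth_chain(authenticators, user, entered, now):
    """Assumption: with several servers selected, the first authenticator that succeeds wins."""
    return any(a(user, entered, now) for a in authenticators)


if __name__ == "__main__":
    now = 59  # RFC 6238 vector: step 1 of the test seed
    secret = USERS["carl"]["totp_secret"]
    token = totp(secret, now)
    print("token:", token, "8-digit:", totp(secret, now, digits=8))
    print("token+password  ->", auth_totp_local("carl", token + "correct horse", now))
    print("token alone     ->", auth_totp_local("carl", token, now))
    print("TOTP+Local only, password alone ->",
          auth_chain([auth_totp_local], "carl", "correct horse", now))
    print("TOTP+Local AND Local, password alone ->",
          auth_chain([auth_totp_local, auth_local], "carl", "correct horse", now))
```

The last two lines of the demo are the point of Franco's warning: with only the TOTP+Local authenticator selected the password alone is refused, but adding the plain Local authenticator to the same server accepts it, so the token becomes optional. On the 10-digit question, `hotp` will happily emit 10 digits, but the RFC truncation yields a 31-bit value (at most 2147483647), so the extra leading digits are mostly zero and add no real strength.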