OPNsense Forum

English Forums => Virtual private networks => Topic started by: AndreK on January 16, 2022, 06:03:45 PM

Title: OpenVPN Login with Certificate and OTP
Post by: AndreK on January 16, 2022, 06:03:45 PM
Hello together,

Can someone tell me if it's possible to use OpenVPN with a certificate and an OTP token (Google Auth)?
I don't want to use usernames and passwords.

At the moment I use IPsec VPNs without OTP. Now I want to change to OpenVPN and increase the security a little bit.

In the documents I only find the way with only a cert, or with cert and username/password and OTP.

Kind regards

Andre
Title: Re: OpenVPN Login with Certificate and OTP
Post by: BusinessTux on January 17, 2022, 10:18:34 AM
Hi Andre,

Yes, you can. I always wanted to say that ;D

You have to configure a TOTP server under System > Access > Servers.
I recommend the option "Reverse token order" for better usability.

More on https://docs.opnsense.org/manual/how-tos/two_factor.html

Then you have to "Generate new secret (160 bit)" for the user.

And last you have to use this auth server in the OpenVPN configuration.

I'm using this with additional TLS certificates.
Title: Re: OpenVPN Login with Certificate and OTP
Post by: AndreK on January 17, 2022, 08:40:11 PM
Quote from: BusinessTux on January 17, 2022, 10:18:34 AM
Yes, you can. I always wanted to say that ;D

I can remember hearing that phrase before. ;)

But if I choose SSL/TLS + User Auth, doesn't it ask for user and password?

I'm trying to follow this guide: https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

At the point "Adding a User" I have to set a user and password. Without them I can't create a user.

Kind regards

Andre

Title: Re: OpenVPN Login with Certificate and OTP
Post by: BusinessTux on January 18, 2022, 06:56:38 AM
Yes, you're right. I hadn't read that you don't want a user.

Without user and password there is no way, in my opinion.

TOTP-only isn't available as an access server in OPNsense.
Title: Re: OpenVPN Login with Certificate and OTP
Post by: AndreK on January 19, 2022, 06:19:01 PM
Quote from: BusinessTux on January 18, 2022, 06:56:38 AM
TOTP-only isn't available as an access server in OPNsense.

I found this:
https://www.howtoforge.com/securing-openvpn-with-a-one-time-password-otp-on-ubuntu

The question will be: will it work with OPNsense?
Title: Re: OpenVPN Login with Certificate and OTP
Post by: BusinessTux on January 19, 2022, 06:27:26 PM
Quote
So, the next time you login to your OpenVPN server you will be prompted for an additional password. Provide the 6 digit passcode and you will gain access.

This is for Ubuntu, not for a FreeBSD-based system. And there it is written: "... an additional password ..."
Title: Re: OpenVPN Login with Certificate and OTP
Post by: AndreK on January 21, 2022, 09:02:07 PM
Correct, it's for Ubuntu, but I think the OpenVPN on FreeBSD doesn't work differently.

Sure, it wants the token from you. But no username/password combination.