OpenVPN with OTP and static-challenge

Started by olivierfaber, October 29, 2018, 10:01:53 AM

The OpenVPN client has a nice option to add a challenge/response input box to enter an OTP, however I can't figure out how this should work in OPNsense.

I configured OpenVPN with Google Authenticator (which works), but it requires my colleagues to enter the number in front of the password. I feel it would be much more user-friendly if we could use the "static-challenge" option in the client (screenshot attached).

Just setting the static-challenge option in the client gives a "SIGUSR1[soft,auth-failure] received, process restarting".

Has anyone tried to configure it like this? Is it even possible?

I had this working too in a config with OpenVPN on a standalone Linux box.

I even patched two OpenVPN plugins (https://github.com/threerings/openvpn-auth-ldap and https://github.com/evgeny-gridasov/openvpn-otp) to get it to work.

Although I'm a huge fan of OPNsense, I never succeeded in getting this to work and would love to see it on the feature list.

For it to work, the password that is returned from the client needs to be processed in a specific way. This in turn requires the authentication module (whatever that is) to 1/ be aware that it is not the usual password it is receiving and 2/ do the specific processing to split up the normal password and the OTP reply.
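
The splitting step described in the post above, as an added example that is not part of the original thread or of OPNsense's code: with static-challenge the OpenVPN client sends the password field as `SCRV1:<base64 password>:<base64 response>`, and the sketch below parses that form and falls back to the "number in front of the password" form. The names `split_credentials` and `Credentials`, and the 6-digit OTP length, are assumptions made for the illustration.

```python
import base64
import binascii
from typing import NamedTuple

SCRV1_PREFIX = "SCRV1:"
OTP_DIGITS = 6  # assumption: 6-digit codes, the Google Authenticator default


class Credentials(NamedTuple):  # hypothetical container for the example
    password: str
    otp: str
    via_challenge: bool


def _b64(field: str) -> str:
    """Strictly decode one base64 field; reject anything malformed."""
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed SCRV1 field") from exc


def split_credentials(raw: str) -> Credentials:
    """Split the password string the server receives into password and OTP."""
    if raw.startswith(SCRV1_PREFIX):
        # Base64 never contains ':', so a valid value has exactly three parts.
        parts = raw.split(":")
        if len(parts) != 3:
            raise ValueError("SCRV1 needs exactly two base64 fields")
        password, otp = _b64(parts[1]), _b64(parts[2])
        via_challenge = True
    else:
        # Form used in the thread's working setup: OTP typed before the password.
        otp, password = raw[:OTP_DIGITS], raw[OTP_DIGITS:]
        via_challenge = False
    if len(otp) != OTP_DIGITS or not (otp.isascii() and otp.isdigit()):
        raise ValueError("OTP is not a %d-digit code" % OTP_DIGITS)
    return Credentials(password, otp, via_challenge)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(split_credentials("SCRV1:aHVudGVyMg==:MTIzNDU2"))
    print(split_credentials("123456hunter2"))
```

A backend that only understands the prefixed form sees the literal `SCRV1:...` string as the password and rejects the login, so the parsing has to happen before the password and OTP are verified.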

March 05, 2019, 02:08:10 PM #2 Last Edit: March 05, 2019, 02:12:03 PM by tbandixen
I would really love to see this feature on the roadmap!

(Viscosity has this feature too.)
APU1D4 (PC Engines) with OPNsense 19.1.2
Wingo FTTH 1 Gbit/s

Tickets please, you guys and gals know the drill... :)

March 06, 2019, 08:09:20 AM #4 Last Edit: March 06, 2019, 08:35:11 AM by tbandixen
Feature request opened.

To keep things together here is the issue https://github.com/opnsense/core/issues/3290.

As AdSchellevis mentioned:

opnsense-patch 2c2eca7
will do the trick