how to Request openVPN Client to prompt for (TOTP) in a second popup

[vincentR]

I'm running a solution with and windows NPS as radius authentication server.
The radius server request additionnal challenge after user/passwd (in a second step).
It works more or less:
The user get prompted a first time with username/password, then a second time with the same popup window.(still asking for user and password).
 If I fill in the TOTP, then the authentication succeed and the client is connected.

But, this is really not user intuitive or friendly.
I would like the openVPN client to prompt the user / password in first step, as it is now, but then, for the second challenge, it should show up with a new popup windows, with a single field : "please enter OTP".
How can I acheive that ?
It should be possible, as I can see that miniorange is proposing it with the openvpn client.


Here are the logs of a successfull connexion:
First, at 12:14:44, the authentication is rejected
the connexion seems to be restarted and accepted the second time with the TOTP.
I think something more "clean" would be nicer


2021-10-15 12:14:37 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2021-10-15 12:14:37 OpenVPN 2.5_rc3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 19 2020
2021-10-15 12:14:37 Windows version 10.0 (Windows 10 or greater) 64bit
2021-10-15 12:14:37 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
Enter Management Password:
2021-10-15 12:14:42 TCP/UDP: Preserving recently used remote address: [AF_INET]xxxxxx:yyyy
2021-10-15 12:14:42 UDP link local (bound): [AF_INET][undef]:0
2021-10-15 12:14:42 UDP link remote: [AF_INET]xxxxxx:yyyy
2021-10-15 12:14:42 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-10-15 12:14:43 [wwww] Peer Connection Initiated with [AF_INET]xxxxxx:yyyy
2021-10-15 12:14:44 AUTH: Received control message: AUTH_FAILED
2021-10-15 12:14:44 SIGUSR1[soft,auth-failure] received, process restarting


2021-10-15 12:14:57 TCP/UDP: Preserving recently used remote address: [AF_INET]xxxxxx:yyyy
2021-10-15 12:14:57 UDP link local (bound): [AF_INET][undef]:0
2021-10-15 12:14:57 UDP link remote: [AF_INET]xxxxxx:yyyy
2021-10-15 12:14:57 [xxxxxx] Peer Connection Initiated with [AF_INET]xxxxxx:yyyy
2021-10-15 12:14:57 open_tun
2021-10-15 12:14:57 tap-windows6 device [Connexion au réseau local 4] opened
2021-10-15 12:14:57 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.14.6/255.255.255.252 on interface {xxxxx} [DHCP-serv: 10.0.14.5, lease-time: 31536000]
2021-10-15 12:14:57 Successful ARP Flush on interface [13] {xxxxx}
2021-10-15 12:14:57 IPv4 MTU set to 1500 on interface 13 using service
2021-10-15 12:15:02 Initialization Sequence Completed

[meschmesch]

Is there a solution to this problem?

I would like the openVPN client to prompt the user / password in first step, as it is now, but then, for the second challenge, it should show up with a new popup windows, with a single field : "please enter OTP".
How can I acheive that ?

[Reiner030]

Even this topic is old - for people which have similar problem:

This is a client config "problem" - you have to add (manually) following line to get a 2nd OTPpopup window - which would be nice to have also added as an option for the client wizzard:

Code: [Select]

static-challenge "Please enter your OpenOTP PIN" 1
Here is important that the client is requesting the OTP token before connection try and is sending directly "<OTP><PASSWORD>" to the OpenVPN server somehow not using the OpenVPN challenge mode already implemented since 2019.

Maybe this behavior is only because server isn't also running static-challenge mode by defaullt in OPNsense when using an TOTP authentication backend?
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

--static-challenge t e
Enable static challenge/response protocol using challenge text t, with echo flag given by e (0|1).The echo flag indicates whether or not the user's response to the challenge should be echoed.
See management-notes.txt in the OpenVPN distribution for a description of the OpenVPN challenge/response protocol.

Optionally you can set also a profile name for client - which would be also a nice feature for OpenVPN setup in OPNsense wizzard - using this client configuration line:

Code: [Select]

setenv FRIENDLY_NAME "Reiners OPNSense Test"


[meschmesch]

Hi,
thanks for the idea. Of course I can add

Code: [Select]

static-challenge "Enter Authenticator Code" 1 at the client which then requests seperately password and OTP. But how does the server know how to handle this information? The server has to be somehow instructed how to concatenate the PWD+CODE.

[Reiner030]

Hi,
thanks for the idea. Of course I can add

Code: [Select]

static-challenge "Enter Authenticator Code" 1 at the client which then requests seperately password and OTP. But how does the server know how to handle this information? The server has to be somehow instructed how to concatenate the PWD+CODE.

because it's implemented since 2019
https://github.com/opnsense/core/issues/3290
and fixed again in 2023 after accidently remove when switching to MVC / new script in:

Code: [Select]

$ git show -p b528952260
commit b5289522604b7863a5b3bd8c8a5a21a334b1f59c
Author: Ad Schellevis <ad@opnsense.org>
Date:   Thu Mar 16 10:26:43 2023 +0100

    VPN/OpenVPN - add missing static-challenge parsing, should fix https://forum.opnsense.org/index.php?topic=32939.msg159861#msg159861

diff --git a/src/opnsense/scripts/openvpn/user_pass_verify.php b/src/opnsense/scripts/openvpn/user_pass_verify.php
index 7aebdf282..3fb4be2c8 100755
--- a/src/opnsense/scripts/openvpn/user_pass_verify.php
+++ b/src/opnsense/scripts/openvpn/user_pass_verify.php
@@ -96,6 +96,18 @@ function do_auth($common_name, $serverid, $method, $auth_file)
     if (empty($username) || empty($password)) {
         return "username or password missing ({$method} - {$auth_file})";
     }
+    if (strpos($password, 'SCRV1:') === 0) {
+        // static-challenge https://github.com/OpenVPN/openvpn/blob/v2.4.7/doc/management-notes.txt#L1146
+        // validate and concat password into our default pin+password
+        $tmp = explode(':', $password);
+        if (count($tmp) == 3) {
+            $pass = base64_decode($tmp[1]);
+            $pin = base64_decode($tmp[2]);
+            if ($pass !== false && $pin !== false) {
+                $password = $pin . $pass;
+            }
+        }
+    }
     $a_server = $serverid !== null ? get_openvpn_server($serverid) : null;
     if ($a_server == null) {
         return "OpenVPN '$serverid' was not found. Denying authentication for user {$username}";

The main problem is here only the the "into our default pin+password" which is wrong against default order which is globally password+otp_token ...