OpenVPN Login with Certificate and OTP

Started by AndreK, January 16, 2022, 06:03:45 PM

January 16, 2022, 06:03:45 PM Last Edit: January 17, 2022, 10:12:22 PM by AndreK
Hello together,

Can someone tell me if it's possible to use OpenVPN with a certificate and an OTP token (Google Auth).
I don't want to use usernames and passwords.

At the moment I use IPsec VPNs without OTP. Now I want to change to OpenVPN and increase the security a little bit.

In the documents I only find the way with only a cert, or with a cert and username/password and OTP.

Kind regards

Andre

Hi Andre,

Yes you can. I always wanted to say that ;D.

You have to configure a TOTP-Server under System > Access > Servers.
I recommend the option "Reverse token order" for better usability.

More on https://docs.opnsense.org/manual/how-tos/two_factor.html

Then you have to "Generate new secret (160 bit)" in the user.

And last you have to use this auth server in the OpenVPN configuration.

I'm using this with additional TLS certificates.
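As an added illustration (not OPNsense's own code), here is how a TOTP check against the single password field works once a TOTP server is in use, including the "Reverse token order" option mentioned above: the client sends password and 6-digit token in one field, and the server splits it, checks the static password, and checks the token against the shared secret. The secret, password and clock value are constructed test values, and the one-step clock tolerance is an assumption.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6    # token length Google Authenticator produces
WINDOW = 1    # assumption: tolerate one step of clock drift either way

# Constructed test values, not real credentials: the RFC 6238 reference key
# "12345678901234567890" in base32 form, and a fixed Unix time of 59 seconds.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TEST_TIME = 59


def totp(secret_b32: str, now: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) for a base32 secret."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def split_field(field: str, reverse_token_order: bool):
    """Split the one password field into (password, token).
    Default order is password then token; "Reverse token order" puts the
    token first. Returns None when no well-formed token is present."""
    if len(field) <= DIGITS:
        return None
    if reverse_token_order:
        token, password = field[:DIGITS], field[DIGITS:]
    else:
        password, token = field[:-DIGITS], field[-DIGITS:]
    if not (token.isascii() and token.isdigit()):
        return None
    return password, token


def verify(field: str, expected_password: str, secret_b32: str,
           reverse_token_order: bool, now: int) -> bool:
    parts = split_field(field, reverse_token_order)
    if parts is None:
        return False
    password, token = parts
    password_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    token_ok = any(hmac.compare_digest(token, totp(secret_b32, now + d * STEP))
                   for d in range(-WINDOW, WINDOW + 1))
    return password_ok and token_ok
```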

Quote from: BusinessTux on January 17, 2022, 10:18:34 AM
Yes you can. I always wanted to say that ;D.

I can remember hearing that phrase before. ;)

But if I choose SSL/TLS + User Auth, does it not ask for user and password?

I'm trying to follow this guide: https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

At the point "Adding a User" I have to set a user and password. Without one I can't create a user.

Kind regards

Andre


Yes, you're right. I hadn't read that you don't want a user.

Without user and password there is no way, in my opinion.

TOTP-only isn't available as an access server in OPNsense.


Quote
So, the next time you log in to your OpenVPN server you will be prompted for an additional password. Provide the 6-digit passcode and you will gain access.

This is for Ubuntu, not for a FreeBSD-based system. And there it is written: ... an additional password ...

Correct, it's for Ubuntu, but I think OpenVPN on FreeBSD does not work differently.

Sure, it wants the token from you. But no username/password combination.