OPNsense
Author Topic: Openvpn OTP challenge only?  (Read 202 times)

epoch

« on: September 30, 2022, 07:54:24 pm »
First off I want to say I enjoy OPNsense 22.7 on PCEngines APU2 tremendously. Thank you, all.

I have recently set up OpenVPN on a gateway (found your howto mostly fine) for the usual remote admin use-case. Works a treat.

I am now setting up another VPN instance for peer to peer collaboration between road-warriors. In this case I only rely on certificate-based authentication as I don’t really care for creating an unprivileged user in the router for each roadwarrior device.

I would have liked to be able to define in addition an OTP seed for each certificate and use it as password; akin to creating a local user with an empty password+its OTP seed, but bypassing the worrying passwordless user account aspect.
I remember having done that on Linux with the right PAM options.
I believe requiring an OTP code is manageable even in an almost batch setup (nowadays I tend to put VPN clients in containers if I can), and nicely enhances security in case of laptop theft, for example.

Do you think this makes sense? Any takers for this kind of setup besides me?
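
The per-certificate OTP idea from the post above, as an added example that is not part of the original post and not an OPNsense feature: a verifier for plain OpenVPN's `auth-user-pass-verify <script> via-env` hook (which needs `script-security 3`), where OpenVPN exports the verified certificate's `common_name` and the typed `password`. The CN-to-seed table, the CN `roadwarrior-laptop1` and the seed (the RFC 6238 test key) are constructed assumptions.

```python
import base64, hashlib, hmac, os, struct, sys, time

# Constructed sample mapping: certificate CN -> base32 TOTP seed (RFC 6238 test key).
SEEDS = {"roadwarrior-laptop1": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}

def totp(seed_b32, counter, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for one 30-second time-step counter."""
    key = base64.b32decode(seed_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(common_name, password, now=None, seeds=SEEDS, window=1):
    """True if password is a valid code for the seed bound to this certificate CN."""
    seed = seeds.get(common_name)
    if seed is None or not (password.isascii() and password.isdigit()):
        return False  # unknown certificate or malformed code: fail closed
    step = int(time.time() if now is None else now) // 30
    ok = False
    for drift in range(-window, window + 1):
        # Check every step in the drift window, each in constant time.
        ok |= hmac.compare_digest(totp(seed, step + drift), password)
    return ok

if __name__ == "__main__":
    # via-env: OpenVPN sets these after the TLS certificate check has passed.
    cn = os.environ.get("common_name", "")
    pw = os.environ.get("password", "")
    sys.exit(0 if verify(cn, pw) else 1)  # exit 0 accepts, non-zero rejects
```

This sketch does not record used codes, so a code stays replayable within its drift window, and the seed table needs the same file protection as a private key.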

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved