[feature request] OpenVPN with OTP and Challenge/Response

[tbandixen]

• I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md

• I have searched the existing issues and I'm convinced that mine is new.

Is your feature request related to a problem? Please describe.
The OpenVPN client has a nice option to add a challenge/response input box to enter a OTP, however I can't figure out how this should work in OPNsense.

I configured OpenVPN with google authenticator (which works great), but it requires to enter the number in combination with the password.

Describe the solution you'd like
I feel it would be much more user friendly if we could use the "static-challenge" option in the client.

Additional context
Just setting the static-challenge option in the client gives a "SIGUSR1[soft,auth-failure] received, process restarting".

The thread was opened by olivierfaber in the forum.
I just ported it to github, that we can discuss thing a bit nearer to the code 😄

[tbandixen]

The Viscosity Client has this nice feature too.
By setting static-challenge "Please enter your OTP code" 1 in the client settings you'll get this nice window after you entered your credentials.

I dont know yet, what needs to be changed server side. I'm totaly new in the OpenVPN topic.

[AdSchellevis]

looks doable, it seems to encode the password differently when set:

SCRV1:dGVzdA==:OTk5OTk5OTk5OQ==

is the equivalent for password test token 9999999999

[tbandixen]

Is this related to this docu?
https://github.com/OpenVPN/openvpn/blob/master/doc/management-notes.txt#L1120

[AdSchellevis]

yes, it seems so, specifically this:

password "Auth" "SCRV1:<password_base64>:<response_base64>"

[tbandixen]

With this request, I hope that I can save my credentials in the vpn client and only have to enter the OTP...

[AdSchellevis]

There will be one limitation, it won't support "reverse token order"

Eventually this plugin should be detached from the configuration, so I don't want to add extra knobs and switches in now.

[tbandixen]

I think there would be one extra knob, "Use seperate OTP window" (then the reverse token order should be disabled).

[AdSchellevis]

it's a client setting only

[tbandixen]

Really? Oh ok. But does the current auth code works? How can I test this?

[AdSchellevis]

patience....

[tbandixen]

Sorry 😄

[AdSchellevis]

opnsense-patch 2c2eca7 

will do the trick

[tbandixen]

It does the trick, but as you said, the limitation is that "Reverse token order" isn't selected.
And saving the credentials now works 😄

[AdSchellevis]

we might lift that limitation when working on #3266

[AdSchellevis]

@tbandixen It might be good to review and update our docs (https://github.com/opnsense/docs), if you would like to contribute on it that would be highly appreciated.

[tbandixen]

Thank you for your quick interaction. I will definately have a look. Do you have a recommended hard-/software setup to test and maybe develop on the opnsense/core repo? I have a spare notebook...

[tbandixen]

Do you have a recommended hard-/software setup to test and maybe develop on the opnsense/core repo? I have a spare notebook...

I think https://github.com/opnsense/tools would be it, right?

[AdSchellevis]

you should be able to compile the docs with the steps described here https://github.com/opnsense/docs

Thanks in advance!

[fichtner]

For core work set up a VM with OPNsense 19.1, change to development mode and update, then log into the console:

# opnsense-code core
# cd /usr/core
(edit files)
# make upgrade

[tbandixen]

Thank you, I will try both.

[tbandixen]

When will the patch be included in the releases? 19.1.3 und 19.1.4 didn't include the patch.
Works as expected with my setup (Windows 10, Viscosity Client 1.7.14 (1595))

It would be nice if the "Custom config" would be persisted, but there is another request open (I think?)

[AdSchellevis]

@tbandixen probably next version, I'll take a look at the custom config, kind of missed that one

[AdSchellevis]

@tbandixen 24c5c67 is the custom config issue, it was saved, just not loaded properly

[tbandixen]

Thank you, thats it 👍