Textbox for 2fa security code

[nognomar]

Could you please add an optional additional text box for one-time passwords for cases where connecting to the VPN requires a combination of a permanent password and OTP? It would be convenient to have the option to save the permanent part of the password and only input the OTP.

[schwabe]

That seems like your setup uses a non-standard way to request 2FA and having it as part of the password. The normal OpenVPN methods (static-challenge, dynamic-challenge and crtext) do not need to split password method.

[nognomar]

@schwabe This is the second company where I've encountered such an approach. Moreover, some VPN clients, like Tunnelblick, implement this functionality, and when I was using a mac, it was a great help to me. I think that since the authors of Tunnelblick have implemented support for combining a password and OTP, this functionality is still in demand, even though it's not encountered frequently.

[zsolks]

I have the same problem with one company. All the time we used OpenVPN GUI for Windows to connect to them remotelly. Everything was fine.
Now they enabled 2FA. During loging to them I always see info AUTH_FAILED. There is no window to put 2FA code, no popup window.
So we have to use Stormshield SSL VPN Client to connect to them, but we prefer OpenVPN GUI

[schwabe]

@zsolks that seems to be more that those products seem to blatenly ignore the normal methods to use 2FA with OpenVPN.

[cron2]

client logfile or it did not happen... 2FA in a combined password (secret+token) works just fine, you just need to ensure that you do not check "[x] save password" in GUI

[cron2]

@schwabe well... so do we... it's an old setup, and the OTP handling is done in the PAM stack, so it wants "secret+token in the password field". Of course it could be modernized, but since it works as is and users know how to get in, I never felt like investing time.

[schwabe]

The best way we can probably do is to have a --static-challenge flag or similar that produces the password+otp token format instead of the SCRV1:<password_base64>:<response_base64> that is normally used when you use static-challenge

[zsolks]

@zsolks that seems to be more that those products seem to blatenly ignore the normal methods to use 2FA with OpenVPN.

I do not know, but Stormshield works. :/

Im, not admin and never setup openvpn server yet so I, can't polemize with youre technical stuff.
But i know, that client-company give me files to OpenVPN like:

CA.cert.pem
config.ini
openvpnclient.cert.pem
openvpnclient.pkey.pem
openvpn_client.ovpn

like always, and it was working, until now, until They enabled 2FA.
So I had to use Stormshield Client, also is based on OpenVPN.
I was serching to solve that problem and on https://binsec.wiki/en/security/howto/protect-hardening/authorization-and-authentication/openvpn-configure-2fa-google-authenticator/ found, that in the file .ovpn shuld be defined parameter auth-user-pass. In my files this parameter is defined, but 2FA is not working.

@cron2 I do not save and not checked checkbox save password.
Log directory is empty.

Maybe this information help somebody to solve problem.
Is it any way to enalble log file in OpenVPN GUI for windows?

Maybe attachments help to solve some problems, give look on my config, and situation

config.ini

timeout=14400

openvpn_client.ovpn

client
dev tun
cipher AES-256-CBC
data-ciphers AES-256-CBC
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA256
nobind
resolv-retry infinite
persist-key
persist-tun
hand-window 60
remote X.X.X.X 1194 udp
remote X.X.X.X 4433 tcp
ca "CA.cert.pem"
cert "openvpnclient.cert.pem"
key "openvpnclient.pkey.pem"
compress lz4
verb 0
auth-user-pass
auth-retry interact
auth-nocache
reneg-sec 0

[unclesam87]

That seems like your setup uses a non-standard way to request 2FA and having it as part of the password. The normal OpenVPN methods (static-challenge, dynamic-challenge and crtext) do not need to split password method.

opnsense openvpn integration works that way for example - so we have the same problem with all our opnsense customers - as this method (password+otp in one field) is way too inconvient we couldnt convice any of our customers to add an otp that would be so badly needed to improve our security. so any "hack" or adding of an optional additional field for that way to implement an otp would be a great improvment for us

[selvanair]

That seems like your setup uses a non-standard way to request 2FA and having it as part of the password. The normal OpenVPN methods (static-challenge, dynamic-challenge and crtext) do not need to split password method.

opnsense openvpn integration works that way for example - so we have the same problem with all our opnsense customers - as this method (password+otp in one field) is way too inconvient we couldnt convice any of our customers to add an otp that would be so badly needed to improve our security. so any "hack" or adding of an optional additional field for that way to implement an otp would be a great improvment for us

Its unclear to me what exactly the question is, if there is one. There is no hack required. OpenVPN-GUI out of the box supports inputting password and OTP as separate fields. Depending on how MFA is enforced by the server, this may require static challenge in the client config or no changes to the client config at all.

The simplest option is to use the so-called "static challenge": the GUI dialog will have three fields for username, password, and OTP, it will internally encode them following the static-challenge protocol and submit to the server. On the server side, auth-pam plugin can handle the base64 response submitted that way. There may be other plugins which work too, or writing a script to parse the static-challenge response is not hard.

[schwabe]

If you really need this different behaviour, I suggest that you implement a patch for OpenVPN 2.x (and probably also 3.x) that allows an argument for static-challenge to switch to this different (inferior) encoding to append password and challenge without base64 encoding. There will be probably no one else taking up that task since decoding the normal static-challenge on the server side with whatever auth backend you are using is trivial enough and does not require new clients to be installed everywhere.

[DidierLoiseau]

I’m currently working on a project where authentication requires password+OTP concatenation. This is indeed quite annoying since it does not allow saving the password, nor echoing the OTP (I tried static-challenge but it does not work).

From reading this forum thread, it seems to be a common issue with RADIUS.

[selvanair]

The problem is not with RADIUS, but the radius plugin for OpenVPN. I do not know who maintains it but it should be easy to fix -- we have the necessary functions to pick apart static challenge response in auth-pam plugin. The radius plugin could copy it.
Alternatively it may be possible to use the auth-pam plugin and setup pam-radius module in PAM.

[cron2]

If radius is only used for authentication, plugin-auth-pam + pam-radius is the best choice.

radiusplugin is currently unmaintained, and known buggy. There are a number of forks, but no real "new and well maintained" one. As far as I know the best-maintained one is the one from @ValdikSS and he has given up on it, because, too complex, too buggy. The benefit of radiusplugin over using PAM is that you can also have ifconfig and iroute and everything in radius - but if you do not need that, "too complex".

[DidierLoiseau]

The thing is, even when those plugins get fixed, people still have to deal with servers using the old version, so support in the client would remain useful.

(I understand well that you don’t want to put effort in this, and that contributions are welcome)

[selvanair]

To support these nonstandard behaviour one would have to construct something like "password:OTP". But then what happens if password contains ':' character? Or, some may want a different separator or assume OTP to be a fixed number of digits.. It would be such an ugly hack that has no place in the GUI or OpenVPN (IMHO). So "contributions are welcome" is not my stand on this.

Either fix the server-side processing (its not at all hard to parse the SCRV1 format), or continue to just manually submit the password as "password:OTP". I do not see any "old servers" issue here. Updating server is so much easier to deploy than updating numerous clients.

[DidierLoiseau]

I wanted to give it a shot, so I implemented something in 458fcc3. To use it, you must create a REG_BINARY key named totp-concat with the value 01 under HKCU\Software\OpenVPN-GUI\configs\<config-name>. After that, connecting to that config will show the TOTP response field, with echo enabled.

I went for a registry key because:

• this seems to be something more related to OpenVPN GUI than OpenVPN itself
• it is already the GUI that deals with the SCRV1 encoding
• .ovpn files are not directly processed by the GUI
• consequently, modifying the static-challenge setting (or adding a new one) would have also required to change the communication protocol between OpenVPN and the GUI (possibly affecting other management interfaces)

Just to reply to @selvanair:

But then what happens if password contains ':' character? Or, some may want a different separator or assume OTP to be a fixed number of digits.

My understanding is that these implementations just take the last 6 digits (no separator or prefix is needed) but I agree that maybe it won’t work for everyone.

Either fix the server-side processing (its not at all hard to parse the SCRV1 format), or continue to just manually submit the password as "password:OTP". I do not see any "old servers" issue here. Updating server is so much easier to deploy than updating numerous clients.

Unfortunately I have no control on the server-side of things. I am just a poor user who has to deal with this server. I have asked to change it and the answer was that they don’t have the time for this. To be fair, it’s probably not just a matter of updating the server, since proper testing must be done upfront. Moreover, requesting a static challenge would require everyone to change their ovpn config file. And as one says: if it ain’t broke…

In any case, from my position, the only thing I can do is use a client that satisfies my needs.

I could submit a PR if desired.

[PiRomant]

@DidierLoiseau, perhaps a new parameter in the client config / command argument would better fit into the design of the application.
Or at least, could you add to the documentation - https://github.com/OpenVPN/openvpn-gui/blob/master/README.rst#user-preferences and submit a PR.

[DidierLoiseau]

@PiRomant the problem with the client config is that it is not used by OpenVPN-GUI, and I don’t think a command-line argument would be very convenient either (since it wouldn’t be per-connection).

I think what could be done instead is to add a checkbox for it, and always display the field (disabled when the checkbox isn’t checked). I’m pretty sure that is what TunnelBlick does (see it described here and screenshots here and here) but I don’t have a Mac to check it. The benefit of the checkbox (and the registry key I implemented) is that it won’t try to reconnect automatically.

If I’m not wrong, you aren’t involved in OpenVPN(-GUI) development, but previous comments on this issue seem to suggest that a PR wouldn’t be accepted anyway.

[selvanair]

I went for a registry key because:

Registry keys are meant for the GUI's internal use for persisting settings. We want to have all user options set from the UI or come from the config file. Except for a couple of admin-controlled registry keys.

but previous comments on this issue seem to suggest that a PR wouldn’t be accepted anyway.

I have proposed a minor extension of the static-challenge option in OpenVPN:
https://gerrit.openvpn.net/c/openvpn/+/665

If accepted, the desired support in the GUI is very easy to implement as in here: selvanair@c4c914b

[selvanair]

If anyone wants to try this now use an executable from the CI artifacts here: https://github.com/selvanair/openvpn-gui/actions/runs/9524885876#artifacts

This one has two options for OTP concatenation: (i) a checkbox in general settings to globally enable OTP box for all configs or (ii) use --static challenge in ovpn file with a flag to override SCRV1 protocol. The latter requires support in OpenVPN.exe (not yet available).

(i) is usable without any support in OpenVPN.exe, but a side effect is that an OTP field will always appear in the auth-user-pass dialogs: one has to just leave it blank if not required. Configurations that need SCRV1-formatted response will continue to work.

[PeterEduardNis]

@selvanair
What do i have to do to have the exe file with the customization? I downloaded

but there is no checkbox for "Prompt for OTP....."

Thank you in advance

[selvanair]

What do i have to do to have the exe file with the customization? I downloaded

Extract the downloaded zip to a folder, stop any running openvpn-gui (right click, exit). Then double click on the openvpn-gui.exe in the extracted zip folder to run this patched version. Or run from command line as .\openvpn-gui.exe from that folder. Note that nothing is being installed, so the existing short cut on the desktop will continue to point to the currently installed version.

As usual, the GUI icon will show up in the tray. Go to the settings menu, "general" tab and look for the new setting at the bottom.

Make sure you are downloading from the correct link -- here it is again:
https://github.com/selvanair/openvpn-gui/actions/runs/9524885876#artifacts

[zsolks]

@selvanair For me all is working with OTP now.
I have tested it for two locations, two different clients who used OpenVpn before enable OTP, and switched to Stormshield SSL VPN Client.

Now i Can use OpenVpn to connect to them :]
Put this code on main revision
Thank You.

[PeterEduardNis]

What do i have to do to have the exe file with the customization? I downloaded

Extract the downloaded zip to a folder, stop any running openvpn-gui (right click, exit). Then double click on the openvpn-gui.exe in the extracted zip folder to run this patched version. Or run from command line as .\openvpn-gui.exe from that folder. Note that nothing is being installed, so the existing short cut on the desktop will continue to point to the currently installed version.

As usual, the GUI icon will show up in the tray. Go to the settings menu, "general" tab and look for the new setting at the bottom.

Make sure you are downloading from the correct link -- here it is again: https://github.com/selvanair/openvpn-gui/actions/runs/9524885876#artifacts

The problem was, i did not switch from German to English....
In German there is no option to "Prompt for OTP...." :-(

But thank you for your great work!!!!!

[selvanair]

The problem was, i did not switch from German to English....
In German there is no option to "Prompt for OTP...." :-(

Yes, its a WIP, changes not copied to all langauge files as yet. Will open a PR with full localization when my patch to extend static-challenge in OpenVPN core is accepted.

[selvanair]

Implemented by PRs #701 and #702. Closing.