adrienverge / openfortivpn

Client for PPP+TLS VPN tunnel services
GNU General Public License v3.0

Add support to otp token invited by email after authentication request #517

Closed augustodossantosti closed 4 years ago

augustodossantosti commented 4 years ago

I'm trying to connect to a network that sends an email with a token after a connection request. Although a prompt for a password appears on the terminal, the email with a valid token isn't sent.

On Linux I use openfortigui https://github.com/theinvisible/openfortigui, which has openfortivpn at the core, and everything works fine. After a request a prompt appears, I check my email, copy the token and then use it to connect.

DimitriPapadopoulos commented 4 years ago

@augustodossantosti It works with openfortigui, which, as you say, is a GUI built upon openfortivpn. So openfortivpn does seem to work.

Maybe you're testing the latest version 1.11.0 of openfortivpn from the command line vs. a previous version of openfortivpn from openfortigui. Is that the case?

augustodossantosti commented 4 years ago

Exactly. I'm using the latest version from the command line with a config file on macOS Catalina.

$ openfortivpn -c [path-to-file]/config

config content:

host = [my-host-ip]
port = 10443
username = [my-username]
password = [my-password]
set-routes = 1
set-dns = 1
pppd-use-peerdns = 0

Unfortunately there is no version of openfortigui for macOS.

mrbaseman commented 4 years ago

maybe try with -v -v -v and check the debug output (be cautious when posting it, there are cleartext passwords in there)

DimitriPapadopoulos commented 4 years ago

Also I'm not certain about what is the expected behaviour. Based on your experience, should openfortivpn ask for the token only or for both the token and a password?

I'm asking because your config file contains a password directive which may instruct openfortivpn not to ask for a token and use the password instead:

password = [my-password]

What happens if you remove the password line from the config file?

mrbaseman commented 4 years ago

Given the fact that the email is sent when connecting with forticlient, the mechanism itself works. The email should be sent when the user logs in with username and password. I was thinking in two directions:

It's also not clear what you are exactly seeing. You have a password in the config file and you write that there is a password prompt. Is it the prompt for the VPN password, or is it the OTP token prompt? Or, now that I am writing, I realize that it could also be the prompt for the sudo password which is required before openfortivpn is doing anything.

augustodossantosti commented 4 years ago

Some settings were missing in the connection configuration file, and the password set in the file was incorrect. The sudo password was also required. After adjusting these details the connection worked as expected.

These two parameters were added:

pppd-use-peerdns = 1
trusted-cert = [certificate]
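The resolution above came down to two config directives that were missing from the file posted earlier in the thread, plus a password that was stored in the file (which, as noted above, makes openfortivpn use it instead of prompting, and which also shows up in cleartext in `-v -v -v` output). The following is an added example, not code from the openfortivpn project or from anyone in this thread: a small linter that parses a config file in the `key = value` form shown above and reports the things a practitioner would want to know before running it. The directive names are the ones appearing in this issue; the check that `trusted-cert` is a 64-hex-digit sha256 digest reflects what openfortivpn documents for that option; the sample configs (host `192.0.2.10`, user `alice`, password `s3cret`) are constructed, not taken from the reporter.

```python
"""Lint an openfortivpn-style config file (added example, not project code).

Checks performed:
  * unknown directive names (catches typos such as "trusted_cert")
  * host / username missing
  * a cleartext `password` directive, and whether the file mode would let
    group/others read it
  * `trusted-cert` missing (no server-certificate pinning) or not a
    64-hex-digit sha256 digest
"""
import re
from typing import Dict, List, Optional

# Directive names that appear in this issue thread.
KNOWN_DIRECTIVES = {
    "host", "port", "username", "password", "set-routes", "set-dns",
    "pppd-use-peerdns", "trusted-cert",
}

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*=\s*(.*?)\s*$")
SHA256_HEX_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def parse_config(text: str) -> Dict[str, str]:
    """Parse `key = value` lines. Blank lines and `#` comments are skipped;
    a later duplicate key overwrites an earlier one. Raises on a line that
    is neither blank, comment nor key = value."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed config line: {raw!r}")
        cfg[m.group(1)] = m.group(2)
    return cfg


def lint_config(text: str, mode: Optional[int] = None) -> List[str]:
    """Return a list of human-readable findings for a config file's text.
    `mode` is the file's permission bits (e.g. 0o600), if known."""
    cfg = parse_config(text)
    findings: List[str] = []

    for key in cfg:
        if key not in KNOWN_DIRECTIVES:
            findings.append(f"unknown directive: {key}")

    for required in ("host", "username"):
        if required not in cfg:
            findings.append(f"{required} missing")

    if "password" in cfg:
        findings.append("password stored in cleartext; openfortivpn will use it "
                        "instead of prompting (remove it to be asked interactively)")
        if mode is not None and mode & 0o077:
            findings.append(f"config mode {mode & 0o777:04o} lets group/others "
                            "read the cleartext password; use 0600")

    if "trusted-cert" not in cfg:
        findings.append("trusted-cert missing: the server certificate is not pinned")
    elif not SHA256_HEX_RE.match(cfg["trusted-cert"]):
        findings.append("trusted-cert is not a 64-hex-digit sha256 digest")

    return findings


# Constructed sample resembling the config posted in this issue (placeholders
# replaced with documentation values; not the reporter's real data).
ISSUE_CONFIG = """\
host = 192.0.2.10
port = 10443
username = alice
password = s3cret
set-routes = 1
set-dns = 1
pppd-use-peerdns = 0
"""

# The same file after the two directives from the resolution were added.
# The digest value is a constructed placeholder, not a real fingerprint.
FIXED_CONFIG = ISSUE_CONFIG.replace(
    "pppd-use-peerdns = 0", "pppd-use-peerdns = 1"
) + "trusted-cert = " + "a" * 64 + "\n"


if __name__ == "__main__":
    for name, text, mode in (("issue", ISSUE_CONFIG, 0o644),
                             ("fixed", FIXED_CONFIG, 0o600)):
        print(f"--- {name} config (mode {mode:04o}) ---")
        for f in lint_config(text, mode) or ["no findings"]:
            print(" *", f)
```

Run it as a script to see both reports, or call `lint_config(open(path).read(), os.stat(path).st_mode)` on a real file. The file-mode check is the defender's half of mrbaseman's remark above: if a password has to live in the config at all, the file should not be readable by anyone else on the machine.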