jkotra / eOVPN

OpenVPN Configuration Manager.
GNU General Public License v3.0

Refactor OpenVPN3 backend. #30

Closed jkotra closed 2 years ago

jkotra commented 2 years ago

WIP.

Most are related to suggestions and bugs pointed out by @dsommers in https://github.com/OpenVPN/openvpn3-linux/issues/129#issuecomment-1160611963.

... and other minor things.

dsommers commented 2 years ago

From what I see now, this probably looks reasonable. I haven't tested the code, just glared at it.

The send_auth() mechanism should be tested carefully. You can download and install OpenVPN Access Server on a virtual machine or something like that, enable two-factor auth and create a new user there. Then log in to the end-user panel as this new user and configure TOTP for that user and download a "user profile" from there (alternatively, use the openvpn3-as tool to download the profile and use openvpn3 config-dump to save the config profile to disk). But the TOTP setup must be done via web first. That way you can fully test the MFA feature.

Also, if the AS configuration profile contains static-challenge you can try to remove that line as well and see that your client still behaves properly. static-challenge will ask for the TOTP token before connecting. Without it, only username/password will be asked for and when connecting, the server will reject the connection and ask for the TOTP token and then a new connection attempt can be tried.

There is also one more authentication method used by OpenVPN Cloud; web based authentication. That method will send a URL back to the client when connecting and the front-end will need to open that URL where the credentials are entered. On success, the client connection gets fully connected. Otherwise it disconnects. You can sign up for a free OpenVPN Cloud and create a user there. Similar approach as with Access Server, login as the end user and download a new connection profile.

Both the openvpn2 (which is written in Python) and openvpn3 session-start command lines are capable of handling all these authentication methods. So it should be possible to verify the behavior there.
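To exercise the two challenge paths described above without a phone app, here is an added Python example; it is not code from eOVPN or openvpn3-linux. It contains an RFC 6238 TOTP generator (checked against the RFC test vectors) plus the encodings OpenVPN uses for a static challenge (password field "SCRV1:<b64 password>:<b64 response>", sent up front when the profile has static-challenge) and a dynamic challenge (server rejects with "CRV1:<flags>:<state_id>:<b64 username>:<text>", client retries with password "CRV1::<state_id>::<response>"). The secret, state id and challenge text are constructed for the example. In practice openvpn3-linux performs this encoding itself once the front-end fills the user-input slots; the block is for checking what the server should accept at each step.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def totp_from_base32(secret_b32: str, **kw) -> str:
    """Authenticator-style secrets (as shown in the AS user panel) are base32,
    usually without padding and sometimes with spaces."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return totp(base64.b32decode(cleaned), **kw)


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def static_challenge_password(password: str, response: str) -> str:
    """Password field sent when the profile has static-challenge and the
    token was collected before connecting: SCRV1:<b64 password>:<b64 response>."""
    return f"SCRV1:{_b64(password)}:{_b64(response)}"


def parse_dynamic_challenge(auth_failed_reason: str) -> dict:
    """Parse the AUTH_FAILED reason the server sends when no static-challenge
    was supplied: CRV1:<flags>:<state_id>:<b64 username>:<challenge text>.
    Flags: E = echo the response, R = a response is required."""
    if not auth_failed_reason.startswith("CRV1:"):
        raise ValueError("not a dynamic challenge: %r" % auth_failed_reason)
    _, flags, state_id, user_b64, text = auth_failed_reason.split(":", 4)
    flag_set = set(flags.split(",")) if flags else set()
    return {
        "flags": flags,
        "state_id": state_id,
        "username": base64.b64decode(user_b64).decode(),
        "text": text,
        "echo": "E" in flag_set,
        "response_required": "R" in flag_set,
    }


def dynamic_challenge_password(state_id: str, response: str) -> str:
    """Password field for the second connection attempt: CRV1::<state_id>::<response>."""
    return f"CRV1::{state_id}::{response}"


if __name__ == "__main__":
    # Constructed values for the demonstration (RFC 6238 reference secret).
    secret = b"12345678901234567890"
    token = totp(secret)
    print("with static-challenge, password field:", static_challenge_password("pw", token))
    # Constructed AUTH_FAILED reason such as a server would return without static-challenge.
    reason = "CRV1:R,E:abc123:" + _b64("alice") + ":Enter your TOTP token"
    ch = parse_dynamic_challenge(reason)
    print("server asked:", ch["text"], "for", ch["username"])
    print("retry password field:", dynamic_challenge_password(ch["state_id"], token))
```

A front-end test run with this: generate the token with totp() from the secret shown in the Access Server user panel, connect once with static-challenge present in the profile and once with the line removed, and confirm that the first path sends the token before connecting while the second gets rejected, prompts, and reconnects.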

jkotra commented 2 years ago

> Both the openvpn2 (which is written in Python) and openvpn3 session-start command lines are capable of handling all these authentication methods. So it should be possible to verify the behavior there.

Thanks for the valuable feedback :+1:. I'll set up a development environment on my end and try it out.
