leocape
commented
3 years ago Closed as I think this was due to using 2.3. Using 2.4 worked correctly although the instructions were a little different to what happened - eg when setting up the 2FA auth for the client, it did not ask to test and verify the account number, it just spat out the account it key to be added to the authenticator app - which worked fine.
The username and password are now checked correctly
Using version 2.3 With Cypher: cipher AES-256-OFB
When connecting to the VPN with a 2FA enabled user the username and password prompt shows as expected, but entering in an incorrect code (or a blank code) does not reject the connection request, the connection succeeds.
Following the debug steps at the bottom of the article confirmed that the config is correct
These are the steps I took:
docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn:2.3 easyrsa build-client-full USER2FA nopassdocker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn:2.3 ovpn_otp_user USER2FAdocker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn:2.3 ovpn_getclient USER2FA > USER2FA.ovpnOne thing I've tried both using and not using is this step below as mentioned in the doc, as it appears after doing this that it then changes the 2FA account key generated from step 2 above, which means the client needs to delete that first account and add this one instead? Not sure how to use step 2 above and this line together then. (Does not seem to make a difference to the client not needing to add the 2FA code when connecting):
google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 -l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticatorThis is the resulting config file: