opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

OpenVPN client Support MFA tokens in Configuration Settings Page #5158

Closed Xboarder56 closed 3 years ago

Xboarder56 commented 3 years ago

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

Is your feature request related to a problem? Please describe.

I'm trying to configure a client VPN on OPNsense to connect to an OpenVPN server which requires MFA to connect. It doesn't support password+totp. Trying to just append the token at the end of the password just causes it to hang.

However when testing the config on the command line it prompts for username then password then MFA code. This connects successfully while the previously mentioned method just hangs.

Describe the solution you like

Potentially have a checkbox for MFA-based OpenVPNs in the client-side settings so you can provide the MFA code required to authenticate.

Describe alternatives you considered

I haven't found any other alternatives for this besides running it on another box. The CLI method does work so it appears to be a configuration issue within the GUI.

Additional context

The options that control this in the openvpn.config seem to be:

static-challenge "Enter Authenticator Code" 1
auth-user-pass

When I set these manually via the advanced options it gives an error about no TTY being available:

neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'CHALLENGE: Enter Authenticator Code'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.

What the CLI method shows when attempting to auth:

root@OPNsense:~ # openvpn --config config.ovpn
2021-08-10 15:26:34 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-08-10 15:26:34 OpenVPN 2.5.3 amd64-portbld-freebsd12.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul 22 2021
2021-08-10 15:26:34 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
Enter Auth Username:user
Enter Auth Password:
CHALLENGE: Enter Authenticator Code111111

Logs when trying password+totp inside of the password box:

2021-08-10T15:32:38 openvpn[76595]  MANAGEMENT: Client disconnected  
2021-08-10T15:32:38 openvpn[76595]  MANAGEMENT: CMD 'state all'  
2021-08-10T15:32:38 openvpn[76595]  MANAGEMENT: Client connected from /var/etc/openvpn/client4.sock  
2021-08-10T15:32:37 openvpn[76595]  MANAGEMENT: Client disconnected  
2021-08-10T15:32:37 openvpn[76595]  MANAGEMENT: CMD 'state all'  
2021-08-10T15:32:37 openvpn[76595]  MANAGEMENT: Client connected from /var/etc/openvpn/client4.sock  
2021-08-10T15:32:37 openvpn[76595]  MANAGEMENT: Client disconnected  
2021-08-10T15:32:37 openvpn[76595]  MANAGEMENT: CMD 'state all'  
2021-08-10T15:32:37 openvpn[76595]  MANAGEMENT: Client connected from /var/etc/openvpn/client4.sock  
2021-08-10T15:32:36 openvpn[76595]  UDPv4 link remote: [AF_INET]%REMOVED%:1194   
2021-08-10T15:32:36 openvpn[76595]  UDPv4 link local: (not bound)    
2021-08-10T15:32:36 openvpn[76595]  Socket Buffers: R=[42080->42080] S=[57344->57344]    
2021-08-10T15:32:36 openvpn[76595]  TCP/UDP: Preserving recently used remote address: [AF_INET]%REMOVED%:1194
2021-08-10T15:32:36 openvpn[76595]  Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication     
2021-08-10T15:32:36 openvpn[76595]  Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication     
2021-08-10T15:32:36 openvpn[76595]  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts    
2021-08-10T15:32:36 openvpn[76595]  WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.   
2021-08-10T15:32:36 openvpn[76595]  WARNING: using --pull/--client and --ifconfig together is probably not what you want     
2021-08-10T15:32:36 openvpn[76595]  MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client4.sock    
2021-08-10T15:32:36 openvpn[47782]  library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10   
2021-08-10T15:32:36 openvpn[47782]  OpenVPN 2.5.3 amd64-portbld-freebsd12.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul 22 2021  
2021-08-10T15:32:36 openvpn[47782]  WARNING: file '/var/etc/openvpn/client4.up' is group or others accessible    
2021-08-10T15:32:36 openvpn[47782]  DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
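For the "no TTY" error quoted above: OpenVPN can also be asked for the challenge response through its management interface rather than a terminal. The following is an added example, not code from OPNsense or the OpenVPN project; it assumes a tunnel started manually with `--management <path> unix` and `--management-query-passwords` (the socket path is a placeholder), and the prompt and SCRV1 encoding follow OpenVPN's management-notes.txt.

```python
"""Answer an OpenVPN static-challenge prompt over the management socket.

Added example for this thread, not OPNsense or OpenVPN project code. It
assumes the client was started with '--management <path> unix' and
'--management-query-passwords', so the daemon asks the management client
for credentials instead of needing a TTY (the error quoted above).
Prompt and SCRV1 formats follow OpenVPN's management-notes.txt.
"""
import base64
import re
import socket

# Example prompt: ">PASSWORD:Need 'Auth' username/password SC:1,Enter Authenticator Code"
_PROMPT = re.compile(r"^>PASSWORD:Need '([^']+)' username/password SC:(\d),(.*)$")


def parse_challenge_prompt(line):
    """Return (realm, echo, challenge_text), or None if this is not a static-challenge prompt."""
    m = _PROMPT.match(line.rstrip("\r\n"))
    return None if m is None else (m.group(1), m.group(2) == "1", m.group(3))


def scrv1(password, response):
    """Pack password and one-time code the way OpenVPN expects for static challenges."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return f"SCRV1:{b64(password)}:{b64(response)}"


def answer_prompt(line, username, password, ask_code):
    """Build the management commands that answer one prompt; ask_code(text) supplies the token."""
    parsed = parse_challenge_prompt(line)
    if parsed is None:
        return []
    realm, _echo, text = parsed
    code = ask_code(text)  # e.g. getpass.getpass(text + ": ") at the console
    return [f'username "{realm}" "{username}"',
            f'password "{realm}" "{scrv1(password, code)}"']


def serve_once(sock_path, username, password, ask_code):
    """Connect to the UNIX management socket and answer the first challenge prompt."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)  # placeholder path such as /var/run/mfa-client.sock
        f = s.makefile("rw", encoding="utf-8", newline="\n")
        for line in f:
            cmds = answer_prompt(line, username, password, ask_code)
            if cmds:
                for cmd in cmds:
                    f.write(cmd + "\n")
                f.flush()
                return True
    return False
```

Because the code is still typed in at connect time, this does not make the tunnel start unattended; it only removes the need for the daemon itself to own a terminal.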
AdSchellevis commented 3 years ago

reverse token order isn't checked in the token setup, this sounds like https://github.com/opnsense/core/issues/3290#issuecomment-470026999 ?

Xboarder56 commented 3 years ago

I don't have any control over the token; this is a 3rd party that provided a TOTP and I'm trying to leverage it with the client GUI in OPNsense.

AdSchellevis commented 3 years ago

Oh, never mind, you want OPNsense as a client to use TOTP, I misread there. I don't think there will be a sequence that supports this as it should always wait for user interaction to enter the token. You can always create a tunnel manually from OPNsense (as you would do on a separate machine) and handle it there, since automatic startup isn't going to work anyway.

Xboarder56 commented 3 years ago

Yeah, gotcha. I was thinking it would be nice to have the ability to manually start up the tunnel after entering your TOTP, and because it has no expiration time it would be fine.

Yeah, I guess I could find a way to do it via the command line and try to add a route to the firewall itself manually? Is that even possible?

AdSchellevis commented 3 years ago

you should be able to attach the interface in the gui, maybe rename it first to make sure it can't overlap with anything. If there's an interface, the rest should be more or less standard.

Xboarder56 commented 3 years ago

Awesome, I'll give it a go! @AdSchellevis for all you do for the community and OPNsense!

Xboarder56 commented 3 years ago

@AdSchellevis one small hiccup: I launched the VPN from the CLI and it successfully connected and I can ping across the tunnel (it's a tun0 when running ifconfig on OPNsense); I can see the routes in OPNsense's GUI.

When I do a tcpdump -i tun0 over the tunnel I can see my SYN packets but I never get anything returned back to the local endpoint. It almost seems like the return traffic isn't getting routed back through OPNsense.

AdSchellevis commented 3 years ago

@Xboarder56 it's probably a good idea to exclude source (policy based) routing as a cause, in Firewall/Settings/Advanced check "Disable reply-to" and "Disable force gateway", next also make sure an interface is assigned and firewall rules exist.