Closed prsquee closed 2 months ago
Interesting. The feature itself wouldn't be a big deal, but the problem is that the VPN can reconnect in any moment while the app is in the background. The app is not notified nor hooked to the reconnection event.
What's your current workaround? I need to know when a good time is to ask for a new password/passcode - I assume the password doesn't change. Could it be when you enter such a Wi-Fi network?
This is also relevant if you use e.g. TOTP as a second factor, together with a client certificate (as first factor). The way this can be solved is using --auth-gen-token on the server:
--auth-gen-token [lifetime]
After successful user/password authentication, the OpenVPN server will with this option generate a temporary authentication token and push that to the client. On the following renegotiations, the OpenVPN client will pass this token instead of the user's password. On the server side the server will do the token authentication internally and it will NOT do any additional authentications against configured external user/password authentication mechanisms.
The lifetime argument defines how long the generated token is valid. The lifetime is defined in seconds. If lifetime is not set or it is set to 0, the token will never expire.
This feature is useful for environments which are configured to use One Time Passwords (OTP) as part of the user/password authentications and that authentication mechanism does not implement any auth-token support.
Well, I don't have a good workaround to be honest. Also I don't have to be always on my work VPN, so if I need to access a specific internal service, I just connect manually with OpenVPN Connect, since I don't have any secret saved, it will prompt me for a password, then I'd use 1Password to fill in everything. After I'm done, I just put the device into sleep and let the connection timeout. OpenVPN won't try to reconnect since it does not have any secret saved.
It's not that much of a hassle, especially since using a password manager can be helpful. But then again, I'm not always on my work VPN.
For Passepartout to be useful in this scenario, it should offer something like "one time connection" or "manual connect", where it asks for the password, does not save it, and does not attempt to reconnect.
Perhaps it's viable to omit credentials persistence for that specific VPN profile. IIRC iOS should then ask for credentials upon connection. Does it make sense making this a per profile flag? Something like "Ask credentials" in the Account screen.
I think a toggle in the Account screen would work just fine. This way, if some user wants to add multiple profiles for different use cases, they can choose whether to save credentials or not.
Hi.
For a physically separate OTP device I don’t see any solution other than prompting, as I can’t imagine the company would want to accommodate another method.
All my servers are set up to require TOTP. PAM and the TOTP PAM module are set up such that you can either append the TOTP to the password or respond to a second challenge. This is done to accommodate clients that don’t allow for a second factor programmatically.
For TOTP, from my point of view, having the server generate and provide the OTP defeats the point of having it.
I need more coffee, and my memory of setting this up is vague, particularly for OpenVPN. So don’t take me at my word yet, but ...
There is established open source code for generating standard TOTPs. If a user has access to their secret, adding a field where they can type / paste the secret, storing it in the keychain, and generating and appending the passcode to the base password might not be too difficult.
I say that without having looked at the Passepartout code, though. So there are a lot of assumptions.
I can’t imagine this is a much requested feature and therefore surely not a priority for David, but it is of interest to me. I’ll look at the Ppt code. Maybe I can help implement this. It depends how much work/time it would take.
Thanks for this great app!!
@tarasaint that is the best approach IMHO. The secret could be an optional field in "Account", under "Username" and "Password". Or even a toggle meaning that the password is actually a secret for generating OTPs. Cosmetics, straightforward either way.
After that, it's about integrating the OTP derivation algorithm into TunnelKit, and providing the library with a new field in OpenVPN.Configuration (e.g. otpSecret: String?). The standard password field would be left empty, whereas the real password would be generated on-the-fly from otpSecret (if present) before connecting. This would be inside OpenVPNSession.
As you pointed out, my backlog has been very dense recently and this is not among my priorities, but the process is quite clear in my mind. Let me know if you need further help to work together on this sooner or later.
Hello, my work VPN doesn't allow certificates or a static password; on each connect I must enter the password together with a passcode generated by a 2-factor device. I think this setup is pretty common in an enterprise environment. Is this feature on the roadmap? Thanks for making a better OpenVPN client!
Long time no see. Question: is your 2-factor device based on a known secret/algorithm?
Hi. Sorry for the long delay getting back to you. My 2FA is plain vanilla TOTP, RFC 6238.
The Google implementation is Apache licensed, if that works for you: Google Authenticator (includes iOS but not Android). I'm guessing their code is a fairly solid way to go. The code is in C.
There is also FreeOTP iOS written in Swift, but I haven't looked closely to see if they take the TOTP and HOTP code generation from elsewhere. It is also Apache licensed.
The reason I link full apps is so you have a reference, or even a source, for how they implement reading and storing the QR/manual secret. Figured that is more helpful than just the algorithm.
When the OpenVPN server is configured to use OTP via PAM (e.g. in combination with FreeIPA and SSSD), the following configuration can be used to handle the 2FA prompt properly (it allows storing the 1st secret in the keychain but asks for the 2nd factor in the prompt):
server side:
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME First PASSWORD Second OTP"
auth-gen-token 43200
client side:
static-challenge "Enter 2FA token" 0
full configuration examples:
# openvpn server full configuration
port 443
proto tcp-server
dev tun0
tcp-nodelay
ca [inline]
cert [inline]
key [inline]
# https://community.openvpn.net/openvpn/wiki/Hardening
# from https://github.com/BetterCrypto/Applied-Crypto-Hardening/blob/2536a003e9cda7fee2b55be61b8c7e87086e41ad/src/configuration/VPNs/OpenVPN/client.conf#L116
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
cipher AES-256-CBC
auth SHA384
tls-version-min 1.2
tls-cert-profile preferred
remote-cert-tls client
server 192.168.80.0 255.255.254.0
comp-lzo
tls-server
opt-verify
tls-crypt [inline]
dh /etc/openvpn/dh1024.pem
float
# use PAM and avoid certs on the client side
verify-client-cert none
username-as-common-name
# with First and Second we are answering the according questions of pam_sss
# you can see them in the verb 7 log level of OpenVPN
# Client should have 'static-challenge "Enter 2FA token" 0' configured
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME First PASSWORD Second OTP"
auth-gen-token 43200 # 12 hours, use auth token for renegotiations to avoid broken UX with OTP requests every hour
status /var/log/openvpn.status
persist-key
persist-tun
keepalive 60 120
log /var/log/openvpn.log
verb 3
group openvpn
user openvpn
<tls-crypt>
**
</tls-crypt>
<ca>
**
</ca>
<cert>
**
</cert>
<key>
**
</key>
# openvpn client full configuration
remote vpn.example.com 443 tcp-client
nobind
dev tun
persist-tun
persist-key
compress lzo
pull
auth-user-pass
tls-client
ca [inline]
remote-cert-tls server
tls-crypt [inline]
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
auth SHA384
static-challenge "Enter 2FA token" 0 # !!! <----- required for 2FA
verify-x509-name vpn.example.com name
cipher AES-256-CBC
<tls-crypt>
**
</tls-crypt>
<ca>
**
</ca>
Just wanted to point out that asking for a password on each connection attempt would make the app useful for me, too! A VPN I rely on requires a TOTP appended to the password as the VPN password, and an automatic prompt on each connect (or reconnect) would avoid the hassle of changing it in the account settings each time!
@lstwn truth is, I started working on this last November, but life + job took over. Hopefully, I can pick this up soon again.
Question: do you really mean to authenticate with your password, first, and then a second time with the OTP?
Because I addressed the subject of this issue in #259 (see the video, password prompt is presented on each connect), but I tend to think that you're looking for true 2FA instead.
Personally, my VPN is set up on OPNsense via the OpenVPN plugin. Every time I connect, I have to insert password+totp in the password field all at once. My TOTP is generated by the Authy app (same as Google Authenticator).
TOTP is a different story in that it does not require interactive user input. I'd like to know if manual OTP requires password authentication to fail first.
I have an OpenVPN server that uses Duo 2FA. I can save my username and password in the official client, but when connecting and after it has sent the saved password, it will pop up a prompt asking me to enter my 2FA.
The thing with Duo is, I need to enter the word "push" in this prompt so I can get a push notification from Duo asking me to approve the login. So if implementing a popup is complex, would you be able to implement a feature to automatically answer 2FA requests with "push"? It's actually super annoying that I have to enter this manually in the official client every time I connect, given that it's just a fixed string.
I am voting for this issue. I also use Duo 2FA and I need to pass the prompt when asked for the MFA code for OpenVPN. This feature is controlled by the static-challenge configuration option.
Great news to have 2FA integrated in 2.4.0. I've been waiting for this for a long time :D
Any date for 2.4.0?
@keeshux as far as I can see - no, this is usually done via the static-challenge flag or by adding the token to the password.
This will be implemented in the next version (3.0.0). Closing!
The interactive auth implementation in 3.0 still doesn’t work for Duo 2FA. It seems this option merely asks the user to input a username/password before attempting to connect. However, no prompt is shown when the server requests me to enter the 2FA code, and more importantly, there’s no option to configure a fixed response to this (ideally it should automatically respond with “push”).
@cynix I opened #713 for this particular use case.