pieterlange / kube-openvpn

:closed_lock_with_key: Kubernetes native OpenVPN
MIT License

google authenticator support #32

Closed cemo closed 7 years ago

cemo commented 7 years ago

I have seen some docker openvpn images which are supporting google authenticator too. Would you consider supporting it?

pieterlange commented 7 years ago

Added in https://github.com/pieterlange/kube-openvpn/releases/tag/0.2.4 but not very well documented / tested.

There are also some nasty issues with regard to renegotiation of session keys, which requires the user to input new OTP tokens every $interval (1 hour default, I believe). Increasing the interval opens up new types of attacks. There are some new solutions, but they require more client config.

But this is for sure on the roadmap to be a fully supported feature. :+1:

cemo commented 7 years ago

I would like to give it a try. Are there some references to warm up with?

pieterlange commented 7 years ago

A lot of the code here is based on or even blatantly copied from https://github.com/kylemanna/docker-openvpn with some tweaks to run openvpn as a stateless service, so you can look for more docs there.

https://github.com/kylemanna/docker-openvpn/blob/master/docs/otp.md

Basically, add the following to your openvpn.tmpl:

plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
reneg-sec 0

and this to your client .ovpn files:

auth-user-pass
auth-nocache
reneg-sec 0

Note this disables the aforementioned key renegotiation.

Mount the tokens generated by ovpn_otp_user under /etc/openvpn/otp and you should be up and running with OTP. This is quite experimental at this point but should Just Work, minus some user friendliness. Let me know if this works out.
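As an added example (not code from kube-openvpn or kylemanna/docker-openvpn), here is a small Python linter that checks a client .ovpn against the recipe above and flags the renegotiation trade-off. It assumes OpenVPN's default reneg-sec of 3600 seconds when the directive is absent, and the sample profile is constructed.

```python
"""Lint a client .ovpn for the PAM/OTP recipe in this thread (auth-user-pass,
auth-nocache, reneg-sec 0). Added example, not kube-openvpn code. Assumes
OpenVPN's default reneg-sec of 3600 s and skips inline <ca>-style blocks."""

CLIENT_REQUIRED = ("auth-user-pass", "auth-nocache")
DEFAULT_RENEG_SEC = 3600  # OpenVPN default when the directive is absent

def parse_directives(text):
    """Map directive -> argument list, skipping comments and inline <block>s."""
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block:
            in_block = not line.startswith("</")  # leave block on its closing tag
            continue
        if line.startswith("<"):
            in_block = True
            continue
        name, *args = line.split()
        directives[name] = args
    return directives

def lint_otp_client(text):
    """Return (level, message) findings; ERROR/WARN mean the recipe is not met."""
    d = parse_directives(text)
    findings = [("ERROR", f"missing '{n}'") for n in CLIENT_REQUIRED if n not in d]
    reneg = (d.get("reneg-sec") or [str(DEFAULT_RENEG_SEC)])[0]
    if reneg == "0":
        findings.append(("INFO", "reneg-sec 0: key renegotiation disabled, "
                                 "so the OTP is requested once per connection"))
    else:
        findings.append(("WARN", f"reneg-sec {reneg}: a fresh OTP is demanded "
                                 f"at every renegotiation, every {reneg} s"))
    return findings

# Constructed sample profile: not a real endpoint, certificate body is a placeholder.
SAMPLE_OVPN = """\
client
dev tun
remote vpn.example.internal 1194 udp
auth-user-pass
auth-nocache
reneg-sec 0
<ca>
PLACEHOLDER
</ca>
"""
```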

pieterlange commented 7 years ago

Sort of addressed in 65b84921ce54b14e88eb802e7b4407ff8b9e34c1 - you don't need to adjust any server settings anymore (just mount the OTP seeds).

As for a roadmap: I don't plan on fully supporting this feature until openvpn 2.4 gets released in alpine stable with support for --gen-auth-token, enabling proper session renegotiation. If I have any spare time (..) I might play around with it in edge, but I'll also consider PRs of course.

pieterlange commented 7 years ago

@cemo did you get anywhere with this? Feel free to ping me on slack.

cemo commented 7 years ago

Hi @pieterlange, first of all thanks for the repo again. We are using it in production and no issue so far. I ended up giving up completely. In my roadmap I will give duo.com a try, which is more suitable for our needs.