is there a way to use the private Google Authenticator

wangqinghai
OpenVpn Newbie
Posts: 5
Joined: Sat Jun 05, 2021 10:30 am

is there a way to use the private Google Authenticator

Post by wangqinghai » Sat Jun 05, 2021 10:38 am

Hi everyone, is there a way for the OpenVPN Access Server to use the private Google Authenticator, or can the AS Google Authenticator be called from other systems?
We have multiple systems that need to use Google Authenticator.
Thanks very much!!!!

Re: is there a way to use the private Google Authenticator

Post by wangqinghai » Sun Jun 06, 2021 3:01 am

I found a way to use post-auth.

But using the official test script, https://swupdate.openvpn.net/scripts/pascrs.py, the test was not successful.
AUTH_NULL has been set to True, the login can still be successful, and there is no prompt to enter the year.

Code:

./sacli -k auth.module.post-auth_script --value_file=/usr/local/openvpn_as/scripts/pascrs.py ConfigPut

[True, {}]

./sacli start
RunStart warm None
{
  "errors": {},
  "last_restarted": "Sun Jun  6 10:44:44 2021",
  "service_status": {
    "api": "on",
    "auth": "on",
    "bridge": "on",
    "client_query": "on",
    "crl": "on",
    "daemon_pre": "on",
    "db_push": "on",
    "ip6tables_live": "on",
    "ip6tables_openvpn": "on",
    "iptables_live": "on",
    "iptables_openvpn": "on",
    "iptables_web": "on",
    "log": "on",
    "openvpn_0": "on",
    "openvpn_1": "on",
    "openvpn_2": "on",
    "openvpn_3": "on",
    "subscription": "on",
    "user": "on",
    "web": "on"
  }
}
Can any kind person tell me where I am wrong?

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: is there a way to use the private Google Authenticator

Post by chilinux » Sun Jun 06, 2021 8:58 am

You can have OpenVPN AS assign its own Google Authenticator/TOTP passcodes by following this document:
https://openvpn.net/vpn-server-resource ... ntication/

Most TOTP apps such as Google Authenticator allow for enrolling multiple different TOTP passcodes. I recommend taking advantage of that to have different TOTP passcodes per system when possible.

Also, if you have allowed the users to generate auto-login certificates then the pascrs script will be skipped. Try revoking the user certificate to force them to download a new certificate and client profile.

Re: is there a way to use the private Google Authenticator

Post by wangqinghai » Mon Jun 07, 2021 2:12 pm

chilinux wrote:
Sun Jun 06, 2021 8:58 am
You can have OpenVPN AS assign its own Google Authenticator/TOTP passcodes by following this document:
https://openvpn.net/vpn-server-resource ... ntication/

Most TOTP apps such as Google Authenticator allow for enrolling multiple different TOTP passcodes. I recommend taking advantage of that to have different TOTP passcodes per system when possible.

Also, if you have allowed the users to generate auto-login certificates then the pascrs script will be skipped. Try revoking the user certificate to force them to download a new certificate and client profile.

Thanks for replying, my problem has been solved.
