auth-user-pass in client openvpn file

Posted: Thu Feb 07, 2019 9:19 pm
by aviator
Hello,

I am in the process of transitioning from passwordless to password-based authentication
using MFA. I have been able to successfully get everything done, but I would like to avoid
having to change everyone's client files and send them out again.

Is there any way for openvpn server to let the client know that password authentication
is needed, so that the user-password dialog box is prompted on the client side, even if
"auth-user-pass" directive is missing from the client.ovpn file?

If not, I am just wondering why something like this was not included in the implementation,
during initial handshake. If the server needs password authentication, then let the client
know so it can display the dialog box. If not needed, it proceeds as usual. Why should there
be a dependency on the client side to have the "auth-user-pass" directive in it?

I would appreciate it if someone knows about this and lets me know.

Thanks,
--Harman

Re: auth-user-pass in client openvpn file

Posted: Thu Feb 07, 2019 9:52 pm
by TinCanTech
aviator wrote:
Thu Feb 07, 2019 9:19 pm
Is there any way for openvpn server to let the client know that password authentication
is needed, so that the user-password dialog box is prompted on the client side, even if
"auth-user-pass" directive is missing from the client.ovpn file?
As far as I am aware, the client config file must have --auth-user-pass in order to use a password.

https://community.openvpn.net/openvpn/w ... i-userpass

Re: auth-user-pass in client openvpn file

Posted: Mon Feb 11, 2019 11:55 pm
by aviator
Thank you @TinCanTech - this just confirms what I had thought.

I was wondering if this would make for a good feature request. It seems to make perfect sense to me
for the server to tell the client upon initial contact whether or not the client needs to send userid and password.

This way the administrator does not have to update everyone's ovpn client files, or tell them to edit
and add "auth-user-pass" directive. Seems like bigger organizations could definitely use it.

If there are other people who feel strongly about this - I will open up a feature request, if I can.

Thanks,
--Harman
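
The manual step discussed in this thread, as an added example that is not part of any post: a Python check that reports whether a client profile already carries `auth-user-pass` and appends it if not, ignoring commented-out lines and the contents of inline blocks such as `<ca>`. The function names and the sample profile are constructed for illustration.

```python
import re

INLINE_OPEN = re.compile(r"^<([A-Za-z0-9_-]+)>$")

def has_auth_user_pass(profile_text):
    """Return True if an active auth-user-pass directive is present."""
    inside = None  # name of the inline block currently open, if any
    for raw in profile_text.splitlines():
        line = raw.strip()
        if inside:
            # Certificate/key material: never interpret it as directives.
            if line == f"</{inside}>":
                inside = None
            continue
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = INLINE_OPEN.match(line)
        if m:
            if m.group(1) == "auth-user-pass":
                return True  # treat an inline block of that name as present
            inside = m.group(1)
            continue
        # Tolerate a leading "--" and an optional credentials-file argument.
        if line.split()[0].lstrip("-") == "auth-user-pass":
            return True
    if inside:
        # Appending to a truncated profile would land inside the open block.
        raise ValueError(f"unclosed inline block <{inside}>")
    return False

def ensure_auth_user_pass(profile_text):
    """Return (text, changed); append the directive only when it is missing."""
    if has_auth_user_pass(profile_text):
        return profile_text, False
    sep = "" if profile_text.endswith("\n") or not profile_text else "\n"
    return profile_text + sep + "auth-user-pass\n", True

# Constructed sample: the directive appears only in a comment and inside <ca>,
# so a plain text search would wrongly report it as already configured.
SAMPLE = """client
dev tun
remote vpn.example.com 1194 udp
# auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
auth-user-pass
-----END CERTIFICATE-----
</ca>
"""
```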