Captcha as 2FA

mylos.86
OpenVpn Newbie
Posts: 3
Joined: Tue Feb 08, 2022 3:26 pm

Captcha as 2FA

Post by mylos.86 » Tue Feb 08, 2022 3:29 pm

Hi everyone

I would like to create a Captcha Setup for the Community Version of OpenVPN with the following auth-flow:
1. Client authenticates to the server with username/password
2. Server authenticates the user (for instance by calling another script)
3. Server decides whether the username needs to provide a captcha (lookup on a configuration file)
4. Server generates a question and sends this to the user, such as "1+1=?"
5. User solves the question and submits this to the server
6. The server validates the answer and lets the user connect

I believe the dynamic challenge configuration goes into this direction.
Do you have any experience with that?

Best Regards
Mylos

vnpenguin
OpenVpn Newbie
Posts: 12
Joined: Sun Dec 06, 2015 7:12 am
Location: Belgium

Re: Captcha as 2FA

Post by vnpenguin » Thu Feb 10, 2022 12:39 pm

mylos.86 wrote:
Tue Feb 08, 2022 3:29 pm
Hi everyone

I would like to create a Captcha Setup for the Community Version of OpenVPN with the following auth-flow:
1. Client authenticates to the server with username/password
2. Server authenticates the user (for instance by calling another script)
3. Server decides whether the username needs to provide a captcha (lookup on a configuration file)
4. Server generates a question and sends this to the user, such as "1+1=?"

How can the OpenVPN server send this question "1+1=?" to the user? By VPN client? By web site? By SMS?

TinCanTech
Forum Team
Posts: 10821
Joined: Fri Jun 03, 2016 1:17 pm

Re: Captcha as 2FA

Post by TinCanTech » Thu Feb 10, 2022 2:47 pm

In fact, OpenVPN are working on a way to send such a challenge response but it is very complicated and still only in development.

mylos.86
OpenVpn Newbie
Posts: 3
Joined: Tue Feb 08, 2022 3:26 pm

Re: Captcha as 2FA

Post by mylos.86 » Thu Feb 10, 2022 3:58 pm

I was thinking about the "Dynamic protocol" described here [1].
It seems there is the possibility to return an AUTH_FAILURE and ask for a further piece of information.
Maybe it would be possible to use this system to return the question "1+1=?" and expect the connecting client to return the information through the same channel used to provide username/password.
The problem here is that I cannot find a way to set the AUTH_FAILURE as required and return this string [2].
Through auth-user-pass-verify and client-connect I would not know how to reach it.
Would it eventually be possible by writing a plugin?
Is there anywhere a description of the information passed to a plugin and expected returns?


[1]
https://openvpn.net/community-resources ... interface/

[2]
CRV1:R,E:Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l:Y3Ix:Please enter token PIN

mylos.86
OpenVpn Newbie
Posts: 3
Joined: Tue Feb 08, 2022 3:26 pm

Re: Captcha as 2FA

Post by mylos.86 » Tue May 24, 2022 9:30 am

Through the usage of the management console on the OpenVPN server I'm able to allow or deny a client connection with the help of:
- client-auth CID KID
- client-deny CID KID R [CR]

How do I send a request for the client for a dynamic challenge?
My wish would be to prompt the client with a request asking to enter the given information.

Thanks!
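
The CRV1 string quoted in [2] and the answer a client sends back can be handled as below. This is an added example, not part of any post in this thread and not OpenVPN project code; the function names, the 60-second lifetime and the in-memory store are assumptions, and the `CRV1::state_id::response` password format is the one given in the OpenVPN management interface notes. How the string reaches the client (plugin or management interface) is outside the example.

```python
import base64
import hmac
import secrets
import time

CHALLENGE_TTL = 60   # seconds a challenge stays valid (assumed value)
_pending = {}        # state_id -> (username, expected answer, expiry time)

def make_challenge(username, question, answer, now=None):
    """Build the CRV1 string returned to the client as the auth-failure reason."""
    now = time.time() if now is None else now
    state_id = secrets.token_urlsafe(24)          # unguessable, contains no ':'
    _pending[state_id] = (username, answer, now + CHALLENGE_TTL)
    user_b64 = base64.b64encode(username.encode()).decode()
    # Flags: R = a response is required, E = echo the response as it is typed.
    return f"CRV1:R,E:{state_id}:{user_b64}:{question}"

def parse_challenge(crv1):
    """Split a CRV1 string into its fields (what a client does on receipt)."""
    tag, flags, state_id, user_b64, text = crv1.split(":", 4)
    if tag != "CRV1":
        raise ValueError("not a CRV1 challenge")
    return {"flags": flags.split(","), "state_id": state_id,
            "username": base64.b64decode(user_b64).decode(), "text": text}

def verify_response(username, password, now=None):
    """Check the password field of the follow-up login: CRV1::state_id::response."""
    now = time.time() if now is None else now
    parts = password.split("::", 2)
    if len(parts) != 3 or parts[0] != "CRV1":
        return False
    entry = _pending.pop(parts[1], None)          # single use: replay fails
    if entry is None:
        return False
    user, expected, expiry = entry
    fresh = now <= expiry
    match = hmac.compare_digest(parts[2].encode(), expected.encode())
    return user == username and fresh and match
```

Binding the expected answer to a random, single-use `state_id` on the server side means a captured or replayed response, or one submitted under a different username, is rejected.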
