Hi everyone
I would like to create a Captcha Setup for the Community Version of OpenVPN with the following auth-flow:
1. Client authenticates to the server with username/password
2. Server authenticates the user (for instance by calling another script)
3. Server decides whether the username needs to provide a captcha (lookup on a configuration file)
4. Server generates a question and sends this to the user, such as "1+1=?"
5. User solves the question and submits this to the server
6. The server validates the answer and lets the user connect
I believe the dynamic challenge configuration goes in this direction.
Do you have any experience with that?
Best Regards
Mylos
Captcha as 2FA
Moderators: TinCanTech
- vnpenguin
- OpenVpn Newbie
- Posts: 14
- Joined: Sun Dec 06, 2015 7:12 am
- Location: Belgium
Re: Captcha as 2FA
How can the OpenVPN server send this question "1+1=?" to the user? By VPN client? By web site? By SMS?
mylos.86 wrote: ↑Tue Feb 08, 2022 3:29 pm
Hi everyone
I would like to create a Captcha Setup for the Community Version of OpenVPN with the following auth-flow:
1. Client authenticates to the server with username/password
2. Server authenticates the user (for instance by calling another script)
3. Server decides whether the username needs to provide a captcha (lookup on a configuration file)
4. Server generates a question and sends this to the user, such as "1+1=?"
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Captcha as 2FA
In fact, OpenVPN are working on a way to send such a challenge response but it is very complicated and still only in development.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Feb 08, 2022 3:26 pm
Re: Captcha as 2FA
I was thinking about the "Dynamic protocol" described here [1].
It seems there is the possibility to return an AUTH_FAILURE and ask for a further piece of information.
Maybe it would be possible to use this system to return the question "1+1=?" and expect the connecting client to return the information through the same channel used to provide username/password.
The problem here is that I cannot find a way to set the AUTH_FAILURE as required and return this string [2].
Through auth-user-pass-verify and client-connect I would not know how to reach it.
Would it eventually be possible by writing a plugin?
Is there anywhere a description of the information passed to a plugin and expected returns?
[1] https://openvpn.net/community-resources ... interface/
[2] CRV1:R,E:Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l:Y3Ix:Please enter token PIN
-
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Feb 08, 2022 3:26 pm
Re: Captcha as 2FA
Through the usage of the management console on the OpenVPN server I'm able to allow or deny a client connection with the help of:
- client-auth CID KID
- client-deny CID KID R [CR]
How do I send a request for the client for a dynamic challenge?
My wish would be to prompt the client with a request asking to enter the given information.
Thanks!
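Added example, not part of the original posts and not OpenVPN project code: a sketch of the server-side bookkeeping for the "1+1=?" flow, building a challenge string in the layout of sample [2] above (CRV1:flags:state_id:base64 username:text) and checking the answer when the client reconnects. It assumes the string is handed to the client as the CR argument of client-deny and that the client returns the answer as the password "CRV1::<state_id>::<response>", as the management interface notes describe; the function names and the 60-second lifetime are hypothetical.

```python
import base64
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a challenge stays valid (assumed policy)
_pending = {}       # state_id -> (username, expected answer, expiry time)

def make_challenge(username, now=None):
    """Return the CRV1 string to send as the AUTH_FAILED client reason."""
    now = time.time() if now is None else now
    a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
    state_id = secrets.token_urlsafe(24)   # unpredictable, contains no ':'
    _pending[state_id] = (username, str(a + b), now + CHALLENGE_TTL)
    user_b64 = base64.b64encode(username.encode()).decode()
    # Flags: R = a response is required, E = echo the typed response.
    return f"CRV1:R,E:{state_id}:{user_b64}:{a}+{b}=?"

def parse_challenge(crv1):
    """Split a CRV1 string into its five fields (the text may contain ':')."""
    tag, flags, state_id, user_b64, text = crv1.split(":", 4)
    if tag != "CRV1":
        raise ValueError("not a CRV1 challenge")
    return flags.split(","), state_id, base64.b64decode(user_b64).decode(), text

def verify_response(username, password, now=None):
    """Check the reconnect password 'CRV1::<state_id>::<response>'."""
    now = time.time() if now is None else now
    parts = password.split("::", 2)
    if len(parts) != 3 or parts[0] != "CRV1":
        return False
    _, state_id, response = parts
    entry = _pending.pop(state_id, None)   # single use: consumed even on failure
    if entry is None:
        return False
    user, answer, expiry = entry
    # Reject expired challenges and answers sent under a different username.
    if now > expiry or not hmac.compare_digest(user.encode(), username.encode()):
        return False
    return hmac.compare_digest(answer.encode(), response.strip().encode())
```

The state_id is random, bound to the username, expires, and is deleted on first use, so a captured answer cannot be replayed or reused for another account.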
-
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Jul 04, 2022 12:13 pm
Re: Captcha as 2FA
Could you use WEB_AUTH?
That command will make the VPN client open a webpage.
You need a web server, but when that is up the sky is the limit on what challenges you present.