OpenVPN Support Forum

It's 2015—security has never been more paramount in the simplest or most important organizational or business dealings. From GitHub to Google logins to Facebook and Twitter to SSH, essentially everyone/everything supports two-factor authentication these days, most places strongly encourage it, most businesses strictly require it, and many websites strictly require it. I have 2FA enabled for GitHub, Google, DigitalOcean, Okta, SSH on my servers, and my company's enterprise OpenVPN installation. I'm trying to get it to work for my personal, free OpenVPN installation.

There are plenty of tutorials out there that show you how to hack support for 2FA into OpenVPN using the Google Authenticator PAM module—it works, kinda, sometimes, in an ugly way (the user has to enter a "username" and a "password" (TOTP token)). But someone (I don't know who) at some point decided that first-class support for 2FA should be limited to enterprise users of OpenVPN Access Server.

That's unfortunate. The OSS community has always excelled at and driven security initiatives, so it makes little since that two decades after it was introduced, a decade after it became common, and 5 years after it became mainstream, 2FA is limited to the non-free edition of an OSS product.

Please, can we get first-class support for 2FA (even if it's just free/open standards like TOTP (Google Auth, etc.), which is what most sites/organizations prefer anyway) in the free-for-everyone OpenVPN server software?

beamerblvd wrote:on my servers, and my company's enterprise OpenVPN installation. I'm trying to get it to work for my personal, free OpenVPN installation.

Did you care to make a donation ?
or do you just want it all for nothing ?

https://community.openvpn.net/openvpn/wiki/Contributing

--
Will write code for FOOD...

Well that was an unnecessarily rude response. Please understand:

1) In case there was any misunderstanding, I listed things that currently have 2FA enabled, including my (yes my) personal servers (some of which run an open source community that I fund with my own money ... *gasp*) and my employer's enterprise OpenVPN installation. I didn't mean to imply that I run a company that has an enterprise OpenVPN installation. I don't. I don't run a company at all. My employer has an enterprise OpenVPN installation. These are all things that 2FA is already working on. I'm simply suggesting that those of us (not just myself) who have non-enterprise OpenVPN installations (for personal reasons or otherwise) could use first-class 2FA support.

2) I certainly don't have the money to donate; not right now. I do contribute a good deal to the OSS community. In addition to hosting a number of OSS projects on my own servers using my own internet connection that I pay for, I contribute my coding skills to the ASF, Hibernate, Spring Framework, Jackson Mapper, and a number of other OSS projects. But I shouldn't have to justify myself to you. Please don't insinuate that I'm a selfish SOB that expects all this OSS to be handed to him on a silver platter. You don't know me. That's rude and BS. Furthermore, the OpenVPN devs don't want to see C/C++ patches from me. They'd spend more time telling me what to fix than they would writing it themselves, no doubt. I'm good with Java, C#, Python, PHP, HTML, JavaScript, SQL, and a few other minor things; I'm really good at server administration; I suck at C/C++. Besides, OSS is more about Karma than "if you expect to get something out of X project you have to contribute to the same X project."

3) The company that provides the big bucks to support OpenVPN development (read: OpenVPN Technologies, Inc.) already has code somewhere that provides first-class support to 2FA. It would be nonsensical for someone to re-write that. More than anything, I'm suggesting they share it with the OSS community so that the free OpenVPN users can have a mainstream feature.

Can you use radius authentication for your OpenVPN setup? Google Authenticator is supposed to integrate nicely with Free Radius. If your Radius is Windows based then use something like Symantec's VIP.

yes, sounds good!