
is there a way to use the private Google Authenticator

Posted: Sat Jun 05, 2021 10:38 am
by wangqinghai
Hi everyone, is there a way for the OpenVPN Access Server to use the private Google Authenticator, or can the AS Google Authenticator be called on other systems?
Because we have multiple systems that need to use Google Authenticator.
Thanks very much!!!!

Re: is there a way to use the private Google Authenticator

Posted: Sun Jun 06, 2021 3:01 am
by wangqinghai
I found a way to use post-auth.

But using the official test script, https://swupdate.openvpn.net/scripts/pascrs.py, the test was not successful.
AUTH_NULL has been set to True, but the login can still be successful, and there is no prompt to enter the year.

Code:

./sacli -k auth.module.post-auth_script --value_file=/usr/local/openvpn_as/scripts/pascrs.py ConfigPut

[True, {}]

./sacli start
RunStart warm None
{
  "errors": {},
  "last_restarted": "Sun Jun  6 10:44:44 2021",
  "service_status": {
    "api": "on",
    "auth": "on",
    "bridge": "on",
    "client_query": "on",
    "crl": "on",
    "daemon_pre": "on",
    "db_push": "on",
    "ip6tables_live": "on",
    "ip6tables_openvpn": "on",
    "iptables_live": "on",
    "iptables_openvpn": "on",
    "iptables_web": "on",
    "log": "on",
    "openvpn_0": "on",
    "openvpn_1": "on",
    "openvpn_2": "on",
    "openvpn_3": "on",
    "subscription": "on",
    "user": "on",
    "web": "on"
  }
}
Can any kind person tell me where I am wrong?

Re: is there a way to use the private Google Authenticator

Posted: Sun Jun 06, 2021 8:58 am
by chilinux
You can have OpenVPN AS assign its own Google Authenticator/TOTP passcodes by following this document:
https://openvpn.net/vpn-server-resource ... ntication/

Most TOTP apps such as Google Authenticator allow for enrolling multiple different TOTP passcodes. I recommend taking advantage of that to have different TOTP passcodes per system when possible.

Also, if you have allowed the users to generate auto-login certificates then the pascrs script will be skipped. Try revoking the user certificate to force them to download a new certificate and client profile.
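
The per-system enrollment recommended in the reply above, as an added example that is not part of the original posts and not OpenVPN code: a standard RFC 6238 verifier (the scheme Google Authenticator implements) with one secret per system, so a code issued for one system is rejected by another. The system names, the `SECRETS` table and the `login` helper are assumptions for illustration; both keys are constructed sample data (the `vpn` one is the RFC 6238 test key).

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, 30 s steps and 6 digits by default."""
    # Authenticator secrets are often shown unpadded and lower-case: normalise.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", max(int(at), 0) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, at=None, window=1, step=30):
    """Accept the current step or +/- `window` steps of clock drift."""
    at = time.time() if at is None else at
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at + drift * step, step)
        # Constant-time compare; no early exit, so timing does not leak a match.
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok


# Constructed sample data: each system holds its own secret (hypothetical names).
SECRETS = {
    "vpn": base64.b32encode(b"12345678901234567890").decode(),
    "wiki": base64.b32encode(b"constructed-wiki-key").decode(),
}


def login(system, code, at=None):
    """Hypothetical per-system check: only that system's secret is consulted."""
    return verify(SECRETS[system], code, at)


if __name__ == "__main__":
    now = 59  # fixed timestamp so the run is reproducible
    code = totp(SECRETS["vpn"], now)
    print("vpn code:", code)
    print("accepted by vpn:", login("vpn", code, now))
    print("accepted by wiki:", login("wiki", code, now))
```

Keeping a separate secret per system means a leaked or phished secret from one system cannot be used to generate valid codes for the others.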

Re: is there a way to use the private Google Authenticator

Posted: Mon Jun 07, 2021 2:12 pm
by wangqinghai
chilinux wrote:
Sun Jun 06, 2021 8:58 am
You can have OpenVPN AS assign its own Google Authenticator/TOTP passcodes by following this document:
https://openvpn.net/vpn-server-resource ... ntication/

Most TOTP apps such as Google Authenticator allow for enrolling multiple different TOTP passcodes. I recommend taking advantage of that to have different TOTP passcodes per system when possible.

Also, if you have allowed the users to generate auto-login certificates then the pascrs script will be skipped. Try revoking the user certificate to force them to download a new certificate and client profile.
Thanks for replying, my problem has been solved.