Comments (8)
moritori
commented on June 7, 2024
1
@selvanair: thanks for your detailed explanation. I got it working now with "client-pending-auth" and a cr_text challenge and can confirm that it is working as expected without username and password.
from openvpn.
cron2
commented on June 7, 2024
Hi,
On Fri, Dec 30, 2022 at 08:05:16AM -0800, moritori wrote:
add the following to your configuration:
`
<auth-user-pass>
username
password
</auth-user-pass>
`
This is supported in the upcoming OpenVPN 2.6.0 (to be released in the
next 4 weeks), but will not be backported to 2.5.x
commit 7d48d31
Author: Antonio Quartulli ***@***.***>
Date: Sat Sep 17 15:48:32 2022 +0200
auth-user-pass: add support for inline credentials
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany ***@***.***
from openvpn.
moritori
commented on June 7, 2024
That is fantastic news. Thank you! What about (2)?
from openvpn.
cron2
commented on June 7, 2024
Hi,
On Fri, Dec 30, 2022 at 08:05:16AM -0800, moritori wrote:
(2) Additionally it would be great, if static-challenge would use an empty username and an empty password if auth-user-pass is not configured while static-challenge is.
Sorry I overlooked this question. Not sure about this one, I am not
using static-challenge myself (for the corp VPN where we use 2FA, we
put our 2FA numbers into the password).
@selvanair might have insights.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany ***@***.***
from openvpn.
moritori
commented on June 7, 2024
No worries and thanks for your effort.
That would also work for our case, however we don't want to have the need to enter the username but have it derived from the certificate as is the default behavior.
from openvpn.
selvanair
commented on June 7, 2024
Static challenge is intimately coupled with auth-user-pass and cannot be used without it. Also embedding username/password with static-challenge enabled will work only for users who run from command line (and possibly via systemd). When using a UI that talks to the management interface (like Windows OpenVPN-GUI), the challenge will not get queried if user/pass are embedded or read from a file.
For your use case, it may be better to send a CR_TEXT challenge form the server using client-pending-auth via management interface. For details see: https://github.com/OpenVPN/openvpn/blob/master/doc/management-notes.txt It will require some re-thinking of how server-side verification is implemented.
from openvpn.
schwabe
commented on June 7, 2024
Yes. As @selvanair explains it is very unlikely that we improve the old 2FA methods since we now have the much more flexible pending auth/crtext method.
from openvpn.
schwabe
commented on June 7, 2024
Closing the issue since the features are already implemented.
from openvpn.
Related Issues (20)
- OpenVPN with mbed TLS: no warning for unsupported LZO compression — successfully connects without warning but not operable HOT 8
- DNS for remote server not refreshed after power hibernation and restoring HOT 3
- --preresolve is not documented HOT 1
- Installation package download problem HOT 2
- key_state_gen_auth_control_files has subtle logic mistake HOT 2
- The OpenVPN process exits unexpectedly when using the DCO kernel module HOT 15
- tapctl.exe creates an adapter, but fails to rename it HOT 5
- Problems when reconnecting OpenVPN HOT 1
- I'm getting a certificate error when I use OpenVPN to access a website with HSTS turned on.
- The openvpn client suddenly disconnects HOT 3
- VPN stop working HOT 4
- Debian / Ubuntu: OpenVPN apt repositories HOT 2
- Unfair treatment for "Stub" Compression push? HOT 4
- connect error on kali linux HOT 9
- The visited host is unable to obtain the client IP of OpenVPN, only the IP of the OpenVPN server will be obtained HOT 1
- Cannot connect more than one client from behind a NAT firewall HOT 12
- openvpn tls handshake error in some isp like mci HOT 1
- Can openvpn’s open ports handle the following attacks? HOT 5
- Continuously sending DNS (queries/responses) HOT 4
- Name resolution not refreshed after "power hibernate-restore" on OpenVPN client PCs HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from openvpn.