Skip to content

durzo/openvpn-otp

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits

src

src

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

Makefile.am

Makefile.am

 
 

README.md

README.md

 
 

autogen.sh

autogen.sh

 
 

configure.ac

configure.ac

 
 

Repository files navigation

OpenVPN OTP Authentication support

This plug-in adds support for OTP time based tokens for OpenVPN. Compatible with Google Authenticator software token or software/hardware based OTP tokens.

Compile and install openvpn-otp.so file to your OpenVPN plugins directory (usually /usr/lib/openvpn or /usr/lib64/openvpn/plugins).

To bootstrap autotools (generate configure and Makefiles):

./autogen.sh

Build and install with:

./configure --prefix=/usr
make install

The default install location (PREFIX/LIB/openvpn) can be changed by passing the directory with --with-openvpn-plugin-dir to ./configure:

./configure --with-openvpn-plugin-dir=/plugin/dir

Add the following lines to your server config:

# use otp passwords
plugin /usr/lib64/openvpn/plugins/openvpn-otp.so

Add the following lines to your clients' configs:

# use username/password authentication
auth-user-pass
# do not cache auth info
auth-nocache

OpenVPN will re-negotiate username/password details every 3600 seconds by default. To disable that behaviour add the following line to both client and server configs:

# disable username/password renegotiation
reneg-sec 0

At this moment the plugin does not support any configuration. You will have to recompile it if you want any changes to otp parameters. The secret file should be placed at /etc/ppp/otp-secrets. Default OTP parameters are:

Maximum allowed clock slop = 180
T0 value for TOTP (time drift) = 0
Step value for TOTP = 30
Number of digits to use from TOTP hash = 6
Step value for MOTP = 10

The otp-secrets file format is exactly the same as for ppp-otp plugin which makes it very convenient to have PPP and OpenVPN running on the same machine and using the same secrets file. The secrets file has the following layout:

# user server type:hash:encoding:key:pin:udid client
# where type is totp or motp
#       hash should be sha1 in most cases
#       encoding is base32 or text
#       key is your key in encoding format
#       pin is a 4 digit pin
#       udid is used in motp mode
#
# use sha1/base32 for Google Authenticator
bob otp totp:sha1:base32:K7BYLIU5D2V33X6S:1234:xxx *

# use text encoding for text based format
jane otp totp:sha1:text:1234567890:9876:xxx *

When users vpn in, they will need to provide their username and pin+current OTP number from the OTP token. Example for user bob:

username: bob
password: 1234920151

Inspired by ppp-otp plugin written by GitHub user kolbyjack This plugin written by Evgeny Gridasov (evgeny.gridasov@gmail.com)

About

OpenVPN OTP token support plugin

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C 90.5%
  • C++ 9.2%
  • Shell 0.3%