Netgate Discussion Forum

    OpenVPN proposal

      ivica.glavocic

      Using VPN access without 2FA is insecure; most users keep their username and password saved on their computers, and if that leaks (everything is in one place, including the client certificate), we have a scenario for disaster.

      2FA is obligatory by law in the EU (GDPR, NIS2).

      From what I can see, OpenVPN with proper 2FA does not work in a user-friendly way when following the official documentation: https://www.netgate.com/blog/freeradius-on-pfsense-for-2fa

      The user can't authenticate from OpenVPN Connect when using a saved user/pass (PIN) plus an OTP prompt (static-challenge "Enter OTP" 1), because the client sends PIN + OTP and the FreeRADIUS server expects OTP + PIN.

      In my opinion, those problems should be fixed because:

      • A PIN (4-8 digits) instead of a password is not secure enough.
      • The RADIUS server expects OTP + PIN, clients send PIN + OTP, so the connection cannot be made.
      • The only way to connect is without static-challenge, with the user entering PIN + OTP, which is not user-friendly.

      The other product (we won't say which one) has a good solution that works: a native Google TOTP access server and OTP seed in the User Manager; that's practically the only thing I have seen that is better. But the OpenVPN implementation on pfSense could be a deal breaker and turn people to choosing that other product.

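As an added illustration, not code from this post, from pfSense or from FreeRADIUS, the following Python verifies a combined password field in the two orders discussed above (client sends PIN + OTP, server expects OTP + PIN). It assumes a constructed TOTP seed (the RFC 6238 test key) and a constructed 4-digit PIN, 6-digit Google-Authenticator-style codes, and a one-step clock window; a real RADIUS OTP module may split the field differently.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo values, not real credentials: the RFC 6238 test key and a 4-digit PIN.
DEMO_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()
DEMO_PIN = "4321"
OTP_DIGITS = 6
STEP = 30


def totp(seed_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits), as used by Google Authenticator."""
    key = base64.b32decode(seed_b32)
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


def split_field(field: str, otp_first: bool) -> tuple:
    """Split the combined password field into (pin, otp) for one expected order."""
    if otp_first:                                   # server expects OTP + PIN
        return field[OTP_DIGITS:], field[:OTP_DIGITS]
    return field[:-OTP_DIGITS], field[-OTP_DIGITS:]  # server expects PIN + OTP


def verify(field: str, seed_b32: str, pin: str, unix_time: int, otp_first: bool) -> bool:
    """Accept only if the PIN matches and the OTP is valid within a one-step window."""
    got_pin, got_otp = split_field(field, otp_first)
    pin_ok = hmac.compare_digest(got_pin, pin)
    otp_ok = any(hmac.compare_digest(got_otp, totp(seed_b32, unix_time + d * STEP))
                 for d in (-1, 0, 1))
    return pin_ok and otp_ok


def demo(unix_time: int = 59) -> dict:
    """Try both client concatenation orders against both server expectations."""
    otp = totp(DEMO_SEED_B32, unix_time)
    client_pin_otp = DEMO_PIN + otp   # PIN + OTP, the order the post says OpenVPN Connect sends
    client_otp_pin = otp + DEMO_PIN   # OTP + PIN, the order the post says FreeRADIUS expects
    return {
        "pin+otp vs server OTP+PIN": verify(client_pin_otp, DEMO_SEED_B32, DEMO_PIN, unix_time, True),
        "otp+pin vs server OTP+PIN": verify(client_otp_pin, DEMO_SEED_B32, DEMO_PIN, unix_time, True),
        "pin+otp vs server PIN+OTP": verify(client_pin_otp, DEMO_SEED_B32, DEMO_PIN, unix_time, False),
    }
```

Only the combination whose order matches on both sides is accepted; the mismatch case fails on the PIN comparison before the OTP is even checked.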
        viragomann @ivica.glavocic

        @ivica.glavocic said in OpenVPN proposal:

        The user can't authenticate from OpenVPN Connect when using a saved user/pass (PIN) plus an OTP prompt (static-challenge "Enter OTP" 1), because the client sends PIN + OTP and the FreeRADIUS server expects OTP + PIN.

        I use OpenVPN GUI on Windows. It sends OTP + PW to the server, in this order.
        The password can be saved, so you only have to enter the OTP.

        If you use Network Manager on Linux, which has no OTP option, you have to enter the OTP + password in the PW field.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.