[GH-ISSUE #13] Bind OTP to a certificate and/or a keys for a specific client #7

Open
opened 2026-02-25 22:30:44 +03:00 by kerem · 4 comments

Originally created by @devng on GitHub (Apr 24, 2016).
Original GitHub issue: https://github.com/evgeny-gridasov/openvpn-otp/issues/13

So I am no expert on OpenVPN. I just followed this nice tutorial to set up my VPN https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04 and then added OTP support via your plugin. Everything works great. However, I have noticed one issue. I would like to use an OTP only on a certain key or certificate for a given client; currently the configuration in otp-secrets is kind of global and can unlock every key and certificate for a given client. Here is an example of what I mean:

Let's say we want to have 2 users on our VPN called, of course, Alice and Bob. So we generate a certificate for each of them and we distribute alice.crt and alice.key to Alice and give bob.crt and bob.key to Bob. Then we create an OTP entry for Bob and Alice in otp-secrets and they can log in with their TOTPs using Google Authenticator. Great. However, if for some reason Alice gets hold of bob.crt and bob.key she can still use her TOTP and not Bob's one to authenticate. So IMHO this is an issue and the TOTP secret in the otp-secrets file should only be bound to a certificate and a key. Or at least we should be able to specify for which user in otp-secrets which certificates are available.


@devng commented on GitHub (Apr 26, 2016):

I found a workaround by using the approach described here https://serverfault.com/questions/358855/how-to-prevent-users-from-sharing-certificates-in-openvpn, thus I give users a certificate with a common name as their username. This limits the users to having only one certificate, which is fine for me, but I think it would be nice if this plugin supported it out of the box.

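The binding the issue asks for (an OTP user may only authenticate with the certificate(s) assigned to them) and the workaround in the comment above (certificate CN equals the OTP username) can both be enforced server-side with an OpenVPN `auth-user-pass-verify` hook. The script below is an added example, not code from openvpn-otp or from the thread participants. It assumes OpenVPN is configured with `auth-user-pass-verify /path/to/cn-binding.sh via-env`, which exports `username` and `common_name` to the script, and it assumes a constructed user-to-CN allow-list (the one-pair-per-line format is this example's own, not something the plugin defines). With a one-to-one list it reproduces the workaround; with several CNs per user it gives the per-user certificate list the issue asks for.

```shell
#!/bin/sh
# Added example: OpenVPN "auth-user-pass-verify ... via-env" hook that rejects a
# login when the OTP username is not allowed to use the presented certificate's
# common name. Not part of openvpn-otp; OTP validation itself is still done by
# the plugin, this hook only adds the certificate binding.

# Constructed allow-list (assumption: "username cn" pairs, one per line).
# In a real deployment this would be read from a root-owned file.
ALLOWED_CNS="${ALLOWED_CNS:-alice alice
bob bob
bob bob-laptop}"

# check_cn_binding USER CN -> exit status 0 if USER may use certificate CN.
check_cn_binding() {
    user="$1"
    cn="$2"
    # Empty values or embedded whitespace can never match a single "user cn"
    # line, so reject them explicitly instead of relying on grep.
    [ -n "$user" ] && [ -n "$cn" ] || return 1
    case "$user$cn" in
        *[[:space:]]*) return 1 ;;
    esac
    # -F fixed string, -x whole line, -q no output: exact pair lookup only.
    printf '%s\n' "$ALLOWED_CNS" | grep -Fxq -- "$user $cn"
}

# Entry point when OpenVPN runs this script: the variables come from the
# environment (via-env). When run by hand without them, fall through so the
# function above can be exercised directly.
if [ -n "${username:-}" ] && [ -n "${common_name:-}" ]; then
    if check_cn_binding "$username" "$common_name"; then
        exit 0
    fi
    # Log the mismatch (never the password, which via-env also exports).
    echo "cn-binding: user '$username' may not use certificate CN '$common_name'" >&2
    exit 1
fi
```

Because OpenVPN only accepts the connection when every configured auth plugin and script succeeds, this hook composes with the otp-secrets check: Alice presenting bob.crt with her own TOTP now fails at the binding step even though her TOTP is valid. Pair it with `verify-client-cert require` so the CN is always backed by a client certificate.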

@stefjakobs commented on GitHub (Apr 20, 2017):

+1 (and thanks for sharing the workaround)


@evgeny-gridasov commented on GitHub (Apr 21, 2017):

I'll have some time next week and will see what I can do about this one.


@evgeny-gridasov commented on GitHub (Sep 7, 2017):

devng, do you want to document this and include it in readme.md? I'll accept a pull request from you.
