Cloudron Forum

2FA in OpenVPN App

      sayedanowar9
      wrote on last edited by
      #1

      I have enabled two-factor authentication for a user, but when I log in to the OpenVPN app, the system asks only for username and password; no 2FA code is required.

      Can we enable it for additional security?

        nebulon
        Staff
        wrote on last edited by
        #2

        Indeed, the app does not support 2FA yet, but since the frontend at least is developed by us at https://git.cloudron.io/cloudron/openvpn-app, we can add this.

          girish
          Staff
          wrote on last edited by
          #3

          @nebulon I think maybe @sayedanowar9 wants the 2FA on the OpenVPN connection and not the front end. It looks like OpenVPN supports it, but it's not easy to figure out how...

            sayedanowar9
            wrote on last edited by
            #4

            @nebulon I wanted to enable 2FA in the frontend itself. Clients are connecting using certificates, so I believe those are pretty secure.

              girish
              Staff
              wrote on last edited by
              #5

              @sayedanowar9 One issue with just using the certs is that if a cert is misplaced (it's just a file after all) or gets stolen (with all these npm/gems/pip post-installation scripts anything can happen!), then one can connect to the VPN.

              This is why most of the corporate VPNs have a passphrase or OTP to go along with the certificate. I have been meaning to implement this in the app for a while...

                sayedanowar9
                wrote on last edited by
                #6

                @girish Yes, true, 2FA in OpenVPN connect is good to have. More importantly, 2FA in the frontend is necessary, as that one is secured by a password, and users will very likely reuse the same password everywhere or may choose a very weak password.

                So for now, if you could enable 2FA in the frontend, that would be very helpful.

                  sparkwise
                  wrote on last edited by
                  #7

                  @girish Wanted to check back in on this thread. Is there a way to configure and require 2FA in order to connect a client to the OpenVPN server? I found a series of blog posts (starting with https://openvpn.net/blog/multi-factor-authentication-with-openvpn-community-edition/) that use oathtool to do this, and I'm curious to learn if those instructions would work on Cloudron as-is or if something more is required first.

                    sparkwise
                    wrote on last edited by
                    #8

                    Ideally, using the currently-supported .ovpn (or .tblk) profile + MFA (rather than username/password + MFA).

                      sparkwise
                      wrote on last edited by
                      #9

                      It seems like the libpam-google-authenticator package would need to be included in the app build. It works with any time-based one-time password tool.

                        girish
                        Staff
                        wrote on last edited by
                        #10

                        @sparkwise 2FA on the frontend is already there. I assume you mean 2FA for the VPN connection?

                          sparkwise
                          wrote on last edited by
                          #11

                          @girish I believe so. We were using the "OpenVPN Connect" Mac app on the front-end, which supports this. My understanding is that the Cloudron build of the OpenVPN server would need to be built with the libpam-google-authenticator package, in order to enable a user to enable it from the app-specific terminal (and to configure the server app to require it).

                          I ended up going a different route (switching to AWS Client VPN) so this is no longer pressing for us, but I do think it would enable a nice security enhancement.

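Added example (not part of any post above, and not code from Cloudron or the linked OpenVPN blog): one way to require a time-based OTP alongside the client certificate, as discussed in the thread, is a verification script called through OpenVPN's `auth-user-pass-verify ... via-file` hook. The user name, secret store, file paths and replay cache below are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, struct, sys, time

STEP = 30  # seconds per TOTP time step (RFC 6238 default)
# Constructed sample store: user -> base32 secret (the RFC 6238 test key).
SECRETS = {"alice": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}

def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_otp(secrets, user, code, now, last_used, window=1):
    """True if `code` is the user's TOTP within +/- `window` steps of `now`
    and its step is newer than the last one accepted (no replay)."""
    secret = secrets.get(user)
    if secret is None or len(code) != 6 or not (code.isascii() and code.isdigit()):
        return False
    current = int(now) // STEP
    for counter in range(max(current - window, 0), current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            if counter <= last_used.get(user, -1):
                return False  # same or older step already accepted
            last_used[user] = counter
            return True
    return False

def check_file(path, secrets, now, last_used):
    """OpenVPN 'via-file' hands the script a temp file: line 1 is the
    username, line 2 the password field (here carrying the OTP)."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    return len(lines) >= 2 and verify_otp(secrets, lines[0], lines[1], now, last_used)

if __name__ == "__main__" and len(sys.argv) == 2:
    # Server side (assumed path): script-security 2 and
    #   auth-user-pass-verify /path/to/this_script.py via-file
    # Exit 0 accepts the login, 1 rejects it. last_used must be persisted
    # between invocations for the replay check to hold; {} here does not.
    sys.exit(0 if check_file(sys.argv[1], SECRETS, time.time(), {}) else 1)
```

With this in place a stolen certificate file alone no longer completes a connection, because the server also demands a code derived from a secret that is not stored in the client profile.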