The user is prompted for a username and password. The username is the client's username and the password is the current one-time code generated by their MFA app, such as Authy or Google Authenticator.
Add the following flags to your OpenVPN server config:

```
script-security 2
auth-user-pass-verify /etc/openvpn/auth-otp.py via-file
username-as-common-name
# Not required, but it lets clients without `auth-user-pass` in their config use certificate-based auth only
auth-user-pass-optional
```
Add the following flag to your OpenVPN client configs. If you supplied `auth-user-pass-optional` in the server config, omitting this flag from a client config will skip username/password auth and that client will authenticate by certificate only.

```
auth-user-pass
```
You need python3 and pyotp installed:

```sh
pip3 install pyotp
```
```python
#!/usr/bin/python3
# OpenVPN auth-user-pass-verify script (via-file mode). OpenVPN writes the
# username on line 1 and the password (here, the TOTP code) on line 2 of a
# temporary file whose path is argv[1]. Exit 0 accepts, non-zero rejects.
import json
import sys

import pyotp

args = []
with open(sys.argv[1]) as f:
    args = f.readlines()

if len(args) == 0:
    # With auth-user-pass-optional, clients that send no credentials still
    # reach this script; exit 0 lets them through on their certificate alone.
    print("No auth passed")
    sys.exit(0)

username = args[0].rstrip()
password = args[1].rstrip() if len(args) > 1 else ""

if username == "":
    # Empty username: the client has no auth-user-pass, so certificate-only auth.
    sys.exit(0)

users = {}
with open('/etc/openvpn/users.json') as f:
    users = json.load(f)  # maps username -> base32 TOTP seed

if username in users:
    seed = users[username]
    totp = pyotp.TOTP(seed)
    # verify() accepts only the code for the current 30 s step by default and
    # does not remember accepted codes, so a code stays valid until the step ends.
    if totp.verify(password):
        sys.exit(0)
    else:
        sys.exit(1)
else:
    print(f'User {username} not found')
    sys.exit(1)
```
Example `/etc/openvpn/users.json`, mapping each username to its base32 TOTP seed:

```json
{
  "mom": "3TIDFSZGDUNK3U6R",
  "dad": "LYHTI3TSZSQZTRPZ",
  "sister": "NPMQEPQ77ZVTSWGM",
  "brother": "OT72ZH4VJGFBNU2P",
  "other": "Y42QY2XR32IHEOWN"
}
```
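As an added example (not part of the original script or of pyotp), the same via-file check written against the standard library, so the two properties the script above leaves out are visible: a small clock-skew window and refusal to accept the same code twice. The seed is the RFC 6238 test-vector secret rather than one of the seeds above, and `OtpVerifier`, `totp_code` and `parse_via_file` are names chosen here.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed seed: the RFC 6238 test secret "12345678901234567890" in base32.
RFC6238_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30

def totp_code(seed_b32, step, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for one time-step counter."""
    key = base64.b32decode(seed_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

class OtpVerifier:
    """Checks codes against a username -> seed map, as users.json provides."""
    def __init__(self, users, window=1):
        self.users = users
        self.window = window      # steps of clock skew tolerated either side
        self.last_step = {}       # username -> last time step already accepted

    def verify(self, username, password, now=None):
        seed = self.users.get(username)
        if seed is None:
            return False
        step = int((time.time() if now is None else now) // STEP_SECONDS)
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_step.get(username, -1):
                continue          # this step was used already: refuse a replay
            expected = totp_code(seed, candidate).encode()
            if hmac.compare_digest(expected, password.encode()):
                self.last_step[username] = candidate
                return True
        return False

def parse_via_file(text):
    """Split OpenVPN's via-file content into (username, password)."""
    lines = text.splitlines()
    username = lines[0] if len(lines) > 0 else ""
    password = lines[1] if len(lines) > 1 else ""
    return username, password
```

Because OpenVPN starts a fresh process for every login, `last_step` has to be persisted (for example to a small file under `/etc/openvpn`) for the replay check to hold between connections. In the real script, read `argv[1]`, pass its content to `parse_via_file`, treat an empty username as the certificate-only case, and exit 0 or 1 on the result of `verify()`.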