openvpn-2fa: Import a prototype of an authenticator

This script runs aside of OpenVPN and connects to the management socket.
On the socket, OpenVPN will post any new clients trying to authenticate
which will be handled by the authenticator.

If a client has 2FA enabled, it will be challenged for the current token
which will then be checked in a second pass.

Clients which do not have 2FA enabled will just be authenticated no
matter what and tls-verify will have handled the rest.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit is contained in:
Michael Tremer
2022-05-04 14:46:41 +01:00
parent c63a54f090
commit 339b84d509
4 changed files with 391 additions and 0 deletions


@@ -457,6 +457,15 @@ void setFirewallRules(void) {
}
}
static void stopAuthenticator() {
const char* argv[] = {
"/usr/sbin/openvpn-authenticator",
NULL,
};
run("/sbin/killall", argv);
}
void stopDaemon(void) {
char command[STRING_SIZE];
@@ -470,6 +479,15 @@ void stopDaemon(void) {
snprintf(command, STRING_SIZE - 1, "/bin/rm -f /var/run/openvpn.pid");
executeCommand(command);
// Stop OpenVPN authenticator
stopAuthenticator();
}
static int startAuthenticator(void) {
const char* argv[] = { "-d", NULL };
return run("/usr/sbin/openvpn-authenticator", argv);
}
void startDaemon(void) {
@@ -487,6 +505,9 @@ void startDaemon(void) {
executeCommand(command);
snprintf(command, STRING_SIZE-1, "/bin/chmod 644 /var/run/ovpnserver.log");
executeCommand(command);
// Start OpenVPN Authenticator
startAuthenticator();
}
}
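Review bot: The result of `startAuthenticator()` is discarded at its call in `startDaemon()`, so a failed launch of `/usr/sbin/openvpn-authenticator` goes unnoticed while OpenVPN itself keeps starting; since the new helper already returns `run()`'s value, the call should at least be checked, e.g. `if (startAuthenticator() != 0) { /* report failure: 2FA clients depend on the authenticator */ }`. Presumably clients with 2FA enabled cannot complete the challenge while the authenticator is down, so treating the failure as fatal for `startDaemon()` may be preferable — confirm against how OpenVPN's management-based auth behaves with no client connected. The same applies to `stopAuthenticator()` in the first hunk, which ignores `run()`'s result and is declared with empty parentheses; `static void stopAuthenticator(void)` would match `startAuthenticator(void)`. Both `startDaemon()` and `stopDaemon()` begin outside the visible hunks.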