OpenVPN: Add support for 2FA / One-Time Password

Add two-factor authentication (2FA) to OpenVPN host connections with one-time passwords. The 2FA can be enabled or disabled per host connection and requires the client to download it's configuration again after 2FA has beend enabled for it. Additionally the client needs to configure an TOTP application, like "Google Authenticator" which then provides the second factor. To faciliate this every connection with enabled 2FA gets an "show qrcode" button after the "show file" button in the host connection list to show the 2FA secret and an 2FA configuration QRCode. When 2FA is enabled, the client needs to provide the second factor plus the private key password (if set) to successfully authorize. This only supports time based one-time passwords, TOTP with 30s window and 6 digits, for now but we may update this in the future. Signed-off-by: Timo Eissler <timo.eissler@ipfire.org>
2026-04-27 19:23:24 +02:00 · 2022-04-08 10:50:20 +02:00
parent dc124917e3
commit e1e10515ec
9 changed files with 255 additions and 6 deletions
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -979,6 +979,7 @@
 'empty profile' => 'Unbenannt',
 'enable ignore filter' => '&quot;Ignorieren&quot;-Filter ein',
 'enable javascript' => 'Javascript aktivieren',
+'enable otp' => 'Aktiviere OTP',
 'enable smt' => 'Simultaneous Multi-Threading (SMT) einschalten',
 'enable wildcards' => 'Wildcards erlauben:',
 'enabled' => 'Aktiviert:',
@@ -1903,6 +1904,7 @@
 'other login script' => 'Anderes Anmeldeskript',
 'otherip' => 'Andere IP',
 'otherport' => 'Anderer Port',
+'otp qrcode' => 'OTP QRCode',
 'our donors' => 'Unsere Unterstützer',
 'out' => 'Aus',
 'outgoing' => 'ausgehend',
@@ -2201,6 +2203,7 @@
 'secondary ntp server' => 'Sekundärer NTP-Server',
 'secondary wins server address' => 'Sekundärer WINS-Server',
 'seconds' => 'Sek.',
+'secret' => 'Geheimnis',
 'section' => 'Abschnitt',
 'secure shell server' => 'Secure Shell Server',
 'security' => 'Sicherheit',
@@ -2244,6 +2247,7 @@
 'show last x lines' => 'die letzten x Zeilen anzeigen',
 'show root certificate' => 'Root-Zertifikat anzeigen',
 'show share options' => 'Anzeige der Freigabeeinstellungen',
+'show otp qrcode' => 'Zeige OTP QRCode',
 'shuffle' => 'Zufall',
 'shutdown' => 'Herunterfahren',
 'shutdown ask' => 'Herunterfahren?',
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1018,6 +1018,7 @@
 'empty' => 'This field may be left blank',
 'empty profile' => 'empty',
 'enable' => 'Enable',
+'enable otp' => 'Enable OTP',
 'enable ignore filter' => 'Enable ignore filter',
 'enable javascript' => 'Enable javascript',
 'enable smt' => 'Enable Simultaneous Multi-Threading (SMT)',
@@ -1955,6 +1956,7 @@
 'other login script' => 'Other login script',
 'otherip' => 'other IP',
 'otherport' => 'other Port',
+'otp qrcode' => 'OTP QRCode',
 'our donors' => 'Our donors',
 'out' => 'Out',
 'outgoing' => 'outgoing',
@@ -2253,6 +2255,7 @@
 'secondary ntp server' => 'Secondary NTP server',
 'secondary wins server address' => 'Secondary WINS server address',
 'seconds' => 'Secs',
+'secret' => 'Secret',
 'section' => 'Section',
 'secure shell server' => 'Secure Shell Server',
 'security' => 'Security',
@@ -2297,6 +2300,7 @@
 'show host certificate' => 'Show host certificate',
 'show last x lines' => 'Show last x lines',
 'show lines' => 'Show lines',
+'show otp qrcode' => 'Show OTP QRCode',
 'show root certificate' => 'Show root certificate',
 'show share options' => 'Show shares options',
 'show tls-auth key' => 'Show tls-auth key',