I currently have an OpenVPN configuration on my VyOS router (config below). It’s using certificate-based authentication, which I insist on continuing to use. I’d like to enable 2FA (two-factor authentication) using TOTP (time-based one-time password algorithm), such as Google Authenticator (but not limited to GA—any app that supports the TOTP standard would work). I recently enabled TOTP 2FA for certain SSH-accessible servers not protected by my VPN, and it works great.
I found a tutorial for 2FA with OpenVPN (Enable Multi-Factor Authentication for OpenVPN | The Joe Paetzel Method), but it’s a standalone install, not within VyOS. So, my questions:
[list]
[*]Is there any built-in support for using OpenVPN’s 2FA features?
[*]If there is no built-in support and I install software (some of which I may need to compile on the VyOS machine) to support it, how is my install and config going to be affected by reboots and upgrades?
[*]Are there any other recommendations and/or guidelines I should follow?
[/list]
interfaces {
    bridge br0 {
        address 172.16.122.1/24
        aging 300
        hello-time 2
        max-age 20
        priority 0
        stp false
    }
    ethernet eth0 {
        *** public facing interface omitted for security reasons ***
    }
    ethernet eth1 {
        bridge-group {
            bridge br0
        }
        duplex auto
        hw-id 00:14:d1:20:0d:e8
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.122.254/24
        duplex auto
        hw-id 00:14:d1:20:0c:6c
        smp_affinity auto
        speed auto
    }
    openvpn vtun0 {
        bridge-group {
            bridge br0
        }
        mode server
        openvpn-option "--comp-lzo --push route-delay 10 --push route 192.168.122.0 255.255.255.0 172.16.122.1 --push dhcp-option DOMAIN nickhq.com"
        server {
            name-server 172.16.122.1
            subnet 172.16.122.0/24
            topology subnet
        }
        tls {
            ca-cert-file /config/auth/openvpn/keys/ca.crt
            cert-file /config/auth/openvpn/keys/server.crt
            dh-file /config/auth/openvpn/keys/dh1024.pem
            key-file /config/auth/openvpn/keys/server.key
        }
    }
}