On Mon, 2015-10-05 at 22:22 +0200, Olivier Mascia wrote:
> Dear all,
>
> Have you heard of any support (add-on?) for time based one time
> passwords support in OpenVPN? Along the lines of RFC6238 so it could
> be used with Google Authenticator, Microsoft Authenticator, and the
> countless alike mobile Apps. Would be interesting to get users to
> use their credentials plus a TOTP when connecting to remote access
> OpenVPN setups. In addition (or not) of certificates.
>
> On the same train, I'd really like our admins to have to use a TOTP
> in addition to login/password when connecting to pfSense for
> administration.
>

OVPN can use RADIUS. So now you need to research wiring TOTP up to RADIUS but that will be a lot easier because there will be lots of vendors with pre cast offerings and no doubt a slew of free software alternatives.

If you have Win 2008+, which is pretty likely, then that has a lot built in already. Whack an NPS role on a DC and follow one of the howtos on the wiki to get RADIUS working with pfSense and OpenVPN and then fold in TOTP afterwards.

You also have FreeRADIUS to play with. pfSense has a package for that which might be worth looking into.

Cheers
Jon
