Hi guys

We use OpenVPN 2.3 with UserName + One-Time-Password authentication (YubiKey, to be specific).

It works well, but the problem is when the connection drops for any reason the client process can't re-authenticate to the server without the user entering a new OTP. Sadly they're not immediately prompted to re-enter it and only figure that the VPN went down when connections start to time out. That's quite a nuisance.

We used to do cert-based authentication, which was good because on connection drop it re-authenticated without any user interaction and often users didn't even notice. Now that we moved to OTP, users rightfully complain about the lower comfort.

I wonder if it's possible to work around this? For example - can OpenVPN hold a session "cookie" and, provided it's been recently used (e.g. within the last 5 mins) and perhaps checking that the client IP is still the same, use it to re-authenticate without calling to PAM and OTP and all that?

That would significantly improve the user experience while keeping the connection secured with OTP.

What do you think?

Michael
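
The cookie check proposed in the message above, as an added sketch that is not part of the original post and is not OpenVPN's own code: an HMAC-signed value bound to the username and client IP that is only accepted within 5 minutes of its last issue. The names `issue_cookie`, `cookie_valid` and `MAX_IDLE_SECONDS` and the server-side secret `key` are assumptions, and how the cookie travels between OpenVPN client and server is not shown.

```python
import base64
import hashlib
import hmac
import time

MAX_IDLE_SECONDS = 300  # the "within last 5 mins" window from the message
MAC_LEN = hashlib.sha256().digest_size


def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_cookie(key, username, client_ip, now=None):
    """Issue after a full PAM/OTP login, and re-issue after each accepted reuse
    so the window slides with activity (hypothetical helper)."""
    if "\n" in username or "\n" in client_ip:
        raise ValueError("field separator not allowed in username or IP")
    ts = int(time.time() if now is None else now)
    payload = "\n".join([username, client_ip, str(ts)]).encode()
    return base64.urlsafe_b64encode(payload + _sign(key, payload)).decode()


def cookie_valid(key, cookie, username, client_ip, now=None):
    """True only if the cookie is authentic, matches this user and source IP,
    and was issued no more than MAX_IDLE_SECONDS ago. On False, fall back to
    the normal PAM/OTP path."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:  # covers binascii.Error (bad padding)
        return False
    if len(raw) <= MAC_LEN:
        return False
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    # Constant-time comparison: do not leak how many MAC bytes matched.
    if not hmac.compare_digest(mac, _sign(key, payload)):
        return False
    try:
        user, ip, ts = payload.decode().split("\n")
        issued = int(ts)
    except ValueError:
        return False
    fresh = 0 <= now - issued <= MAX_IDLE_SECONDS
    return fresh and user == username and ip == client_ip
```

A cookie like this is a bearer credential for the length of the window, so the window length and the IP binding decide how much of the OTP guarantee is kept during a reconnect.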