On Thu, Mar 10, 2022 at 6:14 AM Jakob Curdes <j...@info-systems.de> wrote:
> Hello all,
>
> we are trying to implement 2FA for several existing Firebox SSL VPNs
> (which essentially uses OpenVPN on server and client side). The remote
> users all use the Windows OpenVPN client. This works perfectly without 2FA,
> and it works also if you do not need to specify the authentication domain
> on user logon. But for the migration it is necessary to do that as I cannot
> convert all users at once - the domain you enter in the username field is
> then "authpoint" instead of something like "company.private". In the 2FA
> process, the OpenVPN client then opens a text window where you can enter a
> TOTP token or a "p" for a push request. This all works with the default
> domain set, but not when specifying a domain with a backslash:
>

If you are using OpenVPN-GUI for Windows, looks like a bug.

I guess, by text window, you mean the challenge-response dialog that the GUI pops up for 2FA. Username is first input in the username/password dialog and that seems to succeed with the backslash in it. You should be able to see that the username is passed to management with the backslash replaced by "\\" (escaped).

Then the challenge-response dialog is shown when AUTH_FAILED with challenge is received, where the user types the response. In that round the username is submitted again and that seems to be failing.

Looks like a bug in the GUI -- we are not expanding the string when submitted from that dialog. Generally we use ManagementCommandFromInput() to submit user input and that does the escaping, but for this username, which is not input by the user but passed in by the server, we send it directly without escaping. Will fix if that is indeed the case.

As a quick fix, username@domain instead of domain\username may work with your server.

Selva
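As an added illustration of the escaping Selva describes (this is example code, not code from OpenVPN or OpenVPN-GUI): a minimal escaper for a double-quoted management-interface argument, its inverse as a parser would apply it, and a helper that builds the `username "Auth" "..."` command. The quoting rules (a backslash escapes a backslash or a double quote) and the exact command format are assumptions drawn from the thread, not verified against the project source.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape a string for use inside a double-quoted management-interface
 * argument: backslash and double quote are prefixed with a backslash
 * (assumed quoting rule). Returns the output length, or -1 if 'out'
 * is too small. */
int mgmt_escape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in; in++) {
        int needs = (*in == '\\' || *in == '"');
        if (n + needs + 2 > outlen)   /* room for char(s) plus NUL */
            return -1;
        if (needs)
            out[n++] = '\\';
        out[n++] = *in;
    }
    out[n] = '\0';
    return (int)n;
}

/* Inverse of mgmt_escape, as a management-side parser would read the
 * quoted argument: a backslash takes the next character literally.
 * Feeding it an UNescaped "domain\user" silently drops the backslash,
 * which is the failure mode the thread describes. */
int mgmt_unescape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in; in++) {
        if (*in == '\\' && in[1])
            in++;                     /* keep the escaped character */
        if (n + 2 > outlen)
            return -1;
        out[n++] = *in;
    }
    out[n] = '\0';
    return (int)n;
}

/* Build 'username "Auth" "<escaped>"' (assumed command shape).
 * Returns the command length, or -1 on overflow. */
int build_username_cmd(const char *user, char *cmd, size_t cmdlen)
{
    char esc[256];
    if (mgmt_escape(user, esc, sizeof esc) < 0)
        return -1;
    int r = snprintf(cmd, cmdlen, "username \"Auth\" \"%s\"", esc);
    return (r < 0 || (size_t)r >= cmdlen) ? -1 : r;
}
```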
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users