{"id":39057700,"url":"https://github.com/ufukty/ovpn-auth","last_synced_at":"2026-01-17T18:01:45.214Z","repository":{"id":162236682,"uuid":"382600722","full_name":"ufukty/ovpn-auth","owner":"ufukty","description":"Simple to use, easy to deploy 2FA login for OpenVPN servers","archived":false,"fork":false,"pushed_at":"2025-11-20T09:24:23.000Z","size":2146,"stargazers_count":5,"open_issues_count":2,"forks_count":3,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-11-20T09:27:54.921Z","etag":null,"topics":["authentication","golang","openvpn","password","security","totp","two-factor-authentication"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ufukty.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2021-07-03T11:40:23.000Z","updated_at":"2025-11-20T08:40:35.000Z","dependencies_parsed_at":"2024-05-28T19:13:24.138Z","dependency_job_id":"28dd5465-6595-49c3-b4fc-46eea3f90717","html_url":"https://github.com/ufukty/ovpn-auth","commit_stats":null,"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"purl":"pkg:github/ufukty/ovpn-auth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ufukty%2Fovpn-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ufukty%2Fovpn-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ufukty%2Fovpn-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ufukty%2Fovpn-auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ufukty","download_url":"https://codeload.github.com/ufukty/ovpn-auth/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ufukty%2Fovpn-auth/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28514939,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T17:57:59.192Z","status":"ssl_error","status_checked_at":"2026-01-17T17:57:52.527Z","response_time":85,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","golang","openvpn","password","security","totp","two-factor-authentication"],"created_at":"2026-01-17T18:01:45.111Z","updated_at":"2026-01-17T18:01:45.176Z","avatar_url":"https://github.com/ufukty.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# `ovpn-auth`\n\n`ovpn-auth` is a easy-to-use multi-factor authentication solution for OpenVPN that supports both password and Time-Based OTP nonces.\n\n## Features\n\n- 2FA login with username, password and TOTP nonce\n- Multiple users\n- Built-in mechanism to register. Scan QR code printed on terminal to TOTP app e.g. Google Authenticator\n- No dependencies \u0026 single binary =\u003e easy to deploy \u0026 use\n- Passwords are stored as Argon2id hashes\n\n### Register new users\n\n```sh\n$ ovpn-auth register\n\nEnter username: ufukty\nEnter password:\nCopy the secret or scan QR: otpauth://totp/ovpn-auth:ufukty?algorithm=SHA1\u0026digits=6\u0026issuer=ovpn-auth\u0026period=30\u0026secret=V72ILSVNVZ2FMGMJKI5UPC64XXFGPJXK\n# QR code will be printed here\nEnter TOTP nonce: 241988\nsuccess\n```\n\nThis will ask username, password and print a totp secret with QR code for it. It needs `/etc/openvpn` directory to exist.\n\n### Login\n\n\u003e [!IMPORTANT]\n\u003e Append 6 digit TOTP nonce just to the end of your password.\n\n```sh\n$ sudo openvpn client_config.ovpn\n...\nEnter Auth Username:\u003cusername\u003e\nEnter Auth Password:\u003cpassword\u003e\u003ctotp\u003e\n```\n\n## How to use\n\n### Configure server\n\n```sh\n# Locate the `/etc/openvpn` folder of server in your terminal.\ncd /etc/openvpn\n\n# Adjust permissions and ownership\nchmod 744 ovpn_auth_database.yml # Read caution below\nchown root:root ovpn_auth_database.yml\n\nchmod 755 ovpn-auth\nchown root:root ovpn-auth\n\n# Enable auth script support for OpenVPN server by editing server.conf file in the server.\necho \"script-security 2\" \u003e\u003eserver.conf\necho \"auth-user-pass-verify /etc/openvpn/ovpn-auth via-file\" \u003e\u003eserver.conf\n```\n\n\u003e [!CAUTION]\n\u003e Since, OpenVPN daemon starts the `ovpn-auth` as the user `nobody`, also the `ovpn_auth_database.yml` file should be accessible by `nobody`. That means username, password, and TOTP secret will be able to seen by anyone in the server. While it is not a big problem for argon2 hashes, you should mind the exposure of otp secret.\n\n### Configure clients\n\nIn the client configuration, make this update to enable username/password prompt when you try to connect to server:\n\n```sh\n$ echo \"auth-user-pass\" \u003e\u003e/path/to/client_config.ovpn\n```\n\n### Deployment\n\nDatabase file is portable. Just be sure it has correct permissions to let user `nobody` can read.\n\n```yml\n# /etc/openvpn/ovpn_auth_database.yml\n- username: ufukty\n  hash: $argon2id$v=19$m=65536,t=2,p=1$AQQSwAsd4DGijyj9IpTjDNJllW/owpE3C6toqtruBxs$ZDnWhrpxzB34GInI9cjAf18ddE0LaMFiPCZXbYBnUzPE7khDJLBvLgHh/P7k39j5RDwKhThwBZvyEx5hnmO43nOS694zB/w5N96zQm0MPmagVPJXCV519f1wAd0EgqxEsi77iGLptIw/FdriWuBfKpO+3ygG81tL7rJS6k6kcMQ\n  totp-secret: XJB7WISZEXY5SGTZZLL4D3OCHWDQFRDF\n```\n\n## Security\n\n### Argon2 configuration\n\n| Parameter       | Value  |\n| --------------- | ------ |\n| Mode            | id     |\n| Memory (m)      | 64 MiB |\n| Iterations (t)  | 2      |\n| Parallelism (p) | 1      |\n| Salt            | 32     |\n| Key             | 128    |\n\n\u003e [!CAUTION]\n\u003e Beware that since hashing needs significant amount of RAM to be utilized for each request, external adjustments to block requests that might lead to a DoS attack may be necessary.\n\n### Timing attacks\n\n```sh\n$ /usr/local/go/bin/go test -timeout 10s -run ^TestTimings$ github.com/ufukty/ovpn-auth/internal/login -v -count=1\n\n=== RUN   TestTimings\n=== RUN   TestTimings/invalid-totp.yml\n=== RUN   TestTimings/invalid-username.yml\n=== RUN   TestTimings/invalid-password-totp.yml\ntotal durations for all requests in same test set:\n    invalid-totp.yml          =\u003e 3.296492025s\n    invalid-username.yml      =\u003e 11.827µs\n    invalid-password-totp.yml =\u003e 11.643µs\naverage durations per request:\n    invalid-totp.yml          =\u003e 66ms\n    invalid-username.yml      =\u003e 0ms\n    invalid-password-totp.yml =\u003e 0ms\nstandard deviations (amongst all requests in one set, individually):\n    invalid-totp.yml          =\u003e 2.80ms\n    invalid-username.yml      =\u003e 0.00ms\n    invalid-password-totp.yml =\u003e 0.00ms\n--- PASS: TestTimings (3.30s)\n    --- PASS: TestTimings/invalid-totp.yml (3.30s)\n    --- PASS: TestTimings/invalid-username.yml (0.00s)\n    --- PASS: TestTimings/invalid-password-totp.yml (0.00s)\nPASS\nok      github.com/ufukty/ovpn-auth/internal/login      3.678s\n```\n\n## Contribution\n\nIssues and PRs are welcome.\n\n## Resources\n\n- https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html\n- https://github.com/P-H-C/phc-winner-argon2\n- https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/\n- https://openvpn.net/diy-mfa-setup-community-edition/\n- https://github.com/google/google-authenticator/wiki/Key-Uri-Format\n\n## License\n\nApache 2.0 License.\n\n\u003e [!CAUTION]\n\u003e Software is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\u003e Read the LICENSE file for information.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fufukty%2Fovpn-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fufukty%2Fovpn-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fufukty%2Fovpn-auth/lists"}