Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
OpenVPN TOTP Auth Python Script
- Host: GitHub
- URL: https://github.com/snuffy2/openvpn_otp_auth
- Owner: Snuffy2
- License: apache-2.0
- Created: 2023-07-30T03:34:38.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-06-30T02:45:56.000Z (7 months ago)
- Last Synced: 2024-10-20T23:17:01.800Z (3 months ago)
- Language: Python
- Size: 46.9 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# OpenVPN TOTP Auth Python Script
* Validates the OpenVPN username, password and TOTP read from the credentials file whose path is passed as the first argument when the OpenVPN server invokes the script through `auth-user-pass-verify ... via-file`.
* TOTP (also known as 2FA or MFA) works with Google Authenticator or any other authenticator app that implements standard TOTP.
* User management is done from the CLI; user credentials and sessions are stored in SQLite databases.

## Installation
1. Place the openvpn_otp_auth.py script in a location that ideally won't be removed by system updates (e.g. /etc/config/openvpn_otp_auth).
2. Run: `python openvpn_otp_auth.py --install` to build the config file `openvpn_otp_auth.conf` in the same folder as the python script.
3. Review the config file and make any necessary changes, making sure the paths are correct and the issuer name is set. The server drops privileges to the `user`/`group` configured in server.ovpn before it runs the script, so that account must be able to execute the script and read and write both database files.

Default openvpn_otp_auth.conf (created by running `python openvpn_otp_auth.py --install`):
```
[OpenVPN OTP Auth]
; set to your business name or name of your vpn
issuer = OpenVPN OTP Auth Issuer
; where the totp qr code files are saved to
totp_out_path = /etc/config/openvpn_otp_auth
; number of hours before requiring new totp if nothing else changes
session_duration = 164
user_db_file = /etc/config/openvpn_otp_auth/users.db
session_db_file = /etc/config/openvpn_otp_auth/sessions.db
```

Example server.ovpn (incomplete):
```
mode server
server xx.yy.zz.0 255.255.255.0
port 1234
proto udp4
dev tun0
topology subnet
verb 3
mute 10
log-append '/var/log/openvpn.log'
status '/var/log/openvpn-status.log'
status-version 2
persist-key
persist-tun
user openvpn
group openvpn
script-security 2
auth-user-pass-verify /etc/config/openvpn_otp_auth/openvpn_otp_auth.py via-file
auth-gen-token 0 external-auth
reneg-sec 3600
keepalive 10 60
explicit-exit-notify
client-to-client
username-as-common-name
mtu-test
push "persist-key"
push "persist-tun"
push "topology subnet"
push "route xx.yy.bb.0 255.255.255.0"
push "dhcp-option DNS xx.yy.bb.1"
push "dhcp-option DOMAIN-SEARCH vpn"
```

Example client.ovpn (incomplete):
```
client
remote vpn.server.address port
proto udp4
dev tun
verb 3
nobind
persist-key
persist-tun
remote-cert-tls server
resolv-retry 5
connect-retry-max 5
explicit-exit-notify
auth-user-pass
auth-nocache
auth-retry interact
static-challenge "Enter Authentication Code (TOTP)" 1
```

## Command Line Options
| Option | Description |
| --- | --- |
| `-h`, `--help` | Show the help message and exit |
| `--install` | Generate the config file with default values |
| `--adduser <username>` | Add a new user |
| `--deluser <username>` | Delete an existing user |
| `--changepass <username>` | Change the password for an existing user |
| `--changetotp <username>` | Generate a new TOTP secret for an existing user |
| `--showtotp <username>` | Show the TOTP for an existing user |
| `--listusers` | List all users |

### Notes
* Put the username in quotes if you get errors about too few or too many arguments.
* When a new user is created or a user's TOTP is changed, the TOTP QR code and URL are displayed and also saved to a file called `<username>.totp`. That file holds the shared secret in plain text, so keep it readable only by the administrator and delete it once the user has enrolled.

## Authors
* **Current Author:** @Snuffy2
* **Initial Author:** @roman-vynar
* **Expanded from:** https://github.com/roman-vynar/random-scripts
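The following is an added example, not the project's openvpn_otp_auth.py, showing what a `via-file` `auth-user-pass-verify` handler has to do with the file OpenVPN hands it in the server.ovpn / client.ovpn setup above. Because the client uses `static-challenge`, the second line of that file is not the bare password but `SCRV1:<base64(password)>:<base64(response)>`, and the handler has to unpack it before checking anything. The in-memory user store, the PBKDF2-SHA256 password hashing and the RFC 6238 test-vector secret are assumptions made for the example; the project keeps users in SQLite, and its hashing scheme is not described on this page.

```python
"""Added example (not the project's own script): verify a via-file
credentials file that carries a static-challenge TOTP response.
"""
import base64
import hashlib
import hmac
import os
import struct
import sys
import time

# With 'static-challenge' on the client, OpenVPN writes the password line as
#   SCRV1:<base64(password)>:<base64(response)>
SCRV1_PREFIX = "SCRV1:"

# RFC 6238 test-vector secret ("12345678901234567890" in base32), used only so
# the sample run is reproducible; real secrets come from --adduser.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def encode_scrv1(password, response):
    """Build the password line a static-challenge client sends."""
    return (SCRV1_PREFIX + base64.b64encode(password.encode()).decode()
            + ":" + base64.b64encode(response.encode()).decode())


def parse_via_file(text):
    """Return (username, password, totp) from the two-line via-file contents.

    Without the SCRV1 wrapper there is no TOTP; the third element is "" and
    verify() below fails closed on it.
    """
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("via-file must contain a username line and a password line")
    username, password = lines[0], lines[1]
    totp = ""
    if password.startswith(SCRV1_PREFIX):
        _, pw_b64, resp_b64 = password.split(":", 2)
        password = base64.b64decode(pw_b64).decode()
        totp = base64.b64decode(resp_b64).decode()
    return username, password, totp


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HMAC-SHA1 code for one counter value."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_matches(secret_b32, code, now=None, step=30, window=1):
    """Accept the current 30 s step plus `window` steps either side for clock drift."""
    now = int(time.time()) if now is None else now
    counter = now // step
    ok = False
    for drift in range(-window, window + 1):
        # Constant-time compare on every candidate; no early exit on a match.
        ok |= hmac.compare_digest(hotp(secret_b32, counter + drift), code)
    return ok


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def new_user_record(password, secret_b32):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "secret": secret_b32}


# Constructed user store standing in for users.db.
USER_STORE = {"alice": new_user_record("hunter2", SAMPLE_SECRET)}


def verify(store, username, password, totp, now=None):
    """True only if both the password hash and the TOTP check out."""
    record = store.get(username)
    if record is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown users
        return False
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])
    totp_ok = bool(totp) and totp_matches(record["secret"], totp, now)
    return pw_ok and totp_ok


if __name__ == "__main__":
    # OpenVPN passes the via-file path as argv[1]; exit 0 accepts, 1 rejects.
    with open(sys.argv[1], encoding="utf-8") as fh:
        user, pw, code = parse_via_file(fh.read())
    sys.exit(0 if verify(USER_STORE, user, pw, code) else 1)
```

Two details matter for a real deployment: the exit status is the only thing OpenVPN looks at, so every failure path (missing file, malformed SCRV1, unknown user) must end in a non-zero exit rather than an exception that might be mistaken for success, and the drift window should stay at one step, since every extra step widens the guessing space for a 6-digit code.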
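The enrollment side that `--adduser` and `--changetotp` imply, as an added example rather than the project's code: generate a secret, build the `otpauth://` URL an authenticator app scans (the same URL the README says is printed and saved), and write it to `<username>.totp` under `totp_out_path` from the config file shown above. QR rendering is left out; the username validation, file permissions and the `/tmp` output path in the constructed config are assumptions for the example.

```python
"""Added example (not the project's own code): TOTP enrollment for one user."""
import base64
import configparser
import os
import re
import secrets
import sys
import urllib.parse

SECTION = "OpenVPN OTP Auth"

# Constructed config mirroring the --install defaults, with a /tmp output path.
SAMPLE_CONF = """[OpenVPN OTP Auth]
issuer = OpenVPN OTP Auth Issuer
totp_out_path = /tmp/openvpn_otp_auth_example
session_duration = 164
"""


def load_conf(text):
    """Parse the openvpn_otp_auth.conf layout into a plain dict."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return dict(cp[SECTION])


def new_totp_secret(nbytes=20):
    """160-bit random secret, base32 without '=' padding, as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def otpauth_url(issuer, username, secret):
    """Key URI format: otpauth://totp/<issuer>:<user>?secret=...&issuer=...."""
    label = urllib.parse.quote(f"{issuer}:{username}", safe="")
    query = urllib.parse.urlencode(
        {"secret": secret, "issuer": issuer, "algorithm": "SHA1", "digits": 6, "period": 30},
        quote_via=urllib.parse.quote,  # %20 rather than '+' for spaces
    )
    return f"otpauth://totp/{label}?{query}"


def safe_username(username):
    """Reject anything that could escape totp_out_path when used as a file name (assumed rule)."""
    return re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._@-]*", username) is not None


def write_totp_file(conf, username, url):
    """Write the URL to <totp_out_path>/<username>.totp, readable only by the owner."""
    if not safe_username(username):
        raise ValueError(f"unsafe username: {username!r}")
    os.makedirs(conf["totp_out_path"], mode=0o700, exist_ok=True)
    path = os.path.join(conf["totp_out_path"], username + ".totp")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(url + "\n")
    return path


def enroll(conf, username, secret=None):
    """Return (secret, otpauth URL, path of the written .totp file)."""
    secret = secret or new_totp_secret()
    url = otpauth_url(conf["issuer"], username, secret)
    return secret, url, write_totp_file(conf, username, url)


if __name__ == "__main__":
    conf = load_conf(SAMPLE_CONF)
    secret, url, path = enroll(conf, sys.argv[1])
    print(url)
    print("saved to", path)
```

The `.totp` file and the printed URL both contain the secret, so they are as sensitive as the user's password hash; the 0600 mode and the username check are there because the file name is derived from operator input and lands in a directory the OpenVPN service account can read.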