pfSense » pfSense Packages

Pardon my lack of experience using openvpn, but would this request mean all someone needs is the username? TOTP really only protects against drag netting. 6 digit TOTP is no stronger than a random 6 char pin. If you want convenience, just use that. And more convenient to boot. Don't need to look at your phone every time.

Thanks for your answers.

I would agree, generally the 4 digit pin + totp makes the system safer.

Here are our thoughts, why we would do it with plain totp:
The default setup of the openvpn client allows storing the password locally, so we do not want to use a fixed password for openvpn dialin.
Also in practice, many people tend to store pins/passwords unencrypted on the system so a fixed password or an additional pin (stored side by side with the tls cert) wolud not increase security.

Without plain totp the attacker must control both devices (totp-device vpn-device), hack or steel them to gain access.
In my opinion hacking phone and vpn-client device is much harder than only to hack the vpn-device alone (so totp on the phone increases security).
More easier might be to steal both devices, but then the attacker has a phone with minimum 4 digit pin or fingerprint to hack. (which also increases security)

For our scenario this would be ok.

I will have a look, if I can find the time to provide a PR, did not do that before, so if somebody is willing to help, i would be happy.

Security Warning makes sense ...

Since the user enters the PIN alongside the randomly generated OTP code (password=PIN+CODE) I am not seeing how any client could be storing that PIN unencrypted effectively.

Allowing weaker security because some users behave in an insecure manner seems backwards, too. This is about making them more secure, not about enabling their bad behavior.