Feature #13293

open

Option to set auth-gen-token in OpenVPN GUI

Added by Marcos M almost 3 years ago. Updated 6 days ago.

Status: New
Priority: Normal
Category: OpenVPN
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 25.07
Release Notes: Default

Description

This option is useful to avoid having to frequently manually re-authenticate when using MFA.

--auth-gen-token [lifetime]
After successful user/password authentication, the OpenVPN server will, with this option, generate a temporary authentication token and push it to the client. On the following renegotiations, the OpenVPN client will pass this token instead of the user's password. On the server side, the server will do the token authentication internally and will NOT do any additional authentication against the configured external user/password authentication mechanisms. The lifetime argument defines how long the generated token is valid. The lifetime is defined in seconds. If lifetime is not set, or is set to 0, the token will never expire.
This feature is useful for environments that are configured to use One Time Passwords (OTP) as part of the user/password authentication, where that authentication mechanism does not implement any auth-token support.

This should be the preferred option over increasing/disabling reneg-sec.
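A small lint for the two directives the description ties together, added here as an example (it is not code from this issue, from pfSense or from OpenVPN): it parses a pfSense custom-options string for `auth-gen-token [lifetime]` and `reneg-sec`, and flags the combinations that defeat the purpose described above. The `;`/newline separator handling and the 3600 s default for `reneg-sec` (OpenVPN's documented default) are assumptions, not stated on this page.

```python
"""Lint OpenVPN custom options for the auth-gen-token / reneg-sec interplay.
Added example, not pfSense or OpenVPN code. Handles `auth-gen-token [lifetime]`
and `reneg-sec <seconds>`, separated by ';' or newlines as in the pfSense box.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

RENEG_SEC_DEFAULT = 3600  # OpenVPN's documented default: renegotiate hourly


@dataclass
class TokenPolicy:
    token_enabled: bool = False
    token_lifetime: Optional[int] = None  # None: absent or 0, token never expires
    reneg_sec: int = RENEG_SEC_DEFAULT


def parse_custom_options(text: str) -> TokenPolicy:
    """Pick out the two directives this lint cares about; others are ignored."""
    policy = TokenPolicy()
    for directive in re.split(r"[;\n]", text):
        parts = directive.split()
        if not parts:
            continue
        name, args = parts[0], parts[1:]
        if name == "auth-gen-token":
            policy.token_enabled = True
            if args and int(args[0]) > 0:
                policy.token_lifetime = int(args[0])
        elif name == "reneg-sec" and args:
            policy.reneg_sec = int(args[0])
    return policy


def lint(text: str) -> List[str]:
    """Return findings; an empty list means the combination is sound."""
    p = parse_custom_options(text)
    findings: List[str] = []
    if not p.token_enabled:
        if p.reneg_sec == 0:
            findings.append("reneg-sec 0 disables renegotiation entirely; "
                            "prefer auth-gen-token with a bounded lifetime")
        return findings
    if p.token_lifetime is None:
        findings.append("auth-gen-token has no lifetime: the pushed token never expires")
    elif p.reneg_sec and p.token_lifetime < p.reneg_sec:
        findings.append(f"token lifetime {p.token_lifetime}s is shorter than reneg-sec "
                        f"{p.reneg_sec}s, so it expires before the first renegotiation")
    return findings
```

Feed it the contents of the server's custom options box; a token lifetime that is a multiple of `reneg-sec` (for example 43200 with the default 3600) passes cleanly.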


Files

clipboard-202406171622-03s2h.png (18.9 KB), Gianni Binomio, 06/17/2024 02:22 PM

Related issues

Related to Feature #12466: Option to Disable Renegotiation timer in OpenVPN Server (New)

Is duplicate of Feature #14924: Add Option for auth-gen-token to OpenVPN Server and OpenVPN Client Export (Duplicate)

Actions #1

Updated by Marcos M almost 3 years ago

  • Related to Feature #12466: Option to Disable Renegotiation timer in OpenVPN Server added
Actions #2

Updated by Marcos M almost 3 years ago

It's unclear if the concerns mentioned on the following link have been addressed - best to keep this as a custom option for now until that's clarified:
https://community.openvpn.net/openvpn/ticket/1147

Actions #3

Updated by Marcos M over 1 year ago

  • Is duplicate of Feature #14924: Add Option for auth-gen-token to OpenVPN Server and OpenVPN Client Export added
Actions #4

Updated by Marcos M over 1 year ago

  • Status changed from New to Duplicate
Actions #5

Updated by Marcos M over 1 year ago

  • Status changed from Duplicate to New
Actions #6

Updated by Kris Phillips about 1 year ago

Marcos M wrote in #note-2:

It's unclear if the concerns mentioned on the following link have been addressed - best to keep this as a custom option for now until that's clarified:
https://community.openvpn.net/openvpn/ticket/1147

I don't think it's relevant to hold back this feature for this. All of the items they discussed were pretty much resolved in 2.5.X. We're on 2.6.X now and there seems to have been even more significant improvement here, to the point that I've never seen anyone run into any of the weird edge cases they're discussing.

Given the difference of "people getting booted after 1 hour when using 2FA solutions" and "they might have a problem, maybe, under extremely unusual circumstances", I think adding a simple checkbox with a timeout value field isn't something we should hold back. Especially if it's off by default.

Actions #7

Updated by Sean Scarfo 11 months ago

I agree. This specific issue drove me crazy. No mention of --auth-gen-token in the pfSense documentation.

Actions #8

Updated by Gianni Binomio 10 months ago

Just add "auth-gen-token;" to custom options during the server configuration.

Actions #9

Updated by Danilo Zrenjanin 10 months ago

I've just opened a feature request to add details about this feature to our docs.
https://redmine.pfsense.org/issues/15569

Actions #10

Updated by Kris Phillips 3 months ago

Bumping this.

Is this possible as an addition for 25.03? We run into this a few times a week and manually adding advanced options to the OpenVPN server seems "hacky" to end users.

Actions #11

Updated by Phil Wardt 10 days ago

Can you check my comment here, please?
https://redmine.pfsense.org/issues/12466#change-76474

It's about this option still not fulfilling its purpose on the OpenVPN Connect app, while it works on the OpenVPN for Android app.
Also, on Android, it can only be added in the server advanced options, and cannot be used as a push option in a CSO, else we get an "out of context" error in the logs. Not sure if it is by design in the OpenVPN protocol or a limitation in Android!

Actions #12

Updated by Christian McDonald 6 days ago

  • Assignee set to Christian McDonald
  • Target version set to 2.9.0
  • Plus Target Version set to 25.07