Bug #8122


openvpn client is unable to use OTP (temporary) passwords

Added by Sorin Sbarnea over 6 years ago. Updated about 6 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:


While the upstream OpenVPN client is able to load one-time passwords from the file mentioned by the auth-user-pass parameter, it seems the pfsense prevents users from using it.

a) if user does not specify user/password the UI is forcing them to pick certificate authentication method which would break login

b) if user is specifying user/pass, pfsense will save them inside a file like /var/etc/openvpn/client1.up and add the "auth-user-pass /var/etc/openvpn/client1.up" to the config.

This means that even if a power-user managed to create this file with the temporary credentials, these will be overriden and the login process would fail.

If the user is trying to manually specialy the auth-user-pass param as advanced config options, the final openvpn config file will contain that option twice, and the openvpn client will just load the first one, which happens to always be the one invariable user/password combination specified int the UI.

Due to the combination of a) and b) the user is totally unable to configure OTP logins.

There may be multiple ways to address this issue but one option that could be very friendly would be to allow to specify command that generates the password (stdout = password).

One real use case is that user would put there something like: echo -e "fixedpart$(/usr/local/bin/oathtool --totp -b AABBCC...)"
By allowing an arbitrary command to be run, you would give users flexibility to gather their temporary password from various sources like cli tools or even from the web by using curl.

Another option that could work it would be to make the "Custom options" override system options, so if someone defines a line starting with auth-user-pass on custom options, this would override the openvpn line instead of just being appended to the file.

This 2nd approach would fully work if pfsense network up is also able to execute a "pre-up" shell command before trying to establish a connection. I observed as being possible to do this with Viscosity OpenVPN client and also with the Linux OpenVPN client but not with pfsense. If this is possible, is clearly not documented. Being able to run a pre-up command is essential in order to be able to write temporary/OTP credentials into the auth-user-pass file.


pfsense-ovpn-otp-auth-script.png (188 KB) pfsense-ovpn-otp-auth-script.png Sorin Sbarnea, 04/14/2018 02:19 AM

Also available in: Atom PDF