author | Christian Breunig <christian@breunig.cc> | 2024-05-20 10:16:43 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-05-20 10:16:43 +0200 |
commit | 93ea049954844be784f178c346e35fafdcfa439f (patch) | |
tree | c44c3c1913dfd565fae98b425e1fece957aed3c7 | |
parent | a6bab8c022e7a7f58d13a899efe5d28362e81ffe (diff) | |
parent | 6a056849d77c9184ba3004251e22946e6bfa3601 (diff) | |
download | vyos-documentation-93ea049954844be784f178c346e35fafdcfa439f.tar.gz vyos-documentation-93ea049954844be784f178c346e35fafdcfa439f.zip |
Merge pull request #1460 from srividya0208/mfa
OpenVPN: Added information about mfa settings
-rw-r--r-- | docs/configuration/interfaces/openvpn.rst | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst index 8cf579de..f51dfa94 100644 --- a/docs/configuration/interfaces/openvpn.rst +++ b/docs/configuration/interfaces/openvpn.rst 
@@ -652,6 +652,88 @@ Will add ``push "keepalive 1 10"`` to the generated OpenVPN config file. quotes. This is done through a hack on our config generator. You can pass quotes using the ``"`` statement. +*************************** +Multi-factor Authentication +*************************** + +VyOS supports multi-factor authentication (MFA) or two-factor authentication +using Time-based One-Time Password (TOTP). Compatible with Google Authenticator +software token, other software tokens. + +MFA TOTP options +================ + +.. cfgcmd:: set interfaces openvpn <interface> server mfa totp challenge <enable | disable> + + If set to enable, openvpn-otp will expect password as result of challenge/ + response protocol. + +.. cfgcmd:: set interfaces openvpn <interface> server mfa totp digits <1-65535> + + Configure number of digits to use for totp hash (default: 6) + +.. cfgcmd:: set interfaces openvpn <interface> server mfa totp drift <1-65535> + + Configure time drift in seconds (default: 0) + +.. cfgcmd:: set interfaces openvpn <interface> server mfa totp slop <1-65535> + + Configure maximum allowed clock slop in seconds (default: 180) + +.. cfgcmd:: set interfaces openvpn <interface> server mfa totp step <1-65535> + + Configure step value for totp in seconds (default: 30) + +Example +======= + +.. 
code-block:: none + + set interfaces openvpn vtun20 encryption cipher 'aes256' + set interfaces openvpn vtun20 hash 'sha512' + set interfaces openvpn vtun20 mode 'server' + set interfaces openvpn vtun20 persistent-tunnel + set interfaces openvpn vtun20 server client user1 + set interfaces openvpn vtun20 server mfa totp challenge 'disable' + set interfaces openvpn vtun20 server subnet '10.10.2.0/24' + set interfaces openvpn vtun20 server topology 'subnet' + set interfaces openvpn vtun20 tls ca-certificate 'openvpn_vtun20' + set interfaces openvpn vtun20 tls certificate 'openvpn_vtun20' + set interfaces openvpn vtun20 tls dh-params 'dh-pem' + +For every client in the openvpn server configuration a totp secret is created. +To display the authentication information, use the command: + +.. cfgcmd:: show interfaces openvpn <interface> user <username> mfa <qrcode|secret|uri> + +An example: + +.. code-block:: none + + vyos@vyos:~$ sh interfaces openvpn vtun20 user user1 mfa qrcode + █████████████████████████████████████ + █████████████████████████████████████ + ████ ▄▄▄▄▄ █▀▄▀ ▀▀▄▀ ▀▀▄ █ ▄▄▄▄▄ ████ + ████ █ █ █▀▀▄ █▀▀▀█▀██ █ █ █ ████ + ████ █▄▄▄█ █▀█ ▄ █▀▀ █▄▄▄█ █▄▄▄█ ████ + ████▄▄▄▄▄▄▄█▄█ █ █ ▀ █▄▀▄█▄▄▄▄▄▄▄████ + ████▄▄ ▄ █▄▄ ▄▀▄█▄ ▄▀▄█ ▄▄▀ ▀▄█ ▀████ + ████ ▀██▄▄▄█▄ ██ █▄▄▄▄ █▄▀█ █ █▀█████ + ████ ▄█▀▀▄▄ ▄█▀ ▀▄ ▄▄▀▄█▀▀▀ ▄▄▀████ + ████▄█ ▀▄▄▄▀ ▀ ▄█ ▄ █▄█▀ █▀ █▀█████ + ████▀█▀ ▀ ▄█▀▄▀▀█▄██▄█▀▀ ▀ ▀ ▄█▀████ + ████ ██▄▄▀▄▄█ ██ ▀█ ▄█ ▀▄█ █▀██▀████ + ████▄███▄█▄█ ▀█▄ ██▄▄▄█▀ ▄▄▄ █ ▀ ████ + ████ ▄▄▄▄▄ █▄█▀▄ ▀▄ ▀█▀ █▄█ ██▀█████ + ████ █ █ █ ▄█▀█▀▀▄ ▄▀▀▄▄▄▄▄▄ ████ + ████ █▄▄▄█ █ ▄ ▀ █▄▄▄██▄▀█▄▀▄█▄ █████ + ████▄▄▄▄▄▄▄█▄██▄█▄▄▄▄▄█▄█▄█▄██▄██████ + █████████████████████████████████████ + █████████████████████████████████████ + +Use the QR code to add the user account in Google authenticator application and +on client side, use the OTP number as password. + ********************************** OpenVPN Data Channel Offload (DCO) |
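Review bot: The value range given for ``server mfa totp digits <1-65535>`` does not match what a TOTP code can be: RFC 6238 (and the Google Authenticator family of apps the same hunk names as compatible) uses 6 to 8 digits, so either the documented range should be narrowed to what the CLI validator actually accepts or, if the validator really takes 1-65535, the text should say which values clients can use in practice. Related wording in the same hunk: ``challenge <enable | disable>`` is described only as "openvpn-otp will expect password as result of challenge/response protocol", and the example configures ``challenge 'disable'`` and then says to "use the OTP number as password", so the reader is never told what the client must enter in the ``enable`` case or how a static password combines with the OTP; one sentence per mode would close that gap. ``drift`` ("time drift in seconds") and ``slop`` ("maximum allowed clock slop in seconds") read as the same thing; please state how they differ, since the defaults (0 and 180) suggest different semantics. Finally, ``show interfaces openvpn <interface> user <username> mfa <qrcode|secret|uri>`` prints the shared TOTP seed in all three forms, so a short note that this output is equivalent to the user's second factor and should be handled like a credential (not pasted into tickets or logs) would be worth adding; minor: "Compatible with Google Authenticator software token, other software tokens." is a sentence fragment, and "totp"/"Google authenticator" should be "TOTP"/"Google Authenticator".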