authorKim Hagen <kim@sentrium.io>2021-08-17 07:04:34 -0500
committerKim Hagen <kim@sentrium.io>2021-08-17 07:04:34 -0500
commit6748dbe0100cfedf1b2f00884899e71729bfa9f3 (patch)
treee0499def57db0aa43328852f1f187af9cfcbb4d5 /data/templates/openvpn
parent415e572dfba776a981e2ec1e4331c30cd5cb59f3 (diff)
add part 2fa
Diffstat (limited to 'data/templates/openvpn')
-rw-r--r--data/templates/openvpn/server.conf.tmpl11
1 files changed, 11 insertions, 0 deletions
diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl
index 0968a18ba..91f8d7515 100644
--- a/data/templates/openvpn/server.conf.tmpl
+++ b/data/templates/openvpn/server.conf.tmpl
@@ -127,6 +127,14 @@ push "dhcp-option DNS6 {{ nameserver }}"
{% if server.domain_name is defined and server.domain_name is not none %}
push "dhcp-option DOMAIN {{ server.domain_name }}"
{% endif %}
+{% if server['2fa']['totp'] is defined and server['2fa']['totp'] is not none %}
+plugin "/usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-otp.so" "otp_secrets=/config/otp-secrets otp_slop=
+{{- server['2fa']['totp']['slop']|default(180) }} totp_t0=
+{{- server['2fa']['totp']['t0']|default(0) }} totp_step=
+{{- server['2fa']['totp']['step']|default(30) }} totp_digits=
+{{- server['2fa']['totp']['digits']|default(6)}} password_is_cr=
+{%-if server['2fa']['totp']['challenge']|default('enabled') == 'enabled' %}1{% else %}0{% endif %}"
+{% endif %}
{% endif %}
{% else %}
#
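Review bot: The guard on the first added line indexes `server['2fa']['totp']` without first checking that `server['2fa']` exists, so depending on the environment's Undefined class a server with no 2fa node may raise during rendering instead of skipping the block; consider `{% if server['2fa'] is defined and server['2fa']['totp'] is defined and server['2fa']['totp'] is not none %}`. The `otp_slop` default of 180 seconds with a 30-second step accepts codes from several steps either side of the current time, which widens the window for guessing or reusing a code; a comment such as `{# otp_slop: accepted clock skew in seconds; larger values accept more codes #}` above the plugin line would make the trade-off visible, and a tighter default is worth considering. The values are interpolated into the quoted plugin argument string without validation in this hunk, so they presumably rely on the CLI definitions to restrict them to integers. The permissions of `/config/otp-secrets` are not set here and should be confirmed as root-only wherever the file is written. The enclosing `{% if %}` blocks open outside the hunk.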
@@ -218,6 +226,9 @@ auth-user-pass {{ auth_user_pass_file }}
auth-retry nointeract
{% endif %}
+
+{% if openvpn_option is defined and openvpn_option is not none %}
+
{% if openvpn_option is defined and openvpn_option is not none %}
#
# Custom options added by user (not validated)
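Review bot: The added `{% if openvpn_option is defined and openvpn_option is not none %}` repeats the condition on the context line directly below it, and no matching `{% endif %}` is added; the diffstat's 11 insertions are all accounted for by the two hunks shown. Unless an existing `{% endif %}` happens to balance it, the template will fail to parse and no OpenVPN configuration can be generated from it. The three added lines look like a merge or paste leftover and should be dropped. The original `{% if %}` block continues past the end of the hunk.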