Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/interfaces-openvpn.py | 18 | ||||
-rwxr-xr-x | src/op_mode/show_openvpn_mfa.py (renamed from src/op_mode/show_openvpn_2fa.py) | 12 |
2 files changed, 22 insertions, 8 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 365d0982e..220c4f157 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -80,6 +80,11 @@ def get_config(config=None): tmp_pki = conf.get_config_dict(['pki'], key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) + # We have to get the dict using 'get_config_dict' instead of 'get_interface_dict' + # as 'get_interface_dict' merges the defaults in, so we can not check for defaults in there. + tmp_openvpn = conf.get_config_dict(base + [os.environ['VYOS_TAGNODE_VALUE']], key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + openvpn = get_interface_dict(conf, base) if 'deleted' not in openvpn: @@ -89,6 +94,14 @@ def get_config(config=None): openvpn['daemon_user'] = user openvpn['daemon_group'] = group + # We have to cleanup the config dict, as default values could enable features + # which are not explicitly enabled on the CLI. Example: server mfa totp + # originate comes with defaults, which will enable the + # totp plugin, even when not set via CLI so we + # need to check this first and drop those keys + if 'totp' not in tmp_openvpn['server']: + del openvpn['server']['mfa']['totp'] + return openvpn def is_ec_private_key(pki, cert_name): @@ -369,8 +382,8 @@ def verify(openvpn): if IPv6Address(client['ipv6_ip'][0]) in v6PoolNet: print(f'Warning: Client "{client["name"]}" IP {client["ipv6_ip"][0]} is in server IP pool, it is not reserved for this client.') - # add 2fa users to the file the 2fa plugin uses - if dict_search('server.2fa.totp', openvpn): + # add mfa users to the file the mfa plugin uses + if dict_search('server.mfa.totp', openvpn): if not Path(otp_file.format(**openvpn)).is_file(): Path(otp_path).mkdir(parents=True, exist_ok=True) Path(otp_file.format(**openvpn)).touch() 
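Review bot: `os.environ['VYOS_TAGNODE_VALUE']` in the added `conf.get_config_dict(...)` call is indexed directly, so get_config() raises a bare KeyError whenever that variable is not set in the environment. Reading it once with `ifname = os.environ.get('VYOS_TAGNODE_VALUE')` and failing with an explicit message when it is empty would make that case diagnosable. The added comment explains why the second lookup exists; it could also state that `tmp_openvpn` holds only CLI-set values and is used for presence checks only. get_config's body starts and ends outside the hunk.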
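Review bot: The added guard `if 'totp' not in tmp_openvpn['server']:` tests the wrong level and indexes a key that may be absent. The option lives at `server.mfa.totp` (the path verify() checks with `dict_search('server.mfa.totp', openvpn)`), so 'totp' would not sit directly under `server`, and the `del` appears to run even when TOTP is configured, silently leaving the interface without its second factor. `tmp_openvpn['server']` also raises KeyError for an instance with no `server` node, and the `del` raises if the defaults never added `mfa`/`totp`. Suggest `if dict_search('server.mfa.totp', tmp_openvpn) is None:` followed by `openvpn.get('server', {}).get('mfa', {}).pop('totp', None)`. Indentation is lost on this page, so whether the block sits inside `if 'deleted' not in openvpn:` cannot be confirmed from here; it should.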
@@ -590,6 +603,7 @@ def generate_pki_files(openvpn): def generate(openvpn): interface = openvpn['ifname'] directory = os.path.dirname(cfg_file.format(**openvpn)) + plugin_dir = '/usr/lib/openvpn' # we can't know in advance which clients have been removed, # thus all client configs will be removed and re-added on demand diff --git a/src/op_mode/show_openvpn_2fa.py b/src/op_mode/show_openvpn_mfa.py index 8600f755d..1ab54600c 100755 --- a/src/op_mode/show_openvpn_2fa.py +++ b/src/op_mode/show_openvpn_mfa.py @@ -24,7 +24,7 @@ from vyos.util import popen otp_file = '/config/auth/openvpn/{interface}-otp-secrets' -def get_2fa_secret(interface, client): +def get_mfa_secret(interface, client): try: with open(otp_file.format(interface=interface), "r") as f: users = f.readlines() @@ -34,7 +34,7 @@ def get_2fa_secret(interface, client): except: pass -def get_2fa_uri(client, secret): +def get_mfa_uri(client, secret): hostname = socket.gethostname() fqdn = socket.getfqdn() uri = 'otpauth://totp/{hostname}:{client}@{fqdn}?secret={secret}' 
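Review bot: `plugin_dir = '/usr/lib/openvpn'` is assigned in generate() but nothing visible in this hunk reads it; generate() continues outside the hunk, so it may be used further down. If it is, consider a module-level constant beside the other path templates (`cfg_file`, `otp_file`, `otp_path`) with a comment such as `# directory OpenVPN loads plugin shared objects from (e.g. the TOTP plugin)`; if it is not, drop the line. Because the daemon loads code from this directory, that comment is also the place to record that it must be root-owned and not writable by the daemon user.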
@@ -42,23 +42,23 @@ def get_2fa_uri(client, secret): return urllib.parse.quote(uri.format(hostname=hostname, client=client, fqdn=fqdn, secret=secret), safe='/:@?=') if __name__ == '__main__': - parser = argparse.ArgumentParser(add_help=False, description='Show 2fa information') + parser = argparse.ArgumentParser(add_help=False, description='Show two-factor authentication information') parser.add_argument('--intf', action="store", type=str, default='', help='only show the specified interface') parser.add_argument('--user', action="store", type=str, default='', help='only show the specified users') parser.add_argument('--action', action="store", type=str, default='show', help='action to perform') args = parser.parse_args() - secret = get_2fa_secret(args.intf, args.user) + secret = get_mfa_secret(args.intf, args.user) if args.action == "secret" and secret: print(secret) if args.action == "uri" and secret: - uri = get_2fa_uri(args.user, secret) + uri = get_mfa_uri(args.user, secret) print(uri) if args.action == "qrcode" and secret: - uri = get_2fa_uri(args.user, secret) + uri = get_mfa_uri(args.user, secret) qrcode,err = popen('qrencode -t ansiutf8', input=uri) print(qrcode) |
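Review bot: Every branch in the `__main__` block is gated on `and secret`, so when get_mfa_secret() returns None (unknown user, missing file, or any error swallowed by the `except: pass` visible in the earlier hunk) the command prints nothing and exits 0. An operator cannot tell "no secret enrolled for this user" from "secrets file unreadable". Suggest handling it once, right after the lookup: `if not secret: raise SystemExit(f'No TOTP secret found for user "{args.user}" on interface "{args.intf}"')`. The new description string says 'two-factor' while the rest of the commit renames to mfa; `'Show multi-factor authentication information'` would match.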