diff options
| author | Christian Breunig <christian@breunig.cc> | 2024-05-20 10:16:43 +0200 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-05-20 10:16:43 +0200 | 
| commit | 93ea049954844be784f178c346e35fafdcfa439f (patch) | |
| tree | c44c3c1913dfd565fae98b425e1fece957aed3c7 | |
| parent | a6bab8c022e7a7f58d13a899efe5d28362e81ffe (diff) | |
| parent | 6a056849d77c9184ba3004251e22946e6bfa3601 (diff) | |
| download | vyos-documentation-93ea049954844be784f178c346e35fafdcfa439f.tar.gz vyos-documentation-93ea049954844be784f178c346e35fafdcfa439f.zip | |
Merge pull request #1460 from srividya0208/mfa
OpenVPN: Added information about mfa settings
| -rw-r--r-- | docs/configuration/interfaces/openvpn.rst | 82 | 
1 files changed, 82 insertions, 0 deletions
| diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst index 8cf579de..f51dfa94 100644 --- a/docs/configuration/interfaces/openvpn.rst +++ b/docs/configuration/interfaces/openvpn.rst @@ -652,6 +652,88 @@ Will add ``push "keepalive 1 10"`` to the generated OpenVPN config file.     quotes. This is done through a hack on our config generator. You can pass     quotes using the ``"`` statement. +*************************** +Multi-factor Authentication +*************************** + +VyOS supports multi-factor authentication (MFA) or two-factor authentication  +using Time-based One-Time Password (TOTP). Compatible with Google Authenticator +software token, other software tokens. + +MFA TOTP options +================ + +.. cfgcmd:: set interfaces openvpn <interface> server mfa totp challenge <enable | disable> + +  If set to enable, openvpn-otp will expect password as result of challenge/ +  response protocol. + +.. cfgcmd:: set interfaces openvpn <interface> server mfa totp digits <1-65535>     + +  Configure number of digits to use for totp hash (default: 6) +     +.. cfgcmd:: set interfaces openvpn <interface> server mfa totp drift <1-65535> + +  Configure time drift in seconds (default: 0) + +.. cfgcmd:: set interfaces openvpn <interface> server mfa totp slop <1-65535> + +  Configure maximum allowed clock slop in seconds (default: 180) + +.. cfgcmd:: set interfaces openvpn <interface> server mfa totp step <1-65535> + +  Configure step value for totp in seconds (default: 30) + +Example +======= + +.. code-block:: none + +  set interfaces openvpn vtun20 encryption cipher 'aes256' +  set interfaces openvpn vtun20 hash 'sha512' +  set interfaces openvpn vtun20 mode 'server' +  set interfaces openvpn vtun20 persistent-tunnel +  set interfaces openvpn vtun20 server client user1 +  set interfaces openvpn vtun20 server mfa totp challenge 'disable' +  set interfaces openvpn vtun20 server subnet '10.10.2.0/24' +  set interfaces openvpn vtun20 server topology 'subnet' +  set interfaces openvpn vtun20 tls ca-certificate 'openvpn_vtun20' +  set interfaces openvpn vtun20 tls certificate 'openvpn_vtun20' +  set interfaces openvpn vtun20 tls dh-params 'dh-pem' + +For every client in the openvpn server configuration a totp secret is created. +To display the authentication information, use the command: + +.. cfgcmd:: show interfaces openvpn <interface> user <username> mfa <qrcode|secret|uri> + +An example: + +.. code-block:: none + +   vyos@vyos:~$ sh interfaces openvpn vtun20 user user1 mfa qrcode +   █████████████████████████████████████ +   █████████████████████████████████████ +   ████ ▄▄▄▄▄ █▀▄▀ ▀▀▄▀ ▀▀▄ █ ▄▄▄▄▄ ████ +   ████ █   █ █▀▀▄ █▀▀▀█▀██ █ █   █ ████ +   ████ █▄▄▄█ █▀█ ▄ █▀▀ █▄▄▄█ █▄▄▄█ ████ +   ████▄▄▄▄▄▄▄█▄█ █ █ ▀ █▄▀▄█▄▄▄▄▄▄▄████ +   ████▄▄ ▄ █▄▄ ▄▀▄█▄ ▄▀▄█ ▄▄▀ ▀▄█ ▀████ +   ████ ▀██▄▄▄█▄ ██ █▄▄▄▄ █▄▀█ █ █▀█████ +   ████ ▄█▀▀▄▄  ▄█▀  ▀▄ ▄▄▀▄█▀▀▀ ▄▄▀████ +   ████▄█ ▀▄▄▄▀  ▀ ▄█ ▄ █▄█▀ █▀  █▀█████ +   ████▀█▀ ▀ ▄█▀▄▀▀█▄██▄█▀▀  ▀ ▀ ▄█▀████ +   ████ ██▄▄▀▄▄█ ██ ▀█ ▄█ ▀▄█  █▀██▀████ +   ████▄███▄█▄█ ▀█▄ ██▄▄▄█▀ ▄▄▄ █ ▀ ████ +   ████ ▄▄▄▄▄ █▄█▀▄ ▀▄ ▀█▀  █▄█ ██▀█████ +   ████ █   █ █ ▄█▀█▀▀▄ ▄▀▀▄▄▄▄▄▄   ████ +   ████ █▄▄▄█ █ ▄ ▀ █▄▄▄██▄▀█▄▀▄█▄ █████ +   ████▄▄▄▄▄▄▄█▄██▄█▄▄▄▄▄█▄█▄█▄██▄██████ +   █████████████████████████████████████ +   █████████████████████████████████████ + +Use the QR code to add the user account in Google authenticator application and +on client side, use the OTP number as password. +  **********************************  OpenVPN Data Channel Offload (DCO) | 
