At work we recently switched to 2FA for the VPN (which I connect to with openVPN).
I had some trouble connecting with networkmanager (with openvpn plugin). It took chatgpt to tell me that the way to use this was to append the OTP to my regular password when prompted.
Maybe this is normal and I just wasn’t aware of it, but I was quite surprised that it wasn’t a separate field or just a prompt for the OTP, given that I had stored my regular password in the network config.
I’m not trying to bash network manager, I’m grateful to be able to use this software for free. I’m just wondering if there is something I missed, seeing how I could barely find any information on this online.
The NetworkManager VPN page only lists the plugins (https://networkmanager.dev/docs/vpn/), and the link for the openvpn plugin just points to a repo that doesn’t seem connected to any docs.
Edit: Multi factor is a common term even if it’s only two factor.
I don’t see any advantage of using additional OTP for a vpn. 2FA mitigates many of the problems with password reuse and phishing. It is not a miracle cure. It’s not perfect; the secret can be leaked or copied. If your openvpn is set up with pki, OTP does not enhance security to the concept.
I suppose they would argue that, since people use their phone to generate the OTP, it’s still an additional thing that attackers would need to acquire. Since everyone has their personal VPN password saved in the config to connect automatically, if an attacker acquired a laptop they could access the network as soon as they could log in (which is probably not hard, because realistically people don’t lock their laptop that often).
If an OTP is required that’s not a problem.
However, it’s very possible that the desire to be seen to be doing stuff for security is also a good reason.
Doesn’t seem like a networkmanager problem and more like a frontend problem. There are many frontends for networkmanager and any one of them could separate them into multiple fields. Seems like it would depend on which frontend you are using and perhaps you would have come across the correct information sooner had you looked up documentation for the frontend rather than networkmanager itself.
perhaps you would have come across the correct information sooner had you looked up documentation for the frontend rather than networkmanager itself.
No need to be condescending.
While a frontend could solve this, it is also an issue with nmcli, which makes no mention of anything related in the man pages. And the frontend I’m using is nm-applet, which doesn’t appear to have any docs.
Yeah, people also use VPN on their mobile phones, many times even with the same preshared key as on other devices. In this case OTP is not even a second factor. If everyone does it, it doesn’t mean that it’s well thought out. And even if you use discrete channels for both factors, you don’t reach the target to connect automatically because you add manual interaction!
In that case I’m sorry for misinterpreting you, my bad.
Looking into front ends did lead me to switchboard, which seems quite nice in general. But clicking connect in there leads me to the same little window that the nm-applet opens.
Since the OTP has to be appended to the regular password it’s also possible that there is no way for the connecting application to even know an OTP is required.
At first I thought it would be a separate step in the connection process, but that’s probably the same and it’s just a change on the authenticating server.
Even if this was the case (and I don’t believe most people have any reason to use the company VPN on their phone), it would be security neutral on the phone and improve security for laptop (except for the small number of users that generate their OTP on the laptop).
And even if you use discrete channels for both factors, you don’t reach the target to connect automatically because you add manual interaction!
Not sure what you mean by that. Not connecting automatically seems to be the point of the whole exercise.
Sorry, got that wrong.
On the client side, test if it works by running openvpn with the option --auth-user-pass (or in config files). You will be prompted for user name and password (TOTP). If that works, NM is also able to handle that: you need to configure the connection type to certificate with password TLS, type in your user name and leave the password field empty. This way you will be prompted for the TOTP number. I admit, I never tested that on EOS, I used Debian for VPN stuff and today I use WireGuard for VPN.
auth-user-pass is in the config already and indeed the connection type is also certificate with password TLS.
I always had to enter a password, it was just always the same one (this is what I meant by “regular password”, I don’t know the jargon). The change has been that it’s now that same password with TOTP appended to it (I didn’t know about the first T in TOTP either).
I was expecting the behavior to be like on websites that use 2FA, where you usually have to enter the TOTP in a separate field.