I have OpenVPN setup with password and MFA options. I use the Yubico Authenticator, but it's generic OAuth I think.
Windows OpenVPN client works as expected. Connect with credentials, prompts for TOTP code.
On my Linux device, I setup the built-in VPN client (I think it's part of the Gnome network manager - I use Pop!_OS 21.04) and it totally skips the MFA. Connects fine with just the username and password.
Unless I'm missing something - this is not good.
I did notice a new setting come up, "MFA Timeout" that doesn't seem documented. It was set to 0, or never. I changed it to 168 hours.