  1. #1
    Untangler
    Join Date
    Oct 2013
    Posts
    62

    OpenVPN MFA MAJOR bug

    Hi everyone --

    I am working on implementing OpenVPN MFA in Untangle NG Firewall (16.4.1) and I believe I've stumbled on a major bug...

    I've enabled MFA in the OpenVPN app in Untangle per the checkbox labeled "Add MFA client configuration" (located in the Server tab of the OpenVPN app) and I've set the timeout to 0.

    I've generated OpenVPN MFA Secret in the Local Directory for each user. Each user has the "Enable MFA for OpenVPN" checkbox checked, EXCEPT our site-to-site VPN, which I cannot imagine would work with MFA. Each user has the Google Authenticator set up, and it works great.

    As far as I can tell, I've properly enabled it in all the necessary locations in Untangle for MFA to be 100% enabled and working for OpenVPN.

    I have updated each machine that is connecting to the latest OpenVPN Community version available. I've imported the configs.

    Attempt to connect, and it comes up asking for username / password / TOTP. PERFECT! Type them all in and it connects without issue.

    HERE is the problem... If I go into the OpenVPN config file and remove the TOTP line from the config ON THE CLIENT MACHINE, it STILL ALLOWS the user to connect without TOTP! This should all be handled server-side. A small client side change is all that is required to allow a malicious actor to completely bypass MFA for OVPN.

    If this is expected behavior, it has essentially rendered MFA completely useless for OpenVPN. Has anyone else run into this?
    Last edited by BarryDingle; 12-15-2021 at 03:37 PM.
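The server-side enforcement the first post asks for, shown as an added example that is not Untangle's code and was not posted by anyone in this thread. It assumes the setup the post describes: the client config carries OpenVPN's `static-challenge` directive, so the client submits the password field as `SCRV1:<base64 password>:<base64 TOTP>`, and the server runs an `auth-user-pass-verify <script> via-file` hook. The script rejects any login whose password field is not in that form, so deleting the challenge line on the client can no longer skip the second factor. The `USERS` table, the username `alice`, her password and her secret are constructed sample data (the secret is the RFC 6238 test key).

```python
import base64
import hashlib
import hmac
import struct
import sys
import time

# Constructed sample user table: username -> (password, base32 TOTP secret).
# A real hook would look these up in the appliance's user store, not a literal.
USERS = {
    "alice": ("s3cret", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"),
}

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator uses."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def parse_scrv1(password_field):
    """Split an OpenVPN static-challenge response.

    With `static-challenge` in the client config, the client sends the
    password field as `SCRV1:<base64 password>:<base64 response>`.
    Returns (password, response) or None when the field is not in that form.
    """
    parts = password_field.split(":")
    if len(parts) != 3 or parts[0] != "SCRV1":
        return None
    try:
        password = base64.b64decode(parts[1], validate=True).decode("utf-8")
        response = base64.b64decode(parts[2], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return password, response

def verify_credentials(username, password_field, now, users=USERS, skew=1):
    """Server-side check: both the password and a valid TOTP must be present.

    Fails closed: a bare password (client never sent a challenge response)
    is denied, so a client-side config edit cannot bypass the second factor.
    """
    record = users.get(username)
    if record is None:
        return False
    expected_password, secret = record
    parsed = parse_scrv1(password_field)
    if parsed is None:
        return False  # no TOTP in the submission -> deny
    password, code = parsed
    if not hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8")):
        return False
    # Accept the current 30-second step plus +/- `skew` steps of clock drift.
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(code.encode("utf-8"), totp(secret, now + delta * 30).encode("utf-8")):
            return True
    return False

def check_via_file(path, now=None):
    """Verify the two-line (username, password) file that OpenVPN writes for
    an `auth-user-pass-verify <script> via-file` hook."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    if len(lines) < 2:
        return False
    return verify_credentials(lines[0], lines[1], int(time.time()) if now is None else now)

if __name__ == "__main__":
    # OpenVPN treats exit status 0 as authentication success, anything else as failure.
    sys.exit(0 if len(sys.argv) > 1 and check_via_file(sys.argv[1]) else 1)
```

The point of the design is the early `parse_scrv1` check: the server decides whether a second factor was supplied, not the client. Whether Untangle's own hook validates the response this way is not stated in the thread; this is what a hook that does not trust the client config looks like.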

  2. #2
    Untangler
    Join Date
    Oct 2013
    Posts
    62


    Thank you very much for the reply. I'll look into doing this. Any idea how long it'll be before it's patched?

  3. #3
    Untangler
    Join Date
    Aug 2018
    Posts
    58


    Please do NOT make command line changes. This renders your appliance unsupported. As stated, this is an issue, but you need to ask support to do this for you, and rasmussenc can write a script for support, or for users to run. That would be supported and resolve the issue.

  4. #4
    Untangler sheck's Avatar
    Join Date
    May 2020
    Posts
    64


    As noted by tcurtis, CLI changes are not supported. Support will have a fix for the issue available; if you are using MFA with OpenVPN, please contact support to have this patched accordingly.

    I don't have a specific ETA at the moment, but you should see the fix available in our next release.

  5. #5
    Untangler
    Join Date
    Oct 2013
    Posts
    62


    The only issue here that I can think of is that if you make the change that was posted here before, would that make every user require MFA? I have one user that I cannot have MFA enabled for as it's a site-to-site connection...
    Last edited by BarryDingle; 12-17-2021 at 08:08 AM.

  6. #6
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,713


    Yes, it breaks site-to-site, so we are still working on a fix.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  7. #7
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,514


    Ewww.... I hadn't thought about that! But you're right!

    Crap... That's... rough.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  8. #8
    Untangler
    Join Date
    Oct 2013
    Posts
    62


    Yikes is right! OK - fortunately, the one customer I have that is champing at the bit to get switched to MFA does not have any site-to-site connections, so we'll be OK on that deployment...

    The deployment for my business, on the other hand, won't work until a fix has been developed that will allow site-to-site connections to be excluded from MFA.
