Hi everyone --
I am working on implementing OpenVPN MFA in Untangle NG Firewall (16.4.1) and I believe I've stumbled on a major bug...
I've enabled MFA in the OpenVPN app in Untangle per the checkbox labeled "Add MFA client configuration" (located in the Server tab of the OpenVPN app) and I've set the timeout to 0.
I've generated OpenVPN MFA Secret in the Local Directory for each user. Each user has the "Enable MFA for OpenVPN" checkbox checked, EXCEPT our site-to-site VPN, which I cannot imagine would work with MFA. Each user has the Google Authenticator set up, and it works great.
As far as I can tell, I've properly enabled it in all the necessary locations in Untangle for MFA to be 100% enabled and working for OpenVPN.
I have updated each machine that is connecting to the latest OpenVPN Community version available. I've imported the configs.
Attempt to connect, and it comes up asking for username / password / TOTP. PERFECT! Type them all in and it connects without issue.
HERE is the problem... If I go into the OpenVPN config file and remove the TOTP line from the config ON THE CLIENT MACHINE, it STILL ALLOWS the user to connect without TOTP! This should all be handled server-side. A small client-side change is all that is required to allow a malicious actor to completely bypass MFA for OVPN.
If this is expected behavior, it has essentially rendered MFA completely useless for OpenVPN. Has anyone else run into this?
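As an added illustration of what "handled server-side" means (example code, not Untangle's or OpenVPN's own), here is a fail-closed `auth-user-pass-verify` style checker that refuses a bare password for any MFA-enabled account. It assumes, hypothetically, that the "TOTP line" in the client config is a `static-challenge` directive, so that with it the client sends an `SCRV1:<b64 password>:<b64 code>` field and without it only the plain password; the accounts, passwords and secret are constructed sample data.

```python
# Added example (not Untangle's or OpenVPN's code): fail-closed server-side check of
# the password field OpenVPN gives an auth-user-pass-verify script. Assumes the "TOTP
# line" is a client static-challenge directive, which sends "SCRV1:<b64 pw>:<b64 code>".
import base64, hashlib, hmac, struct, time

USERS = {  # constructed sample accounts; secret = RFC 6238 test key in base32
    "alice": {"password": "pw", "secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", "mfa": True},
    "site2site": {"password": "s2s", "secret": "", "mfa": False},  # MFA off
}

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator uses."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

def scrv1(password, response):
    """What an OpenVPN client with static-challenge puts in the password field."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return f"SCRV1:{b64(password)}:{b64(response)}"

def parse_scrv1(field):
    """Return (password, response), or None if no SCRV1 envelope is present."""
    parts = field.split(":")
    if len(parts) != 3 or parts[0] != "SCRV1":
        return None
    try:
        return tuple(base64.b64decode(p).decode() for p in parts[1:])
    except (ValueError, UnicodeDecodeError):
        return None

def same(a, b): return hmac.compare_digest(a.encode(), b.encode())

def verify(username, field, users=USERS, now=None, window=1):
    """Server-side decision: the client cannot opt out of MFA by editing its config."""
    user = users.get(username)
    if user is None:
        return False
    parsed = parse_scrv1(field)
    if parsed is None:  # bare password: only accounts with MFA disabled may use it
        return not user["mfa"] and same(field, user["password"])
    password, response = parsed
    if not same(password, user["password"]):
        return False
    if not user["mfa"]:
        return True
    now = int(time.time()) if now is None else now
    return any(same(response, totp(user["secret"], now + k * 30))
               for k in range(-window, window + 1))
```

The key line is the `parsed is None` branch: a client that drops its MFA directive arrives with a plain password, and an MFA-enabled account is rejected rather than let through.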