OpenVPN MFA MAJOR bug

**BarryDingle** · 12-15-2021, 02:38 PM

Hi everyone --

I am working on implementing OpenVPN MFA in Untangle NG Firewall (16.4.1) and I believe I've stumbled on a major bug...

I've enabled MFA in the OpenVPN app in Untangle per the checkbox labeled "Add MFA client configuration" (located in the Server tab of the OpenVPN app) and I've set the timeout to 0.

I've generated OpenVPN MFA Secret in the Local Directory for each user. Each user has the "Enable MFA for OpenVPN" checkbox checked, EXCEPT our site-to-site VPN, which I cannot imagine would work with MFA. Each user has the Google Authenticator set up, and it works great.

As far as I can tell, I've properly enabled it in all the necessary locations in Untangle for MFA to be 100% enabled and working for OpenVPN.

I have updated each machine that is connecting to the latest OpenVPN Community version available. I've imported the configs.

Attempt to connect, and it comes up asking for username / password / TOTP. PERFECT! Type them all in and it connects without issue.

HERE is the problem... If I go into the OpenVPN config file and remove the TOTP line from the config ON THE CLIENT MACHINE, it STILL ALLOWS the user to connect without TOTP! This should all be handled server-side. A small client side change is all that is required to allow a malicious actor to completely bypass MFA for OVPN.

If this is expected behavior, it has essentially rendered MFA completely useless for OpenVPN. Has anyone else run into this?

**BarryDingle** · 12-16-2021, 07:40 AM

Thank you very much for the reply. I'll look into doing this. Any idea how long it'll be before it's patched?

**tcurtis** · 12-16-2021, 08:24 AM

Please do NOT make command line changes. This renders your appliance unsupported. As stated, this is an issue, but you need to ask support to do this for you, and rasmussenc can write a script for support, or for users to run. That would be supported and resolve the issue.

**sheck** · 12-16-2021, 09:12 AM

As noted by tcurtis, CLI changes are not supported, support will have a fix for the issue available, if you are using MFA with OpenVPN please contact support to have this patched accordingly.

I don't have a specific ETA at the moment, but you should see the fix available in our next release.

**BarryDingle** · 12-17-2021, 07:46 AM

The only issue here that I can think of is that if you make the change that was posted here before, would that make every user require MFA? I have one user that I cannot have MFA enabled for as it's a site-to-site connection...

**jcoffin** · 12-17-2021, 01:50 PM

Yes, it breaks site to site so we are still working on a fix.

**sky-knight** · 12-17-2021, 02:01 PM

Ewww.... I hadn't thought about that! But you're right!

Crap... That's... rough.

**BarryDingle** · 12-20-2021, 01:15 PM

Yikes is right! OK - fortunately, the one customer I have that is champing at the bit to get switched to MFA does not have any site-to-site connections, so we'll be OK on that deployment...

The deployment for my business, on the other hand, won't work until a fix has been developed that will allow site-to-site connections to be excluded from MFA.

Thread: OpenVPN MFA MAJOR bug

LinkBack

Thread Tools

OpenVPN MFA MAJOR bug

Posting Permissions