Page MenuHomeVyOS Platform

two factor authentication for OpenVPN remote VPN tunnels
Open, WishlistPublicFEATURE REQUEST


add option on VyOS to authenticate using LDAP or RADIUS or Active Directory while connecting remotely via OpenVPN client. A desired feature of the functionality would be sustainability of the option with respect to image upgrades/updates.


Difficulty level
Hard (possibly days)
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

Hi Alex,

Do you have links to the relevant plugins, and configuration examples?
Do you also have any ideas for the CLI?

We do this a lot, having certificate + user auth for OpenVPN. Using this open VPN option, a custom auth script and extra packages:

openvpn-option "auth-user-pass-verify /config/auth/ via-file"

The LDAP auth requires these packages:

This is different but might be a little related - FoxPass publishes a one-line tweak to VyOS 1.0 to let them support two-factor authentication for IPSec VPN at
It would be nice to have this change possible via an option.

Here is a sanitised copy of the auth-ldap script. I never wrote it! Its just what we use :) It will need modifying to work

I think maybe we use openvpn dynamic challenge respons function for two factor auth.
Sms, email. etc.


Sample test config and python script

Edit: another example

syncer lowered the priority of this task from Normal to Wishlist.Oct 13 2018, 9:56 AM
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
syncer changed the subtype of this task from "Task" to "Feature Request".Oct 19 2018, 9:14 AM
erkin set Is it a breaking change? to Unspecified (possibly destroys the router).Sep 1 2021, 10:59 AM
erkin set Issue type to Feature (new functionality).