Page MenuHomeVyOS Platform

two factor authentication for OpenVPN remote VPN tunnels
Needs testing, WishlistPublicFEATURE REQUEST


add option on VyOS to authenticate using LDAP or RADIUS or Active Directory while connecting remotely via OpenVPN client. A desired feature of the functionality would be sustainability of the option with respect to image upgrades/updates.


Difficulty level
Hard (possibly days)
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

Hi Alex,

Do you have links to the relevant plugins, and configuration examples?
Do you also have any ideas for the CLI?

We do this a lot, having certificate + user auth for OpenVPN. Using this open VPN option, a custom auth script and extra packages:

openvpn-option "auth-user-pass-verify /config/auth/ via-file"

The LDAP auth requires these packages:

This is different but might be a little related - FoxPass publishes a one-line tweak to VyOS 1.0 to let them support two-factor authentication for IPSec VPN at
It would be nice to have this change possible via an option.

Here is a sanitised copy of the auth-ldap script. I never wrote it! Its just what we use :) It will need modifying to work

I think maybe we use openvpn dynamic challenge respons function for two factor auth.
Sms, email. etc.


Sample test config and python script

Edit: another example

syncer lowered the priority of this task from Normal to Wishlist.Oct 13 2018, 9:56 AM
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
syncer changed the subtype of this task from "Task" to "Feature Request".Oct 19 2018, 9:14 AM
erkin set Is it a breaking change? to Unspecified (possibly destroys the router).Sep 1 2021, 10:59 AM
erkin set Issue type to Feature (new functionality).
Viacheslav added subscribers: ordex, Viacheslav.

@ordex Les us know if you have some ideas

Viacheslav changed the task status from Open to Needs testing.EditedJan 10 2024, 1:29 PM

It seems we already have mfa T3834 but it never was documented

vyos@r4# set interfaces openvpn vtun0 server mfa totp 
Possible completions:
   challenge            Expect password as result of a challenge response protocol
                        (default: enable)
   digits               Number of digits to use for totp hash (default: 6)
   drift                Time drift in seconds (default: 0)
   slop                 Maximum allowed clock slop in seconds (default: 180)
   step                 Step value for totp in seconds (default: 30)

LDAP described there

Viacheslav added a subscriber: UnicronNL.