Enhance OpenVPN Experience with Seamless MFA During Network Transitions

[Niroda]

Goal
The primary objective is to refine the user experience with OpenVPN, particularly in the context of Multi-Factor Authentication (MFA). We aim to establish a more seamless transition that doesn't necessitate re-authentication when there's a change in the network environment. This enhancement is especially critical in mobile scenarios where network switches are frequent and inevitable.

Problem Statement
Currently, users face a significant challenge when their network environment changes while connected to an OpenVPN server with MFA enabled. For instance, consider a scenario where a user is connected to the VPN over a home WiFi network. As soon as the user leaves the vicinity of their WiFi and their device switches to a mobile data, the VPN connection requires re-authentication. This process does not just introduce inconvenience but often fails, leading to disruptions in connectivity and secure access.

Use Case
This issue predominantly affects mobile users who frequently transition between different networks (e.g., from WiFi to mobile data or between different WiFi networks). The need to manually re-authenticate each time not only hampers productivity but also affects the overall user experience negatively.

Proposed Solution
Using session token mechanism. When a user successfully authenticates with MFA, we generate a session token (a unique, temporary identifier) that is valid for a specific duration (would be nice to set it in the configuration). This token is then used to validate subsequent connections without requiring MFA again, as long as the token is still valid.

Potential Benefits
Implementing this feature could significantly enhance the user experience by providing a more stable and uninterrupted connection, reducing the need for technical support related to connection issues, and ensuring secure access remains consistent regardless of the network environment.

[d3vilh]

Hi @Niroda
OpenVPN-UI do supports MFA with Authenticator app, out of the box, you could try it.

[Niroda]

Hi @d3vilh
I'm aware of that! Have you read the problem statement in the feature request? The issue arises when a mobile device switches from Wi-Fi to mobile data; the VPN server requires re-authentication, necessitating a new MFA code, which results in the connection being lost. I've managed to tweak it with some scripts to track and manage sessions, but it would be great if you could implement this solution in the main repo/image and offer it as an optional feature. This way, if someone wants it, they can enable it on demand. I'm pretty sure many mobile users would greatly appreciate this feature.

This issue actually pertains to the OpenVPN server, but I accidentally opened the request here instead of in the correct repository. :(

[d3vilh]

It is fine, I just read first sentence got it was kind of AI generated and ignore the rest, (sorry, too much AI spam happening around me :) )
Yes, your suggestion is very valid. I'll check if OSS OpenVPN Server version supports this functionality. If it is - will be in one of the next releases.

[Niroda]

No problem. Everything can be done in /opt/app/bin/oath.sh.
First, we need to modify the certificate creation form:

1. An optional checkbox to indicate whether this certificate's session shall be tracked.
2. Specify how long the session should be tracked in seconds/minutes/hours/days.

Then, in /opt/app/bin/oath.sh, upon the first successful MFA authentication, we can create a session and track it for the time provided in the second option.
Once the user disconnects and reconnects, in the same file /opt/app/bin/oath.sh, before requiring the user for authentication and MFA code, we can check whether a session is present and valid. If so, just terminate the script with exit 0 to indicate the user is authenticated.

[d3vilh]

Would you like to push new changes in dev branch, or share the link patched oath.sh?
It will speedup all the development.

I did a test with 2FA functionality while driving today between provinces it is indeed may be annoying to re-auth if IP is changing dynamically.