Page MenuHomeVyOS Platform

two factor authentication for OpenVPN remote VPN tunnels
Open, WishlistPublicFEATURE REQUEST


add option on VyOS to authenticate using LDAP or RADIUS or Active Directory while connecting remotely via OpenVPN client. A desired feature of the functionality would be sustainability of the option with respect to image upgrades/updates.


Difficulty level
Hard (possibly days)

Event Timeline

Hi Alex,

Do you have links to the relevant plugins, and configuration examples?
Do you also have any ideas for the CLI?

jhendryUK added a subscriber: jhendryUK.EditedNov 10 2016, 10:24 AM

We do this a lot, having certificate + user auth for OpenVPN. Using this open VPN option, a custom auth script and extra packages:

openvpn-option "auth-user-pass-verify /config/auth/ via-file"

The LDAP auth requires these packages:

This is different but might be a little related - FoxPass publishes a one-line tweak to VyOS 1.0 to let them support two-factor authentication for IPSec VPN at
It would be nice to have this change possible via an option.

Here is a sanitised copy of the auth-ldap script. I never wrote it! Its just what we use :) It will need modifying to work

fatihusta added a subscriber: fatihusta.EditedNov 14 2016, 4:44 PM

I think maybe we use openvpn dynamic challenge respons function for two factor auth.
Sms, email. etc.


Sample test config and python script

Edit: another example

syncer edited subscribers, added: VyOS 1.2 Crux; removed: jhendryUK, VyOS 1.1.x (1.1.8).
dmbaturin moved this task from Need Triage to Wishlist on the VyOS 1.2 Crux board.May 24 2018, 6:17 PM
syncer lowered the priority of this task from Normal to Wishlist.Oct 13 2018, 9:56 AM
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
syncer changed the subtype of this task from "Task" to "Feature Request".Oct 19 2018, 9:14 AM
pasik added a subscriber: pasik.Mar 8 2019, 10:20 PM