evgeny-gridasov / openvpn-otp

OpenVPN OTP token support plugin
GNU General Public License v3.0

Bind OTP to a certificate and/or a keys for a specific client #13

Open devng opened 8 years ago

devng commented 8 years ago

So I am no expert on OpenVPN. I just followed this nice tutorial to set up my VPN https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04 and then added OTP support via your plugin. Everything works great. However, I have noticed one issue. I would like to use an OTP only on a certain key or certificate for a given client; currently the configuration in otp-secrets is kind of global and can unlock every key and certificate for a given client. Here is an example of what I mean:

Let's say we want to have 2 users on our VPN called, of course, Alice and Bob. So we generate a certificate for each of them and we distribute alice.crt and alice.key to Alice and give bob.crt and bob.key to Bob. Then we create an OTP entry for Bob and Alice in otp-secrets and they can log in with their TOTPs using Google Authenticator. Great. However, if for some reason Alice gets hold of bob.crt and bob.key, she can still use her TOTP, and not Bob's, to authenticate. So IMHO this is an issue, and the TOTP secret in the otp-secrets file should only be bound to a certificate and a key. Or at least we should be able to specify for which user in otp-secrets which certificates are available.

devng commented 8 years ago

I found a workaround by using the approach described here https://serverfault.com/questions/358855/how-to-prevent-users-from-sharing-certificates-in-openvpn: I give users a certificate whose common name is their username. This limits the users to having only one certificate, which is fine for me, but I think it would be nice if this plugin supported it out of the box.
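The check behind that workaround, as an added example that is not the plugin's code nor taken from the serverfault answer: an OpenVPN `auth-user-pass-verify` script that refuses the login unless the username sent with the OTP (the one openvpn-otp looks up in otp-secrets) is byte-for-byte identical to the Common Name of the client certificate that was just verified. It assumes the directive is used with `via-env` (so OpenVPN exports `common_name` and `username` as environment variables), `script-security 2`, and that client certificates remain mandatory; the script path and plugin path shown in the comments are hypothetical.

```shell
#!/bin/sh
# Added example, not part of openvpn-otp. Binds the OTP username to the
# client certificate's CN so Alice cannot log in with bob.crt/bob.key
# plus her own TOTP: the username she types must equal the CN "bob",
# and then only Bob's TOTP secret in otp-secrets is consulted.
#
# Assumed server.conf lines (hypothetical paths):
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/check-cn.sh via-env
#   plugin /usr/lib/openvpn/openvpn-otp.so
#
# Returns 0 (accept) only when both values are present, the username is
# limited to a conservative character set, and the two are identical.
check_cn_matches_user() {
    _cn=$1
    _user=$2

    # Fail closed: an empty common_name means no client certificate was
    # verified, which should never reach this script but must not pass.
    [ -n "$_cn" ] && [ -n "$_user" ] || return 1

    # Only allow a plain identifier as the username. This rejects values
    # such as "bob " or "bob\n" that a loose comparison might accept, and
    # ensures nothing untrusted is ever handed to another command.
    case "$_user" in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac

    # Exact, case-sensitive comparison against the certificate CN.
    [ "$_cn" = "$_user" ]
}

# When executed by OpenVPN the variables are exported; evaluate them.
# When the file is sourced for testing neither variable is set, so the
# function above is simply defined and nothing else happens.
if [ -n "${common_name+set}" ] || [ -n "${username+set}" ]; then
    if check_cn_matches_user "$common_name" "$username"; then
        exit 0
    fi
    echo "check-cn: username does not match certificate CN, rejecting" >&2
    exit 1
fi
```

OpenVPN denies the client if any configured authentication method fails, so this script runs alongside the plugin and adds the CN binding rather than replacing the OTP check. It enforces exactly the one-certificate-per-user model described in the comment: the CN becomes the username, and the plugin's otp-secrets entry for that username is the only secret that can unlock that certificate.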

stefjakobs commented 7 years ago

+1 (and thanks for sharing the workaround)

evgeny-gridasov commented 7 years ago

I'll have some time next week and will see what I can do about this one.

evgeny-gridasov commented 7 years ago

devng, do you want to document this and include it in readme.md? I'll accept a pull request from you.