Automating OpenVPN login with OTP

In order to give some headaches to IT support & security guys I am going to tell you how you can automate VPN logins even if your company is use OTP in order to improve security (at the expense of UX).

Disclaimer: Following instructions from this document may be against your company security policy, so whatever you do, don’t contact me if you get into trouble.

Here are the few steps that you need to cover:

  • obtain the OTP secret
  • install oathtool
  • write a shell script that saves credentials to a file
  • create two AppleScripts: one to be called
  • Configure Viscosity to used these

OTP tokens can be of two types: time based or event based so here are few what you need is to read. You need to extract the secret key from the OTP url which looks like `otpauth://totp/example.com/user?issuer=example&secret=wwflwwrruwww`. In fact that’s the entire content of the QR codes used to configure OTP clients.

The trick is that most OTP clients will not allow you to extract the secret key once you configure them but if you made a screenshot of the QR code you can decode it. One exception that I am aware about is 1Password which allows you to access the secret url.

So now lets create a simple bash script that saves your temporary credentials in a file. First line should contain your VPN username and the second one should contain the password which is formed of the static part (also called PIN) and the OTP part after it. Keep in mind that this password is valid for no more than 30 seconds.

#!/bin/bash
echo -e “johnd\nmysecret$(/usr/local/bin/oathtool — totp -b XYZ…..)” > ~/.cache/.ovpn-tmp
chmod 600 ~/.cache/.ovpn-tmp

After saving this file to disk don’t forget to do

chmod +x /Users/johnd/bin/vpn-prepare

Now we need to create an AppleScript that executes this script before each connection. Open Script Editor and create a new file which should look like:

do shell script “/Users/johnd/bin/vpn-prepare”

Now you can open Viscosity > Preferences > Connections > Edit profile > Advanced > Before Connect Script > pick the shell script that you just created.

Inside the same window also add this custom command

auth-user-pass /Users/johnd/.cache/.ovpn-tmp

Also you want to go enable “unsafe commands” on Viscosity Advances settings. It is called unsafe because is running a command before establishing the network connection, so someone could take advantage of this.

Try to connect now! It should work. If not try to check the logs.

One last note that should make security guys a little bit less worried: instead of keeping the OTP seed data on the same machine you could put it on another machine and use ssh or https to get the temporary token, or at least to keep them on an encrypted USB stick.

Sorin Ionuț Sbârnea

Written by

Coding for f(ood|un)…

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade