Static challenge script


patric...@gmail.com

Oct 25, 2018, 4:34:44 PM10/25/18
to tunnelblick-discuss
Hi I am struggling with the documentation around static-challenge-response.user.sh

I am able to get connected.sh working by placing it in the Contents/Resources/ folder with the *.ovpn. I have tried placing the static-challenge-response.user.sh in the same location with no luck. I tried using the following config in my ovpn but it did not work:

static-challenge "Enter Google Authenticator Code" static-challenge-response.user.sh

Please, can someone guide me where to place the script so it gets executed when the static challenge presents itself to the user.

I am using Tunnelblick 3.7.7 (build 5150)

Thank you

Tunnelblick developer

Oct 26, 2018, 12:00:24 AM10/26/18
to tunnelblick-discuss
Your script is in the correct place, and is correctly named.

However, the second parameter of OpenVPN's static-challenge option is not the name of the script. It is either 0 or 1. This is described on Tunnelblick's Multi-factor and Two-factor Authentication page:

Static challenge/response authentication is done using scripts on the OpenVPN server combined with a '--static-challenge' option in the OpenVPN client's configuration file.


The --static-challenge option should be included in the client OpenVPN configuration file as

static-challenge  <text>  <echo>

where <text> is the text that is presented to the user, and <echo> is 0 to indicate that the user's response should not be echoed, or 1 to indicate the user's response should be echoed. (The <text> should be quoted if it contains spaces or other special characters.)


and on the OpenVPN 2.4 man page:

--static-challenge t e
Enable static challenge/response protocol using challenge text t, with echo flag given by e (0|1).

The echo flag indicates whether or not the user's response to the challenge should be echoed.

See management-notes.txt in the OpenVPN distribution for a description of the OpenVPN challenge/response protocol.


So you should change the line in your configuration file to be

static-challenge  "Enter Google Authenticator Code"  1


Why you don't specify the script filename or path

When OpenVPN sees the --static-challenge option, it instructs Tunnelblick to present the static challenge (text "t") to the user. Tunnelblick interprets that as
  • If the static-challenge-client.sh script exists in the configuration, run that script and send the output from that script back to OpenVPN,

  • Otherwise, present the challenge to the user and send the user's response back to OpenVPN.
So it is simply Tunnelblick's convention to allow a script (with the specified name and location). Other OpenVPN GUIs may not provide similar functionality.

patric...@gmail.com

Oct 26, 2018, 10:31:35 AM10/26/18
to tunnelblick-discuss
Thank you.

I have corrected the config in my ovpn; however, the static-challenge file is not being executed. I am attempting to automatically pass my TOTP back to Tunnelblick with no luck. I can confirm that oathtool outputs the correct code. I get to the static challenge window, which I shouldn't expect to see when I have a static challenge file in my config.

I believe the static-challenge-response.user.sh is not being executed as I added some extra commands to write to my /tmp and nothing has appeared. What can I do to prove the file is being executed when the static challenge occurs?

Tunnelblick developer

Oct 26, 2018, 11:43:01 AM10/26/18
to tunnelblick-discuss
Please post the diagnostic info obtained by following the instructions at Read Before You Post (https://tunnelblick.net/cBeforeYouPost.html).