Tunnelblick with OTP password

Mando Stamelaki
3 min read · Aug 10, 2022


This article describes how to configure Tunnelblick to log in to your OpenVPN server automatically when the server requires an OTP code in combination with the user password.

To generate the OTP we store the OTP secret in the macOS keychain, so that it never appears in the login script as plain text.

Save OTP secret to the keychain

To save the OTP secret to the keychain, use the following script (replace the placeholder with your own secret):

#!/bin/bash
# Keychain item name and account under which the OTP secret is stored
otp_pw_name="Tunnelblick-Auth-YourOpenVPN_account"
otp_pw_account="otp-secret"
otp_share_secret="add-your-otp-secret-here"
# Store the secret as a generic password item in the login keychain.
# The secret is passed on the command line here, so clear it from your shell history afterwards.
/usr/bin/security add-generic-password -s "$otp_pw_name" -a "$otp_pw_account" -w "$otp_share_secret"

Navigate to your Keychain, locate the created password and open it.

Select “Access Control”

In the “Always allow access by these applications” field, press the plus “+” button, add the “Tunnelblick” application so that it can read the otp-secret we created, and click “Save Changes”.

Our otp-secret is now in the Keychain and ready for use.

Create OTP generation script

Tunnelblick supports different kinds of scripts that can be enabled and run during user authentication.

Depending on your server configuration, select the type of script you need to create; the available options are:

  • password-prepend.user.sh is executed to get a string to prepend to a password before it is passed to OpenVPN.
  • password-append.user.sh is executed to get a string to be appended to a password before it is passed to OpenVPN.

Thus, if the OTP password has to come before the user password, choose password-prepend.user.sh; otherwise choose password-append.user.sh.

Create the shell script of your choice in /Library/Application Support/Tunnelblick/Users/<username>/YourOpenVPN_account.tblk/Contents/Resources/.

Set the file permissions to rwxr-xr-x (755):

chmod 755 password-*.user.sh

Time to add some logic to our new script file.

We need a command-line OTP generator; oathtool does this. Install it via Homebrew:

brew install oath-toolkit

The script code is:

#!/bin/bash
otp_pw_name="Tunnelblick-Auth-YourOpenVPN_account"
otp_pw_account="otp-secret"
# Get otp-secret from keychain (fails if the item is missing or access was not granted):
if ! otp_secret=$(/usr/bin/security find-generic-password -w -s "$otp_pw_name" -a "$otp_pw_account"); then
    exit 1
fi
# Generate a 6-digit TOTP code from the base32 secret (-b). The code is written to
# stdout, which Tunnelblick prepends or appends to the password.
# Homebrew installs to /opt/homebrew/bin on Apple Silicon Macs; adjust the path if needed.
/usr/local/bin/oathtool --totp -b -d 6 "$otp_secret"
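To show what the `oathtool --totp -b -d 6` call above actually computes, here is a reference TOTP implementation in plain shell, added here and not part of the article, that derives the same 6-digit code from a base32 secret with openssl and checks itself against the RFC 6238 test vector. It assumes GNU coreutils (`base32`, `od`) and `openssl` on PATH, so on macOS install coreutils via Homebrew (where the command is named `gbase32`) or run it on Linux.

```shell
#!/bin/sh
# Reference TOTP (RFC 6238: HMAC-SHA1, 30 s step, 6 digits) in plain shell,
# to cross-check what `oathtool --totp -b -d 6 <secret>` emits.
# Assumes GNU coreutils (base32, od) and openssl on PATH; not from the article.

# Decode a base32 secret (the form stored in the keychain) into a hex key string.
b32_to_hex() {
  s=$(printf '%s' "$1" | tr -d ' =' | tr 'a-z' 'A-Z')
  # GNU base32 -d requires '=' padding up to a multiple of 8 characters.
  while [ $(( ${#s} % 8 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base32 -d | od -An -v -tx1 | tr -d ' \n'
}

# HOTP (RFC 4226): 6-digit code for hex key $1 and integer counter $2.
hotp() {
  key=$1; counter=$2; fmt=""
  # 8-byte big-endian counter, built as octal escapes so printf can emit raw bytes
  for i in 7 6 5 4 3 2 1 0; do
    fmt="$fmt$(printf '\\%03o' $(( (counter >> (i * 8)) & 255 )))"
  done
  mac=$(printf "$fmt" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key" | sed 's/^.*= *//')
  # Dynamic truncation: the low nibble of the last MAC byte selects a 4-byte window
  last=${mac#"${mac%?}"}
  off=$(( 0x$last ))
  win=$(printf '%s' "$mac" | cut -c "$(( off * 2 + 1 ))-$(( off * 2 + 8 ))")
  printf '%06d' $(( (0x$win & 0x7fffffff) % 1000000 ))
}

# TOTP: HOTP over floor(epoch / 30). Epoch defaults to now, as oathtool does.
totp() {
  secret=$1; epoch=${2:-$(date +%s)}
  hotp "$(b32_to_hex "$secret")" $(( epoch / 30 ))
}

# Self-check with the RFC 6238 test secret "12345678901234567890" (base32 form).
rfc_secret="GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
selfcheck() { [ "$(totp "$rfc_secret" 59)" = "287082" ]; }
selfcheck && echo "reference implementation OK"
```

Compare its output for your own secret with `oathtool --totp -b -d 6` before wiring the script into Tunnelblick; a mismatch points at a mis-typed secret in the keychain rather than at the server.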

Import script to configuration

Time to load the new configuration, including the created script, into Tunnelblick.

Open Tunnelblick, then select “Revert to the Last Secured Copy”.

The new configuration is ready to use. You can now use Tunnelblick's password-saving feature to store your static password; the generation script runs on every connect and takes care of the OTP part.
