Qubes VPN 2FA (with a certificate on USB)
Configuration for Qubes-vpn-support to add support for 2FA. This specific implementation of 2FA is limited to a certificate stored on a USB stick.
The canonical URL of this project is https://git.axenhus.com/qubes-vpn-2fa-certificate/
Prerequisites
- Qubes-vpn-support installed and working.
- An USB stick with a certificate. The certificate must be encrypted with a password. The certificate must be in the root directory.
- Configuration for the VPN stored on the USB with the certificate. The file
must end in
.ovpnand be the only file matching that pattern. It must be stored in the root directory. - Username and password for the VPN.
Installation
- Copy
00-2fa-usb.confto/rw/config/qubes-vpn-handler.service.d. - Copy
prepare-vpn-usb.shto/rw/config. - Restart the ProxyVM or restart the VPN service.
Usage
When the VPN service starts an xterm prompt will appear. It will prompt for:
- A device path. Attach your USB device to the VM. Usually the script can autodetect the correct path and you can simply press enter. If it doesn't you have to manually enter the correct path.
- A key password. This is the password for the private key for the certificate.
- Username for the VPN service.
- Password for the VPN service.
Implementation notes
This is implemented by overriding some configuration for Qubes-vpn-handler. The
overriden configuration will cause Qubes-vpn-handler to run
prepare-vpn-usb.sh before the actual service is started. That script will
mount the USB device on top of /rw/config/vpn and create a RAM disk to
store the passwords in for the VPN service.
Known issues
- The VPN service appears to be failing to connect the very first time it starts, even if the correct credentials are entered. It will successfully connect once systemd automatically restarts it (usually happens after a few seconds). Patches are welcome.