This tiny helper tool makes it possible to use WatchGuard / Firebox / <> VPNs that use multi-factor authentication with OpenVPN. It supports the Watchguard Authpoint App or SMS as multi-factor.
Rather than using OpenVPN's built-in dynamic challenge/response protocol, WatchGuard
has opted for a separate implementation negotiating credentials outside of the
OpenVPN protocol, which makes it impossible to start those connections solely by
using the openvpn
CLI and configuration files.
What this application does has been reverse-engineered from the "WatchGuard Mobile VPN with SSL" application on OS X.
Tazjin published a blog post describing the process and what is actually going on in this protocol.
Make sure you have Go installed and GOPATH
configured, then simply:
go install github.com/cgroschupp/watchblob@main
Right now the usage is very simple. Make sure you have the correct OpenVPN client config ready (this is normally supplied by the WatchGuard UI) simply run:
watchblob --host vpnserver.somedomain.org --username username --password p4ssw0rd
NAME:
watchblob - 2-factor WatchGuard VPNs with OpenVPN
USAGE:
watchblob [global options] command [command options] [arguments...]
COMMANDS:
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--username value Username
--password value Password
--password-stdin take the password from stdin (default: false)
--token value token that is used to answer the challenge
--host value Watchguard fqdn
--debug enable debug output (default: false)
--insecure allow insecure ssl connection to watchguard (default: false)
--help, -h show help
The server responds with a challenge which is displayed to the user, wait until you
receive the SMS code or whatever and enter it. watchblob
then completes the
credential negotiation and you may proceed to log in with OpenVPN using your username
and the OTP token (not your password) as credentials.