diff --git a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml
index 9f2fbea96..18516d14e 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml
@@ -57,6 +57,13 @@
Sets auth-nocache in the exported configuration when password authentication is used. This prevents OpenVPN from caching passwords in memory.
+
+ openvpn_export.static_challenge
+
+ checkbox
+
+ Ask the user for its one time password token separately (instead of as part the password).
+
openvpn_export.plain_config
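Review bot: The new help text for `openvpn_export.static_challenge` has two wording slips and leaves out the precondition an administrator needs. I would write it as `Ask the user for their one-time password token separately (instead of as part of the password).` and add a sentence saying that the server's authentication must accept a static-challenge response, because a client with this option sends password and token in a combined encoded form rather than concatenated. Whether the server side handles that is not visible in this diff, so that second sentence should be confirmed against the server configuration before it is added.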
diff --git a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php
index fcd877a67..f84b3aadb 100644
--- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php
+++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php
@@ -48,7 +48,7 @@ class ArchiveOpenVPN extends PlainOpenVPN
*/
public function supportedOptions()
{
- return array("plain_config", "p12_password", "random_local_port", "auth_nocache", "cryptoapi");
+ return ["plain_config", "p12_password", "random_local_port", "auth_nocache", "cryptoapi", "static_challenge"];
}
/**
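Review bot: The option list in `supportedOptions()` is now maintained by hand in three places (here, `PlainOpenVPN.php` and `ViscosityVisz.php`), so each new option such as `static_challenge` must be added three times, and a missed copy silently drops it for that export type. Since this class extends `PlainOpenVPN`, the override could be `return array_merge(parent::supportedOptions(), ['p12_password']);`, and the same applies to `ViscosityVisz`. That changes the position of `p12_password` in the returned list, so it is only safe if callers do not depend on the order, which cannot be seen from this hunk.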
diff --git a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php
index a5cf84ee4..7d5e840b4 100644
--- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php
+++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php
@@ -48,7 +48,7 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider
*/
public function supportedOptions()
{
- return array("plain_config", "random_local_port", "auth_nocache", "cryptoapi");
+ return ["plain_config", "random_local_port", "auth_nocache", "cryptoapi", "static_challenge"];
}
/**
@@ -143,6 +143,10 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider
}
}
+ if (!empty($this->config['static_challenge'])) {
+ $conf[] = sprintf('static-challenge "%s" 1', addslashes(gettext('Enter OTP token:')));
+ }
+
if (!empty($this->config['compression'])) {
switch ($this->config['compression']) {
case 'no':
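Review bot: `addslashes()` on the added `static-challenge` line is PHP string escaping rather than OpenVPN config quoting: it also turns an apostrophe into `\'` and leaves CR/LF untouched. Because the prompt comes from `gettext()`, a translation containing an apostrophe would put a backslash sequence into the exported client config that OpenVPN may reject, and a line break in a catalog entry would end the directive and start a new config line. I would escape only what the double-quoted argument needs and flatten line breaks, e.g. `$prompt = str_replace(["\r", "\n"], ' ', gettext('Enter OTP token:'));` followed by `$conf[] = sprintf('static-challenge "%s" 1', addcslashes($prompt, '"\\'));`. The trailing `1` makes the client echo the token as it is typed, which deserves a short comment stating that this is intended; the enclosing method starts and ends outside the hunk.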
diff --git a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php
index 7c2070ab5..505c21bdf 100644
--- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php
+++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php
@@ -48,7 +48,7 @@ class ViscosityVisz extends PlainOpenVPN
*/
public function supportedOptions()
{
- return array("plain_config", "p12_password", "random_local_port", "auth_nocache", "cryptoapi");
+ return ["plain_config", "p12_password", "random_local_port", "auth_nocache", "cryptoapi", "static_challenge"];
}
/**
diff --git a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml
index b432d24be..56885bd5b 100644
--- a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml
@@ -29,6 +29,7 @@
+