From d8adc429f79466099a979a0c9edafa0ee694d094 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Mon, 31 Mar 2025 18:52:26 +0200
Subject: [PATCH] VPN: OpenVPN: Client Export - add "Enable static challenge (OTP)" option, closes https://github.com/opnsense/core/issues/8488
---
 .../controllers/OPNsense/OpenVPN/forms/export_options.xml | 7 +++++++
 .../mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php | 2 +-
 .../mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php | 6 +++++-
 .../mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php | 2 +-
 src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml | 1 +
 5 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml
index 9f2fbea96..18516d14e 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml
@@ -57,6 +57,13 @@ Sets auth-nocache in the exported configuration when password authentication is used. This prevents OpenVPN from caching passwords in memory. + + openvpn_export.static_challenge + + checkbox + + Ask the user for its one time password token separately (instead of as part the password). + openvpn_export.plain_config
diff --git a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php
index fcd877a67..f84b3aadb 100644
--- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php
+++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php
@@ -48,7 +48,7 @@ class ArchiveOpenVPN extends PlainOpenVPN
 */
 public function supportedOptions()
 {
- return array("plain_config", "p12_password", "random_local_port", "auth_nocache", "cryptoapi");
+ return ["plain_config", "p12_password", "random_local_port", "auth_nocache", "cryptoapi", "static_challenge"];
 }
 
 /**
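Review bot: The help text added for `openvpn_export.static_challenge` has two wording slips: "its" where a user is meant, and a missing "of" in "as part the password". It also leaves out that the option presumably only makes sense when the server expects a one-time token on top of the password, which an administrator exporting a profile would want to know. Suggested text: `Ask the user for their one-time password token separately (instead of as part of the password). Only useful when the server expects an OTP token.` The XML tags of this hunk are not visible on the page, so this is limited to the text.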
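Review bot: `supportedOptions()` in ArchiveOpenVPN repeats the full option list of its parent, and the same literal list is edited again in the PlainOpenVPN and ViscosityVisz hunks of this commit, so every new export option has to be added in three places. A list that is missed in one class would silently leave the option out of that export format. Since both subclasses extend PlainOpenVPN, the override could build on the parent, for example `return array_merge(parent::supportedOptions(), ["p12_password"]);`, provided nothing depends on the position of `p12_password` in the list, which is not visible here.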
diff --git a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php
index a5cf84ee4..7d5e840b4 100644
--- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php
+++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php
@@ -48,7 +48,7 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider
 */
 public function supportedOptions()
 {
- return array("plain_config", "random_local_port", "auth_nocache", "cryptoapi");
+ return ["plain_config", "random_local_port", "auth_nocache", "cryptoapi", "static_challenge"];
 }
 
 /**
@@ -143,6 +143,10 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider
 }
 }
 
+ if (!empty($this->config['static_challenge'])) {
+ $conf[] = sprintf('static-challenge "%s" 1', addslashes(gettext('Enter OTP token:')));
+ }
+
 if (!empty($this->config['compression'])) {
 switch ($this->config['compression']) {
 case 'no':
diff --git a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php
index 7c2070ab5..505c21bdf 100644
--- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php
+++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php
@@ -48,7 +48,7 @@ class ViscosityVisz extends PlainOpenVPN
 */
 public function supportedOptions()
 {
- return array("plain_config", "p12_password", "random_local_port", "auth_nocache", "cryptoapi");
+ return ["plain_config", "p12_password", "random_local_port", "auth_nocache", "cryptoapi", "static_challenge"];
 }
 
 /**
diff --git a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml
index b432d24be..56885bd5b 100644
--- a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml
@@ -29,6 +29,7 @@ +
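Review bot: The trailing `1` in `'static-challenge "%s" 1'` (second PlainOpenVPN hunk) is OpenVPN's echo flag, so the exported client shows the one-time token while it is typed, and nothing in the hunk records that this is deliberate. A comment above the `$conf[]` line such as `// trailing 1 = echo flag: the OTP token is visible while typed` would document the choice. Separately, `addslashes()` also escapes single quotes and leaves line breaks untouched, so a translated prompt containing an apostrophe or a newline may not reach the client config as one cleanly quoted argument. `addcslashes(str_replace(["\r", "\n"], ' ', gettext('Enter OTP token:')), '"\\')` would limit escaping to `\` and `"` and keep the directive on one line. The enclosing method starts and ends outside the hunk, so whether the directive is emitted only for servers that use password authentication cannot be checked from here.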