From: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue, 2 Dec 2025 16:20:46 +0000 (+0100)
Subject: ovpnmain.cgi: Push auth-token only to clients that use OTP
X-Git-Tag: v2.29-core200~172
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=c3936b58dd71806c561d38ff326af732fcae54dd;p=ipfire-2.x.git

ovpnmain.cgi: Push auth-token only to clients that use OTP

This is mainly a cosmetic change as some clients complain about
importing this option as it is supposed to be "push-only".

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 435026c02..dd4f98246 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -627,6 +627,11 @@ sub write_ccd_configs() {
 		# Write a header
 		print CONF "# OpenVPN Client Configuration File\n\n";
 
+		# Push the auth-token if the client is using OTP
+		if ($conns{$key}[43] eq 'on') {
+			print CONF "push \"auth-token TOTP\"\n\n";
+		}
+
 		# Fetch the allocated IP address (if any)
 		my $pool    = $conns{$key}[32];
 		my $address = $conns{$key}[33];
@@ -2465,7 +2470,6 @@ END
 		# Set a fake user name for authentication
 		print "auth-user-pass\n";
 		print "auth-token-user USER\n";
-		print "auth-token TOTP\n";
 
 		# If the server is asking for TOTP this needs to happen interactively
 		print "auth-retry interact\n";