We have a standard vanilla deployment of OpenVPN. One of our users recently switched phones, and while his Google Authenticator app was transferred across and the code is still visible, it no longer functions with OpenVPN.
We only need to scan the QR code to add OpenVPN to the Google Authenticator app, I reasoned, and he’ll be back online in no time. Wrong.
There doesn’t appear to be a method to display the original QR code once the user is up and running because Authenticator is bound to the device and continues to believe it is ready for action.
So, the user account within OpenVPN needs its authentication reset. The reset tells OpenVPN to display a new QR code, and the app can then be configured correctly.
To complete this process, SSH into the OpenVPN server, then type the following, replacing <USERNAME> with the user’s login id that you wish to reset.
    cd /usr/local/openvpn_as/scripts/
    sudo ./sacli --user <USERNAME> GoogleAuthRegen