TOTP Dynamic Challenge

I would like to switch from Tunnelblick to Viscosity due to the better DNS stability.

In Tunnelblick, I currently have a dynamic-challenge-response.user.sh script enabled to return a TOTP code:

cp ~/path/to/config.ovpn .
vim dynamic-challenge-response.user.sh
>> /opt/homebrew/bin/oathtool --totp -b -d 6 $otp_secret

How do I implement this in Viscosity? I haven’t found anything about dynamic challenge response in the documentation. Static challenge response does not work, as the TOTP challenge is generated by the server in a second step and not part of the configuration itself.

Thanks in advance!

Hi mthiele,

You can make use of Viscosity’s Pre-Connection Credentials support for this. It allows you to return a challenge, which Viscosity will cache and use for a dynamic challenge (or static challenge) from the OpenVPN server. Information on how to do this can be found at:
https://www.sparklabs.com/support/kb/article/running-applescripts-when-connected-disconnected/#setting-pre-connection-credentials

It’s also possible to use OpenVPN scripts; however, you’ll need to enable the “AllowOpenVPNScripts” security setting and store your scripts in a secure location. Instructions for how to do this can be found at:
https://www.sparklabs.com/support/kb/article/preventing-network-and-dns-traffic-leaks/#preventing-network-leaks-when-a-drop-outdisconnect-occurs

Cheers,
James
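
For either route in the reply, the oathtool one-liner from the question can read its secret from the macOS keychain instead of a plaintext $otp_secret and check the result before handing it on. This is an added example, not part of the original thread or of Viscosity's or Tunnelblick's own code; the keychain item name vpn-totp and the --print switch are assumptions.

```shell
#!/bin/sh
# Added example: print a 6-digit TOTP code from a secret stored in the macOS
# keychain, so the script file itself holds no secret.
# Assumed names: KEYCHAIN_SERVICE / KEYCHAIN_ACCOUNT. Create the item once with
#   security add-generic-password -s vpn-totp -a "$USER" -w
# (a trailing -w makes `security` prompt for the base32 secret).

OATHTOOL="${OATHTOOL:-/opt/homebrew/bin/oathtool}"   # path used in the question
KEYCHAIN_SERVICE="${KEYCHAIN_SERVICE:-vpn-totp}"     # assumed item name
KEYCHAIN_ACCOUNT="${KEYCHAIN_ACCOUNT:-${USER:-}}"

# Read the base32 secret from the keychain; -w prints only the stored value.
fetch_secret() {
    security find-generic-password -s "$KEYCHAIN_SERVICE" -a "$KEYCHAIN_ACCOUNT" -w
}

# Print the current code on stdout, or return non-zero with a reason on stderr.
totp_code() {
    secret=$(fetch_secret 2>/dev/null) || { echo "keychain lookup failed" >&2; return 1; }
    # Authenticator exports often group the secret with spaces and lower case.
    secret=$(printf '%s' "$secret" | tr -d '[:space:]' | tr 'a-z' 'A-Z')
    case "$secret" in
        ''|*[!A-Z2-7=]*) echo "secret is not base32" >&2; return 1 ;;
    esac
    # Same oathtool invocation as in the question.
    code=$("$OATHTOOL" --totp -b -d 6 "$secret") || { echo "oathtool failed" >&2; return 1; }
    # Only ever hand exactly six digits to the VPN client.
    case "$code" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) printf '%s\n' "$code" ;;
        *) echo "unexpected oathtool output" >&2; return 1 ;;
    esac
}

# Print the code only when asked (assumed switch), so the file can be sourced.
if [ "${1:-}" = "--print" ]; then
    totp_code
fi
```

Keeping the script in a root-owned directory that your user cannot write to matches the reply's advice to store scripts in a secure location.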