
I configured my OpenVPN server to authenticate clients with user/pass (LDAP) and OTP/2FA (Google Authenticator). It works fine!

I have OS X clients that use Tunnelblick as the OpenVPN client, and it doesn't support OTP/2FA. So I would need to use TLS private/public key authentication for them.

Can I make a single OpenVPN instance authenticate users with TLS when the client sends a certificate and with user/pass+OTP when the client doesn't send a certificate?

Plan B is to set up two instances, but if possible I would like to avoid that.

Francis

0 Answers