Google Authenticator with OpenVPN for 2 factor auth

This post describes how to get it working on Ubuntu 12.04. It should work on other versions and on other Linux distros; the only difference is that the package names might change.

Install the packages

Run the following command

apt-get -y install openvpn libpam-google-authenticator

Setup OpenVPN

Copy the easy-rsa certificate helper scripts into place

mkdir /etc/openvpn/easy-rsa/
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Then you need to edit the following file


Scroll all the way down, find the following section and change the values to suit your organisation

export KEY_CITY=NewYork
export KEY_ORG="Company VPN"
export KEY_EMAIL=""

Set the permissions

cd /etc/openvpn/easy-rsa/
sudo chown -R root:admin .
sudo chmod g+w .

Source the vars file to pull in needed environment variables

source ./vars

Run the scripts to build your keys

./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../

Create the following file


With the contents of

#!/bin/sh
# OpenVPN's up hook passes the bridge name given in the config, then the tap device and its MTU
BR=$1
DEV=$2
MTU=$3
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/sbin/brctl addif "$BR" "$DEV"

Then create another file called


With the contents of

#!/bin/sh
# same argument order as the up script: bridge name, then the tap device
BR=$1
DEV=$2
/sbin/brctl delif "$BR" "$DEV"
/sbin/ip link set "$DEV" down

Now make both scripts executable

chmod +x /etc/openvpn/ /etc/openvpn/

Then you want to add the following to /etc/sysctl.conf

net.ipv4.ip_forward = 1

That sets it on reboot; to enable it immediately, run the following

echo 1 > /proc/sys/net/ipv4/ip_forward

Now set up PAM for OpenVPN. Create the following file


Then put the following in

auth requisite forward_pass
auth required use_first_pass

Now edit your OpenVPN config (I called mine server.conf in /etc/openvpn) and add the following line

plugin /usr/lib/openvpn/ openvpn

Once OpenVPN is running, run the following command as the user you are setting up the VPN for. The user needs a shell account and can do this step themselves if needed:


Then choose the following options in this order.

Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "/home/bla/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

This command may show a QR code at the top; install the Google Authenticator app on your phone and scan it, and the account is set up automatically. If it doesn't show a QR code, it shows a link that displays the code.

You can now start OpenVPN and connect. The username is your shell user, and the password is your system password followed immediately by the current code: if your password is test123 and Google Authenticator shows 847324, you would enter test123847324.
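To make the mechanism concrete: the PAM stack above splits the combined password into the system password and a six-digit time-based code, and the Google Authenticator module checks that code against the shared secret. The following Python is an added illustration, not code from this post or from the libpam-google-authenticator project. It implements RFC 4226/6238 TOTP with the parameters the setup prompts describe (30-second steps, one extra token before and after the current one, no reuse of a code) together with the split that forward_pass performs. The base32 secret is the standard RFC test key, constructed here for the example; the function and class names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed secret for the example: the RFC 4226/6238 test key
# "12345678901234567890", in the base32 form google-authenticator stores.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP_SECONDS = 30   # tokens are good for 30 seconds
DIGITS = 6          # Google Authenticator codes are 6 digits


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_at(secret_b32, unix_time, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret_b32, int(unix_time) // step)


def split_credential(combined, digits=DIGITS):
    """What forward_pass does: the trailing six digits are the token, the rest is the password."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None, None
    return combined[:-digits], combined[-digits:]


class TotpVerifier:
    """Accepts a code within +/- `window` steps of now and refuses a replayed code."""

    def __init__(self, secret_b32, window=1, step=STEP_SECONDS):
        self.secret = secret_b32
        self.window = window          # 1 = one extra token before and after
        self.step = step
        self.used_counters = set()    # "disallow multiple uses of the same token"

    def verify_code(self, code, now=None):
        now = time.time() if now is None else now
        current = int(now) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter in self.used_counters:
                continue              # already spent: replaying it must fail
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used_counters.add(counter)
                return True
        return False


def authenticate(verifier, combined, system_password, now=None):
    """Same order as the PAM stack: the token is checked first, then the password."""
    password, code = split_credential(combined)
    if code is None:
        return False
    if not verifier.verify_code(code, now):
        return False
    return hmac.compare_digest(password.encode(), system_password.encode())


if __name__ == "__main__":
    # Demo: a code generated for "now" authenticates once, then is refused as a replay.
    verifier = TotpVerifier(SECRET_B32)
    combined = "test123" + totp_at(SECRET_B32, time.time())
    print(authenticate(verifier, combined, "test123"))   # True
    print(authenticate(verifier, combined, "test123"))   # False, same code reused
```

Two things this makes visible that matter in practice. First, the counter is derived from the server's clock, so a client and server that disagree by more than `window` steps will never agree on a code; that is why an unexplained "Authentication failure" with a correct password is usually an NTP problem. Second, the split is purely positional: a password that itself ends in six digits still works, because the last six characters are always taken as the token and the remainder as the password.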


About mike
Currently works for Recurly as a Senior Linux Admin. He has a wonderful wife Thanuja and 2 great children (Anusha and Brandon). His major side project is Photoblog.

  • Greywolf

    Hey, Mike,

    I’ve followed the directions, and I keep getting the following error on the server side while using openvpn from windows to connect, provided Username: myusername and Password: my long pass phrase###### with ###### being the Google Auth Code, and I can’t make the connection, so to speak:

    AUTH-PAM: BACKGROUND: received command code: 0
    AUTH-PAM: BACKGROUND: USER: myusername
    AUTH-PAM: BACKGROUND: my_conv[0] query='Password & verification code: ' style=1
    AUTH-PAM: BACKGROUND: user 'greywolf' failed to authenticate: Authentication failure
    Wed Oct 17 20:40:20 2012 us=144637 PLUGIN_CALL: POST /usr/share/openvpn/plugin/lib/ status=1
    Wed Oct 17 20:40:20 2012 us=144645 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/share/openvpn/plugin/lib/
    Wed Oct 17 20:40:20 2012 us=144663 TLS Auth Error: Auth Username/Password verification failed for peer

    Are you certain the password and verification code are supposed to be concatenated thus?

    • mike

      Yes, the password you use is your system password concatenated with the Google Auth token you are given. So one thing you can try is to remove the /etc/pam.d/openvpn file and see if you can auth with just your username/password that is the same on the system. If that works then maybe you have an NTP problem?

  • Robert Sander


    I am missing the openvpn config file for the setup. Could you please include it here? Thanks.

  • Zaheer

    Hey there,

    Great job on the write up, I attempted this and found no end change. I could still log in with just the password and my ID. The token appended to the password was rejected. I attempted (like many others on some forums) to comment out all the @ lines in /etc/pam.d/openvpnas but that just resulted in NO login abilities until I did it.

    Any ideas?

    • Zaheer

      I should add, I built a VM so I could replicate as best as possible your setup. Ubuntu 12.0.4 with the latest .deb i386 OpenVPN package which is 1.8.4 I believe

    • mike

      Hey, thanks for noticing this. I updated my post but I forgot to add in the plugin for google auth in the openvpn config. Add the following

      plugin /usr/lib/openvpn/ openvpn


      • Zaheer

        Do you mean to say add that line to : /etc/pam.d/openvpnas ?

  • AyeLLA

    Hi Mike ,

    Can we use this with Active Directory Account ?

    or have to create /add one by one user into openvpn

    Please Advise.



    • mike

      No idea, since I have never touched Active Directory.

      • al

        what about ldap ?
        can I use google authenticator along with openvpn’s plugin openvpn-auth-ldap, so the authentication will take place on the ldap but google authenticator does the two-factor ?

        • mike

          Yes, I don't see that as a problem. You should be able to hook into the ldap pam and auth there if needed. I have to do this for PCI compliance soon, so if you keep an eye on my blog you will have your answer if you can't figure it out.

          • al

            that would be nice!

  • Randall

    Nice just have to convert it to centos and ready to go.

  • greenkev

    Hello Mike,

    Do you know how to configure google-authenticator with openvpn AND FREERADIUS ?

    Thanks in advance.


    • mike

      Not sure it'll work like you hope, since the RADIUS plugin doesn't use PAM at all.

  • Eric

    Thanks a lot Mike! I was just using ldap accounts + google authenticator password.

    I had to use your approach to be compliant with security standards. Quick and easy change.


  • john H

    Hello Eric,

    Could you share how you were able to hook up LDAP accounts with Google Authenticator. It will be much appreciated. Thanks.