Google Authenticator with OpenVPN for 2 factor auth

This post will describe how to get it working with Ubuntu 12.04. It should work with other versions along with other Linux distros. The only difference is the package names might change.

Install the packages

Run the following command

apt-get -y install openvpn libpam-google-authenticator

Setup OpenVPN

Copy the easy-rsa helper scripts into place

mkdir /etc/openvpn/easy-rsa/
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Then you need to edit the following file

/etc/openvpn/easy-rsa/vars

Scroll all the way down, find the following section and change it to suit your needs

export KEY_COUNTRY=US
export KEY_PROVINCE=NY
export KEY_CITY=NewYork
export KEY_ORG="Company VPN"
export KEY_EMAIL="sysops@company.com"

Set the permissions

cd /etc/openvpn/easy-rsa/
sudo chown -R root:admin .
sudo chmod g+w .

Source the vars file to pull in needed environment variables

source ./vars

Run the scripts to build your keys

./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../

Create the following file

/etc/openvpn/up.sh

With the contents of

#!/bin/sh
# Called by OpenVPN with: <bridge> <tap device> <mtu>
set -e

BR="$1"
DEV="$2"
MTU="$3"

# Bring the tap interface up and attach it to the bridge
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/sbin/brctl addif "$BR" "$DEV"

Then create another file called

/etc/openvpn/down.sh

With the contents of

#!/bin/sh
# Called by OpenVPN with: <bridge> <tap device>
set -e

BR="$1"
DEV="$2"

# Detach the tap interface from the bridge and bring it down
/sbin/brctl delif "$BR" "$DEV"
/sbin/ip link set "$DEV" down

Now make these files executable

chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh

Then you want to add the following to /etc/sysctl.conf

net.ipv4.ip_forward = 1

That takes effect on reboot; to enable forwarding right now, run the following

echo 1 > /proc/sys/net/ipv4/ip_forward

Now set up PAM for OpenVPN. Create the following file

/etc/pam.d/openvpn

Then put the following in

auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

Now you need to edit your OpenVPN config. I called mine server.conf in /etc/openvpn. Add the following line to it

plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn

Once OpenVPN is started, run the following as the user you are setting up VPN access for. The user needs a shell account, and they can do this step themselves if needed. So run the following command

google-authenticator

Then choose the following options in this order.

Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "/home/bla/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

This command may show a QR code at the top; install the Google Authenticator app on your phone and scan it, and the account is set up automatically. If it doesn't show a QR code, it prints a link that displays the code.

You can now start OpenVPN and connect. The username is your shell user, and the password is your system password with the current code appended: if your password is test123 and Google Authenticator gives you the code 847324, your password would be test123847324
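To make the concatenation and the prompt options above concrete, here is an added example (not code from this post or from the pam_google_authenticator module) that models what the PAM stack does with the combined password: the trailing six digits are taken as the TOTP code and the rest is forwarded to pam_unix, the code is accepted within WINDOW_SIZE steps (3 for the default, 17 for the "about 4min" option) and a counter is refused a second time when DISALLOW_REUSE is on. The base32 secret used in the test is the RFC 6238 test vector, not one produced by google-authenticator.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # token lifetime in seconds, as the google-authenticator prompt states


def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the base32 secret stored in ~/.google_authenticator."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(unix_time) // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_forward_pass(combined, digits=6):
    """Model of forward_pass: the last 6 digits are the code, the rest is the
    system password handed on to pam_unix. Returns None if no code is present."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


class Verifier:
    """Accepts a code within WINDOW_SIZE steps around the current one
    (3 = one step either side, 17 = eight steps either side) and, with
    DISALLOW_REUSE, refuses a counter that already produced a successful login."""

    def __init__(self, secret_b32, window_size=3, disallow_reuse=True):
        self.secret = secret_b32
        self.half = window_size // 2
        self.disallow_reuse = disallow_reuse
        self.used = set()  # counters already consumed by a successful login

    def verify(self, code, unix_time):
        now = int(unix_time) // STEP
        for counter in range(now - self.half, now + self.half + 1):
            if counter < 0:
                continue
            if hmac.compare_digest(totp(self.secret, counter * STEP), code):
                if self.disallow_reuse and counter in self.used:
                    return False
                self.used.add(counter)
                return True
        return False
```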


About mike
Currently works for Recurly as a Senior Linux Admin. He has a wonderful wife Thanuja and 2 great children (Anusha and Brandon). His major side project is Photoblog.

Comments

16 Responses to “Google Authenticator with OpenVPN for 2 factor auth”
  1. Greywolf says:

    Hey, Mike,

    I’ve followed the directions, and I keep getting the following error on the server side while using openvpn from windows to connect, provided Username: myusername and Password: my long pass phrase###### with ###### being the Google Auth Code, and I can’t make the connection, so to speak:


    AUTH-PAM: BACKGROUND: received command code: 0
    AUTH-PAM: BACKGROUND: USER: myusername
    AUTH-PAM: BACKGROUND: my_conv[0] query=’Password & verification code: ‘ style=1
    AUTH-PAM: BACKGROUND: user ‘greywolf’ failed to authenticate: Authentication failure
    Wed Oct 17 20:40:20 2012 us=144637 aa.bb.cc.dd:55572 PLUGIN_CALL: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
    Wed Oct 17 20:40:20 2012 us=144645 aa.bb.cc.dd:55572 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so
    Wed Oct 17 20:40:20 2012 us=144663 aa.bb.cc.dd:55572 TLS Auth Error: Auth Username/Password verification failed for peer

    Are you certain the password and verification code are supposed to be concatenated thus?

    • mike says:

      Yes, the password you use is concatenated with your system password and the google auth token you are given. So one thing you can try is to remove the /etc/pam.d/openvpn file and see if you can auth with just your username/password that is the same on the system. If that works then maybe you have an ntp problem?

  2. Robert Sander says:

    Hi,

    I am missing the openvpn config file for the setup. Could you please include it here? Thanks.

  3. Zaheer says:

    Hey there,

    Great job on the write up, I attempted this and found no end change. I could still log in with just the password and my ID. The token appended to the password was rejected. I attempted (like many others on some forums) to comment out all the @ lines in /etc/pam.d/openvpnas but that just resulted in NO login abilities until I did it.

    Any ideas?

    • Zaheer says:

      I should add, I built a VM so I could replicate as best as possible your setup. Ubuntu 12.0.4 with the latest .deb i386 OpenVPN package which is 1.8.4 I believe

    • mike says:

      Hey.. thanks for noticing this.. I updated my post but I forgot to add in the plugin for google auth in the openvpn config. Add the following

      plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn

      Thanks!

  4. AyeLLA says:

    Hi Mike ,

    Can we use this with Active Directory Account ?

    or have to create /add one by one user into openvpn

    Please Advise.

    Regards,

    Ayella

  5. Randall says:

    Nice just have to convert it to centos and ready to go.

  6. greenkev says:

    Hello Mike,

    Do you know how to configure google-authenticator with openvpn AND FREERADIUS ?

    Thanks in advance.

    greenkev

  7. Eric says:

    Thanks a lot Mike! I was just using ldap accounts + google authenticator password.

    I had to use your approach to be compliant with security standards. Quick and easy change.

    Cheers!
