Google Authenticator with OpenVPN for 2 factor auth
This post will describe how to get it working with Ubuntu 12.04. It should work with other versions along with other Linux distros. The only difference is the package names might change.
Install the packages
Run the following command
apt-get -y install openvpn libpam-google-authenticator
Setup OpenVPN
Copy the easy-rsa certificate and key helper scripts into place
mkdir /etc/openvpn/easy-rsa/
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Then you need to edit the following file
/etc/openvpn/easy-rsa/vars
Scroll all the way down and find the following section and change it to your needs
export KEY_COUNTRY=US
export KEY_PROVINCE=NY
export KEY_CITY=NewYork
export KEY_ORG="Company VPN"
export KEY_EMAIL="sysops@company.com"
Set the permissions
cd /etc/openvpn/easy-rsa/
sudo chown -R root:admin .
sudo chmod g+w .
Source the vars file to pull in needed environment variables
source ./vars
Run the scripts to build your keys
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../
Create the following file
/etc/openvpn/up.sh
With the contents of
#!/bin/sh
# Called by OpenVPN as: up.sh <bridge> <tap device> <mtu> ...
BR=$1
DEV=$2
MTU=$3
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/sbin/brctl addif "$BR" "$DEV"
Then create another file called
/etc/openvpn/down.sh
With the contents of
#!/bin/sh
# Called by OpenVPN as: down.sh <bridge> <tap device> ...
BR=$1
DEV=$2
/sbin/brctl delif "$BR" "$DEV"
/sbin/ip link set "$DEV" down
Now make these files executable
chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh
Then you want to add the following to /etc/sysctl.conf
net.ipv4.ip_forward = 1
That takes effect on reboot; to enable forwarding immediately, run the following
echo 1 > /proc/sys/net/ipv4/ip_forward
Now set up PAM for OpenVPN. Create the following file
/etc/pam.d/openvpn
Then put the following in
auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
Now edit your OpenVPN server config (mine is /etc/openvpn/server.conf) and add the following line
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
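For reference, a complete server.conf for the bridged setup described on this page, added here as an example (it is not the post's own file, which the post does not show). It assumes an existing bridge br0 that already holds the LAN interface, a 10.8.0.x address pool for VPN clients, and that clients hold certificates issued by the same CA:

```conf
# Added example server.conf; br0, the 10.8.0.x pool and the listening port are assumptions
port 1194
proto udp
dev tap

# Certificates and keys copied into /etc/openvpn by the easy-rsa steps above
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
tls-auth /etc/openvpn/ta.key 0

# Hand out addresses on the bridged LAN: bridge IP, netmask, pool start, pool end
server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Attach the tap device to the bridge with up.sh/down.sh from above.
# The bridge name is passed as $1; OpenVPN appends the device name and MTU.
script-security 2
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"

# Username/password plus Google Authenticator code via the /etc/pam.d/openvpn stack
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn

keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
```

The up and down directives pass the bridge name as the first argument, so OpenVPN's own arguments (tap device name, MTU) land in $2 and $3 as up.sh and down.sh expect; script-security 2 is what allows OpenVPN to run those external scripts at all. The user/group privilege-drop directives are left out on purpose: down.sh runs brctl, which needs root. Each client still needs its own certificate (built with ./pkitool <clientname> from the same easy-rsa directory) in addition to the shell username, password and code.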
Once OpenVPN is running, run the following as the user you are setting up the VPN for. They need a shell account on the server, and they can do this step themselves if needed. So run the following command
google-authenticator
Then choose the following options in this order.
Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "/home/bla/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
This command may show a QR code at the top; install the Google Authenticator app on your phone and scan the code to set up the account automatically. If it doesn't show a QR code, it shows a link that will display the code.
You can now start OpenVPN and connect. The username is your shell user, and the password is your system password with the current code appended: if your password is test123 and Google Authenticator gives you a code of 847324, you type test123847324 as the password.
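To make the four options chosen above and the password+code convention concrete, here is a small Python model of the checks the PAM module performs: time-based codes, a skew window of one step on each side (the default 1:30min covers three 30-second tokens), rejection of a code that is not newer than the last accepted one, rate limiting of 3 attempts per 30s, and the forward_pass split that hands the leading part to pam_unix. This is an added example, not the pam_google_authenticator source, and the secret it uses is the published RFC 4226/6238 test key so the codes can be checked against the RFC vectors; the exact window size the "about 4min" answer selects is not modelled, only the window parameter.

```python
# Added example (not the pam_google_authenticator source): a simplified model of
# the checks the module performs with the options chosen above.
import base64
import hashlib
import hmac
import struct

STEP = 30       # seconds each token is valid (google-authenticator default)
DIGITS = 6      # length of a normal TOTP code

# RFC 4226/6238 test key "12345678901234567890", base32-encoded (constructed input)
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, counter):
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for time-step number `counter`."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (DIGITS, value % 10 ** DIGITS)


def split_forwarded(typed):
    """forward_pass: the code is the trailing 6 digits; the rest is the system
    password handed on to pam_unix (use_first_pass). Returns (password, code)
    or None when the input cannot be split that way."""
    if len(typed) <= DIGITS or not typed[-DIGITS:].isdigit():
        return None
    return typed[:-DIGITS], typed[-DIGITS:]


class TotpVerifier:
    def __init__(self, secret_b32, window=1, disallow_reuse=True,
                 max_attempts=3, rate_period=30):
        self.secret = secret_b32
        self.window = window              # steps accepted on each side of "now"
        self.disallow_reuse = disallow_reuse
        self.max_attempts = max_attempts  # "no more than 3 login attempts every 30s"
        self.rate_period = rate_period
        self.last_used = None             # step number of the last accepted code
        self.attempts = []                # timestamps of recent attempts

    def verify(self, code, now):
        """Return 'ok', 'bad-code', 'replayed' or 'rate-limited'."""
        # Rate limiting: drop attempts older than the period, then count
        self.attempts = [t for t in self.attempts if now - t < self.rate_period]
        if len(self.attempts) >= self.max_attempts:
            return "rate-limited"
        self.attempts.append(now)

        current = int(now) // STEP
        first = max(0, current - self.window)
        for step in range(first, current + self.window + 1):
            if hmac.compare_digest(totp(self.secret, step), code):
                # Disallow reuse: a matching code must be newer than the last one
                if (self.disallow_reuse and self.last_used is not None
                        and step <= self.last_used):
                    return "replayed"
                self.last_used = step
                return "ok"
        return "bad-code"


if __name__ == "__main__":
    password, code = split_forwarded("test123847324")
    print("pam_unix gets %r, google_authenticator gets %r" % (password, code))
    v = TotpVerifier(TEST_SECRET_B32)
    print(v.verify(totp(TEST_SECRET_B32, 2), 59))   # one step ahead: inside window
    print(v.verify(totp(TEST_SECRET_B32, 2), 59))   # same code again: replayed
```

The replay rule is what the "disallow multiple uses" answer buys you: once a code for step N has been accepted, any code for a step at or before N is refused, which is why the prompt warns about one login per 30 seconds. Widening the window (the "about 4min" answer) only changes how far the loop looks on either side of the current step; it does not weaken the replay check.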
Hey, Mike,
I’ve followed the directions, and I keep getting the following error on the server side while using openvpn from windows to connect, provided Username: myusername and Password: my long pass phrase###### with ###### being the Google Auth Code, and I can’t make the connection, so to speak:
…
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: myusername
AUTH-PAM: BACKGROUND: my_conv[0] query='Password & verification code: ' style=1
AUTH-PAM: BACKGROUND: user 'greywolf' failed to authenticate: Authentication failure
Wed Oct 17 20:40:20 2012 us=144637 aa.bb.cc.dd:55572 PLUGIN_CALL: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Wed Oct 17 20:40:20 2012 us=144645 aa.bb.cc.dd:55572 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so
Wed Oct 17 20:40:20 2012 us=144663 aa.bb.cc.dd:55572 TLS Auth Error: Auth Username/Password verification failed for peer
…
Are you certain the password and verification code are supposed to be concatenated thus?
Yes, the password you use is concatenated with your system password and the google auth token you are given. So one thing you can try is to remove the /etc/pam.d/openvpn file and see if you can auth with just your username/password that is the same on the system. If that works then maybe you have an NTP problem?
Hi,
I am missing the openvpn config file for the setup. Could you please include it here? Thanks.
Hey there,
Great job on the write up, I attempted this and found no end change. I could still log in with just the password and my ID. The token appended to the password was rejected. I attempted (like many others on some forums) to comment out all the @ lines in /etc/pam.d/openvpnas but that just resulted in NO login abilities until I did it.
Any ideas?
I should add, I built a VM so I could replicate as best as possible your setup. Ubuntu 12.0.4 with the latest .deb i386 OpenVPN package which is 1.8.4 I believe
Hey.. thanks for noticing this.. I updated my post but I forgot to add in the plugin for google auth in the openvpn config. Add the following
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
Thanks!
Do you mean to say add that line to : /etc/pam.d/openvpnas ?