Google Authenticator with OpenVPN for 2 factor auth
This post will describe how to get it working with Ubuntu 12.04. It should work with other versions along with other Linux distros; the only difference is that the package names might change.
Install the packages
Run the following command
```
apt-get -y install openvpn libpam-google-authenticator
```
Put the easy-rsa certificate and key helper scripts in place
```
mkdir /etc/openvpn/easy-rsa/
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
```
Then you need to edit the following file
Scroll all the way down, find the following section, and change it to your needs
```
export KEY_COUNTRY=US
export KEY_PROVINCE=NY
export KEY_CITY=NewYork
export KEY_ORG="Company VPN"
export KEY_EMAIL="email@example.com"
```
Set the permissions
```
cd /etc/openvpn/easy-rsa/
sudo chown -R root:admin .
sudo chmod g+w .
```
Source the vars file to pull in needed environment variables
Run the scripts to build your keys
```
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../
```
Create the following file
With the contents of
```sh
#!/bin/sh
# Called by OpenVPN with: bridge name, tap device, MTU
BR=$1
DEV=$2
MTU=$3
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/sbin/brctl addif "$BR" "$DEV"
```
Then create another file called
With the contents of
```sh
#!/bin/sh
# Called by OpenVPN with: bridge name, tap device
BR=$1
DEV=$2
/sbin/brctl delif "$BR" "$DEV"
/sbin/ip link set "$DEV" down
```
Now set permissions on these files
```
chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh
```
Then you want to add the following to /etc/sysctl.conf
```
net.ipv4.ip_forward = 1
```
That will apply on reboot, but to set it now, run the following
```
echo 1 > /proc/sys/net/ipv4/ip_forward
```
Now set up PAM to work with OpenVPN. Create the following file
Then put the following in
```
auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
```
Now you need to edit your OpenVPN config. I called mine server.conf in /etc/openvpn, and you want to add the following
```
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
```
Now, once OpenVPN is started, you can run the following as the user you are setting up the VPN for. They will need a shell account, and they can do this themselves if needed. So run the following command
Then choose the following options in this order.
```
Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "/home/bla/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
```
This command will usually show a QR code at the top; install the Google Authenticator app on your phone and scan that code, and it will set up your account automatically. If it doesn't show a QR code, it will show a link that displays the code.
You can now start OpenVPN and connect. The username is your shell user, and the password is your Unix password with the current code appended: if you set the password to test123 and Google Authenticator gives you a code of 847324, your password would be test123847324.
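To make the PAM stack above concrete, here is an added Python model (not code from the original post or from the pam_google_authenticator project) of what happens to a password like test123847324: forward_pass splits off the trailing six-digit code, the TOTP is checked within the skew window chosen in the dialog, an already-used time step is refused, and only then is the remaining password handed to pam_unix. The secret is a constructed sample (the RFC 6238 test key in base32), and the helper names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
# Constructed sample secret: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1, the algorithm behind Google Authenticator."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def split_forwarded_password(combined, digits=6):
    """Model forward_pass: the trailing six digits are the TOTP code, the rest
    is the Unix password handed on to pam_unix via use_first_pass."""
    code = combined[-digits:]
    if len(combined) <= digits or not all(c in "0123456789" for c in code):
        return None
    return combined[:-digits], code

class TotpVerifier:
    """Models two dialog options: a skew window of +/-`window` 30 s steps
    (1 = default 1:30 min, 4 = about 4 min) and rejection of token reuse."""

    def __init__(self, secret_b32, window=1, step=30):
        self.secret, self.window, self.step = secret_b32, window, step
        self.used_steps = set()  # time steps whose token was already accepted

    def verify(self, code, timestamp):
        base = int(timestamp) // self.step
        for counter in range(max(base - self.window, 0), base + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter in self.used_steps:
                    return False  # replay of an already-consumed token
                self.used_steps.add(counter)
                return True
        return False

def check_login(combined, unix_password, verifier, timestamp):
    """The stack as configured above: pam_google_authenticator (requisite)
    checks the code first, then pam_unix checks the forwarded password."""
    parts = split_forwarded_password(combined)
    if parts is None:
        return False
    password, code = parts
    return verifier.verify(code, timestamp) and hmac.compare_digest(
        password.encode(), unix_password.encode())
```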