Google Authenticator with OpenVPN for 2 factor auth

October 9, 2012   

This post will describe how to get it working with Ubuntu 12.04. It should work with other versions along with other Linux distros. The only difference is the package names might change.

Install the packages

Run the following command

apt-get -y install openvpn libpam-google-authenticator

Setup OpenVPN

Place the cert key helps

mkdir /etc/openvpn/easy-rsa/
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Then you need to edit the following file


Scroll all the way down and find the following section and change it to your needs

export KEY_CITY=NewYork
export KEY_ORG=”Company VPN”
export KEY_EMAIL=””

Set the permissions

cd /etc/openvpn/easy-rsa/
sudo chown -R root:admin .
sudo chmod g+w .

Source the vars file to pull in needed environment variables

source ./vars

Run the scripts to build your keys

./pkitool –initca
./pkitool –server server
cd keys
openvpn –genkey –secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../

Create the following file


With the contents of


/sbin/ip link set “$DEV” up promisc on mtu “$MTU”
/sbin/brctl addif $BR $DEV

Then create another file called


With the contents of




/sbin/brctl delif $BR $DEV
/sbin/ip link set “$DEV” down

Now set permissions on this files

chmod +x /etc/openvpn/ /etc/openvpn/

Then you want to add the following to /etc/sysctl.conf

net.ipv4.ip_forward = 1

That will set it on reboot but you want to set it now run the following

echo 1 > /proc/sys/net/ipv4/ip_forward

Now setup pam to work for openvpn. Create the following file


Then put the following in

auth requisite pam\_google\ forward_pass
auth required pam\ use\_first_pass

Now you need to edit your openvpn config. I called mine server.conf in /etc/openvpn and you want to add the following

plugin /usr/lib/openvpn/ openvpn

Now once openvpn is started you can run the following as the user you are setting up VPN for. They will need a shell account and they can do this themselves if needed. So run the following command


Then choose the following options in this order.

``` Do you want authentication tokens to be time-based (y/n) y Do you want me to update your “/home/bla/.google_authenticator” file (y/n) y

Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module.

By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y

You notice this command might show a QR code at the top which you can download the Google Authenticator app on your phone to scan that code and it will setup your account automatically. If it doesn’t show a QR code it will show a link that will display the code.

You can now run openvpn and connect and the username is your shell user and if you set the password to test123 and google gives you a code of 847324, your password would be test123847324

comments powered by Disqus