Google Authenticator and openvpn integration in Ubuntu 14.04.3 LTS

Initial setup

This post shows how to set up an integration between Google Authenticator and OpenVPN.

sudo apt-get install -y openvpn libssl-dev openssl easy-rsa

sudo iptables -t nat -A POSTROUTING -s <vpn-subnet> -o eth0 -j MASQUERADE
sudo sh -c "iptables-save > /etc/iptables.conf"

sudo iptables-restore < /etc/iptables.conf
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf

  • Copy the working server.conf file to /etc/openvpn/server.conf (<vpn-subnet> above is the network given by its server directive)
  • Install libpam-google-authenticator and qrencode
sudo apt-get -y install libpam-google-authenticator qrencode
sudo mkdir /var/lib/google-authenticator

Server side adaptation

  • For configurations with local users (i.e. Unix users on the VPN server)
sudo cp /etc/pam.d/common-account /etc/pam.d/openvpn
echo "auth required pam_google_authenticator.so" | sudo tee -a /etc/pam.d/openvpn
  • For configurations (like ours) that do not have a local Unix account for each VPN user
echo 'account required pam_permit.so' | sudo tee /etc/pam.d/openvpn
echo 'auth required pam_google_authenticator.so user=root secret=/var/lib/google-authenticator/${USER}' | sudo tee -a /etc/pam.d/openvpn
  • OpenVPN configuration
echo "plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn" | sudo tee -a /etc/openvpn/server.conf
echo "reneg-sec 0" | sudo tee -a /etc/openvpn/server.conf
sudo service openvpn restart

$ grep ".so" /etc/openvpn/server.conf
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
  • Test creating a shared secret (you will throw this away)
google-authenticator -t -D -f --window-size=3 -r 10 -R 600
  • Create a shared secret (in our case with the key stored in /var/lib/google-authenticator/${USER}; set username and emailDomain in the shell first)
sudo google-authenticator -t -D -f -r 10 -R 600 -w 3 -s /var/lib/google-authenticator/${username} -l "${username}@${emailDomain}" -q
sudo cat /var/lib/google-authenticator/${username} | head -1 | xargs -L1 -IX qrencode -o - -t ANSI "otpauth://totp/${username}@${emailDomain}?secret=X"
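To make concrete what the secret file holds (the first line is the base32 secret, which is why head -1 feeds qrencode) and what the -w 3 window accepts, here is an added Python checker; it is not part of the original post or of the PAM module. The file contents are constructed, and the secret is the RFC 4226/6238 test key, not a real user's.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample in the layout google-authenticator -t writes:
# base32 secret on line 1, option lines prefixed with '" ', then scratch codes.
# The secret is the RFC 4226 test key "12345678901234567890" in base32.
SAMPLE_SECRET_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 10 600
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
"""


def parse_secret_file(text):
    """Return (secret_bytes, window_size) from a google-authenticator secret file."""
    lines = text.splitlines()
    secret = base64.b32decode(lines[0].strip())
    window = 3  # the module's default, matching -w 3 / --window-size=3
    for line in lines[1:]:
        if line.startswith('" WINDOW_SIZE'):
            window = int(line.split()[2])
    return secret, window


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp_valid(secret, code, now, window, step=30):
    """Accept `code` if it matches any of `window` consecutive 30-second slots
    centred on `now`; window=3 means the current slot plus one either side,
    which is the clock-skew tolerance -w 3 configures. (Replay tracking that
    DISALLOW_REUSE adds on the server is not modelled here.)"""
    counter = int(now) // step
    half = window // 2
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-half, half + 1))
```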

Client side

  • Add the following to the standard client configuration
reneg-sec 0