Google Authenticator and openvpn integration in Ubuntu 14.04.3 LTS

Initial setup

This post shows how to set up an integration between Google Authenticator and OpenVPN, so that each VPN login requires a time-based one-time code checked through PAM.

sudo apt-get install -y openvpn libssl-dev openssl easy-rsa

# NAT the VPN client subnet out through the server's public interface (eth0 here)
sudo iptables -t nat -A POSTROUTING -s 10.80.0.0/24 -o eth0 -j MASQUERADE
sudo sh -c "iptables-save > /etc/iptables.conf"

# Restore the saved rules at boot. The original post does not name the file this
# script is saved to; a pre-up hook under /etc/network/if-pre-up.d/ is assumed here.
sudo tee /etc/network/if-pre-up.d/iptables <<'EOT'
#!/bin/sh
iptables-restore < /etc/iptables.conf
EOT
sudo chmod +x /etc/network/if-pre-up.d/iptables

# Enable IPv4 forwarding now, and persistently across reboots
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf

  • Copy the working server.conf file to /etc/openvpn/server.conf
  • Install libpam-google-authenticator and qrencode, and create the directory that will hold the per-user secrets (the PAM module reads them as root, see below)
sudo apt-get -y install libpam-google-authenticator qrencode
sudo mkdir /var/lib/google-authenticator

Server side adaptation

  • For configurations with local users (i.e. Unix users on the VPN server)
sudo cp /etc/pam.d/common-account /etc/pam.d/openvpn
echo "auth required pam_google_authenticator.so" | sudo tee -a /etc/pam.d/openvpn
  • For configurations (like ours) that do not have a local Unix account for each VPN user: pam_permit.so skips the account check, and the secret file is looked up by the supplied username (${USER} is expanded by the PAM module, so it stays in single quotes)
echo 'account required pam_permit.so' | sudo tee /etc/pam.d/openvpn
echo 'auth required pam_google_authenticator.so user=root secret=/var/lib/google-authenticator/${USER}' | sudo tee -a /etc/pam.d/openvpn
  • OpenVPN configuration: load the PAM auth plugin with the "openvpn" service name matching /etc/pam.d/openvpn, and disable periodic TLS renegotiation, which would otherwise re-prompt for a (by then expired) one-time code
echo "plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn" | sudo tee -a /etc/openvpn/server.conf
echo "reneg-sec 0" | sudo tee -a /etc/openvpn/server.conf
sudo service openvpn restart

Check that the plugin line is in place:

$ grep ".so" /etc/openvpn/server.conf
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
  • Test creating a shared secret (a throwaway, only to confirm the tool works; without -s it writes to ~/.google_authenticator)
google-authenticator -t -D -f --window-size=3 -r 10 -R 600
  • Create a shared secret (in our case, with the key stored in /var/lib/google-authenticator/${USER})
# -t time-based codes, -D disallow reuse of a code, -f overwrite without asking,
# -r 10 -R 600 at most 10 attempts per 600 s, -w 3 accept the current code and one step either side,
# -s secret file path, -l label shown in the app, -q do not print the QR code to the terminal
username=nisse
emailDomain=kmg.group
sudo google-authenticator -t -D -f -r 10 -R 600 -w 3 -s /var/lib/google-authenticator/${username} -l "${username}@${emailDomain}" -q
# The first line of the file is the base32 secret; render it as a QR code in the terminal for the user to scan
sudo cat /var/lib/google-authenticator/${username} | head -1 | xargs -L1 -IX qrencode -o - -t ANSI "otpauth://totp/${username}@${emailDomain}?secret=X"

Client side

  • Add the following to the standard client configuration. auth-user-pass makes the client prompt for a username and password; the username selects the secret file on the server and the six-digit code from the app is entered as the password. reneg-sec 0 must match the server so the session is not renegotiated against an expired code.
auth-user-pass
reneg-sec 0
