Google Authenticator and openvpn integration in Ubuntu 14.04.3 LTS


Initial setup

This post show how to set up an integration between Google Authenticator and OpenVpn.

sudo apt-get install -y openvpn libssl-dev openssl easy-rsa

sudo iptables -t nat -A POSTROUTING -s 10.80.0.0/24 -o eth0 -j MASQUERADE
sudo sh -c "iptables-save > /etc/iptables.conf"

cat<<EOT
#!/bin/sh
iptables-restore < /etc/iptables.conf
EOT
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
  • Copy the working server.conf file to /etc/openvpn/server.conf
  • Install libpam-google-authenticator and qrencode
sudo apt-get -y install libpam-google-authenticator qrencode
sudo mkdir /var/lib/google-authenticator

Server side adaptation

  • For configurations with local users (i.e unix users on the vpn server)
sudo cp /etc/pam.d/common-account /etc/pam.d/openvpn
echo "auth required pam_google_authenticator.so" | sudo tee -a /etc/pam.d/openvpn
  • For configurations (like ours) that does not have a local unix account for each vpn user
echo 'account required pam_permit.so' | sudo tee /etc/pam.d/openvpn
echo 'auth required pam_google_authenticator.so user=root secret=/var/lib/google-authenticator/${USER}' | sudo tee -a /etc/pam.d/openvpn
  • Openvpn configuration
echo "plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn" | sudo tee -a /etc/openvpn/server.conf
echo "reneg-sec 0" | sudo tee -a /etc/openvpn/server.conf
sudo service openvpn restart

 

$ grep ".so" /etc/openvpn/server.conf
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
  • Test creating a shared secret (you will throw this away)
google-authenticator -t -D -f --window-size=3 -r 10 -R 600
  • Create a shared secret (our case, with key store in /var/lib/google-authenticator/${USER})
username=nisse
emailDomain=kmg.group
sudo google-authenticator -t -D -f -r 10 -R 600 -w 3 -s /var/lib/google-authenticator/${username} -l "${username}@${emailDomain}" -q
sudo cat /var/lib/google-authenticator/nisse | head -1 | xargs -L1 -IX qrencode -o - -t ANSI "otpauth://totp/${username}@${emailDomain}?secret=X"

Client side

  • Add the following to the standard client configuration
auth-user-pass
reneg-sec 0

References

Related Posts