I have a working OpenVPN system on Ubuntu 12.04 and I'd like to add Google Authenticator for extra security.
This is my current openvpn config:
    dev tun
    proto udp
    port 1096
    ca ubuserv04-ca.crt
    cert ubuserv04.crt
    key ubuserv04.key
    dh dh1024.pem
    server 10.10.0.0 255.255.255.0
    push "redirect-gateway def1"
    push "route 192.168.0.0 255.255.255.0"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    float
    log-append /var/log/openvpn-otp-1096-status.log
(This is just a test setup, I know I should change certain aspects of it but this works for now.)
On the client I have:
    dev tun
    client
    proto udp
    remote my.server.fqdn 1096
    resolv-retry infinite
    ca ubuserv04-ca.crt
    cert user1.crt
    key user1.key
    verb 3
The above setup works fine: no errors, fast, stable.
I've tried several howtos to get Google Authenticator running but I end up troubleshooting side problems in those articles every time. I don't want to authenticate against the server's local user/password database, just the system I already have in place plus Google Authenticator.
I have Google Authenticator running; I installed it using apt-get install libpam-google-authenticator and have used it before to authenticate ssh sessions. That worked fine but I have now disabled that because it's just a test server and that particular test was finished.
Please be specific. I know I should add a plugin to my server's ovpn config and that I should add something to /etc/pam.d/openvpn but what exactly?
Any help would be greatly appreciated!
Extra info:
I've followed this article: http://www.howtoforge.com/securing-openvpn-with-a-one-time-password-otp-on-ubuntu
Instead of compiling from the source I've installed Google Authenticator with apt-get install libpam-google-authenticator.
I've also read, but not used in this case, these articles: http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/ and http://zcentric.com/2012/10/09/google-authenticator-with-openvpn-for-2-factor-auth/. And I've read up on PAM, as suggested 😉
Now, here are some interesting developments.
/etc/pam.d/openvpn has this:
    account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
    account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
    account requisite pam_deny.so
    account required pam_permit.so
    auth required pam_google_authenticator.so
As per the howto I copied the original from /etc/pam.d/common-account and added the last line.
Now if I comment the last line out, the OpenVPN connection succeeds. If the last line is not commented out however, /var/log/auth.log logs this:
    PAM unable to dlopen(pam_google_authenticator.so): /lib/security/pam_google_authenticator.so: undefined symbol: pam_get_item
    PAM adding faulty module: pam_google_authenticator.so
and /var/log/openvpn-otp-1096.log logs this:
    PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
    TLS Auth Error: Auth Username/Password verification failed for peer e-using SSL/TLS context
    AUTH-PAM: BACKGROUND: user 'martin' failed to authenticate: Module is unknown
The problem seems to be between PAM and Google Authenticator.
Google lists problems with other plugins but I can't really find information regarding Google Authenticator specifically.
Best Answer
Ok, Google is my friend.
I did this:
Add this to Makefile, right after the license:
Then
Also, make sure /home/username/.google_authenticator has no rights at all except read rights for the user that's going to use it.
Now I need to enter my username that's my local username on the server (my shell account) as my OpenVPN username and the Google Authenticator 6-digit code as the password.
Now it works.
Thank you all for your time :)
(How can I mark this post as solved? Do I just edit the topic title?)
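As an added example (not code from either post above), the script below renders the three pieces of configuration the question asks for, the `plugin` line for the server, `auth-user-pass` for the client, and a PAM stack for `/etc/pam.d/openvpn` that only checks the Google Authenticator code, into a directory of your choosing so they can be reviewed before being merged into the real files. It also implements the two checks a practitioner wants after reading the thread: whether `pam_google_authenticator.so` is actually linked against libpam (the state behind the "undefined symbol: pam_get_item" error), and whether `~/.google_authenticator` is readable by its owner only, as the answer requires. The include file names, the PAM service name `openvpn` and the module path are assumptions matching the thread, not verified facts about the poster's server.

```shell
#!/bin/sh
# Added example, not from the original thread. All paths and the PAM
# service name "openvpn" are assumptions that follow the thread's wording.

# Server side: openvpn-auth-pam takes the PAM service name as its argument,
# so "openvpn" here means the stack in /etc/pam.d/openvpn.
render_server_snippet() {
    cat <<'EOF'
# append to the existing server config from the question
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
EOF
}

# Client side: make the client ask for a username and a password; the
# password is the 6-digit one-time code.
render_client_snippet() {
    cat <<'EOF'
# append to the existing client config from the question
auth-user-pass
EOF
}

# PAM stack: the certificate already identifies the client, so PAM only
# has to verify the one-time code. An account line is still needed because
# openvpn-auth-pam runs the account phase after authentication; with nothing
# else to check, pam_permit.so lets that phase succeed. This deliberately
# omits pam_unix.so so the server's local passwords are never consulted.
render_pam_openvpn() {
    cat <<'EOF'
auth    required  pam_google_authenticator.so
account required  pam_permit.so
EOF
}

# Write the three fragments under ROOT (a scratch directory first, "/" once
# the output has been reviewed). The *.inc names are assumptions.
write_tree() {
    root=${1:?usage: write_tree ROOT}
    mkdir -p "$root/etc/pam.d" "$root/etc/openvpn"
    render_pam_openvpn    > "$root/etc/pam.d/openvpn"
    render_server_snippet > "$root/etc/openvpn/auth-pam.server.inc"
    render_client_snippet > "$root/etc/openvpn/auth-pam.client.inc"
}

# Diagnostic for the thread's dlopen error: a PAM module that was not linked
# against libpam shows no libpam.so line in its ldd output, and the loader
# then cannot resolve pam_get_item when openvpn-auth-pam loads it.
# Returns 0 when libpam.so is listed, 1 otherwise.
module_links_libpam() {
    mod=${1:-/lib/security/pam_google_authenticator.so}
    [ -f "$mod" ] || return 1
    ldd "$mod" 2>/dev/null | grep -q 'libpam\.so'
}

# The answer's last requirement: the secret file must be readable by its
# owner and nobody else. pam_google_authenticator rejects a secret that is
# group- or world-readable, which surfaces as a plain authentication failure.
# Returns 0 when the mode is exactly 0400, 1 otherwise.
secret_perms_ok() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    [ "$mode" = "400" ]
}

# Usage (only when run directly with an argument, so sourcing is side-effect free):
#   sh render-otp-config.sh /tmp/otp-preview
case "${1:-}" in
    "") ;;
    *)  write_tree "$1"
        module_links_libpam || echo "warning: pam_google_authenticator.so is not linked against libpam" ;;
esac
```

Check the rendered PAM file before copying it over the one in the question: the question's stack carries the `common-account` lines copied from the system, which pull in `pam_unix.so` and `pam_winbind.so`; the minimal stack above removes that dependency on the server's local accounts while keeping the account phase that openvpn-auth-pam expects.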