OpenVPN Community + 2FA with Google Authenticator

Background

Linux vpn 4.18.0-348.12.2.el8_5.x86_64
Rocky Linux release 8.5 (Green Obsidian)
vi /etc/selinux/config
SELINUX=disabled
vim /etc/sysctl.conf
net.ipv4.ip_forward=1
port 1194
proto udp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.24.0 255.255.255.0
management 127.0.0.1 5555
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_k5gM8Kannu0RXqvW.crt
key server_k5gM8Kannu0RXqvW.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
dh none
ecdh-curve prime256v1
client-config-dir /etc/openvpn/ccd
duplicate-cn
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
push "dhcp-option DOMAIN mycompany.corp"
push "dhcp-option DNS 10.1.2.3"
push "route 120.20.30.40 255.255.255.255" # web servers
# OpenVPN 2FA PAM
account required pam_unix.so
auth required pam_unix.so
auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
auth requisite /usr/lib64/security/pam_google_authenticator.so secret=/opt/openvpn/google-auth/${USER} user=root authtok_prompt=pin
Your file should match this:
root@vpn:/opt/openvpn> ./manage.sh create fred
./manage.sh status
root@vpn:openvpn $ ./manage.sh status
V 240627133623Z AV376CP7EYT22A18F7F369DF0F1DD700 unknown /CN=fred
./manage.sh revoke fred
Users can save these in the keychain, so they won't get prompted again.
auth-user-pass client.pass
askpass client.priv
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
down-pre
jsmith
xverDF8@9df:!
xverDF8@9df:!
cd ~/vpn/
sudo openvpn --config jsmith.ovpn
Tue Apr 26 09:51:04 2022 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Tue Apr 26 09:51:04 2022 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
CHALLENGE: Enter 2FA Authenticator code:

Troubleshooting

auth requisite /usr/lib64/security/pam_google_authenticator.so secret=/opt/openvpn/google-auth/${USER} user=root authtok_prompt=pin
yum install pamtester
pamtester openvpn <username> authenticate
auth requisite /usr/lib64/security/pam_google_authenticator.so secret=/opt/openvpn/google-auth/${USER} user=root authtok_prompt=pin debug forward_pass
account required pam_permit.so debug
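As an added example (not from the article), here is the check pam_google_authenticator performs against /opt/openvpn/google-auth/${USER}, reimplemented in Python so you can confirm a user's secret file, WINDOW_SIZE and scratch codes offline before reaching for pamtester. The file contents and the helper names are constructed for this example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample of a /opt/openvpn/google-auth/<user> file, in the layout
# google-authenticator writes (base32 secret, '" ' option lines, scratch codes).
# The secret is the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_SECRET_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" TOTP_AUTH
12345678
87654321
"""

def parse_secret_file(text):
    """Return (base32 secret, WINDOW_SIZE, list of unused scratch codes)."""
    secret, window, scratch = None, 3, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith('"'):
            opt = line[1:].split()
            if opt and opt[0] == "WINDOW_SIZE":
                window = int(opt[1])
        elif secret is None:
            secret = line
        else:
            scratch.append(line)
    return secret, window, scratch

def totp(secret_b32, counter, digits=6):
    """RFC 6238 code for one 30-second step (HMAC-SHA1, the module default)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_pin(file_text, pin, now=None):
    """Accept pin as the module does: a code within the window (WINDOW_SIZE 3 =
    current step plus one step either side) or one unused scratch code.
    Returns (accepted, scratch codes still unused)."""
    secret, window, scratch = parse_secret_file(file_text)
    step = int(time.time() if now is None else now) // 30
    for skew in range(-((window - 1) // 2), window // 2 + 1):
        if hmac.compare_digest(totp(secret, step + skew), pin):
            return True, scratch
    if pin in scratch:  # scratch codes are single-use; drop the consumed one
        return True, [c for c in scratch if c != pin]
    return False, scratch
```

Point verify_pin at the real file for a user and the code their app shows; a rejection with a correct secret usually means clock skew larger than WINDOW_SIZE allows on either the server or the phone.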
