Hey Guys,
i was wondering if it is possible to use OTP (Google Authenticator etc.) as an additional authentication method for OpenVPN Roadwarrior connections. I had a look into the wiki but the Link βAuthentication methodsβ sends me to the proxy authentication configuration.
Thanks for your feedback 
Steffen
Currently that is not possible. Sorry.
Hi all,
you are right, there has been gone something wrong while converting the old wiki to the new, according to the authentication possibilities for OpenVPN, in here β wiki.ipfire.org - The auth-pam.so plugin you can find some infos to the auth-pam plugin.
In the already linked location, a LDAP wiki β wiki.ipfire.org - OpenVPN LDAP Auth can also be found.
Will fix this in the next time.
According OTP, do you have a favourite ?
Best,
Erik
Hello Erik,
thank you for your feedback my favourite would be the Google Authenticator.
Thank you for the links i will have a look on.
Greetings
Steffen
Hi Steffen,
have build google-authenticator-1.02 now. A first try looks like this:
$ /usr/bin/google-authenticator -h
google-authenticator [<options>]
-h, --help Print this message
-c, --counter-based Set up counter-based (HOTP) verification
-t, --time-based Set up time-based (TOTP) verification
-d, --disallow-reuse Disallow reuse of previously used TOTP tokens
-D, --allow-reuse Allow reuse of previously used TOTP tokens
-f, --force Write file without first confirming with user
-l, --label=<label> Override the default label in "otpauth://" URL
-i, --issuer=<issuer> Override the default issuer in "otpauth://" URL
-q, --quiet Quiet mode
-Q, --qr-mode={NONE,ANSI,UTF8}
-r, --rate-limit=N Limit logins to N per every M seconds
-R, --rate-time=M Limit logins to N per every M seconds
-u, --no-rate-limit Disable rate-limiting
-s, --secret=<file> Specify a non-standard file location
-S, --step-size=S Set interval between token refreshes
-w, --window-size=W Set window of concurrently valid codes
-W, --minimal-window Disable window of concurrently valid codes
$ /usr/bin/google-authenticator
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@ipfire-server.local%3Fsecret%3D2IQEPLVMILXAEWJY6QOKIMYFZU%26issuer%3Dipfire-server.local
Your new secret key is: 2IQEPLVMILXAEWJY6QOKIMYFZU
Your verification code is 671951
Your emergency scratch codes are:
21370559
80397018
84643833
31637358
36135594
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds. In order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with
poor time synchronization, you can increase the window from its default
size of +-1min (window size of 3) to about +-4min (window size of
17 acceptable tokens).
Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
$ cat /root/.google_authenticator
2IQEPLVMILXAEWJY6QOKIMYFZU
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
21370559
80397018
84643833
31637358
36135594
which seems to be functional. If you want to give it a try, you can find the IPFire package in here --> https://people.ipfire.org/~ummeegge/google-authenticator/ .
Since i am currently no in this topic you may have some more infos on how to find a good setup for this.
EDIT: Have seen that libqrencode3 is also needed. Will build it but this take a little time.
Best,
Erik
Wow awesome. I will have a try when libqrencode3 is build. Thank you very much for your work
Hey Erik,
I just had a look in the package and i would need the libpam-google-authenticator for otp authentication. Would it be possible to build that?
Greetings
Steffen
Hi Steffen,
i think the name differs on distribution. In here --> https://github.com/google/google-authenticator-libpam/issues/116 e.g. the .so calls also βpam_google_authenticator.soβ β¦ Compiled it like described in here --> https://github.com/google/google-authenticator/wiki/PAM-Module-Instructions --> https://velenux.wordpress.com/2019/03/12/openvpn-with-google-2-factor-authentication-on-centos-7/ and get the .so in that name. If you have other building instructions/howtos just post them.
Have nevertheless found a newer version 1.08, thinking also about to add an own group/user for google-authenticator like in here --> https://medium.com/we-have-all-been-there/using-google-authenticator-mfa-with-openvpn-on-ubuntu-16-04-774e4acc2852 .
Some other ideas are:
A downside to the OTP authentication is what i have seen so far, the reneg-sec 3600 (rekeying) was mostly disabled.
Some beneath infos.
Best,
Erik
If you use the compiling instruction on github everything should be fine. I had a look on the medium how to as well. I think using the openvpn otp plugin could be a nice idea too.
google-authenticator-1.08 , openvpn-otp-1.0 and libqrencode-4.0.0 are now ready and can be found in here --> https://people.ipfire.org/~ummeegge/otp/ .
In- and unstallation can be made via the scripts in the package. Copy it to /opt/pakfire/tmp and execute them.
Made a faster test with google-authenticator only which looked OK on the first view but there seems a problem with the PAM modul.
First Steps:
bash-4.3$ google-authenticator -C -t -f -D -r 3 -Q UTF8 -R 30 -w3 -s /home/testotp/google-authenticator/testotp
which results in
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/testotp@ipfire-janeisklar.local%3Fsecret%3DD7MJSHIK3OWMT27X2APJAR3RUU%26issuer%3Dipfire-janeisklar.local
βββββββ βββββ ββ ββββββ β β ββ βββββββ
β βββ β βββ ββββ βββββ ββββββ β β βββ β
β βββ β ββββββ β βββββ β β β β βββ β
βββββββ β β β βββ βββ βββββββ β β βββββββ
βββββββββββ ββ ββββ βββ ββ ββββββββββββ
β ββββ ββ β ββ ββ ββββ βββ β ββββ β β
ββββββββββ ββββββββββ βββββββ β ββββ ββ
βββ βββββββββ βββββ βββ βββ β ββββββββ
βββββ ββββ βββββ β ββ ββ βββ ββ βββ β
β β ββ β ββββββββ β ββββββ ββ ββ βββ β
β βββ ββ ββ β β βββββ ββ ββββββββ βββββ β
β ββββ ββββ βββββ ββββ βββ β ββ βββββ β
βββββββ βββ β β ββ βββ ββ ββββββββββ
β ββββ β β ββ ββ βββ β β β βββββββββββ
β β βββββ βββββ βββ β β βββββββ βββ ββ
ββ βββββββ ββ βββββ ββ ββββββββ βββββββ
ββ β ββββββ βββ ββ βββ βββββββββββββββ β
ββββββ ββββββββ ββββ ββββ βββ ββ β ββ β
β βββ β βββββββββββββ ββββββ βββββββββββ
β βββ β ββ β ββ ββ βββββ ββ ββββββ β
βββββββ ββββ β β β ββ ββ βββ
Your new secret key is: SGHJSCON3OSHJ27X2APJAR3RUU
Your verification code for code 1 is 047584
Your emergency scratch codes are:
27565487
82723306
34445652
48456451
54560420
checked bar code with an iPhone and google authenticator from app store which worked.
auth required /usr/lib/security/pam_google_authenticator.so secret=/home/testotp/google-authenticator/testotp forward_pass debug
# Google authenticator
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
for server.conf.local and
# Google-authenticator
# use username/password authentication
auth-user-pass
# do not cache auth info
auth-nocache
for client.conf.local
But stucked at:
Mar 9 10:12:12 ipfire openvpn[17716]: PAM _pam_init_handlers: no default config other
Mar 9 10:12:12 ipfire openvpn(pam_google_authenticator)[17716]: debug: start of google_authenticator for "testotp"
Mar 9 10:12:12 ipfire openvpn(pam_google_authenticator)[17716]: debug: Secret file permissions are 0600. Allowed permissions are 0600
Mar 9 10:12:12 ipfire openvpn(pam_google_authenticator)[17716]: debug: "/home/testotp/google-authenticator/testotp" read
Mar 9 10:12:12 ipfire openvpn(pam_google_authenticator)[17716]: debug: shared secret in "/home/testotp/google-authenticator/testotp" processed
Mar 9 10:12:12 ipfire openvpn(pam_google_authenticator)[17716]: debug: google_authenticator for host "(null)"
Mar 9 10:12:12 ipfire openvpn(pam_google_authenticator)[17716]: debug: no scratch code used from "/home/testotp/google-authenticator/testotp"
Mar 9 10:12:12 ipfire openvpn(pam_google_authenticator)[17716]: Accepted google_authenticator for testotp
Mar 9 10:12:12 ipfire openvpn(pam_google_authenticator)[17716]: debug: "/home/testotp/google-authenticator/testotp" written
Mar 9 10:12:12 ipfire openvpn(pam_google_authenticator)[17716]: debug: end of google_authenticator for "testotp". Result: Success
Mar 9 10:12:12 ipfire openvpn[17716]: PAM no modules loaded for 'openvpn' service
Mar 9 10:12:12 ipfire openvpnserver[17715]: 192.168.90.4:40087 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mar 9 10:12:12 ipfire openvpnserver[17715]: 192.168.90.4:40087 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
Mar 9 10:12:12 ipfire openvpnserver[17715]: 192.168.90.4:40087 TLS Auth Error: Auth Username/Password verification failed for peer
Am currently a little short in time. May you find some more out.
Best,
Erik
Yes sure i will have a look thanks for your work 
Hey Erik,
after some hours I got it to work. I configured the OpenVPN-Server to use TOTP in connection with username/password autentication using pam_unix.so
I first configured the OpenVPN-Server to use authentication via username/password using this how-to: https://wiki.ipfire.org/configuration/services/openvpn/extensions/plugins/auth-pam
After that was working i started to integrate OTP authentication.
I created a folder where the secret files of the users should be stored and created a user for creating the software tokens:
addgroup gauth
useradd -g gauth gauth
mkdir /var/ipfire/ovpn/google-authenticator
chown gauth:gauth /var/ipfire/ovpn/google-authenticator
chmod 0700 /var/ipfire/ovpn/google-authenticator
I customized the /etc/pam.d/openvpn :
#Google Authenticator
auth requisite /usr/lib/security/pam_google_authenticator.so secret=/var/ipfire/ovpn/google-authenticator/${USER} user=gauth forward_pass debug
#Username/Password authentication
auth required pam_unix.so use_first_pass
account required pam_unix.so
This is what my server.conf.local looks like:
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/openvpn
Here are my entrys in client.conf.local:
#Username - Password Authentication
auth-user-pass
#Do not cache auth info
auth-nocache
For creating new users more convenient I use the following shellscript:
#!/bin/bash
#variables
#MFA Label
MFA_LABEL='Testcorp OpenVPN-Server'
#MFA User
MFA_USER=gauth
#Directory for Secretfiles
MFA_DIR=/var/ipfire/ovpn/google-authenticator
##########################################################################
echo -en "Please enter new username:"
read user_id
if [ "$user_id" = "" ]; then
echo "ERROR: No username specified"
exit 1
fi
echo "Creating account ${user_id}"
useradd -s /bin/false "$user_id"
echo "Please enter password for new user"
passwd "$user_id"
echo "Creating MFA token"
su -c "google-authenticator -t -C -d -r3 -R30 -f -l \"${MFA_LABEL}\" -s $MFA_DIR/${user_id}" - $MFA_USER | tee $MFA_DIR/otp-config/$user_id
For logging in using the OpenVPN client i created roadwarrior connection for each user over the WUI
and did the import on the client machine. The credentials you have to type in when connecting are the following:
username : USER_ID
password: password+otp-token (for example: password934741)
Hope I didnβt miss something. I hope the packages could find a way into the pakfire repo
Greetings
Steffen
Great work Steffen! Will give it a try may in the evening.
Have had the user/group/dir and permissions block also in the install.sh of google-authenticator. Am thinking about to reintegrate it or should we keep it simple ?
Do you think we can bring other additionals to the package ?
May the PAM config might be nice ?
Should we rework the script a little to integrate it also into the package ?
Best,
Erik
Hey Erik,
I think it would be useful to integrate it into the install script to keep it simple for the user. I would also integrate the pam profile and the outputfolders /var/ipfire/ovpn/google-authenticator (for the secret files) and /var/ipfire/ovpn/google-authenticator/otp-config (for the setup and recovery information for each token) and the needed permissions.
Greetings
Steffen
Hi Steffen,
did test it and what should i say, i works 
Mar 11 14:53:00 ipfire openvpn[5654]: PAM _pam_init_handlers: no default config other
Mar 11 14:53:00 ipfire google-auth-openvpn(pam_google_authenticator)[5654]: debug: start of google_authenticator for "ummeegge"
Mar 11 14:53:00 ipfire google-auth-openvpn(pam_google_authenticator)[5654]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Mar 11 14:53:00 ipfire google-auth-openvpn(pam_google_authenticator)[5654]: debug: "/var/ipfire/ovpn/accounting/google-authenticator/ummeegge" read
Mar 11 14:53:00 ipfire google-auth-openvpn(pam_google_authenticator)[5654]: debug: shared secret in "/var/ipfire/ovpn/accounting/google-authenticator/ummeegge" processed
Mar 11 14:53:00 ipfire google-auth-openvpn(pam_google_authenticator)[5654]: debug: google_authenticator for host "(null)"
Mar 11 14:53:00 ipfire google-auth-openvpn(pam_google_authenticator)[5654]: debug: no scratch code used from "/var/ipfire/ovpn/accounting/google-authenticator/ummeegge"
Mar 11 14:53:00 ipfire google-auth-openvpn(pam_google_authenticator)[5654]: Accepted google_authenticator for ummeegge
Mar 11 14:53:00 ipfire google-auth-openvpn(pam_google_authenticator)[5654]: debug: "/var/ipfire/ovpn/accounting/google-authenticator/ummeegge" written
Mar 11 14:53:00 ipfire google-auth-openvpn(pam_google_authenticator)[5654]: debug: end of google_authenticator for "ummeegge". Result: Success
Mar 11 14:53:00 ipfire openvpnserver[5652]: 192.168.123.4:41732 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 11 14:53:00 ipfire openvpnserver[5652]: 192.168.123.4:41732 TLS: Username/Password authentication succeeded for username 'ummeegge'
Mar 11 14:53:00 ipfire openvpnserver[5652]: 192.168.123.4:41732 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 11 14:53:00 ipfire openvpnserver[5652]: 192.168.123.4:41732 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 11 14:53:00 ipfire openvpnserver[5652]: 192.168.123.4:41732 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 2048 bit RSA
Mar 11 14:53:00 ipfire openvpnserver[5652]: 192.168.123.4:41732 [otptest] Peer Connection Initiated with [AF_INET]192.168.123.4:41732
Mar 11 14:53:00 ipfire openvpnserver[5652]: otptest/192.168.123.4:41732 OPTIONS IMPORT: reading client specific options from: /var/ipfire/ovpn/ccd/otptest
Mar 11 14:53:00 ipfire openvpnserver[5652]: otptest/192.168.123.4:41732 MULTI_sva: pool returned IPv4=10.63.16.14, IPv6=(Not enabled)
Mar 11 14:53:00 ipfire openvpnserver[5652]: otptest/192.168.123.4:41732 MULTI: Learn: 10.63.16.14 -> otptest/192.168.123.4:41732
Mar 11 14:53:00 ipfire openvpnserver[5652]: otptest/192.168.123.4:41732 MULTI: primary virtual IP for otptest/192.168.123.4:41732: 10.63.16.14
Mar 11 14:53:01 ipfire openvpnserver[5652]: otptest/192.168.123.4:41732 PUSH: Received control message: 'PUSH_REQUEST'
Mar 11 14:53:01 ipfire openvpnserver[5652]: otptest/192.168.123.4:41732 SENT CONTROL [otptest]: 'PUSH_REPLY,route 10.63.16.1,topology net30,ping 10,ping-restart 60,redirect-gateway,route 192.168.234.0 255.255.255.0,dhcp-option DNS 192.168.123.222,dhcp-option DNS 8.8.4.4,ifconfig 10.63.16.14 10.63.16.13,peer-id 0' (status=1)
. Needed to modify the script a little in this line β$MFA_DIR/otp-config/$user_idβ since βotp-configβ is not there and are not created via google-authenticator.
Another one is, the barcode comes not up with the script via terminalβ¦
Have extend the script a little but also the package but am stalled currently since there is a discussion if not signed packages should be provided in here in general.
Either way good work !
Best,
Erik
Hey Erik,
Iβm happy that it works for you too. Yes the folder /var/ipfire/ovpn/google-authenticator and /var/ipfire/ovpn/google-authenticator/otp-config were created manually because i wanted an output directory for the secret files an the otp-config files. The directories can be created during installation. The barcode is a picture so if you redirect the output into a file the barcode is not there. But with the URL you can show the barcode.
Greetings
Steffen
Hi all,
made now an package update which includes also an extended script which can be found in here --> https://gitlab.com/ummeegge/google-authenticator-openvpn/-/blob/master/build_files/CONF/google-auth-openvpn/google-auth-adduser .
Script includes now:
Script can surely be extended and can surely even be made better but for the first this is how it goes.
Packages are now here --> https://people.ipfire.org/~ummeegge/google-authenticator-openvpn/ located.
All build files can be found in here --> https://gitlab.com/ummeegge/google-authenticator-openvpn for those of you who want to build in their environment. Since the uninstall.sh scripts do not use Pakfire but uninstalls the files too, it is currently not on IPFire Git.
Best,
Erik
I find it a very, very interesting functionality. Have you thought about creating an addon and implementing it in the list of installable addons?
It would be a very good feature.
Hi Roberto,
thanks for you positive feedback. Am currently thinking about how it could looks like.
If a OTP functionality comes to IPFire, more then one application like OpenVPN can participate from this (SSH e.g. what else ?) which brings this topic then to a new level (can hear the whispering of a new CGI in the leaves 
) but in this current state here i wanted to find a proper way with OpenVPN, may we can also participate of this work here even it would come as a generalized Addon (no script, no PAM config).
I ask myself also:
There are several questions from my side, do someone else have some too ?
Best,
Erik