OpenVPN OTP Authentication

Hey Erik,

After some hours I got it to work. I configured the OpenVPN server to use TOTP in combination with username/password authentication using pam_unix.so.

I first configured the OpenVPN server to use authentication via username/password using this how-to: https://wiki.ipfire.org/configuration/services/openvpn/extensions/plugins/auth-pam

After that was working I started to integrate OTP authentication.

I created a folder where the secret files of the users are stored, and a user that creates the software tokens:

addgroup gauth
useradd -g gauth gauth
mkdir /var/ipfire/ovpn/google-authenticator
chown gauth:gauth /var/ipfire/ovpn/google-authenticator
chmod 0700 /var/ipfire/ovpn/google-authenticator

I customized /etc/pam.d/openvpn:

#Google Authenticator
auth    requisite       /usr/lib/security/pam_google_authenticator.so secret=/var/ipfire/ovpn/google-authenticator/${USER} user=gauth forward_pass debug

#Username/Password authentication
auth    required        pam_unix.so use_first_pass
account required        pam_unix.so

This is what my server.conf.local looks like:

plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/openvpn

Here are my entries in client.conf.local:

#Username - Password Authentication
auth-user-pass

#Do not cache auth info
auth-nocache

To make creating new users more convenient, I use the following shell script:

#!/bin/bash
# Creates a local OpenVPN user (password checked by pam_unix.so) and generates
# the matching TOTP secret for pam_google_authenticator.so. Must run as root.

#variables

#MFA Label (shown in the authenticator app)
MFA_LABEL='Testcorp OpenVPN-Server'

#MFA User (owner of the secret files, see the "user=" option in /etc/pam.d/openvpn)
MFA_USER=gauth

#Directory for Secretfiles
MFA_DIR=/var/ipfire/ovpn/google-authenticator


##########################################################################
if [ "$(id -u)" -ne 0 ]; then
	echo "ERROR: this script must be run as root"
	exit 1
fi

#Directory for the copies of the token output (secret and emergency codes);
#it has to exist before tee writes into it
mkdir -p -m 0700 "$MFA_DIR/otp-config"

echo -en "Please enter new username:"
read user_id

if [ "$user_id" = "" ]; then
	echo "ERROR: No username specified"
	exit 1
fi

echo "Creating account ${user_id}"
useradd -s /bin/false "$user_id"

echo "Please enter password for new user"
passwd "$user_id"

echo "Creating MFA token"
#-t time-based, -C no QR code, -d disallow token reuse, -r3 -R30 rate limit
#(3 attempts per 30 s), -f no confirmation prompts, -l label, -s secret file
su -c "google-authenticator -t -C -d -r3 -R30 -f -l \"${MFA_LABEL}\" -s \"${MFA_DIR}/${user_id}\"" - "$MFA_USER" | tee "$MFA_DIR/otp-config/$user_id"

For logging in using the OpenVPN client I created a roadwarrior connection for each user over the WUI
and did the import on the client machine. The credentials you have to type in when connecting are the following:

username: USER_ID
password: password+otp-token (for example: password934741)

Hope I didn’t miss something. I hope the packages could find a way into the pakfire repo :slight_smile:

Greetings

Steffen

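To show what the PAM stack above actually checks, here is an added Python example (not from the post and not the code of pam_google_authenticator.so): it splits password+otp the way forward_pass does, keeps the password part as pam_unix.so would receive it via use_first_pass, and checks the trailing digits as RFC 6238 TOTP against a constructed secret file in the layout google-authenticator writes. Assumptions: 6-digit codes, 30-second steps, a skew window of one step either side, and the RFC 6238 test key as the secret; rate limiting and reuse detection from the option lines are not modelled.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret file in the layout google-authenticator writes with
# "-t -C -d -r3 -R30": base32 secret on the first line, option lines after it.
# The secret is the RFC 6238 test key ("12345678901234567890"), not a real one.
SAMPLE_SECRET_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" DISALLOW_REUSE
" TOTP_AUTH
"""


def load_secret(text):
    """First line of the secret file is the base32 seed; option lines start with a quote."""
    return text.splitlines()[0].strip()


def totp(secret_b32, step, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second step counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_forward_pass(entered, digits=6):
    """forward_pass semantics: the trailing `digits` characters are the OTP, the rest is
    the password handed on to the next module. Returns (password, otp) or (None, None)."""
    if len(entered) <= digits or not entered[-digits:].isdigit():
        return None, None
    return entered[:-digits], entered[-digits:]


def verify(entered, secret_text, now, window=1):
    """Return the password part if the OTP part matches the secret within +/- `window`
    steps of the current 30-second step (assumed skew tolerance), otherwise None."""
    password, otp = split_forward_pass(entered)
    if otp is None:
        return None
    secret = load_secret(secret_text)
    step = int(now) // 30
    for counter in range(max(step - window, 0), step + window + 1):
        if hmac.compare_digest(totp(secret, counter), otp):
            return password
    return None


if __name__ == "__main__":
    # Unix time 59 is step 1; RFC 6238 lists 287082 (6 digits) for this key there.
    print(verify("password287082", SAMPLE_SECRET_FILE, 59))  # prints password
```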