answers: 1 / hits: 62046 / asked Friday, February 25, 2022, 10:39:19

I have a working OpenVPN system on Ubuntu 12.04 and I'd like to add Google Authenticator for extra security.

This is my current openvpn config:

dev tun
proto udp
port 1096
ca ubuserv04-ca.crt
cert ubuserv04.crt
key ubuserv04.key
dh dh1024.pem
server 10.10.0.0 255.255.255.0
push "redirect-gateway def1"
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
float
log-append /var/log/openvpn-otp-1096-status.log


(This is just a test setup, I know I should change certain aspects of it but this works for now.)

On the client I have:

dev tun
client
proto udp
remote my.server.fqdn 1096
resolv-retry infinite
ca ubuserv04-ca.crt
cert user1.crt
key user1.key
verb 3


The above setup works fine: no errors, fast, stable.
I've tried several howtos to get Google Authenticator running but I end up troubleshooting side problems in those articles every time. I don't want to authenticate against the server's local user/password database, just the system I already have in place plus Google Authenticator.
I have Google Authenticator running; I installed it using apt-get install libpam-google-authenticator and have used it before to authenticate ssh sessions. That worked fine but I have now disabled that because it's just a test server and that particular test was finished.
Please be specific. I know I should add a plugin to my server's ovpn config and that I should add something to /etc/pam.d/openvpn but what exactly?
Any help would be greatly appreciated!
/extra info
I've followed this article: http://www.howtoforge.com/securing-openvpn-with-a-one-time-password-otp-on-ubuntu
Instead of compiling from the source I've installed Google Authenticator with apt-get install libpam-google-authenticator.
I've also read, but not used in this case, these articles: http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/ and http://zcentric.com/2012/10/09/google-authenticator-with-openvpn-for-2-factor-auth/. And I've read up on PAM, as suggested ;)

Now, here are some interesting developments.

/etc/pam.d/openvpn has this:
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
auth required pam_google_authenticator.so


As per the howto I copied the original from /etc/pam.d/common-account and added the last line.
Now if I comment the last line out, the OpenVPN connection succeeds. If the last line is not commented out however, /var/log/auth.log logs this:
PAM unable to dlopen(pam_google_authenticator.so): /lib/security/pam_google_authenticator.so: undefined symbol: pam_get_item
PAM adding faulty module: pam_google_authenticator.so


and /var/log/openvpn-otp-1096.log logs this:
PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
TLS Auth Error: Auth Username/Password verification failed for peer
Re-using SSL/TLS context
AUTH-PAM: BACKGROUND: user 'martin' failed to authenticate: Module is unknown


The problem seems to be between PAM and Google Authenticator.
Google lists problems with other plugins but I can't really find information regarding Google Authenticator specifically.



Answers

Ok, Google is my friend.
I did this:
# apt-get purge libpam-google-authenticator
# download https://code.google.com/p/google-authenticator/downloads/list
# apt-get install libpam-dev


Add this to Makefile, right after the license:
LDFLAGS="-lpam"


Then
# make
# make install
# service openvpn restart


Also, make sure /home/username/.google_authenticator has no rights at all except read rights for the user that's going to use it.
Now I need to enter my local username on the server (my shell account) as my OpenVPN username, and the Google Authenticator 6-digit code as the password.
Now it works.
Thank you all for your time :)
(How can I mark this post as solved? Do I just edit the topic title?)


[#30992] Sunday, February 27, 2022
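Added example (not code from the question or the answer): what the PAM module effectively checks once the 6-digit code arrives as the OpenVPN password. It parses the ~/.google_authenticator layout, verifies the code as RFC 6238 TOTP with the WINDOW_SIZE tolerance, and applies the owner-only permission rule the answer insists on. The sample file, the RFC 6238 test secret and the helper names are constructed; a WINDOW_SIZE of 3 (current, previous and next step) is assumed as the default.

```python
import base64, hashlib, hmac, os, struct, tempfile

# Constructed sample in the layout the google-authenticator tool writes: base32 secret
# first, option lines starting with a double quote, then scratch codes (RFC 6238 test key).
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" TOTP_AUTH
12345678
"""

def parse_secret_file(text):
    """Split a .google_authenticator file into (secret, options, scratch codes)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    options, scratch = {}, []
    for ln in lines[1:]:
        if ln.startswith('"'):            # option line: " NAME arg ...
            name, *args = ln[1:].split()
            options[name] = args
        else:                             # anything else is an emergency scratch code
            scratch.append(ln)
    return lines[0], options, scratch

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps): the 6-digit code typed as the password."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, value % 10 ** digits)

def verify_code(secret_b32, code, unix_time, window_size=3):
    """Accept the code if it matches one of window_size adjacent steps around now."""
    return any(hmac.compare_digest(totp(secret_b32, unix_time + k * 30), code)
               for k in range(-(window_size // 2), window_size // 2 + 1))

def secret_file_is_private(path):
    """True when only the owner can read the file (mode 0400), as the answer requires."""
    return os.stat(path).st_mode & 0o777 == 0o400

def write_and_check(mode):
    """Write SAMPLE_FILE to a temp file with the given mode, then run the check."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_FILE)
    os.chmod(path, mode)
    ok = secret_file_is_private(path)
    os.unlink(path)
    return ok
```

A code rejected here for a file that fails the permission check is the same symptom the answer describes: the module refuses a secret file that anyone but its owner can read.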