I'm trying to set up MFA with Google authenticator for my OpenVPN setup on Ubuntu 16.04. Now OpenVPN works fine until I bring Google Authenticator into the mix.
My server.conf file reads as follows:
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh2048.pem
    server 10.0.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    client-to-client
    keepalive 10 120
    tls-auth ta.key 0
    key-direction 0
    cipher AES-128-CBC
    auth SHA256
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    log-append openvpn.log
    verb 3
    plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
    reneg-sec 0

My client.conf reads as follows:

    client
    dev tun
    proto udp
    remote 10.1.0.2 1194
    resolv-retry infinite
    nobind
    user nobody
    group nogroup
    persist-key
    persist-tun
    remote-cert-tls server
    comp-lzo
    verb 3
    cipher AES-128-CBC
    auth SHA256
    key-direction 1
    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
    auth-user-pass
    auth-nocache
    reneg-sec 0

Also, in /etc/pam.d I have cloned common-accounts to create an openvpn file with the following lines:

    account requisite pam_deny.so
    account required pam_permit.so
    auth requisite pam_google_authenticator.so secret=/home/${USER}/.google_authenticator

Now I have created the necessary user profiles for each client connecting to the VPN server, say client1, client2 and client3, on Ubuntu. Now, consider client1 is trying to connect to the VPN server. I am logged in as client1 on the client-side system and try to connect to the VPN server.
I get the following:

    Enter Auth Username: ******
    Enter Auth Password: *************    (Password for local user profile? + OTP)

After this point, I get

    [server] Peer Connection Initiated with [AF_INET]10.1.0.2:1194
    SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    AUTH: Received control message: AUTH_FAILED
    TCP/UDP: Closing socket
    SIGTERM[soft,auth-failure] received, process exiting

Now I wasn't sure why I was getting the AUTH_FAILED error. I had seen many different ways in which the username/password combination could be input during the process of connecting to the VPN server.

Method 1 - username ; password (local account password + OTP)
Method 2 - username ; password (local account password) + separate prompt section which asks for the Google Authenticator OTP
Method 3 - username ; OTP

I was never prompted with a separate Google Authenticator prompt asking me for the OTP separately. So I tried method 1 and tried method 2, expecting a Google Authenticator prompt, which never showed up.

Question 1: What is the correct way to use Google Authenticator login credentials? Am I missing something here which might be why I do not get prompted for the OTP separately?
Another thing that I observed is that

    sudo systemctl status openvpn@server

gives different results for the two login methods above. I got these status messages while trying different password + OTP combinations:

    openvpn(pam_google_authenticator)[15305]: Invalid verification code
    openvpn(pam_google_authenticator)[15305]: Did not receive verification code from user
    openvpn(pam_google_authenticator)[15305]: Failed to compute location of secret file

Question 2: Can someone explain to me what these status messages mean in terms of my login inputs?

Question 3: How can I get the MFA up and running?
FYI, I used libpam-google-authenticator. I did not follow the method which warranted using a makefile and adding configuration parameters for PAM.
Thanks!
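As an added illustration of what the three pam_google_authenticator log lines in the question correspond to (this is example code written for this page, not code from the question's setup or from libpam-google-authenticator itself), the following Python reference model performs the same decision steps the module performs for one login attempt: resolve the user's account so the `secret=/home/${USER}/.google_authenticator` path can be built, read the secret file in the module's own format (base32 secret, `"`-prefixed options, scratch codes), and check the supplied code as either a one-time scratch code or an RFC 6238 TOTP value within `WINDOW_SIZE` 30-second steps. The account table (`ACCOUNTS`) and the secret file contents (`SECRET_FILES`) are constructed stand-ins for `/etc/passwd` and the filesystem; the secret is the RFC 6238 test key, so the accepted codes match the RFC's published test vectors. The message strings mirror the module's log wording so each failure path can be matched to a log line.

```python
"""Reference model of the pam_google_authenticator checks (added example, not
the module's code): maps a username/code pair to accept/reject plus a message
worded like the module's log lines."""
import base64
import hashlib
import hmac
import struct

# Secret-file location exactly as written in the question's PAM line; the
# module expands ${USER} (and ${HOME}) from the account entry of the user
# being authenticated.
SECRET_TEMPLATE = "/home/${USER}/.google_authenticator"
STEP_SECONDS = 30  # TOTP time step used by the module

# Constructed stand-in for the account database (what getpwnam would return).
ACCOUNTS = {"client1": "/home/client1", "client2": "/home/client2"}

# Constructed secret file for client1 in the module's format: line 1 is the
# base32 secret, lines starting with '"' are options, other lines are scratch
# codes. The secret is the RFC 6238 test key "12345678901234567890", so the
# expected codes can be checked against the RFC's test vectors.
SECRET_FILES = {
    "/home/client1/.google_authenticator": (
        "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ\n"
        '" RATE_LIMIT 3 30\n'
        '" WINDOW_SIZE 3\n'
        '" TOTP_AUTH\n'
        "12345678\n"
        "87654321\n"
    ),
}


def parse_secret_file(text):
    """Split a .google_authenticator file into (key bytes, options, scratch codes)."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    key = base64.b32decode(lines[0])
    options, scratch = {}, set()
    for line in lines[1:]:
        if line.startswith('"'):
            fields = line[1:].split()
            if fields:
                options[fields[0]] = fields[1:]
        else:
            scratch.add(line)
    return key, options, scratch


def totp(key, counter, digits=6):
    """RFC 6238 TOTP value (HMAC-SHA1 + dynamic truncation) for one time-step counter."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(username, code, now, accounts=ACCOUNTS, files=SECRET_FILES):
    """Return (accepted, message); message wording follows the module's log lines."""
    home = accounts.get(username)
    if home is None:
        # No account entry, so the ${USER}/${HOME} template cannot be expanded.
        return False, "Failed to compute location of secret file"
    path = SECRET_TEMPLATE.replace("${USER}", username).replace("${HOME}", home)
    text = files.get(path)
    if text is None:
        return False, 'Failed to read "%s"' % path
    if not code:
        # The PAM conversation returned nothing for the "Verification code:" prompt.
        return False, "Did not receive verification code from user"
    key, options, scratch = parse_secret_file(text)

    # Emergency scratch code: single use, removed from the file once accepted.
    if code in scratch:
        kept = [line for line in text.splitlines() if line.strip() != code]
        files[path] = "\n".join(kept) + "\n"
        return True, "Scratch code accepted"

    if not code.isdigit():
        return False, "Invalid verification code"

    # WINDOW_SIZE n accepts n consecutive 30-second steps centred on "now".
    window = int(options.get("WINDOW_SIZE", ["3"])[0])
    half = (window - 1) // 2
    centre = now // STEP_SECONDS
    for counter in range(centre - half, centre + half + 1):
        if hmac.compare_digest(totp(key, counter), code):
            return True, "Verification code accepted"
    return False, "Invalid verification code"
```

Running `verify("client1", "287082", 59)` accepts the RFC 6238 vector for T=59, an empty code reproduces "Did not receive verification code from user", and a username with no account entry reproduces "Failed to compute location of secret file"; a wrong or expired code is the only path that yields "Invalid verification code". A real deployment also needs the secret file readable by the account the PAM helper runs as, which this in-memory model does not capture.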