We are already using client certificates to authenticate the users.
Here we show two flavors of how to use TOTP on top of that:
apt install libpam-google-authenticator
ls -lF /usr/lib/x86_64-linux-gnu/security/pam_google_authenticator.so
Flavor A:

vi /etc/pam.d/openvpn
@include common-account
auth required pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=root

vi /etc/openvpn/server.conf
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
Flavor B:

vi /etc/pam.d/openvpn
@include common-account
auth requisite pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=root authtok_prompt=pin

vi /etc/openvpn/server.conf
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
reneg-sec 0
cd /etc/openvpn/
mkdir google-authenticator/
cd google-authenticator/
newuser=client-user
(repeat from here for each further user, e.g. newuser=client-user2)
Even for flavor A, the password needs to be defined for this to work anyhow.
useradd -m -g users -s /bin/bash $newuser
pwgen
passwd $newuser
google-authenticator -td -r 3 -R 30 -l $newuser -w 3 \
    -s /etc/openvpn/google-authenticator/$newuser
(share the output with the user so they can scan the QR code with an authenticator app)
see client-2fa
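Added example, not from this page nor from the google-authenticator project: a small Python re-implementation of what pam_google_authenticator.so does with the file that the google-authenticator -td -r 3 -R 30 -w 3 command above writes, i.e. read the secret, accept a TOTP code within WINDOW_SIZE time steps, and refuse a code whose step was already used (DISALLOW_REUSE). The secret, the file contents and the scratch code are constructed; that used steps are appended after the DISALLOW_REUSE keyword is my reading of the module's file format and is an assumption, and used steps are kept in memory here rather than written back to the file.

```python
import base64, hashlib, hmac, struct, time

# Constructed sample in the layout google-authenticator(1) writes with
# "-td -r 3 -R 30 -w 3": base32 secret, option lines, then scratch codes.
SAMPLE_SECRET_FILE = """JBSWY3DPEHPK3PXP
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
"""

def parse_secret_file(text):
    """Read secret, WINDOW_SIZE, DISALLOW_REUSE (plus used steps) and scratch codes."""
    lines = text.splitlines()
    cfg = {"secret": lines[0].strip(), "window": 3, "disallow_reuse": False,
           "used": set(), "scratch": set()}
    for line in lines[1:]:
        fields = line.split()
        if line.startswith('" WINDOW_SIZE'):
            cfg["window"] = int(fields[2])
        elif line.startswith('" DISALLOW_REUSE'):
            cfg["disallow_reuse"] = True
            cfg["used"] = {int(x) for x in fields[2:]}  # assumption: used steps follow the keyword
        elif line and not line.startswith('"'):
            cfg["scratch"].add(line.strip())  # one-time 8-digit scratch codes
    return cfg

def totp(secret_b32, step):
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for one 30-second time step."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return "%06d" % ((struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10**6)

def verify(cfg, code, now=None):
    """Accept a scratch code once, or a TOTP within the window whose step is unused."""
    if code in cfg["scratch"]:
        cfg["scratch"].discard(code)  # scratch codes are single-use
        return True
    step = int(time.time() if now is None else now) // 30
    w = cfg["window"]
    for i in range(-((w - 1) // 2), w // 2 + 1):  # -w 3 means steps -1, 0, +1
        if hmac.compare_digest(totp(cfg["secret"], step + i).encode(), code.encode()):
            if cfg["disallow_reuse"]:
                if step + i in cfg["used"]:
                    return False  # replay of an already-used step
                cfg["used"].add(step + i)
            return True
    return False
```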
https://blog.openvpn.net/multi-factor-authentication-with-openvpn-community-edition/
FW https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/
http://man.archlinux.org/man/google-authenticator.1.en
FW https://perfecto25.medium.com/openvpn-community-2fa-with-google-authenticator-4f2a7cb08128
https://serverfault.com/questions/1158993/google-autenticator-openvpn-not-working-pam
https://forums.openvpn.net/viewtopic.php?t=34017
https://github.com/google/google-authenticator-libpam/issues/211
https://github.com/evgeny-gridasov/openvpn-otp