
I'm trying to set up MFA with Google Authenticator for my OpenVPN setup on Ubuntu 16.04. OpenVPN works fine until I bring Google Authenticator into the mix.

My server.conf file reads as follows:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
client-to-client
keepalive 10 120
tls-auth ta.key 0
key-direction 0
cipher AES-128-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 3
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
reneg-sec 0

My client.conf reads as follows:

client
dev tun
proto udp
remote 10.1.0.2 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
cipher AES-128-CBC
auth SHA256
key-direction 1
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
auth-user-pass
auth-nocache
reneg-sec 0

Also, in /etc/pam.d I have cloned common-accounts to create an openvpn file with the following lines:

account requisite                       pam_deny.so
account required                        pam_permit.so
auth requisite pam_google_authenticator.so  secret=/home/${USER}/.google_authenticator

I have created the necessary user profiles for each client connecting to the VPN server, say client1, client2 and client3, on Ubuntu. Now consider that client1 is trying to connect to the VPN server: I am logged in as client1 on the client-side system and try to connect to the VPN server.

I get the following:

Enter Auth Username: ******
Enter Auth Password: ************* ( Password for local user profile? + OTP)

After this point, I get

[server] Peer Connection Initiated with [AF_INET]10.1.0.2:1194
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
AUTH: Received control message: AUTH_FAILED
TCP/UDP: Closing socket
SIGTERM[soft,auth-failure] received, process exiting

I wasn't sure why I was getting the AUTH_FAILED error. I had seen many different ways in which the username/password combination could be input during the process of connecting to the VPN server.

    Method 1 - username ; password (local account password + OTP)
    Method 2 - username ; password (local account password) +
               separate prompt section which asks for Google authenticator OTP
    Method 3 - username ; OTP

I was never prompted with a separate Google Authenticator prompt asking me for the OTP. So I tried method 1, and then tried method 2 expecting a Google Authenticator prompt, which never showed up.

Question 1: What is the correct way to use Google Authenticator login credentials? Am I missing something here which might be why I do not get prompted for the OTP separately?

Another thing that I observed is that

sudo systemctl status openvpn@server

gives different results for the two login methods above.

I got these status messages while trying different password + OTP combinations.

openvpn(pam_google_authenticator)[15305]: Invalid verification code
openvpn(pam_google_authenticator)[15305]: Did not receive verification code from user
openvpn(pam_google_authenticator)[15305]: Failed to compute location of secret file

Question 2: Can someone explain to me what these status messages mean in terms of my login inputs?

Question 3: How can I get the MFA up and running?

FYI, I used libpam-google-authenticator. I did not follow the method which warranted using a makefile and adding configuration parameters for PAM.

Thanks!


Make sure the /home/user directory is at least +x so things can read the .google_authenticator file in the home directory.

Mike

Also try adding this to /etc/pam.d/openvpn

auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
Mike

The .google_authenticator file should have 0600 permissions, but your home should be 0711 (unless you set groups correctly, then 0710). Had the same issues just yesterday. If you have SELinux, make sure it's not in the way either.
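The two permission requirements from the answers above (a traversable home directory and a 0600 secret file) are easy to get wrong per user, so here is a small check script, an added example that is not part of the question or the answers. It assumes GNU stat as shipped on Ubuntu and takes the user's home directory as its argument.

```shell
#!/bin/sh
# Added example (not from the question or the answers): verify that
# pam_google_authenticator, running under the OpenVPN PAM plugin, can reach a
# user's secret file. The home directory needs at least the group or other
# execute (search) bit, and ~/.google_authenticator must be mode 0600.
# Assumes GNU stat (Ubuntu). Usage: check_ga_perms /home/client1
# Exit status 0 means both checks pass, 1 means a problem was reported.

# last_digit MODE -> prints the final octal digit of MODE (empty input -> 0)
last_digit() { d="${1#${1%?}}"; printf '%s\n' "${d:-0}"; }

check_ga_perms() {
    home="$1"
    secret="$home/.google_authenticator"
    rc=0

    if [ ! -d "$home" ]; then
        echo "$home: home directory does not exist" >&2
        return 1
    fi

    hmode=$(stat -c %a "$home")           # e.g. 700, 711, 710
    other=$(last_digit "$hmode")
    group=$(last_digit "${hmode%?}")
    # Bit value 1 of an octal permission digit is the execute/search bit.
    if [ $((other & 1)) -eq 0 ] && [ $((group & 1)) -eq 0 ]; then
        echo "$home: mode $hmode has no group/other search bit; use 0711 (or 0710 with groups)" >&2
        rc=1
    fi

    if [ ! -f "$secret" ]; then
        echo "$secret: secret file missing; run google-authenticator as that user" >&2
        return 1
    fi

    smode=$(stat -c %a "$secret")
    if [ "$smode" != "600" ]; then
        echo "$secret: mode $smode, expected 0600" >&2
        rc=1
    fi
    return $rc
}
```

Run it once per VPN user (for example `for u in client1 client2 client3; do check_ga_perms /home/$u; done`) before retesting the login; the "Failed to compute location of secret file" message in the question is the kind of failure this catches early.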