
We have a corporate VPN server running OpenVPN 2.3 on an AWS instance with Ubuntu 16.04 Xenial. The server has been configured using an Ansible playbook.

I'm planning to upgrade to Ubuntu 18.04 Bionic, which also upgrades OpenVPN to version 2.4 (this is a desired side effect, as OpenVPN 2.3 is getting deprecated). So I created a test instance with Bionic on it, and ran the Ansible playbook against it. The configuration includes MFA through Google Authenticator, so I also copied ~/.google_authenticator file from the old server and applied chmod 400 to it.

There were also a couple of compatibility issues which I had to solve before the new server worked:

  • openvpn-plugin-auth-pam.so file location has changed, and now its full path doesn't need to be specified in the server config.
  • CAP_AUDIT_WRITE permission missing in openvpn systemd service (see more details here)

However, even after that authentication still fails on the new server. Here's what my /etc/pam.d/openvpn looks like:

auth required pam_google_authenticator.so

If I replace this line with auth required pam_permit.so, I get successfully authenticated (with any password of course) and connected, so the problem is definitely where MFA steps in.

At the same time, pamtester tells me that pam_google_authenticator.so works fine:

$ sudo pamtester openvpn vlad authenticate
Verification code:
pamtester: successfully authenticated

Here's what I see in syslog when trying to authenticate to VPN server:

Aug 16 15:17:39 ip-10-7-0-230 openvpn[10873]: AUTH-PAM: BACKGROUND: received command code: 0
Aug 16 15:17:39 ip-10-7-0-230 openvpn[10873]: AUTH-PAM: BACKGROUND: USER: vlad
Aug 16 15:17:39 ip-10-7-0-230 openvpn[10873]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
Aug 16 15:17:39 ip-10-7-0-230 openvpn[10873]: AUTH-PAM: BACKGROUND: user 'vlad' failed to authenticate: Authentication failure

In this thread I found a suggestion that the line in server config that calls auth-pam module should be changed from

plugin openvpn-plugin-auth-pam.so openvpn

to:

plugin openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"

However, neither of them seems to work - I still get "Authentication failure".

Interestingly, the same experiment with rebuilding the server based on Xenial worked - so the problem seems to be either in Ubuntu Bionic (some additional security features?) or in OpenVPN 2.4 (some compatibility issues).

Does anyone have any ideas how to fix this?

Update. Just tried adding nullok to /etc/pam.d/openvpn and deleting ~/.google_authenticator file. Still fails, same error.

Vlad Nikiforov

1 Answer


Ubuntu 18.04 and higher use a stricter sandboxing config in systemd which interferes with google-authenticator.

Simply edit /lib/systemd/system/openvpn@.service and remove this line:

[Service]
...
ProtectHome=true

This is a newer feature of systemd that makes directories with 'user' content in them appear empty, for example /home, /root, and /run/user.

It's generally a good idea to enable this as /home often contains SSH and GPG keys, but in this case it prevents OpenVPN from reading the .google_authenticator file in the user's home directory.

More info:

nbailey
  • Thanks! I have no way to test your suggestion unfortunately, because we have already migrated away to a managed VPN solution, but since your answer looks plausible, and there haven't been any others within almost 3 years, I'm going to accept it. – Vlad Nikiforov Mar 22 '21 at 16:26
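The following shell script is an added example, not code from the question, the answer, or the OpenVPN project. It shows the two things a practitioner would want around the ProtectHome= fix above: a check that reports the ProtectHome= value a unit file ends up with after its drop-ins are applied (systemd takes the last assignment), and a fix that places ProtectHome=false in a drop-in under /etc/systemd/system instead of editing /lib/systemd/system/openvpn@.service, so a package upgrade cannot silently restore the hardened unit. The unit file content, the temporary directory and the drop-in name 10-protect-home.conf are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original question or answer): inspect and override
# the ProtectHome= directive that hides ~/.google_authenticator from openvpn.
# The unit text in demo_protect_home is constructed; the real Bionic unit
# carries more directives, but the section/drop-in handling is the same.

# Print the effective ProtectHome= value for a unit file, taking into account
# any drop-ins (<unit>.d/*.conf, read in lexical order as systemd does).
# The last assignment in a [Service] section wins; empty output means the
# directive is unset, which systemd treats as "no".
effective_protect_home() {
    unit="$1"
    dropin_dir="${unit}.d"
    files="$unit"
    if [ -d "$dropin_dir" ]; then
        for f in "$dropin_dir"/*.conf; do
            [ -f "$f" ] && files="$files $f"
        done
    fi
    # $files is intentionally unquoted: it is a space-separated list of paths.
    awk '
        /^\[/ { section = $0 }                         # track the current [Section]
        section == "[Service]" && /^[[:space:]]*ProtectHome[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")             # keep only the value
            value = $0                                 # last assignment wins
        }
        END { print value }
    ' $files
}

# Write a drop-in that switches ProtectHome= off for the templated openvpn unit.
# $1 stands in for /etc/systemd/system (a constructed path in the demo).
# Real use: write_protect_home_dropin /etc/systemd/system && systemctl daemon-reload
write_protect_home_dropin() {
    dir="$1/openvpn@.service.d"
    mkdir -p "$dir"
    cat > "$dir/10-protect-home.conf" <<'EOF'
# pam_google_authenticator must read and update ~/.google_authenticator,
# which ProtectHome=true hides from the openvpn process.
[Service]
ProtectHome=false
EOF
    printf '%s\n' "$dir/10-protect-home.conf"
}

# Demonstration on a constructed copy of the unit, kept out of /lib and /etc:
# report the value before and after the drop-in is written.
demo_protect_home() {
    work=$(mktemp -d)
    unit="$work/openvpn@.service"
    cat > "$unit" <<'EOF'
[Unit]
Description=OpenVPN connection to %i

[Service]
ExecStart=/usr/sbin/openvpn --config %i.conf
ProtectHome=true
ProtectSystem=full

[Install]
WantedBy=multi-user.target
EOF
    before=$(effective_protect_home "$unit")
    write_protect_home_dropin "$work" >/dev/null
    after=$(effective_protect_home "$unit")
    rm -rf "$work"
    echo "before=$before after=$after"
}

demo_protect_home
```

Running the script prints before=true after=false. On a real host, `systemctl cat openvpn@.service` shows the unit together with its drop-ins, which is the quickest way to confirm the override is the last word on ProtectHome=.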