Archive for October, 2021

Oct 27 2021

OpenVPN + Google Authenticator MFA

apt install libqrencode3 libpam-google-authenticator

addgroup gauth
useradd -g gauth gauth
mkdir /etc/openvpn/google-authenticator
chown gauth:gauth /etc/openvpn/google-authenticator
chmod 0700 /etc/openvpn/google-authenticator

Add this line to /etc/openvpn/server.conf:

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

Create /etc/pam.d/openvpn with this content:

auth required /usr/lib/x86_64-linux-gnu/security/pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=gauth forward_pass

Options for the google-authenticator command below:

-t : Set up time-based (TOTP) verification

-d : Disallow reuse of previously used TOTP tokens

-r3 : Limit logins to N per every M seconds

-R30 :

-f : Write file without first confirming with user

-l : Override the default label in “otpauth://” URL

-i : Override the default issuer in “otpauth://” URL

-s : Specify a non-standard file location

Replace <username> (and username in the file paths) with certificate_name:

google-authenticator -t -d -r3 -R30 -f -l "<username>" -i "Company VPN" -s /etc/openvpn/google-authenticator/username

chown gauth:gauth /etc/openvpn/google-authenticator/username
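
To confirm that an enrolled user's secret file came out the way the steps above intend, this added example (not part of the original post) checks ownership, mode and the option lines that google-authenticator writes for -t, -d, -r3 and -R30. It assumes GNU stat and a secret file whose option lines begin with a double quote and a space; audit_gauth_secret is a hypothetical helper name.

```shell
# Audit one pam_google_authenticator secret file (added example).
# Usage: audit_gauth_secret FILE [OWNER]    OWNER defaults to gauth
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_gauth_secret() {
    local file="$1" owner="${2:-gauth}" rc=0 actual_owner mode

    if [ ! -f "$file" ]; then
        echo "MISSING $file"
        return 1
    fi

    # GNU stat: %U = owner name, %a = octal mode.
    actual_owner=$(stat -c '%U' "$file")
    mode=$(stat -c '%a' "$file")

    # /etc/pam.d/openvpn passes user=gauth, so gauth must own the file.
    if [ "$actual_owner" != "$owner" ]; then
        echo "OWNER $file is owned by $actual_owner, expected $owner"
        rc=1
    fi

    # The shared secret must not be accessible to group or others.
    case "$mode" in
        400|600) ;;
        *) echo "MODE $file is $mode, expected 400 or 600"; rc=1 ;;
    esac

    # Option lines can gain trailing timestamps after logins, hence ( |$).
    grep -Eq '^" TOTP_AUTH$' "$file" \
        || { echo "OPTION $file lacks TOTP_AUTH (-t)"; rc=1; }
    grep -Eq '^" DISALLOW_REUSE( |$)' "$file" \
        || { echo "OPTION $file lacks DISALLOW_REUSE (-d)"; rc=1; }
    grep -Eq '^" RATE_LIMIT 3 30( |$)' "$file" \
        || { echo "OPTION $file lacks RATE_LIMIT 3 30 (-r3 -R30)"; rc=1; }

    return "$rc"
}

# Example, run as root, to audit every enrolled user:
#   for f in /etc/openvpn/google-authenticator/*; do audit_gauth_secret "$f"; done
```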

Oct 18 2021

KVM – VNC Server from remote host

<graphics type="vnc" port="5900" autoport="yes" listen="SERVER_IP" passwd="SECRET_PASSWORD">
<listen type="address" address="SERVER_IP"/>
</graphics>