Oct 27 2021

OpenVPN + Google Authenticator MFA

apt install libqrencode3 libpam-google-authenticator

addgroup gauth
useradd -g gauth gauth
mkdir /etc/openvpn/google-authenticator
chown gauth:gauth /etc/openvpn/google-authenticator
chmod 0700 /etc/openvpn/google-authenticator

add line in /etc/openvpn/server.conf

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

create /etc/pam.d/openvpn

with content:

auth required /usr/lib/x86_64-linux-gnu/security/pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=gauth forward_pass

-t : Set up time-based (TOTP) verification

-d : Disallow reuse of previously used TOTP tokens

–r3 : Limit logins to N per every M seconds

-R30 :

-f : Write file without first confirming with user

-l : Override the default label in “otpauth://” URL

-i: Override the default issuer in “otpauth://” URL

-s : Specify a non-standard file location

replace <username> with certificate_name

google-authenticator -t -d -r3 -R30 -f -l “<username>” -i “Company VPN” -s /etc/openvpn/google-authenticator/username

chown gauth:gauth /etc/openvpn/google-authenticator/username

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.