openvpn auth with google authentication

client config

# base config
client
dev tun
proto udp
remote 192.168.1.122 1194
nobind
user nobody
group nogroup
persist-key
persist-tun
mute-replay-warnings
comp-lzo
# authentication config
ca ca.crt
cert shell.crt
key shell.key
ns-cert-type server
tls-auth ta.key 1
auth-user-pass

On Debian the group should be nogroup, not nobody.

auth-user-pass is required for Google Authenticator: it makes the client prompt for the username and password that the server passes to PAM.

pam config

account [success=2 new_authtok_reqd=done default=ignore]    pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore]    pam_winbind.so
account requisite           pam_deny.so
account required            pam_permit.so
auth required pam_google_authenticator.so

This goes in /etc/pam.d/openvpn.

server config

# base config
port 1194
proto udp
dev tun
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
# authentication config
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
# network config
server 10.55.66.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
duplicate-cn

On Debian the plugin path is /usr/lib/openvpn/openvpn-plugin-auth-pam.so. The trailing "openvpn" argument is the PAM service name and must match the file name under /etc/pam.d, here /etc/pam.d/openvpn.
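The setup only works when the client's auth-user-pass, the PAM service name on the server's plugin line, and the file under /etc/pam.d all agree. The shell function below is an added example, not part of the original post: check_openvpn_pam and make_sample are names made up here, and the sample files are constructed from the configs on this page.

```sh
#!/bin/sh
# Added example: cross-check the three files this setup depends on.
# check_openvpn_pam and make_sample are hypothetical names, not OpenVPN tools.

# Usage: check_openvpn_pam SERVER_CONF PAM_DIR CLIENT_CONF
# Prints one line per problem; returns 0 when consistent, 1 otherwise.
check_openvpn_pam() {
    server=$1; pamdir=$2; client=$3; rc=0

    # Active "plugin <path> <service>" line; commented lines have $1 = "#..." or ";...".
    service=$(awk '$1 == "plugin" && $2 ~ /openvpn-plugin-auth-pam\.so$/ { print $3; found = 1; exit }
                   END { if (!found) print "-" }' "$server")
    case $service in
        -)  echo "server: no openvpn-plugin-auth-pam.so plugin line"; rc=1 ;;
        "") echo "server: plugin line has no PAM service name"; rc=1 ;;
        *)  if [ ! -f "$pamdir/$service" ]; then
                echo "pam: $pamdir/$service not found for service '$service'"; rc=1
            elif ! awk '$1 == "auth" && /pam_google_authenticator\.so/ { ok = 1 }
                        END { exit !ok }' "$pamdir/$service"; then
                echo "pam: no auth line for pam_google_authenticator.so in $pamdir/$service"; rc=1
            fi ;;
    esac

    # Without auth-user-pass the client sends no username or verification code.
    if ! awk '$1 == "auth-user-pass" { ok = 1 } END { exit !ok }' "$client"; then
        echo "client: auth-user-pass missing in $client"; rc=1
    fi
    return $rc
}

# Constructed sample files mirroring the configs on this page (trimmed).
make_sample() {
    d=$(mktemp -d) && mkdir "$d/pam.d" || return 1
    printf '%s\n' 'port 1194' 'proto udp' \
        'plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn' > "$d/server.conf"
    printf '%s\n' 'account required pam_permit.so' \
        'auth required pam_google_authenticator.so' > "$d/pam.d/openvpn"
    printf '%s\n' 'client' 'remote 192.168.1.122 1194' 'auth-user-pass' > "$d/shell.conf"
    echo "$d"
}

sample=$(make_sample) && check_openvpn_pam "$sample/server.conf" "$sample/pam.d" "$sample/shell.conf" \
    && echo "sample setup is consistent"
if [ -n "$sample" ]; then rm -rf -- "$sample"; fi
```

On a real host the call would be check_openvpn_pam with the server config path, /etc/pam.d, and the client config path.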

google authentication config

See "Using Google Authentication in PAM".

startup

shell@debws0:~$ sudo openvpn --config shell.conf
Fri Jan 24 11:17:17 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Nov 28 2013
Enter Auth Username:username
Enter Auth Password:
Enter Private Key Password:

The Auth Username is the user account for which you configured Google Authenticator.

Enter the verification code as the Auth Password. If your private key is protected by a passphrase, you will also be asked for the Private Key Password.

Have fun.
