client config
    # base config
    client
    dev tun
    proto udp
    remote 192.168.1.122 1194
    nobind
    user nobody
    group nogroup
    persist-key
    persist-tun
    mute-replay-warnings
    comp-lzo
    # authentication config
    ca ca.crt
    cert shell.crt
    key shell.key
    ns-cert-type server
    tls-auth ta.key 1
    auth-user-pass

On Debian, the group should be nogroup, not nobody.
auth-user-pass is needed for Google Authenticator.
pam config
    account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
    account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
    account requisite pam_deny.so
    account required pam_permit.so
    auth required pam_google_authenticator.so

This goes in /etc/pam.d/openvpn.
server config
    # base config
    port 1194
    proto udp
    dev tun
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    log-append openvpn.log
    # authentication config
    ca ca.crt
    cert server.crt
    key server.key
    dh dh2048.pem
    tls-auth ta.key 0
    plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
    # network config
    server 10.55.66.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    client-to-client
    duplicate-cn
On Debian, the plugin path is /usr/lib/openvpn/openvpn-plugin-auth-pam.so. The "openvpn" argument after it is the PAM service name, which has to match the file name in /etc/pam.d/openvpn.
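The client config, the PAM file and the server config only work together if a few lines agree: the plugin's service name must name a file under /etc/pam.d/, that file must have an auth line for pam_google_authenticator.so, the client must set auth-user-pass, and the two tls-auth directions must be 0 and 1. The Python check below is an added example, not part of the original post; the function names are hypothetical and the inputs are constructed copies of the relevant lines from this page.

```python
import re

# Constructed samples: only the lines of this page's three files that must agree.
SERVER = """\
tls-auth ta.key 0
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
"""
CLIENT = """\
tls-auth ta.key 1
auth-user-pass
"""
PAM = {"openvpn": """\
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
auth required pam_google_authenticator.so
"""}  # keyed by file name under /etc/pam.d/

def directives(text):
    """OpenVPN config -> {directive: args of its last occurrence}; comments dropped."""
    out = {}
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if words:
            out[words[0]] = words[1:]
    return out

def pam_modules(text, kind):
    """Modules on PAM lines of one type; the control field may be a [bracketed list]."""
    pat = re.compile(r"^[ \t]*(\S+)[ \t]+(?:\[[^\]]*\]|\S+)[ \t]+(\S+)", re.M)
    return [mod for typ, mod in pat.findall(text) if typ == kind]

def check(server, client, pam_dir):
    """Return a list of mismatches between server config, client config and PAM."""
    srv, cli, problems = directives(server), directives(client), []
    plugin = srv.get("plugin", [])
    service = plugin[1] if len(plugin) > 1 and "auth-pam" in plugin[0] else None
    if service is None:
        problems.append("server: auth-pam plugin line with a service name is missing")
    elif service not in pam_dir:
        problems.append(f"no /etc/pam.d/{service} for plugin service '{service}'")
    elif "pam_google_authenticator.so" not in pam_modules(pam_dir[service], "auth"):
        problems.append(f"/etc/pam.d/{service}: no auth line for pam_google_authenticator.so")
    if "auth-user-pass" not in cli:
        problems.append("client: auth-user-pass missing, no code would be sent")
    dirs = sorted(c.get("tls-auth", ["", ""])[1:2] for c in (srv, cli))
    if dirs != [["0"], ["1"]]:
        problems.append("tls-auth key directions are not 0 on one side and 1 on the other")
    return problems

if __name__ == "__main__":
    print(check(SERVER, CLIENT, PAM) or "consistent")
```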
google authentication config
See "Using Google Authentication in PAM".
startup
    shell@debws0:~$ sudo openvpn --config shell.conf
    Fri Jan 24 11:17:17 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Nov 28 2013
    Enter Auth Username:username
    Enter Auth Password:
    Enter Private Key Password:

The Auth Username is the user for whom you configured Google Authenticator.
Enter the verification code as the Auth Password. You may also be asked for a Private Key Password if your private key has one.
Have fun.