Not verifying a local password authentication module (PAM) or Active Directory password to authenticate a VPN connection<\/h2>\n\n\n\n
This procedure does not verify a PAM or Active Directory password to authenticate the VPN connection.<\/p>\n\n\n\n
There are ways of prompting for a username, and a password, and an OTP from Google Authenticator. However, some of these are difficult to integrate with with client VPN connector software, which do not support a second password field. Some approaches ask the help desk client to enter a system password and the OTP as a combined password, but this can be confusing for help desk clients.<\/span><\/p>\n\n\n\n This procedure was tested on Ubuntu Linux 22.04 LTS<\/a>.<\/p>\n\n\n\n Deploy OpenVPN on a physical Linux server or on a virtual Linux server hosted as a virtual machine (VM), using KVM on Linux, Hyper-V, VMware, or VirtualBox on Windows, or Parallels using MacOS.<\/p>\n\n\n\n For KVM, add a macvtap network adapter to the automation server. For Hyper-V, VMware, VirtualBox or Parallels, add a bridge mode network adapter. This will allow the VPN server to access the same network as the server’s hypervisor host.<\/p>\n\n\n\n Assign a static IP to the VPN server.<\/p>\n\n\n\n Most residential Internet connections have a dynamic host configuration protocol (DHCP) public-facing IP address, which can change over time. You can use a service like no-ip.com to associate a permanent host name such as permhostname.ddns.net to a host with a dynamic IP address:<\/p>\n\n\n\n https:\/\/no-ip.com<\/a><\/p>\n\n\n\n Use the control panel of your router to forward a port from the public-facing IP address to the internal IP address of the VPN host.<\/p>\n\n\n\n As an example, for the server described in this procedure, we are using the TCP port 443 to host the connection:<\/p>\n\n\n\n This procedure assumes that you are logged in as the root user of the Linux server.<\/p>\n\n\n\n Escalate to the root user by entering the following commands:<\/p>\n\n\n\n From a root shell, enter the following commands:<\/p>\n\n\n\n Add the following text to the bottom of the file:<\/p>\n\n\n\n Press Ctrl-X to save and exit the file.<\/p>\n\n\n\n Enter the following command to reload the sysctl settings:<\/p>\n\n\n\n Enter the following commands:<\/p>\n\n\n\n Add the following text:<\/p>\n\n\n If you are using the no-ip.com dynamic update client (DUC), add the following text:<\/p>\n\n\n Add the following text:<\/p>\n\n\n Press Ctrl-X to save and exit the file.<\/p>\n\n\n\n Enter the following command<\/p>\n\n\n\n Enter the following command:<\/p>\n\n\n\n The openvpn-install.sh from Angristan automates the installation of the OpenVPN server application:<\/p>\n\n\n\n https:\/\/github.com\/Angristan\/OpenVPN-install<\/a><\/p>\n\n\n\n To download the openvpn-install.sh script, enter the following commands:<\/p>\n\n\n From a root shell, enter the following commands:<\/p>\n\n\n\n Locate the following line:<\/p>\n\n\n\n Change the line to:<\/p>\n\n\n\n Add the following text to the end of the file:<\/p>\n\n\n Press Ctrl-X to save and exit the file.<\/p>\n\n\n\n Enter the following commands:<\/p>\n\n\n\n Press Ctrl-X to save and exit the file.<\/p>\n\n\n\n Enter the following command:<\/p>\n\n\n\n From a root shell, enter the following command:<\/p>\n\n\n\n Use the FileZilla file transfer client to download the OpenVPN client profile:<\/p>\n\n\n\n https:\/\/blog.gordonbuchan.com\/blog\/index.php\/2021\/03\/07\/web-presence-step-by-step-chapter-7-configuring-the-ssh-server-on-an-ubuntu-linux-cloud-server-to-limit-sftp-directory-visibility-within-chroot-jail-directories\/#:~:text=Obtaining%20the%20FileZilla%20file%20transfer%20program<\/a><\/p>\n\n\n\n Use a text editor to load the OpenVPN client profile. Add the following text to the bottom of the file:<\/p>\n\n\n\n Save and exit the file.<\/p>\n\n\n\n Visit the Apple App Store or the Google Play Store. Search for “google authenticator” and download the app:<\/p>\n\n\n\n Click on “Get started”:<\/p>\n\n\n\n Open a terminal window as root, and make the terminal window full-screen. Enter the following command:<\/p>\n\n\n\n Click on “Scan a QR code” then click on “OK” to allow the app to access the camera:<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n Look at the one-time code shown on the Google Authenticator app:<\/p>\n\n\n\n Enter the code in the Terminal window in the field: “Enter code from the app (-1 to skip):”<\/p>\n\n\n\n Enter “n” to the question: “Do you want me to update your “\/root\/.google_authenticator file? (y\/n):”<\/p>\n\n\n\n Enter the following commands:<\/p>\n\n\n\n Add an entry to the file in with the format “username: yournewsecretkey”:<\/p>\n\n\n Press Ctrl-X to save and exit the file.<\/p>\n\n\n\n Should this process be automated further? Yes. The google-authenticator program on the server could be scripted so that the client’s username and secret code could be added to the \/etc\/openvpn\/server\/google-authenticator.keys file.<\/p>\n\n\n\n https:\/\/openvpn.net\/community-downloads\/<\/a><\/p>\n\n\n\n Import the OpenVPN client profile into the OpenVPN client application.<\/p>\n\n\n\n An example of a Windows client connecting to the OpenVPN server:<\/p>\n\n\n\n For “Username” enter the username of the VPN connection. For “Password” enter the one-time password (OTP) displayed by the Google Authenticator app:<\/p>\n\n\n\n A successful connection:<\/p>\n\n\n\n <\/p>\n\n\n\n https:\/\/egonbraun.medium.com\/using-google-authenticator-mfa-with-openvpn-on-ubuntu-16-04-774e4acc2852<\/a> In this procedure we install the open source program OpenVPN on a server running on Linux to create a virtual private network (VPN) authenticated against Active Directory with two-factor authentication (2FA) enabled Google Authenticator. Business case A Linux server running OpenVPN server software can replace a Windows server or other commercial solution for the VPN … <\/p>\nThis procedure was tested on Ubuntu Linux 22.04 LTS<\/h1>\n\n\n\n
Deploying the VPN server as a physical or virtual machine<\/h1>\n\n\n\n
Adding a macvtap or bridge mode network adapter to a virtual machine<\/h1>\n\n\n\n
Assigning a static IP address to the server that will host the VPN<\/h1>\n\n\n\n
Assigning a permanent host name to a dynamic host configuration protocol (DHCP) public-facing IP address<\/h1>\n\n\n\n
Forwarding ports from the public-facing IP address to the internal IP address of the VPN host<\/h1>\n\n\n\n
![\"\"](\"https:\/\/blog.gordonbuchan.com\/blog\/wp-content\/uploads\/2022\/12\/image-11.png\")
<\/figure>\n\n\n\nEntering commands as root<\/h1>\n\n\n\n
sudo su<\/pre>\n\n\n\n
Installing tools on the server<\/h1>\n\n\n
\napt install libpam-google-authenticator curl oath libqrencode4\n<\/pre><\/div>\n\n\n
Modifying the \/etc\/sysctl.conf file to enable network forwarding<\/h1>\n\n\n\n
cd \/etc
nano sysctl.conf<\/pre>\n\n\n\nnet.ipv4.ip_forward=1<\/pre>\n\n\n\n
sysctl -a<\/pre>\n\n\n\n
Creating the \/etc\/rc.local file<\/h1>\n\n\n\n
cd \/etc
nano rc.local<\/pre>\n\n\n\n\n!\/usr\/bin\/bash\niptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -o enp3s0 -j MASQUERADE\n<\/pre><\/div>\n\n\n
\n\/usr\/local\/bin\/noip2\n<\/pre><\/div>\n\n\n
\nexit 0\n<\/pre><\/div>\n\n\n
chmod 755 rc.local<\/pre>\n\n\n\n
Starting the rc-local service<\/h1>\n\n\n\n
systemctl restart rc-local<\/pre>\n\n\n\n
Using a script to automate the installation of OpenVPN<\/h1>\n\n\n\n
Downloading the OpenVPN installation script<\/h2>\n\n\n\n
\ncd \/root\ncurl -O https:\/\/raw.githubusercontent.com\/angristan\/openvpn-install\/master\/openvpn-install.sh\nchmod +x openvpn-install.sh\n<\/pre><\/div>\n\n\n
Running the OpenVPN installation script<\/h2>\n\n\n\n
.\/openvpn-install.sh<\/pre>\n\n\n\n
Modifying the OpenVPN server configuration file<\/h2>\n\n\n\n
cd \/etc\/openvpn\/server
nano server.conf<\/pre>\n\n\n\npush \"redirect-gateway def1 bypass-dhcp\"<\/pre>\n\n\n\n
push \"redirect-gateway def bypass-dhcp\"<\/pre>\n\n\n\n
\nauth-user-pass-verify "\/etc\/openvpn\/server\/google-authenticator.sh" via-env\nscript-security 3\nusername-as-common-name\n<\/pre><\/div>\n\n\n
Creating the google-authenticator.sh script<\/h2>\n\n\n\n
cd \/etc\/openvpn\/server\nnano google-authenticator.sh<\/pre>\n\n\n
\n#!\/usr\/bin\/bash\n# this script written by OpenAI ChatGPT\n# see References section for prompt\n# check if the user has provided a username and password\nif [ -z "$username" -o -z "$password" ]; then\n exit 1\nfi\n\n# get the user's secret key from the Google Authenticator app\nsecret_key=$(grep "^$username:" \/etc\/openvpn\/server\/google-authenticator.keys | cut -d: -f2)\n\n# check if the user has a secret key\nif [ -z "$secret_key" ]; then\n exit 1\nfi\n\n# generate a six-digit code using the secret key and the current time\ncode=$(oathtool --totp -b "$secret_key")\n\n# compare the generated code with the password provided by the user\nif [ "$code" = "$password" ]; then\n exit 0\nelse\n exit 1\nfi\n\n<\/pre><\/div>\n\n\n
chmod 755 google-authenticator.sh<\/pre>\n\n\n\n
Restarting the OpenVPN server<\/h2>\n\n\n\n
systemctl restart openvpn-server@server<\/pre>\n\n\n\n
Downloading the OpenVPN client profile<\/h2>\n\n\n\n
Modifying the OpenVPN client profile<\/h2>\n\n\n\n
auth-user-pass<\/pre>\n\n\n\n
Downloading and Installing the Google Authenticator app on a help desk client’s smartphone<\/h1>\n\n\n\n
![\"\"](\"https:\/\/blog.gordonbuchan.com\/blog\/wp-content\/uploads\/2022\/12\/image-1-474x1024.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/blog.gordonbuchan.com\/blog\/wp-content\/uploads\/2022\/12\/image-2-474x1024.png\")
<\/figure>\n\n\n\nRunning the google-authenticator command on the server to enrol the help desk client’s Google Authenticator app<\/h2>\n\n\n\n
google-authenticator<\/pre>\n\n\n\n
![\"\"](\"https:\/\/blog.gordonbuchan.com\/blog\/wp-content\/uploads\/2022\/12\/Screenshot-from-2022-12-26-13-43-27-1024x644.png\")
<\/figure>\n\n\n\nScanning the QR code into the Google Authenticator smartphone app<\/h2>\n\n\n\n
![\"\"](\"https:\/\/blog.gordonbuchan.com\/blog\/wp-content\/uploads\/2022\/12\/image-4-474x1024.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/blog.gordonbuchan.com\/blog\/wp-content\/uploads\/2022\/12\/image-5-474x1024.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/blog.gordonbuchan.com\/blog\/wp-content\/uploads\/2022\/12\/image-7-474x1024.png\")
<\/figure>\n\n\n\nCreating the \/etc\/openvpn\/server\/google-authenticator.keys file and entering the secret key created during enrolment of the help desk client’s Google Authenticator app.<\/h2>\n\n\n\n
cd \/etc\/openvpn\/server
nano google-authenticator.keys<\/pre>\n\n\n\n\nclient06a:NRX7VMDMIC6XSDFJNU3WVB3K2I\n<\/pre><\/div>\n\n\n
A note re automation<\/h2>\n\n\n\n
Downloading the OpenVPN client application<\/h1>\n\n\n\n
Importing the OpenVPN client profile<\/h1>\n\n\n\n
Connecting to the OpenVPN server<\/h1>\n\n\n\n
![\"\"](\"https:\/\/blog.gordonbuchan.com\/blog\/wp-content\/uploads\/2022\/12\/image-8.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/blog.gordonbuchan.com\/blog\/wp-content\/uploads\/2022\/12\/Screenshot-from-2022-12-26-17-02-39.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/blog.gordonbuchan.com\/blog\/wp-content\/uploads\/2022\/12\/image-9.png\")
<\/figure>\n\n\n\nReferences<\/h1>\n\n\n\n
https:\/\/amilstead.com\/blog\/openvpn-with-google-authenticator-totp\/
<\/a>https:\/\/github.com\/evgeny-gridasov\/openvpn-otp
<\/a>https:\/\/www.softether.org\/
<\/a>https:\/\/charlesreid1.com\/wiki\/Ubuntu\/OpenVPN_Server#Adding_MFA_to_VPN_Access
<\/a>https:\/\/www.howtoforge.com\/how-to-set-up-openvpn-to-authenticate-with-linotp
<\/a>https:\/\/www.howtoforge.com\/securing-openvpn-with-a-one-time-password-otp-on-ubuntu
<\/a>https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-configure-multi-factor-authentication-on-ubuntu-18-04
<\/a>https:\/\/warlord0blog.wordpress.com\/2022\/09\/01\/openvpn-mfa-and-pam\/
<\/a>https:\/\/binsec.wiki\/en\/security\/howto\/protect-hardening\/authorization-and-authentication\/openvpn-configure-2fa-google-authenticator\/
<\/a>https:\/\/forums.openvpn.net\/viewtopic.php?t=12886
<\/a>https:\/\/www.freeipa.org\/page\/Windows_authentication_against_FreeIPA
<\/a>http:\/\/pgina.org\/
<\/a>https:\/\/www.ezeelogin.com\/kb\/article\/how-to-install-google-authenticator-on-centos-ubuntu-323.html
<\/a>https:\/\/askubuntu.com\/questions\/182498\/google-authenticator-for-desktop
<\/a>https:\/\/unix.stackexchange.com\/questions\/341226\/samba-not-starting-on-ubuntu-server-16-10
<\/a>https:\/\/www.linuxquestions.org\/questions\/linux-server-73\/samba-4-5-issues-4175597252\/
<\/a>https:\/\/serverfault.com\/questions\/1026344\/how-can-i-setup-nat-on-my-openvpn-server-for-the-client
<\/a>https:\/\/arashmilani.com\/post?id=53
<\/a>https:\/\/unix.stackexchange.com\/questions\/283801\/iptables-forward-traffic-to-vpn-tunnel-if-open
<\/a>https:\/\/aranel.net\/tech\/raspberrypi-openvpn
<\/a>https:\/\/forums.openvpn.net\/viewtopic.php?t=29880
<\/a>https:\/\/superuser.com\/questions\/168128\/openvpn-can-connect-but-cant-ping-or-access-the-server
<\/a>https:\/\/chat.openai.com<\/a> AI prompt: “create detailed instructions for the integration of google authenticator with openvpn”<\/p>\n","protected":false},"excerpt":{"rendered":"