Securing OpenVPN With A One Time Password (OTP) On Ubuntu

Submitted by Sypher (Contact Author) (Forums) on Mon, 2011-07-11 18:28. :: Linux | Ubuntu | Security


Version 1.0

So, you have a working OpenVPN server. Users log in with their certificates, but if a laptop is stolen, whoever has it can log in as well. A static password on top adds little: it can be written down, cached on the same laptop, or reused elsewhere. The solution is a one-time password (OTP), a code that is valid only for a short period and for a single login.

This technique is used by many large organisations, including banks. This tutorial shows how to add it to OpenVPN as a second factor next to the client certificate.

It assumes you already have OpenVPN configured and working with certificate authentication.

 

Getting the Google Authenticator PAM module

First we need the Google Authenticator source code. At the time of writing it lived in a Mercurial repository on Google Code, so install mercurial if you do not have it:

apt-get install mercurial

(On current Ubuntu releases the module is packaged as libpam-google-authenticator, which replaces the download and build steps in this section.)

We also need a compiler and the usual build tools (you can remove these when we're done):

apt-get install build-essential

Check out the source and change into the directory of the PAM module:

cd /tmp && hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator && cd google-authenticator/libpam

Now we need to adapt the Makefile so the module links against libpam:

vim Makefile

Add the following line after the license header and before the .SUFFIXES line:

LDFLAGS="-lpam"

Save the file and compile:

make

No errors? Good. If make stops with an error that mentions "displayQRCode", the path to libdl.so hard-coded in the Makefile (/usr/lib/libdl.so) does not match your system; on multiarch Ubuntu the library lives in an architecture subdirectory. Find the real path:

find /usr/lib -name libdl.so

In the Makefile, replace all three references to "/usr/lib/libdl.so" with the path you got (e.g. "/usr/lib/i386-linux-gnu/libdl.so"), save, and re-run make.

If it compiled successfully, install it (as root):

make install

That installs the PAM module and the google-authenticator command-line tool we use below.

 

Configuring OpenVPN to use PAM

Open /etc/openvpn/server.conf and add the following line:

plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn

This loads the PAM authentication plugin that ships with the Ubuntu openvpn package: the username and password sent by the client are handed to PAM, and the connection is only accepted if PAM says yes. This is in addition to the certificate check, not instead of it, so keep your ca/cert/key lines and do not add client-cert-not-required, or you lose the first factor. The last word (openvpn) is the name of the service file in /etc/pam.d to use. Since we do not want to interfere with other services (e.g. SSH or sudo), we use a new file rather than a shared one.

Restart OpenVPN to have it re-read the config file. From now on clients that do not send a username and password are refused.

 

Configure PAM to authenticate using Google Authenticator

Create the file /etc/pam.d/openvpn, starting from the common account stanza so that the usual account checks (locked or expired accounts) still apply:

cp /etc/pam.d/common-account /etc/pam.d/openvpn
vim /etc/pam.d/openvpn

Add the following line:

auth    required                        pam_google_authenticator.so

If you are using encrypted home directories, the module cannot read ~/.google_authenticator before the user's home is mounted, so point it at a copy outside the encrypted home (we create that copy below):

auth    required                        pam_google_authenticator.so secret=/var/unencrypted-home/${USER}/.google_authenticator

With this stack the only auth module is pam_google_authenticator, so the "password" the VPN client sends is just the current six-digit code, and the username must be a local account on the server, because the module looks up that user's home directory to find the secret file. That's it for the PAM config. You can of course make it more complex, for example by skipping the OTP for trusted source addresses or by adding further modules.

 

Configure Google Authenticator

Almost everything is in place, except the per-user secret. This has to be done for every user who will log in, as that user (log in directly or use su - username), because the tool writes ~/.google_authenticator into the home directory of whoever runs it:

google-authenticator

This will present you with a few questions:

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/me@myserver%3Fsecret%XXXXXXXXXXXXX
Your new secret key is: XXXXXXXXXXXXXXXXX
Your verification code is 1234567
Your emergency scratch codes are:
  11111111
  22222222
  33333333
  44444444
  55555555
Do you want me to update your "~/.google_authenticator" file (y/n)

Save the URL and the codes somewhere safe: the secret key is what the phone needs, and the emergency scratch codes are the only way in if the phone is lost. Note that the chart URL carries the secret in its query string, so opening it in a browser sends your secret to Google's chart service; if you can, type the secret into the app by hand instead. Answer "y" and you will get the next question:

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n)

Answer Y(es) here too: with this set, a code that has already been used to log in is refused, so someone who sniffs or shoulder-surfs a code cannot replay it within its 30-second lifetime. The next question pops up:

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n)

The default window already accepts the code before and after the current one, i.e. about 90 seconds of tolerance. Rather than widening it, keep the server's clock synchronised with NTP: TOTP codes are derived from the current time, and a skewed clock rejects every code. A wider window also gives an attacker more valid codes to guess at any moment, so I answer N(o) here.

The final question:

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n)

Answer (Y)es here: a six-digit code with a 90-second window is weak against online guessing, and the module's own rate limit (3 attempts per 30 seconds by default) is the cheapest defence against it.

Done! If you use encrypted home directories you need one more step: until the module supports them, the secret file has to live outside the encrypted home, at the path given with secret= in the PAM configuration. From the user's home directory, run:

mkdir -p /var/unencrypted-home/${USER}/
cp .google_authenticator /var/unencrypted-home/${USER}/
chmod og-rwx /var/unencrypted-home/${USER}/ -R

The module refuses a secret file that is readable by group or others, or that is not owned by the user, so keep the chmod; since a normal user cannot create a directory under /var, you will usually run these as root and then have to chown the directory and file to the user.
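What the module actually checks, as an added example that is not part of this tutorial: the script below recomputes a TOTP code from the base32 secret (the first line of ~/.google_authenticator) with nothing but bash, awk and openssl, and shows what the "1:30 min" window from the questions above means, i.e. one 30-second step before and after the current one. The function names are mine, and the secret and timestamps in the demo are the RFC 6238 test vector, not a real credential.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial): recompute the code that
# pam_google_authenticator checks. The secret is the base32 string on the first
# line of ~/.google_authenticator; the code is TOTP per RFC 6238 (HMAC-SHA1 over a
# 30-second counter, 6 digits). Needs only bash, awk and openssl. The secret and
# timestamps used in the demo are the RFC 6238 test vector, not a real credential.
set -euo pipefail

# Decode RFC 4648 base32 (the alphabet the app and the PAM module use) to hex.
b32_to_hex() {
    local alphabet=ABCDEFGHIJKLMNOPQRSTUVWXYZ234567 s c v i bits=0 acc=0 out=''
    s=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d ' =')
    for ((i = 0; i < ${#s}; i++)); do
        c=${s:i:1}
        v=${alphabet%%"$c"*}; v=${#v}                     # position of c in the alphabet
        (( v < 32 )) || { echo "bad base32 char: $c" >&2; return 1; }
        acc=$(( ((acc << 5) | v) & 0xffff )); bits=$(( bits + 5 ))
        if (( bits >= 8 )); then                          # a full byte is available
            bits=$(( bits - 8 ))
            out+=$(printf '%02x' $(( (acc >> bits) & 0xff )))
        fi
    done
    printf '%s' "$out"
}

# HMAC-SHA1 over the 8-byte big-endian counter (RFC 4226 section 5.2) -> hex digest
hmac_sha1_counter() {
    local keyhex=$1 counter=$2 bytes='' i
    for ((i = 7; i >= 0; i--)); do
        bytes+=$(printf '\\%03o' $(( (counter >> (8 * i)) & 0xff )))   # octal escapes
    done
    printf "$bytes" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$keyhex" | awk '{print $NF}'
}

# totp_code BASE32_SECRET [UNIX_TIME] [STEP_SECONDS] [DIGITS]
totp_code() {
    local secret=$1 now=${2:-$(date +%s)} step=${3:-30} digits=${4:-6}
    local keyhex mac off bin
    keyhex=$(b32_to_hex "$secret")
    mac=$(hmac_sha1_counter "$keyhex" $(( now / step )))
    off=$(( 16#${mac: -1} ))                            # dynamic truncation: low nibble of last byte
    bin=$(( 16#${mac:$(( off * 2 )):8} & 0x7fffffff ))  # 31-bit integer at that offset
    printf "%0${digits}d" $(( bin % 10 ** digits ))
}

# totp_verify BASE32_SECRET CODE [UNIX_TIME] [WINDOW_STEPS]
# Accepts the code for the current step and WINDOW_STEPS steps either side; the
# module's default "1:30 min" window is WINDOW_STEPS=1, i.e. three valid codes.
totp_verify() {
    local secret=$1 code=$2 now=${3:-$(date +%s)} window=${4:-1} i
    for ((i = -window; i <= window; i++)); do
        [[ $(totp_code "$secret" $(( now + i * 30 ))) == "$code" ]] && return 0
    done
    return 1
}

# Demo: the RFC 6238 test secret "12345678901234567890" (base32 below) at T=59 s
# gives 287082. Replace the arguments with your own secret and `date +%s`.
totp_code GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ 59; echo
```

If the code this prints for your own secret and the current time differs from what the app shows, fix the server clock (NTP) before blaming the configuration. The window is worth keeping in mind: with the default setting three codes are valid at any moment, and the wider option from the questionnaire multiplies that.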

 

Configuring the client

The client must now send a username and password in addition to its certificate. With the NetworkManager OpenVPN plugin, switch the authentication type to certificate + password ("Password with Certificates (TLS)"); with a plain config file, add auth-user-pass to the client configuration. The username is the account on the server, the password is the current six-digit code from the app.

Two things to keep in mind with one-time codes: do not let the client cache the password (auth-nocache), and remember that OpenVPN renegotiates the data channel periodically (reneg-sec, 3600 seconds by default) and re-authenticates when it does; a one-time code is long expired by then, so the hourly renegotiation fails. Either set reneg-sec 0 on both server and client, or expect a re-prompt (or a drop) every hour.

 

Wrapping up

So now we have:

  1. Installed the Google Authenticator PAM module
  2. Enabled PAM support for OpenVPN
  3. Created a secret for each user

Install the Google Authenticator app; instructions for each mobile platform (Android, iOS, BlackBerry) can be found in the Google Knowledgebase.

Once you have installed the app, add the account: either scan the QR code that the google.com/chart URL from earlier renders (remember that fetching it sends the secret to Google), or enter the secret key by hand. Either way the app is then configured for this server.

The next time you connect to your OpenVPN server you will be prompted for a username and password in addition to the certificate. Enter the current six-digit code as the password and you will gain access.
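The rate-limit option from the questionnaire throttles guessing on the server, but you still want to see it happening. As an added example, not from the original tutorial, here is a bash/awk function that scans OpenVPN's syslog output for the "AUTH-PAM: BACKGROUND: user '...' failed to authenticate" lines the PAM plugin writes and reports any user with several failures inside a short window. The sample log lines are constructed for the demo (the ovpn-server syslog tag, the hostname and the trailing PAM error text are assumptions), and the timestamp handling is a same-day simplification.

```shell
#!/usr/bin/env bash
# Added example (not part of the original tutorial): count AUTH-PAM failures per
# user in OpenVPN's syslog output and flag users that reach a threshold inside a
# sliding window. The log lines below are constructed for the demo, modelled on
# the "AUTH-PAM: BACKGROUND: user '...' failed to authenticate" message the plugin
# logs; the syslog tag (ovpn-server), hostname and PAM error text are assumptions.
set -euo pipefail

# Constructed sample of /var/log/syslog: alice fails three times inside 20 s,
# bob fails twice 15 minutes apart, plus an unrelated line the filter must skip.
SAMPLE_LOG="Jul 11 18:28:01 vpn ovpn-server[1234]: AUTH-PAM: BACKGROUND: user 'alice' failed to authenticate: Authentication failure
Jul 11 18:28:05 vpn ovpn-server[1234]: AUTH-PAM: BACKGROUND: user 'alice' failed to authenticate: Authentication failure
Jul 11 18:28:10 vpn ovpn-server[1234]: 203.0.113.7:51234 TLS: Initial packet from [AF_INET]203.0.113.7:51234
Jul 11 18:28:20 vpn ovpn-server[1234]: AUTH-PAM: BACKGROUND: user 'alice' failed to authenticate: Authentication failure
Jul 11 18:30:00 vpn ovpn-server[1234]: AUTH-PAM: BACKGROUND: user 'bob' failed to authenticate: Authentication failure
Jul 11 18:45:00 vpn ovpn-server[1234]: AUTH-PAM: BACKGROUND: user 'bob' failed to authenticate: Authentication failure"

# flag_otp_bruteforce THRESHOLD WINDOW_SECONDS < logfile
# Prints "user count" the first time a user reaches THRESHOLD failures within
# WINDOW_SECONDS. Timestamps are reduced to seconds-of-day, so a window that
# crosses midnight is not handled (a simplification for the demo).
flag_otp_bruteforce() {
    awk -v thr="$1" -v win="$2" '
        /AUTH-PAM: BACKGROUND: user '\''[^'\'']+'\'' failed to authenticate/ {
            split($3, t, ":"); secs = t[1] * 3600 + t[2] * 60 + t[3]
            match($0, /user '\''[^'\'']+'\''/)
            u = substr($0, RSTART + 6, RLENGTH - 7)        # the quoted username
            n[u]++; ts[u, n[u]] = secs
            c = 0                                          # failures in the trailing window
            for (i = n[u]; i >= 1 && secs - ts[u, i] <= win; i--) c++
            if (c >= thr && !(u in flagged)) { flagged[u] = 1; print u, c }
        }'
}

# Demo: three failures within 30 s flags alice; bob stays under the threshold.
flag_otp_bruteforce 3 30 <<< "$SAMPLE_LOG"
```

In production, feed it the live log (for example tail -F /var/log/syslog | flag_otp_bruteforce 3 30) and pair the output with the rate-limit option on the module, which blocks the attempts while this tells you who is making them.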


Submitted by Evgeny Gridasov (not registered) on Tue, 2014-01-07 07:50.

I've just finished working on a native OTP plugin for OpenVPN. Check it out: https://github.com/evgeny-gridasov/openvpn-otp

Submitted by Anonymous (not registered) on Wed, 2012-02-01 17:38.

There is an alternate Two-factor Authentication system called Taferno on sourceforge.net (taferno.sourceforge.net)

It provides TFA and multi-layer security for OpenVPN, OpenSSH and Web Single Sign On

Submitted by Stan (not registered) on Fri, 2011-12-02 13:14.

Hello,

great tutorial, however, I'm getting the error:

root@XXXXXXXXX:/etc/openvpn# AUTH-PAM: BACKGROUND: user 'root' failed to authenticate: Cannot make/remove an entry for the specified session

 

Submitted by onychomycosis (not registered) on Thu, 2012-03-29 08:04.
Submitted by pklaus (not registered) on Tue, 2012-01-03 18:46.

Yeah, I'm getting this problem as well but not for root (works!) but for a user with a different home directory (without full access to his home). So the .google_authenticator file in the home dir is only readable/writable by this user but he can't authenticate... Check the permissions etc. of the .google_authenticator file. And check the content of /var/log/auth.log.

Regards, Philipp

Submitted by Anonymous (not registered) on Thu, 2011-08-11 22:23.
Excellent information... Is there a way I can have two openvpn servers, one OTP enabled openvpn server and a non-OTP openvpn server simultaneously? I have notebooks and unattended headless servers connecting...
Submitted by Hugo (not registered) on Wed, 2011-09-14 12:16.
Sure, just create an additional openvpn server on an different ip and/or port.
Submitted by Anonymous (not registered) on Fri, 2012-04-13 16:41.

Hi, hg repo not found! (404)

cd /tmp && hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator && cd libpam
abort: HTTP Error 404: Not Found

They moved the repo?? Thx: Curt

Submitted by Anonymous (not registered) on Thu, 2012-04-26 21:47.
I'm having the same problem. HTTP 404 not found
Submitted by Anonymous (not registered) on Thu, 2012-05-03 13:17.

Google authenticator is now in the Ubuntu apt repositories, so this should do the trick:

 sudo aptitude install libpam-google-authenticator