Secure OpenVPN with two-factor authentication from WiKID on Centos 7
In a previous tutorial, we showed how to configure PAM-RADIUS to support two-factor authentication. Now, and in future tutorials, we will add remote access services to this server that will also use WiKID for two-factor authentication. In this tutorial, we will demonstrate how to leverage that setup to add two-factor authentication through radius to OpenVPN on Centos 7.
In addition to publishing this tutorial, we are also releasing packer scripts which can automatically build virtual appliances as described in this tutorial.
Install the software.
Start by installing the EPEL repository:
rpm -ivh epel-release-7-1.noarch.rpm
Now install openvpn and easy-rsa:
yum install openvpn easy-rsa
Change to the sample directory and copy the sample configuration file to /etc/openvpn:
cp server.conf /etc/openvpn/fqdn.conf
where fqdn is the name of your server. It doesn't have to be the fully qualified domain name; you just use that name to start the service via systemctl.
Create new certificates
mkdir -p /etc/openvpn/easy-rsa/keys
cp /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
Edit your vars file, in particular the fields for the certificate. Then, run the certificate commands.
Copy the resulting files into /etc/openvpn or edit the fqdn.conf file to reflect their location.
Create a client cert:
Edit the fqdn.conf file and add the following lines to the bottom. The plugin directive takes the PAM service name (here sshd, the stack configured for PAM-RADIUS in the previous tutorial) as its argument; client-cert-not-required and username-as-common-name are separate OpenVPN directives and go on their own lines:
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so sshd
client-cert-not-required
username-as-common-name
Configure Firewalld for Openvpn:
firewall-cmd --add-service openvpn
firewall-cmd --permanent --add-service openvpn
firewall-cmd --permanent --add-masquerade
Now, start openvpn:
systemctl start openvpn@fqdn
systemctl enable openvpn@fqdn
That's it. You should be able to download the client cert to your machine and test the login using your WiKID token. Note that you can run the OpenVPN server in the foreground with 'openvpn /etc/openvpn/fqdn.conf' to troubleshoot; the client can be run the same way.
On the client, add the line 'auth-user-pass' to the client configuration file so that it prompts for a username and password. Enter your username as listed in WiKID and your WiKID one-time passcode when prompted. PAM-RADIUS will forward the credentials to WiKID directly or through a RADIUS server, depending on your configuration.
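Because the auth-pam plugin hands every OpenVPN login to the PAM service named on the plugin line, the two-factor chain only works if that service's /etc/pam.d stack actually calls pam_radius_auth.so. The following script is an added example, not part of the original tutorial, that verifies this wiring; it takes the config path and pam.d directory as parameters and runs against constructed sample files so it can be tried offline.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Checks that the PAM service
# named on the openvpn-plugin-auth-pam.so line really forwards to RADIUS
# (pam_radius_auth.so), i.e. that OpenVPN logins reach WiKID. Paths are
# parameters so the functions can run against the constructed samples below.

# Print the PAM service named on the auth-pam plugin line of config $1.
pam_service_of() {
    awk '$1 == "plugin" && $2 ~ /openvpn-plugin-auth-pam\.so$/ { print $3; exit }' "$1"
}

# Succeed if PAM stack file $1 has an active (uncommented) pam_radius_auth line.
pam_stack_uses_radius() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_radius_auth\.so' "$1"
}

# Check config $1 against pam.d directory $2; returns 1 with a reason on failure.
check_openvpn_radius() {
    svc=$(pam_service_of "$1")
    [ -n "$svc" ] || { echo "no auth-pam plugin line in $1" >&2; return 1; }
    [ -f "$2/$svc" ] || { echo "PAM service '$svc' missing from $2" >&2; return 1; }
    pam_stack_uses_radius "$2/$svc" \
        || { echo "PAM service '$svc' never calls pam_radius_auth.so" >&2; return 1; }
    echo "OK: OpenVPN -> PAM service '$svc' -> pam_radius_auth.so"
}

# Constructed sample files (hypothetical content, not copied from a real host).
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/pam.d"
    printf 'plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so sshd\n' \
        > "$d/good.conf"
    printf 'auth sufficient pam_radius_auth.so\nauth include password-auth\n' \
        > "$d/pam.d/sshd"
    # Same plugin, but this service's RADIUS line was left commented out.
    printf 'plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login\n' \
        > "$d/bad.conf"
    printf '#auth sufficient pam_radius_auth.so\nauth include password-auth\n' \
        > "$d/pam.d/login"
    echo "$d"
}

# On a real host: check_openvpn_radius /etc/openvpn/fqdn.conf /etc/pam.d
samples=$(make_samples)
check_openvpn_radius "$samples/good.conf" "$samples/pam.d"
check_openvpn_radius "$samples/bad.conf" "$samples/pam.d" || echo "bad.conf rejected as expected"
```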
Packer is a tool that builds virtual appliances in various formats such as VirtualBox, VMware, EC2, Google Compute, etc. Please see Build a 2FA-ready OpenVPN community virtual appliance for complete instructions.