How to set up an OpenVPN tunnel with Google Authenticator

Set up the OpenVPN tunnel

Download the Google Authenticator App

Install the libraries

sudo apt-get install -y libqrencode4 libpam-google-authenticator

Configure the server

cd /etc/openvpn/
addgroup gauth
useradd -g gauth gauth
sudo google-authenticator
mkdir google-authenticator
chown gauth:gauth google-authenticator
chmod 0700 google-authenticator
nano server.conf
# Hand username/password authentication to PAM, using the "login" PAM service;
# the quoted template maps the PAM prompts onto the fields the client sends.
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "login login USERNAME password PASSWORD pin OTP"
local 192.168.172.70
port 1195 # DIFFERENT FROM TUN1
proto udp
dev tun
ca /etc/pki/CA/certs/ca.crt
cert /etc/pki/CA/certs/tun0-server.crt
key /etc/pki/CA/private/tun0-server.key
dh /etc/pki/CA/openvpn/dh2048.pem
server 10.7.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 10.8.0.0 255.255.255.0"
keepalive 10 120
# HMAC-protect the TLS control channel; the server uses key direction 0, clients use 1.
tls-auth /etc/pki/CA/private/ta.key 0
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
# script-security 2 is required for the external tls-verify script to run.
script-security 2
tls-verify /etc/pki/OCSP_check.sh
verb 3
explicit-exit-notify 1
nano /etc/pam.d/login
# ${USER} is expanded by pam_google_authenticator to the login name the client
# sent, so every VPN user has their own secret file in the directory created above.
# forward_pass makes the module take the OTP from the end of the submitted password
# and pass the remainder on to the next module in the stack.
auth required pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} forward_pass
...
# Run once per VPN user, replacing {USER} with that user's login name:
# -t time-based codes, -d disallow reuse of a code, -r3 -R30 at most 3 logins per 30 s,
# -f skip the confirmation prompts, -l the label shown in the app, -s where to write the secret.
su -c "google-authenticator -t -d -r3 -R30 -f -l 'OpenVPN Server' -s /etc/openvpn/google-authenticator/{USER}" - gauth

Configure the client

cd /etc/openvpn/
nano client.conf
# Prompt for username and password; because the server uses forward_pass, type the
# password immediately followed by the 6-digit code from the app in the password field.
auth-user-pass
client
dev tun
proto udp
remote 192.168.172.70 1195
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/pki/CA/certs/ca.crt
cert /etc/pki/CA/certs/tun0-client.crt
key /etc/pki/CA/private/tun0-client.key
tls-auth /etc/pki/CA/private/ta.key 1
cipher AES-256-CBC
verb 3
[Screenshot: OTP code from Google Authenticator]
[Screenshot: client asking for user password]
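To make concrete what the server-side PAM line does with the password field the client sends through auth-user-pass, here is an added Python illustration written for this page (it is not part of the original post, nor code from the google-authenticator or OpenVPN projects). It parses a secret file in the layout google-authenticator writes, computes the RFC 6238 code the app displays, splits a forward_pass field into password and OTP, and rejects a code that is replayed, which is what DISALLOW_REUSE asks for. The secret file contents (using the RFC 6238 test key), the password hunter2 and the one-step-either-side tolerance window are constructed assumptions, not values from the post.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example of the file that `google-authenticator -t -d -r3 -R30`
# writes to the path given with -s: line 1 is the base32 TOTP secret, lines
# starting with `" ` are options, and the trailing numbers are scratch codes.
# The secret is the RFC 6238 test key, not one issued to a real user.
SAMPLE_SECRET_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""

OTP_DIGITS = 6


def parse_secret_file(text):
    """Split a google-authenticator secret file into secret, options and scratch codes."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    return {
        "secret": lines[0],
        "options": [line[2:] for line in lines[1:] if line.startswith('" ')],
        "scratch": [line for line in lines[1:] if line.isdigit()],
    }


def totp(secret_b32, at_time, step=30, digits=OTP_DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1), the same code the Authenticator app displays."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(at_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_forward_pass(combined, digits=OTP_DIGITS):
    """With forward_pass the client sends <password><OTP> in one field: the last
    `digits` characters are the OTP, the rest goes to the next PAM module.
    Returns None when the field is too short or does not end in digits."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


class TotpVerifier:
    """Checks OTPs against one user's secret file, accepting one time step either
    side of now (an assumption for this example) and honouring DISALLOW_REUSE."""

    def __init__(self, secret_file_text, window=1, step=30):
        parsed = parse_secret_file(secret_file_text)
        self.secret = parsed["secret"]
        self.disallow_reuse = "DISALLOW_REUSE" in parsed["options"]
        self.window = window
        self.step = step
        self.used_counters = set()

    def verify(self, otp, at_time=None):
        at_time = time.time() if at_time is None else at_time
        base = int(at_time) // self.step
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            expected = totp(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, otp):
                if self.disallow_reuse and counter in self.used_counters:
                    return False  # a code may authenticate only once
                self.used_counters.add(counter)
                return True
        return False


def authenticate(verifier, combined, expected_password, at_time=None):
    """Whole forward_pass flow: split the field, check the password part, then the OTP."""
    parts = split_forward_pass(combined)
    if parts is None:
        return False
    password, otp = parts
    if not hmac.compare_digest(password.encode(), expected_password.encode()):
        return False
    return verifier.verify(otp, at_time)


if __name__ == "__main__":
    verifier = TotpVerifier(SAMPLE_SECRET_FILE)
    current_code = totp(verifier.secret, time.time())
    print(authenticate(verifier, "hunter2" + current_code, "hunter2"))
```

The split happens before the password check, so a client that forgets to append the code fails on the password comparison rather than leaking whether the account exists; the real module additionally applies the RATE_LIMIT option and accepts the 8-digit scratch codes, which this illustration leaves out.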
