OpenVPN with Google Authenticator as second factor authentication – part 1

Description

In this post I'll show you how to install, configure and test remote access into your infrastructure using SSL VPN technology.

For that we are using the OpenVPN tool (https://openvpn.net/).

In this POC we are using Ubuntu 16.04 LTS as the operating system, but the configuration will be the same no matter which Linux distribution you use. Only the installation part differs.

Installation on the OpenVPN server side

apt update
apt install -y openvpn openvpn-auth-radius

Installation on the FreeRADIUS server

apt install -y freeradius freeradius-utils
apt install -y libpam-google-authenticator

Installation on the OpenVPN client side

apt update
apt install -y openvpn

As you can see, we are using OpenVPN to authenticate against the FreeRADIUS server.

On the RADIUS server we are using local accounts for authentication in conjunction with Google Authenticator codes.

For that we need a special PAM directive that instructs FreeRADIUS to use the Google Authenticator library.

Scenario

|CLIENT| <---UDP---> |Server: 192.168.0.10| <---AUTH RADIUS---> |Radius Server: 192.168.122.157|
                                                                              |
                                                                           |  pam  |

Since we have a lot of moving parts, we'll configure them in this order: PAM -> FreeRADIUS -> OpenVPN server -> OpenVPN client.

PAM configuration

cat /etc/pam.d/radiusd

#@include common-auth
#@include common-account
#@include common-password
#@include common-session

auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

These directives instruct RADIUS to use Google Authenticator together with the local Linux account for authentication.

The password sent by the client is the actual account password concatenated with the one-time code generated by the Google Authenticator application: forward_pass makes pam_google_authenticator take the trailing code and hand the remaining password on to pam_unix, which picks it up via use_first_pass.

 

FreeRADIUS configuration

cat /etc/freeradius/users

# Instruct FreeRADIUS to use PAM to authenticate users
DEFAULT Auth-Type := PAM

 

cat /etc/freeradius/radiusd.conf

user = root
group = root

cat /etc/freeradius/sites-enabled/default - in the authenticate section, uncomment the following line

# Pluggable Authentication Modules.
pam

Start the FreeRADIUS service in debug mode to test our configuration

/usr/sbin/freeradius -XXXX

I will not cover the installation and configuration of the Google Authenticator app on your phone or the code generation part on the RADIUS server. I'll leave that part to you 🙂 (as homework, since it is very well documented on the Internet).

In my case, I have a local Linux account named gabriel with a hypothetical password of password and a Google one-time code of 071293; the RADIUS server IP is 192.168.122.157, it listens on the standard UDP port 1812, and the shared secret is testing123.

As a final step we have to define on the FreeRADIUS server the clients that are allowed to query it.

cat /etc/freeradius/clients.conf

client 192.168.0.10 {
    secret = testing123
    shortname = openvpn-server
}

Testing command

radtest gabriel password071293 192.168.122.157:1812 1 testing123
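To make the concatenation rule behind the PAM stack and the radtest line above concrete, here is an added example (not part of the original post or of the pam_google_authenticator project): it computes an RFC 6238 TOTP code the way the phone app does, builds the combined password the RADIUS client must send, and performs the server-side split and check that forward_pass and use_first_pass implement. The function names, the hard-coded secret (the RFC 6238 test vector) and the fixed timestamp are constructed for the demo; the real PAM module additionally handles scratch codes and rate limiting, which this skips.

```python
import base64
import hashlib
import hmac
import struct

OTP_DIGITS = 6   # pam_google_authenticator one-time codes are six digits
TOTP_STEP = 30   # seconds per time step, the RFC 6238 default the app uses

def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) for the given time."""
    secret = secret_b32.upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)

def split_forward_pass(combined: str):
    """What forward_pass does: the trailing six digits are the one-time code,
    everything before them is the password handed to pam_unix (use_first_pass).
    Returns (password, code), or None if the string cannot be split that way."""
    if len(combined) <= OTP_DIGITS or not combined[-OTP_DIGITS:].isdigit():
        return None
    return combined[:-OTP_DIGITS], combined[-OTP_DIGITS:]

def verify(combined: str, secret_b32: str, password: str, now: int, window: int = 1) -> bool:
    """Accept only if the static password matches AND the code is valid for the
    current step or one step either side (tolerates small clock drift)."""
    parts = split_forward_pass(combined)
    if parts is None:
        return False
    sent_password, sent_code = parts
    if not hmac.compare_digest(sent_password, password):   # stand-in for pam_unix
        return False
    return any(hmac.compare_digest(sent_code, totp(secret_b32, now + k * TOTP_STEP))
               for k in range(-window, window + 1))

# Constructed demo values: the RFC 6238 test secret (base32 of "12345678901234567890")
# and a fixed timestamp, so the output is reproducible offline.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    now = 59
    code = totp(DEMO_SECRET, now)
    print(f"radtest gabriel password{code} 192.168.122.157:1812 1 testing123")
    print(verify(f"password{code}", DEMO_SECRET, "password", now))
```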

If you receive an Access-Accept answer from the RADIUS server, you have completed the first part of the tutorial and are ready to move on to the next one.


Next: OpenVPN with Google Authenticator as second factor authentication – part 2.

Author: techwritter