In this part I will cover only the OpenVPN configuration section.
I'll assume that every reader is able to generate the RSA keys and certificates used by OpenVPN to secure the traffic between client and server.
OpenVPN server configuration
a) cat radiusplugin-udp1194.cnf
NAS-Identifier=OpenVPN
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=192.168.122.157
OpenVPNConfig=/etc/openvpn/server.ovpn
Overwriteccfiles=true
Acct-Interim-Interval=30
server
{
# The UDP port for radius accounting.
acctport=1813
# The UDP port for radius authentication.
authport=1812
# The name or ip address of the radius server.
name=192.168.122.157
# How many times should the plugin resend the request if there is no response?
retry=1
# How long should the plugin wait for a response?
wait=1
# The shared secret.
sharedsecret=testing123
}
b) cat server.ovpn
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
plugin /usr/lib/openvpn/radiusplugin.so /etc/openvpn/radiusplugin-udp1194.cnf
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC # AES
auth SHA256
comp-lzo
max-clients 500
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
mute 20
In both configurations I highlighted the parts that are related: the plugin line in server.ovpn, which loads radiusplugin.so with radiusplugin-udp1194.cnf, and the OpenVPNConfig entry in that file, which points back to server.ovpn.
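Because the two files reference each other, a typo in either path silently leaves the VPN without RADIUS (and therefore without the second factor). The following script is an added example, not part of the original post or of the radiusplugin project: it cross-checks a radiusplugin .cnf against the server.ovpn that loads it and flags a shared secret that is still the FreeRADIUS sample value or shorter than the 16 octets RFC 2865 recommends. The sample files are constructed inline (modelled on the values above) so it runs offline; the function and check names are my own.

```shell
#!/bin/sh
# Added example: sanity-check the radiusplugin .cnf <-> server.ovpn pairing.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample radiusplugin config (values copied from the post).
cat > "$WORKDIR/radiusplugin-udp1194.cnf" <<'EOF'
NAS-Identifier=OpenVPN
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=192.168.122.157
OpenVPNConfig=/etc/openvpn/server.ovpn
Overwriteccfiles=true
Acct-Interim-Interval=30
server
{
acctport=1813
authport=1812
name=192.168.122.157
retry=1
wait=1
sharedsecret=testing123
}
EOF

# Constructed sample server.ovpn (only the lines the checks look at).
cat > "$WORKDIR/server.ovpn" <<'EOF'
port 1194
proto udp
plugin /usr/lib/openvpn/radiusplugin.so /etc/openvpn/radiusplugin-udp1194.cnf
server 10.8.0.0 255.255.255.0
EOF

# cnf_get FILE KEY -> value of KEY. The plugin format is key=value lines both
# at top level and inside the server { } block, so one awk pass covers both.
cnf_get() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# check_radius_cnf CNF OVPN CNF_PATH_IN_OVPN
# Prints one OK/WARN/FAIL line per check; returns the number of FAILs.
check_radius_cnf() {
    cnf=$1; ovpn=$2; cnf_path=$3; fails=0

    # 1. server.ovpn must load radiusplugin.so with exactly this .cnf path.
    if grep -Eq "^plugin[[:space:]].*radiusplugin\.so[[:space:]]+$cnf_path[[:space:]]*\$" "$ovpn"; then
        echo "OK   plugin line references $cnf_path"
    else
        echo "FAIL plugin line does not reference $cnf_path"; fails=$((fails+1))
    fi

    # 2. OpenVPNConfig inside the .cnf should point back at this server config.
    cfg=$(cnf_get "$cnf" OpenVPNConfig)
    if [ "$(basename "$cfg")" = "$(basename "$ovpn")" ]; then
        echo "OK   OpenVPNConfig points at $(basename "$ovpn")"
    else
        echo "FAIL OpenVPNConfig=$cfg does not match $(basename "$ovpn")"; fails=$((fails+1))
    fi

    # 3. Shared secret: reject the FreeRADIUS sample value; RFC 2865 prefers >= 16 octets.
    secret=$(cnf_get "$cnf" sharedsecret)
    case "$secret" in
        ""|testing123) echo "FAIL sharedsecret is empty or the FreeRADIUS sample value"; fails=$((fails+1)) ;;
        *) if [ "${#secret}" -lt 16 ]; then
               echo "WARN sharedsecret is shorter than 16 octets"
           else
               echo "OK   sharedsecret length ${#secret}"
           fi ;;
    esac

    # 4. Ports: warn if they are not the standard RADIUS auth/acct ports (RFC 2865/2866).
    auth=$(cnf_get "$cnf" authport); acct=$(cnf_get "$cnf" acctport)
    [ "$auth" = 1812 ] && [ "$acct" = 1813 ] && echo "OK   authport=$auth acctport=$acct" \
        || echo "WARN non-standard RADIUS ports authport=$auth acctport=$acct"

    return "$fails"
}

check_radius_cnf "$WORKDIR/radiusplugin-udp1194.cnf" "$WORKDIR/server.ovpn" \
    /etc/openvpn/radiusplugin-udp1194.cnf || echo "$? check(s) failed"
```

Against the post's own values the script reports the path checks as OK and the shared secret as FAIL, because testing123 is the sample secret shipped in the FreeRADIUS clients.conf and should be replaced by a long random value on both the RADIUS server and in this file. Point the function at your real files (`check_radius_cnf /etc/openvpn/radiusplugin-udp1194.cnf /etc/openvpn/server.ovpn /etc/openvpn/radiusplugin-udp1194.cnf`) to run the same checks in place.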
OpenVPN client configuration
client
dev tun
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 192.168.0.10 1194
remote-random
resolv-retry infinite
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nogroup
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-128-CBC
auth SHA256 # must match the server's auth directive, otherwise the tls-auth HMAC check fails
auth-user-pass # prompts for the username and the one-time password that RADIUS verifies
comp-lzo
verb 3
mute 20
Testing the entire implementation
openvpn --config client.ovpn
Tue Aug 1 18:12:07 2017 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
Tue Aug 1 18:12:07 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Enter Auth Username: *******
Enter Auth Password: **************
As you can see, you are asked for a username and a password.
These are the credentials that were tested during the freeradius implementation in part 1.
To be sure that the whole process is working properly, you should see the following line on the screen:
Tue Aug 1 18:12:29 2017 Initialization Sequence Completed
If you are looking at the freeradius debug logs, you should see something similar:
+} # group authorize = ok
Found Auth-Type = PAM
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: authentication succeeded for <gabriel>
++[pam] = ok
+} # group authenticate = ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[ldap] = noop
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 252 to 192.168.122.1 port 49698
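Once this works, the same debug output is also your first detection source: every VPN login ends in a Sending Access-Accept or Sending Access-Reject line naming the NAS (here the OpenVPN server) that asked. The following awk wrapper is an added example, not part of the original post or of FreeRADIUS: it summarises accepts, rejects and the users named in the pam_pass success lines, and raises an alert when one NAS accumulates a threshold of rejects, which is what repeated wrong one-time passwords look like from the RADIUS side. The log lines are constructed inline (the accept sequence is copied from the post; the reject lines are my own sample) and the function name is my own.

```shell
#!/bin/sh
# Added example: summarise FreeRADIUS debug output for VPN logins.
set -eu

LOGDIR=$(mktemp -d)
trap 'rm -rf "$LOGDIR"' EXIT

# Constructed sample radiusd -X output: two accepted logins and three rejects.
cat > "$LOGDIR/radiusd.log" <<'EOF'
Found Auth-Type = PAM
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: authentication succeeded for <gabriel>
Sending Access-Accept of id 252 to 192.168.122.1 port 49698
Found Auth-Type = PAM
Sending Access-Reject of id 253 to 192.168.122.1 port 49698
Found Auth-Type = PAM
Sending Access-Reject of id 254 to 192.168.122.1 port 49698
Found Auth-Type = PAM
Sending Access-Reject of id 255 to 192.168.122.1 port 49698
Found Auth-Type = PAM
pam_pass: authentication succeeded for <gabriel>
Sending Access-Accept of id 0 to 192.168.122.1 port 49698
EOF

# summarize_radius_log FILE [THRESHOLD]
# Prints: accepts=N rejects=M [alert=NAS:count ...] [user=NAME:count ...]
# Fields in "Sending Access-Accept of id 252 to 192.168.122.1 port 49698":
#   $2 = result, $5 = packet id, $7 = NAS address, $9 = NAS source port
summarize_radius_log() {
    awk -v thr="${2:-3}" '
        /^Sending Access-Accept of id/ { acc++ }
        /^Sending Access-Reject of id/ { rej++; rejnas[$7]++ }
        /^pam_pass: authentication succeeded for </ {
            u = $NF; gsub(/[<>]/, "", u); users[u]++
        }
        END {
            printf "accepts=%d rejects=%d", acc, rej
            # One NAS with many rejects: someone is guessing codes through that VPN server.
            for (n in rejnas) if (rejnas[n] >= thr) printf " alert=%s:%d", n, rejnas[n]
            for (u in users) printf " user=%s:%d", u, users[u]
            printf "\n"
        }' "$1"
}

summarize_radius_log "$LOGDIR/radiusd.log"
```

On the sample above it prints accepts=2 rejects=3 with alert=192.168.122.1:3 and user=gabriel:2. In production, feed it the radiusd log file (or `radiusd -X` output captured to a file) and lower the threshold to taste; the accounting records the plugin sends every 30 seconds (Acct-Interim-Interval) are a richer source, but this is enough to notice a burst of failed second-factor attempts.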
If you have got this far, you are ready to use OpenVPN with Google Authenticator.
Back: OpenVPN with Google Authenticator as second factor authentication - part 1.