OpenVPN enable Google Authenticator

info

• OpenVPN
• Google Authenticator
• pam

install OpenVPN

yum install openvpn

install Google Authenticator

yum install -y gcc make autoconf automake libtool pam-devel git
git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam
./bootstrap.sh && ./configure && make && make install
cp -a /usr/local/lib/security/pam_google_authenticator.so /lib64/security/pam_google_authenticator.so

Google Authenticator for user(default user openvpn)

mkdir /etc/google-auth
google-authenticator
# set up as you wish, save image and/or codes.Entor to yes by default
mv ~/.google_authenticator /etc/google-auth/openvpn
chown -R openvpn /etc/google-auth

Add pam.conf

vim /etc/pam.d/openvpn

auth    requisite       /usr/local/lib/security/pam_google_authenticator.so secret=/etc/google-auth/${USER}  user=openvpn
account [success=2 new_authtok_reqd=done default=ignore]    pam_unix.so  
account [success=1 new_authtok_reqd=done default=ignore]    pam_winbind.so  
account requisite          pam_deny.so  
account required           pam_permit.so

config the openvpn

config firewalld

#disable firewalld
systemctl stop firewalld
systemctl mask firewalld
#use iptables
systemctl enable iptables
systemctl start iptables
iptables -F                           #clear all rule
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables   # iptables 规则持久化保存
#enable ip forward
echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
sysctl -p # 这一步一定得执行，否则不会立即生效。

config certificate

yum -y install easy-rsa
cp -r /usr/share/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/<easy-rsa 版本号>/  # 查看 easy-rsa 版本号：yum info easy-rsa
vim vars  # 没这个文件的话新建，填写如下内容（变量值根据实际情况随便填写）:
export KEY_COUNTRY="***"
export KEY_PROVINCE="***"
export KEY_CITY="***"
export KEY_ORG="***"
export KEY_EMAIL="***"
source ./vars   # 使变量生效
./easyrsa init-pki    #初始化 pki 相关目录
./easyrsa build-ca nopass  #生成 CA 根证书, 输入 Common Name，名字随便起。
./easyrsa build-server-full server nopass
./easyrsa gen-dh  #创建Diffie-Hellman，这可能得等一小会儿
openvpn --genkey --secret ta.key #creat tls key
mkdir /etc/openvpn/server/certs && cd /etc/openvpn/server/certs/
cp /etc/openvpn/easy-rsa/3/pki/dh.pem ./     # SSL 协商时 Diffie-Hellman 算法需要的 key
cp /etc/openvpn/easy-rsa/3/pki/ca.crt ./        # CA 根证书
cp /etc/openvpn/easy-rsa/3/pki/issued/server.crt ./    # open VPN 服务器证书
cp /etc/openvpn/easy-rsa/3/pki/private/server.key ./   # open VPN 服务器证书 key
cp /etc/openvpn/easy-rsa/3/ta.key ./   # tls-auth key

config server.conf

port 1194   # 监听的端口号
proto udp   # 服务端用的协议，udp 能快点，所以我选择 udp
dev tun
ca /etc/openvpn/server/certs/ca.crt  #   CA 根证书路径
cert /etc/openvpn/server/certs/server.crt  # open VPN 服务器证书路径
key /etc/openvpn/server/certs/server.key  # open VPN 服务器密钥路径，This file should be kept secret
dh /etc/openvpn/server/certs/dh.pem  # Diffie-Hellman 算法密钥文件路径
tls-auth /etc/openvpn/server/certs/ta.key 0 #  tls-auth key，参数 0 可以省略，如果不省略，那么客户端
# 配置相应的参数该配成 1。如果省略，那么客户端不需要 tls-auth 配置
server 10.8.0.0 255.255.255.0   # 该网段为 open VPN 虚拟网卡网段，不要和内网网段冲突即可。open VPN 默认为 10.8.0.0/24
push "dhcp-option DNS 8.8.8.8"  # DNS 服务器配置，可以根据需要指定其他 ns
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1"   # 客户端所有流量都通过 open VPN 转发，类似于代理开全局
compress lzo
duplicate-cn   # 允许一个用户多个终端连接
keepalive 10 120
comp-lzo
persist-key
persist-tun
user openvpn  # open VPN 进程启动用户，openvpn 用户在安装完 openvpn 后就自动生成了
group openvpn
log /var/log/openvpn/server.log  # 指定 log 文件位置
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log
verb 3
explicit-exit-notify 1

start & Test The status

systemctl start openvpn@server
netstat -nlp                     #ensure The udp port 1194 be opening

config Client

client
proto udp
dev tun
remote ***.***.***.*** 1194
ca "C:\\path\\ca.crt"
#cert "C:\\path\\test.crt"
#key "C:\\path\\test.key"
tls-auth "C:\\path\\ta.key" 1
remote-cert-tls server
persist-tun
persist-key
comp-lzo
verb 3
cipher AES-256-CBC  
remote-cert-tls server  
comp-lzo
auth-user-pass  
auth-nocache
reneg-sec 0

now just for fun