Ubuntu: How to use Google Authenticator with OpenVPN server on Ubuntu 12.04


I have a working OpenVPN system on Ubuntu 12.04 and I'd like to add Google Authenticator for extra security.

This is my current openvpn config:

  dev tun
  proto udp
  port 1096
  ca ubuserv04-ca.crt
  cert ubuserv04.crt
  key ubuserv04.key
  dh dh1024.pem
  server
  push "redirect-gateway def1"
  push "route"
  push "dhcp-option DNS"
  push "dhcp-option DNS"
  float
  log-append /var/log/openvpn-otp-1096-status.log

(This is just a test setup, I know I should change certain aspects of it but this works for now.)

On the client I have:

  dev tun
  client
  proto udp
  remote my.server.fqdn 1096
  resolv-retry infinite
  ca ubuserv04-ca.crt
  cert user1.crt
  key user1.key
  verb 3

The above setup works fine: no errors, fast, stable.

I've tried several howtos to get Google Authenticator running but I end up troubleshooting side problems in those articles every time. I don't want to authenticate against the server's local user/password database, just the system I already have in place plus Google Authenticator.

I have Google Authenticator running; I installed it using apt-get install libpam-google-authenticator and have used it before to authenticate ssh sessions. That worked fine but I have now disabled that because it's just a test server and that particular test was finished.

Please be specific. I know I should add a plugin to my server's ovpn config and that I should add something to /etc/pam.d/openvpn but what exactly?

Any help would be greatly appreciated!

/extra info

I've followed this article: http://www.howtoforge.com/securing-openvpn-with-a-one-time-password-otp-on-ubuntu Instead of compiling from the source I've installed Google Authenticator with apt-get install libpam-google-authenticator. I've also read, but not used in this case, these articles: http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/ and http://zcentric.com/2012/10/09/google-authenticator-with-openvpn-for-2-factor-auth/. And I've read up on PAM, as suggested ;)

Now, here are some interesting developments.

/etc/pam.d/openvpn has this:

  account [success=2 new_authtok_reqd=done default=ignore]    pam_unix.so
  account [success=1 new_authtok_reqd=done default=ignore]    pam_winbind.so
  account requisite           pam_deny.so
  account required            pam_permit.so
  auth required pam_google_authenticator.so

As per the howto I copied the original from /etc/pam.d/common-account and added the last line. Now if I comment the last line out, the OpenVPN connection succeeds. If the last line is not commented out however, /var/log/auth.log logs this:

  PAM unable to dlopen(pam_google_authenticator.so): /lib/security/pam_google_authenticator.so: undefined symbol: pam_get_item
  PAM adding faulty module: pam_google_authenticator.so

and /var/log/openvpn-otp-1096.log logs this:

  PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
  TLS Auth Error: Auth Username/Password verification failed for peer
  Re-using SSL/TLS context
  AUTH-PAM: BACKGROUND: user 'martin' failed to authenticate: Module is unknown

The problem seems to be between PAM and Google Authenticator.

Google lists problems with other plugins but I can't really find information regarding Google Authenticator specifically.


Ok, Google is my friend.

I did this:

  # apt-get purge libpam-google-authenticator
  # download https://code.google.com/p/google-authenticator/downloads/list
  # apt-get install libpam-dev

Add this to Makefile, right after the license:



  # make
  # make install
  # service openvpn restart

Also, make sure /home/username/.google_authenticator has no rights at all except read rights for the user that's going to use it.

Now I need to enter my local username on the server (my shell account) as my OpenVPN username and the Google Authenticator 6-digit code as the password.

Now it works.

Thank you all for your time :)
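To make the answer above concrete, here are the lines it leaves implicit, plus checks for the two failure modes it ran into (the unlinked PAM module and the permissions on ~/.google_authenticator). This is an added example, not code from the original post or from any of the projects mentioned. It assumes the auth-pam plugin path shown in the post's log (/usr/lib/openvpn/openvpn-auth-pam.so) and a PAM service named openvpn that OpenVPN resolves to /etc/pam.d/openvpn; the user name and home path in the usage comments are the post's. Sourcing the file defines functions only and changes nothing on the host.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: the auth-pam
# plugin path below (as in the post's log) and a PAM service named "openvpn"
# that OpenVPN resolves to /etc/pam.d/openvpn.

PAM_PLUGIN=/usr/lib/openvpn/openvpn-auth-pam.so

# Lines to append to the server config. The second argument of "plugin" is
# the PAM service name, i.e. the file under /etc/pam.d/. reneg-sec 0 is needed
# on both sides: the default hourly TLS renegotiation re-presents the cached
# password, and a 30-second TOTP code is long expired by then.
server_otp_conf() {
    cat <<EOF
plugin $PAM_PLUGIN openvpn
reneg-sec 0
EOF
}

# Lines to append to the client config: prompt for username and OTP, do not
# keep the code in memory after use, and never renegotiate with a stale code.
client_otp_conf() {
    cat <<'EOF'
auth-user-pass
auth-nocache
reneg-sec 0
EOF
}

# /etc/pam.d/openvpn: the post's account stack (from common-account, minus
# winbind, so the skip count drops from 2 to 1) plus Google Authenticator as
# the only auth module. With no pam_unix in "auth" the Unix password is never
# checked, which is what the question asked for: certificate + OTP only.
pam_openvpn_service() {
    cat <<'EOF'
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required  pam_permit.so
auth    required  pam_google_authenticator.so
EOF
}

# Check 1: "undefined symbol: pam_get_item" means the module was built without
# -lpam, so it carries no dependency on libpam and cannot resolve PAM symbols
# when OpenVPN's plugin has loaded libpam privately. A correctly linked module
# lists libpam in its ldd output. Reads that output from stdin so it can also
# be run against output pasted from another host.
ldd_links_libpam() {
    grep -q 'libpam\.so\.[0-9]'
}

# Check 2: the post's permission rule for ~/.google_authenticator: mode 0400,
# owned by the VPN user. Uses ls -l for portability; a trailing "." or "+"
# (SELinux label / ACL marker) after the mode bits is tolerated.
otp_secret_perms_ok() {
    file=$1
    user=$2
    [ -f "$file" ] || return 1
    set -- $(ls -ld "$file")
    case "$1" in
        -r--------*) ;;
        *) return 1 ;;
    esac
    [ "$3" = "$user" ]
}

# Usage on the server, as root (paths and user name are the post's):
#   server_otp_conf    >> /etc/openvpn/server.conf
#   pam_openvpn_service > /etc/pam.d/openvpn
#   ldd /lib/security/pam_google_authenticator.so | ldd_links_libpam \
#       || echo "pam_google_authenticator.so is not linked against libpam"
#   otp_secret_perms_ok /home/martin/.google_authenticator martin \
#       || echo "run: chown martin /home/martin/.google_authenticator && chmod 0400 /home/martin/.google_authenticator"
```

The username sent by the client has to be the local account name, exactly as the post says, because pam_google_authenticator looks up ~/.google_authenticator for the user PAM hands it; the certificate still has to validate first, so the OTP is a second factor on top of the existing PKI setup, not a replacement for it.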

If you just want OTP auth for OpenVPN, there is a native OTP OpenVPN plugin available. It is compatible with Google Authenticator secret keys. All secrets are stored in a single text file and there is no need to configure PAM or create user directories.

Check it out: https://github.com/evgeny-gridasov/openvpn-otp

