Google Authenticator #1389
Replies: 13 comments
-
When I'm bored I could look into adding this https://github.com/evgeny-gridasov/openvpn-otp. I could see using this in an enterprise, as you can set this up and not worry about users losing the cert password or letting the cert get out of their control. But this should mainly be used at a house with one person or a few. Remember, the certificate in the ovpn profiles we generate is password protected. So if someone gets your cert, it is still an encrypted blob to them without also knowing your password. And once you know someone has your cert, or you even suspect it may have been compromised, you can revoke it and generate a new one. On the flip side, let's say you use the same password everywhere, so someone knows the password you probably used on your cert. Well, they still can't get in without physically getting a copy of your cert.
-
To be clear, that is not a 2-factor system. Adding OTP would definitely increase the security of the certificate if it was compromised. There's currently only one factor in order to identify your ownership of the certificate.
-
You are authenticating to the openvpn service with
If the certificate is compromised there is nothing they can do without decrypting it with your password. So you have time to revoke the cert and generate/distribute a new one.
-
I see where you're coming from, although I don't agree that it doesn't provide any extra layers of security. I misspoke when I said that it wasn't a 2-factor system already, but adding OTP would add an additional layer.
-
From what I understand it replaces a layer, it does not go on top of one. So it is use the certificate security OR use a username with OTP. I don't see it as any more secure at all than your own certs. Where I do see it having benefits is for those for whom managing the certs would be painful. If this is just you putting certs on your laptop and mobile then I would stick to certs. But if you are distributing certs to friends/family to use your VPN then it may make sense to use OTP and not deal with the hassle of securely distributing the certificates.
-
Hello 0-kaladin, I tried to set up the Google Authenticator manually but unfortunately I'm not experienced enough :-( I see the advantage regarding security that when you are infected by a key-logger, the code created by "Google Authenticator" is only valid for 30 seconds. Therefore it could add a "little bit" more security compared to two static values (cert and pw). Regards
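The 30-second validity mentioned above is what a TOTP code actually is: an HMAC over the current 30-second counter, truncated to six digits (RFC 6238, which is what Google Authenticator and the PAM module implement). The block below is an added example, not code from PiVPN, openvpn-otp or the PAM module, showing how such a code is generated and how a server verifies it with a one-step tolerance while rejecting a replayed code. The secret is the RFC 6238 reference seed, constructed here for the demonstration; the verifier class and its window size are assumptions for illustration.

```python
"""TOTP (RFC 6238) generation and verification, Google Authenticator style.

Added example, not code from the PiVPN project or any OTP plugin.
Assumes Google Authenticator's defaults: HMAC-SHA1, 6 digits, 30-second steps.
"""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6

# Constructed demo secret: the RFC 6238 reference seed "12345678901234567890",
# base32-encoded the way the google-authenticator tool prints a new secret.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, unix_time: int) -> str:
    """The code the phone app displays at the given Unix time."""
    return hotp(secret_b32, unix_time // STEP_SECONDS)


class TotpVerifier:
    """Server-side check: accept codes within +/- window steps, never twice."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window
        self.last_counter = -1                   # highest step already used

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // STEP_SECONDS
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue                         # replay of an accepted step
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    now = 1234567890
    code = totp(DEMO_SECRET_B32, now)
    v = TotpVerifier(DEMO_SECRET_B32)
    print(code, v.verify(code, now))             # first use: accepted
    print(code, v.verify(code, now + 10))        # keylogged and replayed: rejected
    print(code, v.verify(code, now + 120))       # four steps later: expired
```

Two things the code makes visible that the comment glosses over: the server accepts a code for longer than 30 seconds (one step of tolerance either side here, so up to about 90 seconds), and the only thing that stops a key-logged code from being replayed inside that window is the verifier remembering the last accepted step. The PAM module has a DISALLOW_REUSE setting in the per-user secret file for exactly that reason. Separately, OpenVPN re-authenticates on TLS renegotiation (reneg-sec, 3600 seconds by default); a cached password plus a code that is now stale fails that renegotiation, which is a common source of "User authentication failed" after an initially successful OTP login.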
-
At some point, adding more & more layers of security begins to feel a bit masochistic. Especially when looking at the previous layers of security you already have. In theory, you're trying to put up as many hurdles as possible in the way of an attacker, but you have to jump through all those same hurdles. Eventually, good enough is good enough. Having said that, I'm probably just enough obsessed with security to enable Google Authenticator if given the option. Or even a YubiKey. So, should you find yourself bored one day, count me as a plus 1.
-
I was able to set up DuoMobile pretty easily with this setup. Their documentation is pretty good. Basically I did this:
-
I believe I figured out how to set up Google Authenticator along with PiVPN (after a night of trial and error...).
Voila! Let me know if I missed anything (or did anything wrong), but that's how I got it working on my Pi 2 with Raspbian Jessie.
-
Thanks cben0ist, I have been running PiVPN for a little while now. I have just used your method to enable Google Authenticator, which is exactly what I wanted. I followed your steps and it worked perfectly. Thanks for your efforts and for posting, I wouldn't have worked that out on my own! Cheers,
-
Thanks cben0ist. I struggled a bit on Raspbian Buster; I found out it needs some more modification to run PiVPN.
Now PiVPN + OTP should work even on Raspbian Buster^^.
-
I'm getting the "User authentication failed" error every time I enter my password along with the token.... Can someone help please?
-
While we're at it, I'd rather have a FIDO2 capable auth process. I heavily rely on FIDO2 USB sticks for added security. Just my 2¢ chipped in ;-) Edit: Using PAM it's done:
-
The only feature that is missing here is the ability to use Google Authenticator for two-step verification. Maybe this could be presented to the user as a choice? This would increase the security of an already extremely secure project.