Google Authenticator

[InnovativeInventor]

The only feature that is missing here is the ability to use Google Authenticator for two-step verification. Maybe this could be presented to the user as a choice? This would increase the security of an already extremely secure project.

[0-kaladin]

When I'm bored I could look into adding this https://github.com/evgeny-gridasov/openvpn-otp

I could see using this in an enterprise as you can set this up and not worry about users losing the cert password or letting the cert get out of their control. But this should mainly be used at a house with 1 person or a few. Remember the certificate with the ovpn profiles we generate are password protected. So if someone gets your cert, it is still an encrypted blob to them without also knowing your password. And once you know someone has your cert or you even suspect it may have been compromised you can revoke it and generate a new. On the flipside, lets say you use the same password everywhere so someone knows the password you probably used on your cert. Well they still can't get in without physically getting a copy of your cert.
What I'm getting at here is that we basically are on a 2 factor system already and you just wish another type, OTP, be employed. I'm just not sure it is really doing much to increase the security but rather just another option.

[artis3n]

To be clear, that is not a 2-factor system. Adding OTP would definitely increase the security of the certificate if it was compromised. There's currently only one factor in order to identify your ownership of the certificate.

[0-kaladin]

You are authenticating to the openvpn service with

1. Something you have (the cert)
2. Something you know (the password that encrypted the cert).

If the certificate is compromised there is nothing they can do without decrypting it with your password. So you have time to revoke the cert and generate/distribute new.
So I'd still argue OTP is no more secure than the current method, just another option.

[artis3n]

I see where you're coming from, although I don't agree that it doesn't provide any extra layers of security. I misspoke when I said that it wasn't a 2-factor system already, but adding OTP would add an additional layer.

[0-kaladin]

From what I understand it replaces a layer, does not go on top of. So it is use the certificate security OR use a username with OTP. I don't see it as any more secure at all then your own certs. Where I do see it have benefits is for those who maybe it would be painful managing the certs. If this is just you putting certs on your laptop and mobile then I would stick to certs. But if you are distributing certs to friends/family to use your vpn then it may make send to use OTP and not deal with the hassle of securely distributing the certificates.

[Neodog78]

Hello 0-kaladin,

I tried to Setup the Google Authenticator manually but unfortunately I'm not enough experienced :-(
Therefore I would really appreciate it if you could give me a hint.

I see the advantage regarding security that when you are infected by a key-logger the "Google Authenticator" created code is only 30 seconds valid. Therefore it could add a "little bit" more security compared to two statical values (cert and pw).

Regards
Neodog78

[VidiotGeek]

At some point, adding more & more layers of security begins to feel a bit masochistic. Especially when looking at the previous layers of security you already have. In theory, you're trying to put up as many hurdles as possible in the way of an attacker, but you have to jump through all those same hurdles. Eventually, good enough is good enough.

Having said that, I'm probably just enough obsessed with security to enable Google Authenticator if given the option. Or even a YubiKey. So, should you find yourself bored one day, count me as a plus 1.

[davglass]

I was able to setup DuoMobile pretty easily with this setup. Their documentation is pretty good.
https://duo.com/docs/openvpn

Basically I did this:

• Installed pivpn
• Cloned their repo, make && sudo make install for their plugin
• Created the app on their side
• Added reneg-sec 0 to the /etc/openvpn/server.conf
• Added the plugin definition from DuoMobile's docs with appid, secret and server.
• Manually add auth-user-pass & reneg-sec 0 to the generated ovpn file
• Add a phone to the Duo Mobile account
• Activate it
• Copied the ovpn file to my phone/tablet/desktop
• Done! Works like a charm!

[cben0ist]

I believe I figured our how to setup google authenticator along with pivpn (after a night of try and fail...).
Just leaving my notes here to share with everyone and hopefully confirm I did not make any mistake and potentially opened a huge security breach here ;)

1. Install libpam-google-authenticator and configure openvpn to use it

• Install google authenticator on the pi: sudo apt-get install libpam-google-authenticator
• sudo nano /etc/openvpn/server.conf and add plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn (to use google authenticator) and reneg-sec 0 (to not reconnect every x minutes as the password changes every few seconds)
• Create a pam.d openvpn profile sudo cp /etc/pam.d/common-account /etc/pam.d/openvpn
• Edit it sudo nano /etc/pam.d/openvpn to add these 2 lines at the end auth requisite pam_google_authenticator.so forward_pass and auth required pam_unix.so use_first_pass
• Now run sudo service openvpn restart to reload the conf change

2. Configure user profiles
   For this to work you will use system accounts (accounts you use to log to your raspberry like 'pi'). You can create as many account as you with the adduser command. For each pivpn user

• login as the user on the raspberry su - pi (replace pi with the actual username)
• run the google-authenticator command and follow the instructions (save the barcode url for next step)
• Executing google-authenticator adds a file .google_authenticator in the user’s home directory. This file must have no rights except read for the user sudo chmod 400 /home/pi/.google_authenticator (change pi with the correct username)
• create a pivpn account with the exact same name than the user and the nopass option: pivpn -a nopass Note: the username must be the same than the system account (pi for example)
• edit the freshly created user.ovpn file and add auth-user-pass (to tell the client to request username and password on connection) and reneg-sec 0 (to not reconnect every x minutes as the password changes every few seconds)

3. Setup your phone, your client and connect from an external network

• Install the google authenticator app on your phone and scan the barcode generated during the google-authenticator command (2) on the pi
• Setup your client (tested on windows and on iOS) with the new ovpn client file (pi.ovpn for example, created at the last step of (2)
• Connect using your pi account password followed by the 6 numbers generated by the google authenticator app on your phone at the same moment
  For example is your pi account password is "raspberry" (you should change it) then your password will be something like raspberry123456

Voila! Let me know if I missed anything (or did anything wrong) but that's how I got it working on my pi 2 with Raspbian Jessie.
I am still wondering if the nopass option on the pivpn creation account command is reasonable, if I set a password here (no nopass option) then I have to fill my certificate password 1st and then my pi password+the google authenticator numbers... All in all is it really adding security knowing I use the nopass option to create my user certificate ?
Credits to https://vorkbaard.nl/setup-openvpn-with-google-authenticator-on-ubuntu-12-04-lts-server/ where I found most of the solution...

[gittimm]

Thanks cben0ist,

I have been running pivpn for a little while now. I have just used your method to enable Google Authenticator which is exactly what I wanted. I followed your steps and it worked perfectly. Thanks for you efforts and for posting, I wouldn't have worked that out on my own!

Cheers,
GitTimm

[Astorek86]

Thanks cben0ist.

I struggled a bit on Raspbian Buster; found out it needs some more Modification to run PiVPN .

• For some reason, the File "openvpn-plugin-auth-pam.so" is not present in /usr/lib/openvpn, it's in another Directory. Even the Directory "/usr/lib/openvpn" doesn't exist on my System. I need to do the following:
  • Create the Directory: mkdir /usr/lib/openvpn
  • Make a Symlink: ln -s /usr/lib/arm-linux-gnueabihf/openvpn/plugins/openvpn-plugin-auth-pam.so /usr/lib/openvpn/
• You need the Modify a systemd-Configfile. It starts OpenVPN and has a BuiltIn-Protection to prevent Access to "/home"-Directories, which doesn't work on Google Authenticator. So you need to disable that specific Function:
  • Open /lib/systemd/system/openvpn@.service
  • Search for ProtectHome=true and change it to ProtectHome=false
  • Restart OpenVPN: systemctl restart openvpn (if that doesn't work, simply reboot your Raspberry Pi)

Now PiVPN + OTP should work even on Raspbian Buster^^.

[binaljui]

Im getting the User authentication failed error everytime i enter my password along with the token.... Can someone help please?

[corbolais]

While we're at it, I'd rather have a FIDO2 capable auth process. I heavily rely on FIDO2 USB sticks for added security. Just my 2¢ chipped in ;-)

Edit: Using PAM it's done:

• https://developers.yubico.com/yubico-pam/YubiKey_and_OpenVPN_via_PAM.html
• https://www.sparklabs.com/support/kb/article/yubikey-u2f-two-factor-authentication-with-openvpn-and-viscosity/