I've enabled GA for my server and it worked well with the OpenVPN client v2.3.2 on Linux. It was checking a one-time password from GA:
Code:
$ sudo openvpn --config dev.ovpn
Tue Jul 24 19:54:52 2018 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jun 22 2017
Enter Auth Username:test
Enter Auth Password:
CHALLENGE: Enter Google Authenticator Code
Response:218795
Tue Jul 24 19:55:09 2018 Control Channel Authentication: tls-auth using INLINE static key file
Tue Jul 24 19:55:09 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jul 24 19:55:09 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
.....................
Now it doesn't check a one-time password. You can just press Enter and connect to the server.
Code:
$ sudo openvpn --config dev.ovpn
[sudo] password for siamion:
Wed Jul 25 11:17:15 2018 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Wed Jul 25 11:17:15 2018 library versions: OpenSSL 1.0.1f 6 Jan 2014, LZO 2.06
Enter Auth Username:alpha
Enter Auth Password:
CHALLENGE: Enter Google Authenticator Code
Wed Jul 25 11:17:37 2018 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Wed Jul 25 11:17:37 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 25 11:17:37 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
.......................
OpenVPN client is v.2.4.6.
OpenVPN AS server is v.2.5.
Client config:
Code:
cipher AES-256-CBC
setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote dev.example.com 1194 udp
remote dev.example.com 1194 udp
remote dev.example.com 443 tcp
remote dev.example.com 1194 udp
remote dev.example.com 1194 udp
remote dev.example.com 1194 udp
remote dev.example.com 1194 udp
remote dev.example.com 1194 udp
dev tun
dev-type tun
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
auth-user-pass
static-challenge "Enter Google Authenticator Code" 1
comp-lzo no
verb 3
setenv PUSH_PEER_INFO
key-direction 1
auth SHA256
Code:
2018-07-25 10:45:35+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:35 2018 192.168.1.10:42050 TLS: Initial packet from [AF_INET]192.168.1.10:42050 (via [AF_INET]10.1.0.100%eth0), sid=54a6e68d 5abac6d5'
2018-07-25 10:45:35+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:35 2018 192.168.1.10:42050 VERIFY OK: depth=1, /CN=OpenVPN CA'
2018-07-25 10:45:35+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:35 2018 192.168.1.10:42050 VERIFY OK: nsCertType=CLIENT'
2018-07-25 10:45:35+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:35 2018 192.168.1.10:42050 VERIFY OK: depth=0, /CN=test'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_VER=2.4.6'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_PLAT=linux'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_PROTO=2'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_NCP=2'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_LZ4=1'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_LZ4v2=1'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_LZO=1'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_COMP_STUB=1'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_COMP_STUBv2=1'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_TCPNL=1'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_HWADDR=44:8a:5b:62:6d:f0'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 peer info: IV_SSL=OpenSSL_1.0.1f_6_Jan_2014'
2018-07-25 10:45:36+0000 [-] AUTH SUCCESS {'status': 0, 'reason': 'PAM auth succeeded', 'serial_list': [], 'user': u'test', 'proplist': {u'pvt_google_auth_secret_locked': u'true', u'prop_autogenerate': 'true', 'prop_deny': 'false', u'pvt_google_auth_secret': '[redacted]', u'prop_superuser': 'true', u'pvt_password_digest': '[redacted]', u'type': u'user_compile'}, 'common_name': u'test', 'serial': '18'} cli=u'linux'/u'2.4.6'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: "Wed Jul 25 10:45:36 2018 MANAGEMENT: CMD 'client-auth 6 0'"
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 192.168.1.10:42050 [test] Peer Connection Initiated with [AF_INET]192.168.1.10:42050 (via [AF_INET]10.1.0.100%eth0)'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 test/192.168.1.10:42050 OPTIONS IMPORT: compression parms modified'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 test/192.168.1.10:42050 MULTI: Learn: 10.1.1.122 -> test/192.168.1.10:42050'
2018-07-25 10:45:36+0000 [-] OVPN 1 OUT: 'Wed Jul 25 10:45:36 2018 test/192.168.1.10:42050 MULTI: primary virtual IP for test/192.168.1.10:42050: 10.1.1.122'
2018-07-25 10:45:37+0000 [-] OVPN 1 OUT: "Wed Jul 25 10:45:37 2018 test/192.168.1.10:42050 SENT CONTROL [test]: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,auth-tokenSESS_ID,comp-lzo yes,redirect-private def1,redirect-private bypass-dhcp,redirect-private autolocal,redirect-private bypass-dns,route-gateway 10.1.1.1,route 10.1.0.0 255.255.248.0,block-ipv6,ifconfig 10.1.1.122 255.255.255.128,peer-id 0,cipher AES-256-GCM' (status=1)"
2018-07-25 10:45:37+0000 [-] OVPN 1 OUT: "Wed Jul 25 10:45:37 2018 test/192.168.1.10:42050 Data Channel: using negotiated cipher 'AES-256-GCM'"
2018-07-25 10:45:37+0000 [-] OVPN 1 OUT: "Wed Jul 25 10:45:37 2018 test/192.168.1.10:42050 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key"
2018-07-25 10:45:37+0000 [-] OVPN 1 OUT: "Wed Jul 25 10:45:37 2018 test/192.168.1.10:42050 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key"
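Added example, not part of the original post and not OpenVPN Access Server code: with `static-challenge` in the client config, OpenVPN sends the password field as `SCRV1:<base64 password>:<base64 response>`, so a server-side auth hook can fail closed when the response is missing or empty, as in the second client log above. The function names, the sample password and the 6-digit rule are assumptions; checking the code against the TOTP secret remains a separate step.

```python
import base64
import re


class ChallengeError(ValueError):
    """The password field cannot be accepted as password + one-time code."""


def _b64(field: str) -> str:
    # validate=True rejects characters outside the base64 alphabet
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError are ValueErrors
        raise ChallengeError("malformed base64 in SCRV1 field") from exc


def split_static_challenge(password_field: str) -> tuple[str, str]:
    """Return (password, otp) from an SCRV1 password field, failing closed."""
    parts = password_field.split(":")
    if len(parts) != 3 or parts[0] != "SCRV1":
        # A bare password means the client sent no challenge response at all
        raise ChallengeError("no static-challenge response present")
    password, otp = _b64(parts[1]), _b64(parts[2])
    # Assumption: 6-digit codes, like the 218795 response in the first log
    if not re.fullmatch(r"\d{6}", otp):
        raise ChallengeError("challenge response is empty or not a 6-digit code")
    return password, otp


def second_factor_present(password_field: str) -> bool:
    """True only if a well-formed one-time code accompanies the password."""
    try:
        split_static_challenge(password_field)
        return True
    except ChallengeError:
        return False


def make_field(password: str, otp: str) -> str:
    """Build a constructed sample of what the client sends (test input only)."""
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return f"SCRV1:{enc(password)}:{enc(otp)}"


if __name__ == "__main__":
    for label, field in [("code entered", make_field("hunter2", "218795")),
                         ("Enter pressed at prompt", make_field("hunter2", "")),
                         ("no challenge sent", "hunter2")]:
        print(f"{label}: second factor present = {second_factor_present(field)}")
```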