2FA/MFA OTP and pam_oath.so

Post by paulb-ovl » Fri Sep 02, 2022 2:39 pm

I couldn't find much on using the OATH Toolkit with OpenVPN, so I took a dive into it myself.

I configured OpenVPN to auth with LDAP using the LDAP plugin, but also want to use an OTP. We're into Free and Open Source Software, so using an offering from Google isn't of interest.

We wanted a robust solution that stays online securely all day. It requires the user to authenticate with LDAP, have an OTP and valid client certificate.

This is what I came up with:

https://warlord0blog.wordpress.com/2022 ... a-and-pam/

Code:

proto udp
port 1194
dev tun0
server 192.168.255.0 255.255.255.0
topology subnet

verb 2

user nobody
group nogroup

tls-server
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/server.crt
crl-verify /etc/openvpn/crl.pem
# dh /etc/openvpn/pki/dh.pem
dh none
key /etc/openvpn/pki/private/server.key
key-direction 0
tls-auth /etc/openvpn/pki/ta.key

status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log

push "route 10.0.0.0 255.255.255.0"
push "route 128.0.0.0 128.0.0.0"
push "redirect-gateway def1 block-local"
push "dhcp-option DNS 10.0.0.254"
push "comp-lzo no"

plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/server/auth/auth-ldap.conf

auth-gen-token 43200
auth-nocache
client-config-dir ccd
comp-lzo no
float
keepalive 10 60
#opt-verify
persist-key
persist-tun

cipher AES-256-GCM
ecdh-curve secp384r1
ncp-disable
remote-cert-tls client
tls-cert-profile preferred
tls-cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
tls-version-min 1.2
verify-client-cert require
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "/etc/pam.d/openvpn login USERNAME password PASSWORD One-time OTP"

The /etc/pam.d/openvpn file is a simple one-liner.

Code:

auth requisite pam_oath.so usersfile=/etc/users.oath window=30 digits=6

--
regards
PaulB
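
Added example, not part of the original post or the linked blog: a Python sketch of what `window=30 digits=6` in the PAM line means for a `HOTP/T30/6` entry in the users file. It assumes the window is counted in 30-second time steps on both sides of the current one, as liboath documents for TOTP validation; the function names, the user "alice" and the key are constructed for illustration.

```python
import hashlib, hmac, struct

STEP, DIGITS = 30, 6   # "T30" time step and digits=6 from the PAM line

def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP (HMAC-SHA1), truncated to DIGITS decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(key: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(key, now // STEP)

def usersfile_line(user: str, key: bytes) -> str:
    """Users-file entry: token type, user, PIN ("-" for none), hex secret."""
    return f"HOTP/T{STEP}/{DIGITS} {user} - {key.hex()}"

def validate(key: bytes, otp: str, now: int, window: int):
    """Return the step offset at which otp matches, or None.

    Assumption: `window` steps are tried on each side of the current one.
    """
    current = now // STEP
    for i in range(window + 1):
        for counter in {current + i, current - i}:
            if counter >= 0 and hmac.compare_digest(hotp(key, counter), otp):
                return counter - current
    return None

if __name__ == "__main__":
    key = b"12345678901234567890"        # constructed sample secret (RFC 6238 test key)
    now = 1111111109                     # fixed clock so the output is repeatable
    print(usersfile_line("alice", key))  # "alice" is a made-up user
    stale = totp(key, now - 600)         # code generated ten minutes earlier
    print("window=30:", validate(key, stale, now, 30))
    print("window=2: ", validate(key, stale, now, 2))
```

Under that assumption, window=30 accepts a code from up to 15 minutes either side of the server clock; a smaller window narrows that at the cost of tolerance for clock drift.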

Re: 2FA/MFA OTP and pam_oath.so

Post by vince.ger » Wed Oct 16, 2024 12:35 pm

An old topic, but for those who would search for the same possibility, WebADM/OpenOTP is an alternative for implementing MFA with OpenOTP (community and enterprise solution): https://www.rcdevs.com/products/openotp/

They also provide a mfavpn package which provides an OpenVPN server configured with MFA using OpenOTP.
It is however not open source, but free for up to 25 users, and can also be used for managing LDAP accounts.
