I configured OpenVPN to auth with LDAP using the LDAP plugin, but also want to use an OTP. We're into Free and Open Source Software, so using an offering from Google isn't of interest.
We wanted a robust solution that stays online securely all day. It requires the user to authenticate with LDAP, have an OTP, and have a valid client certificate.
This is what I came up with:
https://warlord0blog.wordpress.com/2022 ... a-and-pam/
proto udp
port 1194
dev tun0
server 192.168.255.0 255.255.255.0
topology subnet
verb 2
user nobody
group nogroup
tls-server
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/server.crt
crl-verify /etc/openvpn/crl.pem
# dh /etc/openvpn/pki/dh.pem
dh none
key /etc/openvpn/pki/private/server.key
key-direction 0
tls-auth /etc/openvpn/pki/ta.key
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
push "route 10.0.0.0 255.255.255.0"
push "route 128.0.0.0 128.0.0.0"
push "redirect-gateway def1 block-local"
push "dhcp-option DNS 10.0.0.254"
push "comp-lzo no"
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/server/auth/auth-ldap.conf
auth-gen-token 43200
auth-nocache
client-config-dir ccd
comp-lzo no
float
keepalive 10 60
#opt-verify
persist-key
persist-tun
cipher AES-256-GCM
ecdh-curve secp384r1
ncp-disable
remote-cert-tls client
tls-cert-profile preferred
tls-cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
tls-version-min 1.2
verify-client-cert require
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "/etc/pam.d/openvpn login USERNAME password PASSWORD One-time OTP"
/etc/pam.d/openvpn:
auth requisite pam_oath.so usersfile=/etc/users.oath window=30 digits=6
regards
PaulB