google authenticator with OpenVPN Access Server - Amazon AWS

[treddy]

Hi Guys,

I've installed OpenVPN Access Server AMI in Amazon Cloud ( as per instructions http://openvpn.net/index.php/access-ser ... r-ami.html) and have successfully established a tunnel to my AWS account using OpenVPN Client.

so far so good.

What I wish to do now is used google authenticator with the OpenVPN Client when logging in.

I've update /etc/pam.d/openvpnas with the following:

Code: Select all

auth    required                        pam_google_authenticator.so

I have also logged on to my OpenVPN Access Server and enabled PAM under the Authentication section.

When I attempt to re-login to OpenVPN Access Server using username / password+google OTP I get an "Incorrect login" message.

The following message is being logged in /etc/log/openvpnas.log

Oct 17 14:40:58 ip-10-78-0-247 openvpnas(pam_google_authenticator)[776]: Invalid verification code
Oct 17 14:40:58 ip-10-78-0-247 python[776]: pam_unix(openvpnas:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=USER1


Just wondering, am I using the correct format for logging in (i.e. username / password+google OTP )
Also, could anyone suggest some documentation / tutorials on using OpenVPN Access Server + google authenticator?
any help with solving this issue would be greatly appreciated,
Thanks - Tom

[macropin]

I'm bumping this in the hope that someone here can respond to the OP's request and document what they've done to set this up successfully on any distro. Inc OpenVPN config (plugin line), Pam config, and the version of Google Authenticator used.

It seems this is not officially documented anywhere, and the information available online is incomplete.

I've been trying to set this up on CentOS 6, but have not had much success either.

[macropin]

Bumping.

I'm having the same issue here. Can someone please post working configs. It seems documentation online is lacking.

[macropin]

Success. I have this working for CentOS 6, which should be very similar to Amazon AWS. But until my account is unmoderated I'm not going to post anymore here.

(I previously wrote a nice long post, explaining how I did this but due to the session timing out my post was lost.)

[odoisneau]

If anyone has any input on the answer to this posting, I would really appreciate it.

Thanks,

[odoisneau]

so if anyone has the same issue with this, I found the solution is to comment out all the entries in the /etc/pam.d/openvpnas entries that start with @. The rest is following the documentation but I hope that helps someone.