Here are some pointers, but note that some information is out of date:

• https://vorkbaard.nl/setup-openvpn-with-google-authenticator-on-ubuntu-12-04-lts-server/
• Setup OpenVPN with Google Authenticator on Ubuntu 12.04 LTS server | Vorkbaard uit de toekomst (PDF copy of above)

The easy-rsa package is now separate from OpenVPN and is installed using “sudo apt-get install easy-rsa”.

Add the following line to the end of the server’s OpenVPN configuration file, which might be called server.conf:

plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn

To install Google Authenticator on the server, the instructions in the above link are outdated.  Get the source from github.com. It’s called “google/google-authenticator”. I used “git clone” to get it:

% git clone https://github.com/google/google-authenticator

On Ubuntu, you’ll have to install the PAM development libraries before building:

% sudo apt-get install libpam-dev

The part you need on the server is in google-authenticator/libpam.  Follow the instructions in the README in that directory to build and install it, ending with “sudo make install”.  It installs the generated library in /usr/local/lib/security.  Next, you need a PAM config file for OpenVPN. Create /etc/pam.d/openvpn with the following content:

@include common-account
auth requisite /usr/local/lib/security/pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

Then follow the remaining steps in the above article.  One day, I’ll write it up more completely.  Probably too late.