Here are some pointers, but note that some information is out of date:
- Setup OpenVPN with Google Authenticator on Ubuntu 12.04 LTS server | Vorkbaard uit de toekomst (PDF copy of above)
The easy-rsa package is now separate from OpenVPN and is installed using “sudo apt-get install easy-rsa”.
Add the following line to the end of the server’s OpenVPN configuration file, which might be called server.conf:
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
To install Google Authenticator on the server, the instructions in the above link are outdated. Get the source from github.com. It’s called “google/google-authenticator”. I used “git clone” to get it:
% git clone https://github.com/google/google-authenticator
On Ubuntu, you’ll have to install the PAM development libraries before building:
% sudo apt-get install libpam-dev
The part you need on the server is in google-authenticator/libpam. Follow the instructions in the README in that directory to build and install it, ending with “sudo make install”. It installs the generated library in /usr/local/lib/security. Next, you need a PAM config file for OpenVPN. Create /etc/pam.d/openvpn with the following content:
@include common-account auth requisite /usr/local/lib/security/pam_google_authenticator.so forward_pass auth required pam_unix.so use_first_pass
Then follow the remaining steps in the above article. One day, I’ll write it up more completely. Probably too late.