Secure OpenVPN with two-factor authentication from WiKID on CentOS 7

In a previous tutorial, we showed how to configure PAM-RADIUS to support two-factor authentication. Now, and in future tutorials, we will add remote access services to that server that also use WiKID for two-factor authentication. In this tutorial, we will demonstrate how to leverage that setup to add two-factor authentication through RADIUS to OpenVPN on CentOS 7.

In addition to publishing this tutorial, we are also releasing packer scripts which can automatically build virtual appliances as described in this tutorial.

Install the software.

Start by installing the EPEL repository:

wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-1.noarch.rpm
rpm -ivh epel-release-7-1.noarch.rpm

Now install openvpn and easy-rsa:

yum install openvpn easy-rsa

Configure OpenVPN

Change to the sample directory and copy the sample configuration file to /etc/openvpn:

cd /usr/share/doc/openvpn-2.3.2/sample/
cp server.conf /etc/openvpn/fqdn.conf

where fqdn is the name of your server. It doesn't have to be the fully qualified domain name; the base name of the .conf file is simply the instance name you pass to systemctl later. Note that the sample directory carries the version of the installed openvpn package (2.3.2 at the time of writing), so adjust the path if yum installed a newer build.

Create new certificates

mkdir -p /etc/openvpn/easy-rsa/keys
cp /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

Edit your vars file, in particular the fields for the certificate. Then, run the certificate commands.

cd /etc/openvpn/easy-rsa/
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh

Copy the resulting files (ca.crt, server.crt, server.key and the dh*.pem file from /etc/openvpn/easy-rsa/keys) into /etc/openvpn, or edit the ca, cert, key and dh lines in fqdn.conf to reflect their location.

Create a client cert:

./build-key client

Edit the fqdn.conf file and add the following lines to the bottom:

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so sshd
client-cert-not-required
username-as-common-name

The plugin line hands the username and password that the client sends to PAM, using the sshd PAM service that the PAM-RADIUS tutorial already pointed at WiKID. client-cert-not-required tells the server to accept a client that presents no certificate at all, so with it in place the WiKID username and one-time passcode are the only thing protecting the tunnel; if you want the client certificate built above to be required as well, leave this line out. (OpenVPN 2.4 and later deprecate the directive in favour of verify-client-cert none.) username-as-common-name makes the authenticated username, rather than the certificate CN, the name OpenVPN uses for logging and per-client configuration.

Configure Firewalld for Openvpn:

firewall-cmd --add-service openvpn
firewall-cmd --permanent --add-service openvpn
firewall-cmd --add-masquerade
firewall-cmd --permanent --add-masquerade

Now, start openvpn:

systemctl start openvpn@fqdn.service
systemctl enable openvpn@fqdn.service

That's it. You should be able to download the client cert and key to your machine and test the login using your WiKID token. Note that you can run the server in the foreground with 'openvpn /etc/openvpn/fqdn.conf' to troubleshoot; the same works for the client with its own configuration file.

Client Configuration

On the client, simply add the line 'auth-user-pass' to the client configuration file to force it to prompt for a username and password. Enter your username as listed in WiKID and your WiKID one-time passcode when prompted. PAM-RADIUS will forward the credentials to WiKID directly or through a RADIUS server, depending on your configuration.
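The page leaves assembling the client side to the reader. The function below is an added example, not from the original tutorial: it builds a single-file .ovpn profile that inlines the CA certificate and the client certificate and key produced by build-key, turns on auth-user-pass so the user is prompted for the WiKID username and passcode, and adds remote-cert-tls server so the client only trusts a certificate issued with build-key-server. It assumes the easy-rsa 2.0 key layout (ca.crt, <client>.crt, <client>.key in one directory), and that the server name and port are supplied by the caller; the easy-rsa 2 .crt files carry a human-readable dump ahead of the PEM block, which the sed call strips.

```shell
#!/bin/sh
# Added example (not from the tutorial): build an inline OpenVPN client
# profile for WiKID two-factor login.
# Assumptions: KEYDIR holds ca.crt, <client>.crt and <client>.key as written
# by easy-rsa 2.0's build-ca/build-key; the server name and port are given
# by the caller.
set -eu

# make_client_profile KEYDIR CLIENT SERVER [PORT]  ->  prints the .ovpn
make_client_profile() {
    keydir="$1"; client="$2"; server="$3"; port="${4:-1194}"
    for f in ca.crt "$client.crt" "$client.key"; do
        [ -r "$keydir/$f" ] || { echo "missing $keydir/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server $port
nobind
persist-key
persist-tun
# Prompt for the WiKID username and one-time passcode at connect time.
auth-user-pass
# Only accept a server certificate with the server key usage that
# build-key-server sets, so a stolen client cert cannot pose as the server.
remote-cert-tls server
verb 3
<ca>
$(cat "$keydir/ca.crt")
</ca>
<cert>
$(sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$keydir/$client.crt")
</cert>
<key>
$(cat "$keydir/$client.key")
</key>
EOF
}

# Typical use on the server, then copy client.ovpn to the user's machine:
#   make_client_profile /etc/openvpn/easy-rsa/keys client vpn.example.com 1194 > client.ovpn
```

Because the profile embeds the private key, treat client.ovpn like the key itself: generate it as root, copy it over an authenticated channel, and delete the server-side copy afterwards.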

Packer scripts

Packer is a tool that builds virtual appliances in various formats such as VirtualBox, VMware, EC2, Google Compute, etc.  Please see Build a 2FA-ready OpenVPN community virtual appliance for complete instructions.
