OpenVPN配置Google Authenticator MFA认证

一：安装并配置认证模块

#安装openvpn-plugin-auth-pam插件,下载对应版本的openvpn源码

wget https://swupdate.openvpn.net/community/releases/openvpn-2.4.12.tar.gz

#解压,并安装插件

tar -zxvf openvpn-2.4.12.tar.gz

cd openvpn-2.4.12

./configure

cd src/plugins/auth-pam

make && make install

#安装epel源

yum -y install epel-release 

#安装Google authenticator

yum install google-authenticator

#创建google auth目录

mkdir /etc/google-auth

#配置pam

vim /etc/pam.d/openvpn

auth requisite /lib/security/pam_google_authenticator.so secret=/etc/google-auth/${USER} user=root

account  required  pam_permit.so

#配置openvpn 增加auth插件

vim /etc/openvpn/server.conf

plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

auth SHA256

完成后重启openVPN

二：创建MFA用户

#进入创建openVPN文件夹

cd /etc/openvpn/

#执行adduser.sh脚本，后面加上用户名

sh adduser.sh username

#adduser.sh

#/bin/bash
echo "HOTP/T30 $1 - $(head -c 16 /dev/urandom |xxd -c 256 -ps)" >>/etc/openvpn/users/user.txt
id=`cat /etc/openvpn/users/user.txt |grep -w $1 |awk '{print $4}' |xargs oathtool --totp -v $() |grep Base |awk -F= '{print $1}' |awk '{print $3}'`
echo $id
qrencode -t ANSIUTF8 "otpauth://totp/$1@openvpn?secret=$id"
echo "$id" >>/etc/google-auth/$1
echo -e '
" RATE_LIMIT 3 30 1731655555 1731655577
" WINDOW_SIZE 17
" TOTP_AUTH ' >>/etc/google-auth/$1
chmod 600 /etc/google-auth/$1

将上方生成的MFA二维码及ovpn文件发送给用户，导入后即可正常连接

连接时提示输入账号密码，账号为adduser脚本后携带的用户名，密码为MFA软件生成的随机密码