Two-factor authentication in OpenVPN with Telegram bot

This article describes how to configure an OpenVPN server for two-factor authentication with a Telegram bot that sends a confirmation request on every connection.

OpenVPN is a well-known, free and open-source VPN server that is widely used to give employees secure access to an organization's internal resources.

Authentication to a VPN server is usually a combination of a key and a username/password. But once the password is saved on the client, the whole set collapses into a single factor that does not provide an adequate level of security: an attacker who gains access to the client computer gains access to the VPN server as well. This is especially true for connections from machines running Windows.

Adding a second factor reduces the risk of unauthorized access by 99% and does not complicate the connection process for users at all.

One caveat up front: the implementation requires connecting a third-party authentication server, multifactor.ru, whose free plan is sufficient for this purpose.

Principle of operation

  1. OpenVPN uses the openvpn-plugin-auth-pam plugin for authentication
  2. The plugin checks the user's password on the server and requests the second factor from the Multifactor service over the RADIUS protocol
  3. Multifactor sends the user a message via the Telegram bot asking them to confirm access
  4. The user confirms the request in the Telegram chat and is connected to the VPN

Installing an OpenVPN Server

There are many articles on the Internet describing the process of installing and configuring OpenVPN, so we will not duplicate them. If you need help, there are several links to tutorials at the end of the article.

Multifactor setup

Open the Multifactor control panel, go to Resources and create a new VPN.
After it is created, two parameters become available: NAS ID and shared secret. Both will be needed for the subsequent configuration.

In the "Groups" section, open the settings of the "All users" group and uncheck the "All resources" flag, so that only users of a specific group can connect to the VPN server.

Create a new group, "VPN users", disable all authentication methods except Telegram, and grant the group access to the VPN resource you created.

In the "Users" section, create the users who will have access to the VPN, add them to the "VPN users" group, and send them a link to set up the second authentication factor. A user's login must match their login on the VPN server.

Setting up an OpenVPN server

Open the file /etc/openvpn/server.conf and add the plugin that authenticates through the PAM module:

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

Depending on your system, the plugin is located in /usr/lib/openvpn/plugins/ or /usr/lib64/openvpn/plugins/.

Next, you need to install the pam_radius_auth module:

$ sudo yum install pam_radius

Open /etc/pam_radius.conf for editing and specify the address of the Multifactor RADIUS server:

radius.multifactor.ru   shared_secret   40

where:

  • radius.multifactor.ru - server address
  • shared_secret - copy it from the corresponding parameter in the VPN resource settings
  • 40 - request timeout in seconds, with a generous margin

The remaining servers must be deleted or commented out (put a semicolon at the beginning of the line).

Next, create a PAM service file for the openvpn service type:

$ sudo vi /etc/pam.d/openvpn

and put the following in it:

auth    required pam_radius_auth.so skip_passwd client_id=[NAS-Identifier]
auth    substack     password-auth
account substack     password-auth

The first line connects the pam_radius_auth PAM module with the following parameters:

  • skip_passwd - disables sending the user's password to the Multifactor RADIUS server (it does not need to know it).
  • client_id - replace [NAS-Identifier] with the corresponding parameter from the VPN resource settings.
    All available options are described in the module's documentation.

The second and third lines run the system check of the login, password and user rights on your server, in addition to the second authentication factor.

Restart OpenVPN:

$ sudo systemctl restart openvpn@server

Client setup

Enable the username and password prompt in the client configuration file:

auth-user-pass

Verification

Start the OpenVPN client, connect to the server, and enter your login and password. The Telegram bot will send an access request with two buttons.

One button allows access, the other denies it.

Now you can safely save the password on the client: the second factor reliably protects your OpenVPN server from unauthorized access.

If something doesn't work

Check step by step that nothing has been missed:

  • A user with a password set exists on the OpenVPN server
  • The server can reach radius.multifactor.ru on UDP port 1812
  • The NAS-Identifier and Shared Secret parameters are correct
  • A user with the same login exists in the Multifactor system and has been added to the VPN users group
  • The user has set up the Telegram authentication method
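
As an added example (not code from the original article or from Multifactor), the following shell script turns the PAM configuration from the "Setting up an OpenVPN server" section and the checklist above into automated checks: each function inspects one file and returns pass or fail, and the bottom of the script runs them against constructed sample files. The NAS-Identifier, shared secret, logins and password hashes in the samples are made-up placeholders, and the function names and the `report` helper are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original article: audits the OpenVPN +
# pam_radius configuration against the troubleshooting checklist. Each check
# takes the file(s) to inspect as arguments and returns 0 (pass) or 1 (fail),
# so it can run against the real /etc paths or, as at the bottom, against
# constructed sample files. All secrets, IDs and users below are made up.

# server.conf loads the auth-pam plugin with the "openvpn" PAM service name.
check_plugin_line() {   # $1 = server.conf
    grep -Eq '^[[:space:]]*plugin[[:space:]]+[^[:space:]]*openvpn-plugin-auth-pam\.so[[:space:]]+openvpn([[:space:]]|$)' "$1"
}

# The plugin .so exists in one of the candidate directories (the article names
# /usr/lib/openvpn/plugins and /usr/lib64/openvpn/plugins). Prints the path.
find_auth_pam_plugin() {   # $@ = directories to search
    for dir in "$@"; do
        if [ -f "$dir/openvpn-plugin-auth-pam.so" ]; then
            echo "$dir/openvpn-plugin-auth-pam.so"; return 0
        fi
    done
    return 1
}

# pam_radius.conf has exactly one active server line (lines starting with # or
# ; are treated as inactive) naming radius.multifactor.ru, with the
# shared_secret placeholder replaced and a numeric timeout in seconds.
check_pam_radius_conf() {   # $1 = pam_radius.conf
    active=$(grep -Ev '^[[:space:]]*(#|;|$)' "$1")
    [ "$(printf '%s\n' "$active" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$active" | awk '
        $1 == "radius.multifactor.ru" && $2 != "shared_secret" && $3 ~ /^[0-9]+$/ { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# /etc/pam.d/openvpn calls pam_radius_auth.so with skip_passwd and a real
# client_id (the [NAS-Identifier] placeholder replaced), then the password-auth
# substack for the local login, password and account checks.
check_pam_openvpn() {   # $1 = pam.d/openvpn
    line=$(grep -E '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_radius_auth\.so' "$1") || return 1
    case "$line" in *skip_passwd*) ;; *) return 1 ;; esac
    case "$line" in *"client_id=["*) return 1 ;; *client_id=?*) ;; *) return 1 ;; esac
    grep -Eq '^[[:space:]]*auth[[:space:]]+substack[[:space:]]+password-auth' "$1" &&
        grep -Eq '^[[:space:]]*account[[:space:]]+substack[[:space:]]+password-auth' "$1"
}

# The VPN login exists locally and has a usable password hash (not empty or locked).
check_local_user() {   # $1 = login, $2 = passwd file, $3 = shadow file
    grep -q "^$1:" "$2" || return 1
    hash=$(awk -F: -v u="$1" '$1 == u { print $2 }' "$3")
    case "$hash" in ""|"!"*|"*"*) return 1 ;; esac
    return 0
}

# --- constructed sample files standing in for the real ones ---
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/lib64/openvpn/plugins"
: > "$SAMPLE_DIR/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so"
printf '%s\n' 'port 1194' \
    'plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn' \
    > "$SAMPLE_DIR/server.conf"
printf '%s\n' '# server                shared_secret   timeout' \
    '# 127.0.0.1             localsecret     3' \
    'radius.multifactor.ru  EXAMPLE-SECRET  40' > "$SAMPLE_DIR/pam_radius.conf"
printf '%s\n' 'auth    required pam_radius_auth.so skip_passwd client_id=EXAMPLE-NAS-ID' \
    'auth    substack     password-auth' \
    'account substack     password-auth' > "$SAMPLE_DIR/pam.d-openvpn"
# Negative case: the same file with the placeholder never replaced.
sed 's/client_id=EXAMPLE-NAS-ID/client_id=[NAS-Identifier]/' \
    "$SAMPLE_DIR/pam.d-openvpn" > "$SAMPLE_DIR/pam.d-openvpn.bad"
printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/bash' \
    'bob:x:1001:1001::/home/bob:/bin/bash' > "$SAMPLE_DIR/passwd"
printf '%s\n' 'alice:$6$fakesalt$fakehash:18000:0:99999:7:::' \
    'bob:!!:18000:0:99999:7:::' > "$SAMPLE_DIR/shadow"   # bob's password is locked

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
report check_plugin_line     "$SAMPLE_DIR/server.conf"
report find_auth_pam_plugin  "$SAMPLE_DIR/lib/openvpn/plugins" "$SAMPLE_DIR/lib64/openvpn/plugins"
report check_pam_radius_conf "$SAMPLE_DIR/pam_radius.conf"
report check_pam_openvpn     "$SAMPLE_DIR/pam.d-openvpn"
report check_pam_openvpn     "$SAMPLE_DIR/pam.d-openvpn.bad"              # expected FAIL
report check_local_user alice "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
report check_local_user bob   "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"   # expected FAIL
```

On a real server, call the same functions with /etc/openvpn/server.conf, /etc/pam_radius.conf, /etc/pam.d/openvpn, /etc/passwd and /etc/shadow (the last requires root) and the two plugin directories from the article. One checklist item, reachability of radius.multifactor.ru on UDP port 1812, cannot be proven from files alone: capture traffic on UDP port 1812 during a test login to confirm that the RADIUS Access-Request leaves the server and a reply comes back.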

If you have not set up OpenVPN before, read the extended article.

The instructions are illustrated with examples on CentOS 7.

Source: habr.com
