Two-factor authentication in OpenVPN with Telegram bot
The article describes how to configure the OpenVPN server to enable two-factor authentication with a Telegram bot that will send a confirmation request upon connection.
OpenVPN is a well-known, free and open source VPN server that is widely used to provide employees with secure access to internal resources of an organization.
For authentication when connecting to a VPN server, a combination of a key and a username/password is usually used. But once the password is saved on the client, the whole set collapses into a single factor that does not provide an adequate level of security: an attacker who gains access to the client computer gains access to the VPN server as well. This is especially true for connections from machines running Windows.
Adding a second factor reduces the risk of unauthorized access by 99% and does not complicate the connection process for users at all.
I'll say this up front: the implementation requires connecting a third-party authentication server, multifactor.ru, whose free plan is sufficient for this purpose.
Principle of operation
OpenVPN uses the openvpn-plugin-auth-pam plugin for authentication.
The plugin checks the user's password on the server and requests the second factor from the Multifactor service via the RADIUS protocol.
Multifactor sends the user a message through the Telegram bot asking to confirm access.
The user confirms the access request in the Telegram chat and is connected to the VPN.
Installing an OpenVPN Server
There are many articles on the Internet describing the process of installing and configuring OpenVPN, so we will not duplicate them. If you need help, there are several links to tutorials at the end of the article.
Multifactor setting
Go to the Multifactor control panel, open Resources and create a new VPN.
After creation, two parameters will be available to you: NAS ID and shared secret. They will be needed for the subsequent configuration.
In the "Groups" section, go to the "All users" group settings and uncheck the "All resources" flag so that only users of a certain group can connect to the VPN server.
Create a new group "VPN users", disable all authentication methods except Telegram, and specify that users have access to the created VPN resource.
In the "Users" section, create the users who will have access to the VPN, add them to the "VPN users" group, and send them a link to set up the second authentication factor. The user's login must match the login on the VPN server.
Setting up an OpenVPN server
Open the file /etc/openvpn/server.conf and add the plugin that performs authentication through the PAM module.
The first line connects the pam_radius_auth PAM module with the following parameters:
skip_passwd - disables transmission of the user's password to the Multifactor RADIUS server (it does not need to know it).
client_id - replace [NAS-Identifier] with the corresponding parameter from the VPN resource settings.
All available options are described in the module's documentation.
The second and third lines perform the system check of the login, password and user permissions on your server, alongside the second authentication factor.
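One way to lay out the three configuration pieces this section describes, as an added example that is not the article's own listing: a POSIX shell script that writes the PAM service for OpenVPN, the pam_radius_auth server list and the plugin line in server.conf. The plugin path, the Debian-style file locations, the 40-second RADIUS timeout and the function names are my assumptions; the first argument lets you generate the files under a directory other than / for review.

```shell
#!/bin/sh
# Added example, not the article's own listing. Paths and the plugin location
# are Debian/Ubuntu assumptions; adjust them for your distribution.
set -eu

AUTH_PAM_PLUGIN="${AUTH_PAM_PLUGIN:-/usr/lib/openvpn/openvpn-plugin-auth-pam.so}"

# /etc/pam.d/openvpn: second factor over RADIUS first, then the local
# login/password and account checks, in the order the article describes.
write_pam_service() {   # args: root nas_identifier
    mkdir -p "$1/etc/pam.d"
    cat > "$1/etc/pam.d/openvpn" <<EOF
# skip_passwd: the user's password is not sent to the Multifactor RADIUS server
# client_id:   NAS-Identifier from the VPN resource settings in Multifactor
auth    required pam_radius_auth.so skip_passwd client_id=$2
auth    required pam_unix.so
account required pam_unix.so
EOF
}

# /etc/pam_radius_auth.conf: "host[:port] shared_secret timeout_seconds".
# The timeout must leave the user time to press the button in Telegram; the
# file holds the shared secret, so it is created readable by root only.
write_radius_conf() {   # args: root shared_secret
    mkdir -p "$1/etc"
    ( umask 077; printf 'radius.multifactor.ru:1812 %s 40\n' "$2" \
        > "$1/etc/pam_radius_auth.conf" )
    chmod 600 "$1/etc/pam_radius_auth.conf"
}

# server.conf: load the auth-pam plugin once; "openvpn" is the PAM service
# name, i.e. the file /etc/pam.d/openvpn written above.
enable_plugin() {       # arg: root
    conf="$1/etc/openvpn/server.conf"
    mkdir -p "$1/etc/openvpn" && touch "$conf"
    grep -q 'openvpn-plugin-auth-pam' "$conf" ||
        printf 'plugin %s openvpn\n' "$AUTH_PAM_PLUGIN" >> "$conf"
}

setup_mfa() {           # args: root nas_identifier shared_secret
    write_pam_service "$1" "$2"
    write_radius_conf "$1" "$3"
    enable_plugin "$1"
}
```

Run it as root with `/` as the first argument on the VPN server, then restart OpenVPN as described below.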
Restart OpenVPN
$ sudo systemctl restart openvpn@server
Client setup
Enable the username and password prompt in the client configuration file:
auth-user-pass
Verification
Start the OpenVPN client, connect to the server and enter your login and password. The Telegram bot will send an access request with two buttons.
One button allows access, the other denies it.
Now the password can be safely saved on the client: the second factor will reliably protect your OpenVPN server from unauthorized access.
If something doesn't work
Check step by step that nothing has been missed:
A user with a password set exists on the OpenVPN server
The server can reach radius.multifactor.ru on UDP port 1812
The NAS-Identifier and Shared Secret parameters are correct
A user with the same login has been created in the Multifactor system and added to the "VPN users" group
The user has configured the authentication method via Telegram