
Enable Two-Factor Auth on your VPN. - danielpal
http://blog.authy.com/openvpn
======
davemtl
I've been doing this for a while using the Google Authenticator PAM plugin[1].
I use the same module to add two factor authentication to both SSH and OpenVPN
connections.

[1] [http://code.google.com/p/google-authenticator/](http://code.google.com/p/google-authenticator/)

~~~
daemon13
Can you share some "how to" pointers - maybe a blog post describing how to do
this?

~~~
davemtl
Real quick and dirty. But you should be able to get it to work from these
notes. Be warned, I don't go into how to set-up OpenVPN. You can find
documentation for OpenVPN at
[http://openvpn.net/index.php/open-source/documentation/howto...](http://openvpn.net/index.php/open-source/documentation/howto.html)

You'll need to install Google Authenticator on your phone to complete the
set-up.

Here are my notes:
[https://invaliddomain.com/openvpn-google-auth-howto.txt](https://invaliddomain.com/openvpn-google-auth-howto.txt)
(please excuse the lack of a real SSL cert).

Once enabled, your password becomes <password><OTP> .. e.g. Pa55w0rd!987654

Hope that helps.
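
The `<password><OTP>` format described in the comment above, as an added example that is not part of the original thread or the PAM module's own code: Python showing how a verifier can split the trailing six digits off the combined string and check them as an RFC 6238 time-based code. The function names, the plaintext password comparison and the sample secret (the RFC test key) are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def split_credential(combined: str, digits: int = 6):
    """Split '<password><OTP>' into its parts; None if no trailing OTP is present."""
    otp = combined[-digits:]
    if len(combined) <= digits or not (otp.isascii() and otp.isdigit()):
        return None
    return combined[:-digits], otp

def verify(combined, stored_password, secret, now, step=30, window=1):
    """Check both factors; `window` tolerates that many time steps of clock drift."""
    parts = split_credential(combined)
    if parts is None:
        return False
    password, otp = parts
    # Assumption: a plain comparison stands in for the system's real password check.
    pw_ok = hmac.compare_digest(password.encode(), stored_password.encode())
    counter = int(now) // step  # TOTP (RFC 6238) is HOTP keyed on the time step
    otp_ok = False
    for c in range(max(0, counter - window), counter + window + 1):
        otp_ok |= hmac.compare_digest(otp, hotp(secret, c))
    return pw_ok and otp_ok

# Constructed sample values: the RFC 4226/6238 test key, not a real secret.
SECRET = b"12345678901234567890"
NOW = 59  # falls in time step 1, whose 6-digit code is 287082

if __name__ == "__main__":
    print(verify("Pa55w0rd!287082", "Pa55w0rd!", SECRET, NOW))  # current code
    print(verify("Pa55w0rd!969429", "Pa55w0rd!", SECRET, NOW))  # code from step 3
```

A deployed verifier would also refuse a code it has already accepted, so that a captured `<password><OTP>` string cannot be replayed inside the drift window.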

------
molf
Better yet, use passwords plus client side certificates. It prevents these
scenarios without requiring you to trust a third party with your two-factor
authentication tokens.

------
teraflop
Or, if you want to do the same thing without trusting the security of your VPN
to a third party, and you're willing to do a little more fiddling with
configuration files, you can just use libpam-google-authenticator:
[http://www.howtoforge.com/securing-openvpn-with-a-one-time-p...](http://www.howtoforge.com/securing-openvpn-with-a-one-time-password-otp-on-ubuntu)

~~~
dcu
You are only trusting half of the security, which is better IMHO. The evil
person would need to hack/steal both you and the (likely more careful) third
party in order to access your accounts. In your scenario it would only need to
hack you to get everything.

