We have a corporate VPN server running OpenVPN 2.3 on an AWS instance with Ubuntu 16.04 Xenial. The server has been configured using an Ansible playbook.
I'm planning to upgrade to Ubuntu 18.04 Bionic, which also upgrades OpenVPN to version 2.4 (this is a desired side effect, as OpenVPN 2.3 is getting deprecated). So I created a test instance with Bionic on it, and ran the Ansible playbook against it. The configuration includes MFA through Google Authenticator, so I also copied the ~/.google_authenticator file from the old server and applied chmod 400 to it.
There were also a couple of compatibility issues which I had to solve before the new server worked:
- The openvpn-plugin-auth-pam.so file location has changed, and now its full path doesn't need to be specified in the server config.
- The CAP_AUDIT_WRITE permission was missing in the openvpn systemd service (see more details here).
However, even after that, authentication still fails on the new server. Here's what my /etc/pam.d/openvpn looks like:
auth required pam_google_authenticator.so
If I replace this line with auth required pam_permit.so, I get successfully authenticated (with any password, of course) and connected, so the problem is definitely where MFA steps in.
At the same time, pamtester tells me that pam_google_authenticator.so works fine:
$ sudo pamtester openvpn vlad authenticate
Verification code:
pamtester: successfully authenticated
Here's what I see in syslog when trying to authenticate to VPN server:
Aug 16 15:17:39 ip-10-7-0-230 openvpn[10873]: AUTH-PAM: BACKGROUND: received command code: 0
Aug 16 15:17:39 ip-10-7-0-230 openvpn[10873]: AUTH-PAM: BACKGROUND: USER: vlad
Aug 16 15:17:39 ip-10-7-0-230 openvpn[10873]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
Aug 16 15:17:39 ip-10-7-0-230 openvpn[10873]: AUTH-PAM: BACKGROUND: user 'vlad' failed to authenticate: Authentication failure
In this thread I found a suggestion that the line in the server config that calls the auth-pam module should be changed from
plugin openvpn-plugin-auth-pam.so openvpn
to:
plugin openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"
However, neither of them seems to work - I still get "Authentication failure".
Interestingly, the same experiment with rebuilding the server on the base of Xenial worked - so the problem seems to be either in Ubuntu Bionic (some additional security features?) or in OpenVPN 2.4 (some compatibility issues).
Does anyone have any ideas how to fix this?
Update. Just tried adding nullok to /etc/pam.d/openvpn and deleting the ~/.google_authenticator file. Still fails, same error.
Ubuntu 18.04 and higher use a more strict sandboxing config in systemd which interferes with google-authenticator.
Simply edit /lib/systemd/system/[email protected] and remove this line:
This is a newer feature of systemd that makes directories with 'user' content in them appear empty, for example /home, /root, and /run/user. It's generally a good idea to enable this as /home often contains SSH and GPG keys, but in this case it prevents OpenVPN from reading the .google_authenticator file in the users' home directory.
More info:
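Added example, not part of the question or the answer above: a POSIX shell script that checks a systemd unit's text for the home-directory sandboxing the answer describes and prints a drop-in override instead of editing the vendor unit under /lib. The systemd directive that makes /home, /root and /run/user appear empty is ProtectHome= (a systemd fact assumed here, since the answer does not quote the line it removes); the sample unit text is constructed, and the drop-in directory name openvpn-server@.service.d is an assumption that must match whichever OpenVPN unit is actually in use on the host.

```shell
#!/bin/sh
# Added example: detect the systemd sandboxing that hides ~/.google_authenticator
# from pam_google_authenticator and emit a per-unit override that disables it.

# Constructed sample of the [Service] section of a Bionic OpenVPN unit
# (assumption: the real unit carries these directives in this form).
SAMPLE_UNIT='[Service]
Type=notify
PrivateTmp=true
ProtectHome=true
ProtectSystem=true
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
'

# protect_home_value: read unit text on stdin and print the effective
# ProtectHome= value (last occurrence wins, as systemd does); "false" when unset.
protect_home_value() {
    v=$(grep -i '^ProtectHome=' | tail -n 1 | cut -d= -f2- | tr -d ' \t\r')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'false\n'; fi
}

# home_is_hidden: succeed when the value keeps the service from using home
# directories normally. read-only counts too: pam_google_authenticator rewrites
# the secret file to record used codes, so a read-only view also breaks it.
home_is_hidden() {
    case "$1" in
        true|yes|on|1|read-only|tmpfs) return 0 ;;
        *) return 1 ;;
    esac
}

# dropin_override: the drop-in that switches the sandboxing off for this unit
# only; install as /etc/systemd/system/openvpn-server@.service.d/override.conf
# (assumed unit name), then run systemctl daemon-reload and restart the unit.
dropin_override() {
    printf '[Service]\nProtectHome=false\n'
}

# check_unit: unit text on stdin, verdict on stdout, non-zero when home is hidden.
check_unit() {
    v=$(protect_home_value)
    if home_is_hidden "$v"; then
        printf 'ProtectHome=%s: home directories hidden from the service\n' "$v"
        return 1
    fi
    printf 'ProtectHome=%s: home directories visible\n' "$v"
}

# Stand-alone run against the constructed sample. On a real host feed the
# effective unit instead:  systemctl cat openvpn-server@server | check_unit
printf '%s' "$SAMPLE_UNIT" | check_unit || dropin_override
```

The drop-in keeps the rest of the unit's hardening (PrivateTmp, ProtectSystem, the capability bounding set) in place and survives package upgrades, which an edit to the file under /lib/systemd/system does not.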