Linux – Google-authenticator with openvpn – AUTH: Received control message: AUTH_FAILED


I'm trying to set up MFA with Google authenticator for my OpenVPN setup on Ubuntu 16.04. Now OpenVPN works fine until I bring Google Authenticator into the mix.

My server.conf file reads as follows:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
tls-auth ta.key 0
key-direction 0
cipher AES-128-CBC
auth SHA256
user nobody
group nogroup
status openvpn-status.log
log-append  openvpn.log
verb 3
plugin /usr/lib/openvpn/ openvpn
reneg-sec 0

My client.conf reads as follows:

dev tun
proto udp
remote 1194
resolv-retry infinite
user nobody
group nogroup
remote-cert-tls server
verb 3
cipher AES-128-CBC
auth SHA256
key-direction 1
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
reneg-sec 0

Also, in /etc/pam.d I have cloned common-accounts to create an openvpn file with the following lines:

account requisite             
account required              
auth requisite  secret=/home/${USER}/.google_authenticator

Now I have created the necessary user profiles for each client connecting to the VPN server, say client1, client2 and client3 on Ubuntu. Now, consider client1 is trying to connect to the VPN server. I am logged in as client1 on the client side system, and try to connect to the VPN Server.

I get the following ,

Enter Auth Username: ******
Enter Auth Password: ************* ( Password for local user profile? + OTP)

After this point, I get

[server] Peer Connection Initiated with [AF_INET]
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
AUTH: Received control message: AUTH_FAILED
TCP/UDP: Closing socket
SIGTERM[soft,auth-failure] received, process exiting

Now I wasn't sure why I was getting the AUTH failed error. I had seen many different ways in which the username/password combination could be input during the process of connecting to the VPN server.

    Method 1 - username ; password (local account password + OTP)
    Method 2 - username ; password (local account password) +
               separate prompt section which asks for Google authenticator OTP
    Method 3 - username ; OTP

I was never prompted with a separate Google Authenticator prompt asking me for OTP separately. So I tried method 1 and tried method 2 expecting for a Google authenticator prompt which never showed up.

Question 1: What is the correct way to use Google Authenticator login credentials. Am I missing something here which might be why I do not get prompted for the OTP separately?

Another thing that I observed is that ,

sudo systemctl status openvpn@server

gives different results for the two login methods above.

I got these status messages while trying different combination of password + OTP combinations.

openvpn(pam_google_authenticator)[15305]: Invalid verification code
openvpn(pam_google_authenticator)[15305]: Did not receive verification code from user
openvpn(pam_google_authenticator)[15305]: Failed to compute location of secret file

Question 2: Can someone explain to me what these status messages mean in terms of my login inputs.

Question 3: How can I get the MFA up and running.

FYI I used libpam-google-authenticator. I did not follow the method which warranted using makefile and adding configuration parameters for pam.


Best Answer

Make sure the /home/user directory is at least +x so things can read the .google_authenticator file in the home directory.