Two-factor authentication in OpenVPN with Telegram bot

This article describes how to configure an OpenVPN server for two-factor authentication with a Telegram bot, which sends a confirmation request on each connection.


OpenVPN is a well-known free, open-source VPN server that is widely used to give employees secure access to an organization's internal resources.


Authentication to a VPN server usually relies on a combination of a key and a user login/password. But when the password is stored on the client, the whole set collapses into a single factor that does not provide a proper level of security: an attacker who gains access to a client computer gains access to the VPN server as well. This is especially true for connections from machines running Windows.


Using a second factor reduces the risk of unauthorized access by 99% and does not complicate the connection process for users.


One caveat up front: the implementation requires connecting a third-party authentication server, multifactor.ru, whose free tariff can be used for this purpose.


Principle of operation


  1. OpenVPN uses the openvpn-plugin-auth-pam plugin for authentication.
  2. The plugin checks the user's password on the server and requests the second factor from the Multifactor service via the RADIUS protocol.
  3. Multifactor sends the user a message through the Telegram bot asking to confirm access.
  4. The user confirms the access request in the Telegram chat and connects to the VPN.

Install OpenVPN Server


There are many articles on the Internet that describe how to install and configure OpenVPN, so we will not repeat them. If you need help, there are links to training materials at the end of the article.


Configuring Multifactor


Go to the Multifactor management system, open the "Resources" section and create a new VPN.
After it is created, two parameters become available: NAS-Identifier and Shared Secret. They will be needed for the subsequent configuration.



"", "All users" " ", VPN .


"VPN users", Telegram , VPN.



"" , VPN, "VPN users" . VPN .



Configuring OpenVPN


In /etc/openvpn/server.conf, enable the PAM authentication plugin:


plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

Depending on the distribution, the plugin is located either in /usr/lib/openvpn/plugins/ or in /usr/lib64/openvpn/plugins/.


Installing pam_radius_auth


$ sudo yum install pam_radius

Specify the RADIUS server in /etc/pam_radius.conf:


radius.multifactor.ru   shared_secret   40

where:


  • radius.multifactor.ru — the address of the Multifactor RADIUS server
  • shared_secret — the Shared Secret from the VPN settings in Multifactor
  • 40 — the server response timeout in seconds

( )

Create the openvpn PAM service type:


$ sudo vi /etc/pam.d/openvpn


auth    required pam_radius_auth.so skip_passwd client_id=[NAS-IDentifier]
auth    substack     password-auth
account substack     password-auth

Parameters of the pam_radius_auth PAM module:


  • skip_passwd — the password is not checked via RADIUS (only the second factor is requested there).
  • client_id — the NAS-Identifier parameter from the VPN settings in Multifactor.

, .


Restart OpenVPN:


$ sudo systemctl restart openvpn@server



Add the auth-user-pass option to the client configuration.


When connecting to OpenVPN, enter the login and password; an access confirmation request then arrives in Telegram.



, .


, OpenVPN .


Troubleshooting


If the connection does not work, check the following:


  • On the OpenVPN server there is a user with a password set
  • The server can reach radius.multifactor.ru on UDP port 1812
  • The NAS-Identifier and Shared Secret parameters are specified correctly
  • The Multifactor system has a user with the same login who has access to the VPN user group
  • The user has configured the Telegram authentication method
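As an added example that is not part of the article, here is a POSIX shell script that checks the three files configured above (server.conf, /etc/pam_radius.conf and /etc/pam.d/openvpn) for the mistakes behind this checklist: a placeholder Shared Secret or NAS-Identifier left in place, a missing skip_passwd, a dropped password-auth line, or a plugin path that exists only under the other lib directory. The file paths and the pam.d directory are parameters, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): offline sanity checks for the three files the
# article edits. Each function takes a file path, so it can run against copies of the
# real files; it prints what is wrong and returns non-zero when a check fails.

# /etc/pam_radius.conf: an active "server shared_secret timeout" line; the secret must
# not still be the article's placeholder "shared_secret" and the timeout must be numeric.
check_pam_radius_conf() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        { n++
          if (NF < 3 || $3 !~ /^[0-9]+$/) { print "bad line: " $0; bad = 1 }
          if ($2 == "shared_secret") { print "placeholder secret on line " NR; bad = 1 } }
        END { if (n == 0) { print "no RADIUS server configured"; bad = 1 }
              exit (bad ? 1 : 0) }
    ' "$1"
}

# /etc/pam.d/openvpn: pam_radius_auth.so must be required with skip_passwd and a real
# client_id, and the local password check (auth substack password-auth) must remain,
# otherwise the server-side password step of the scheme is silently lost.
check_pam_service() {
    line=$(grep -E '^auth[[:space:]]+required[[:space:]]+pam_radius_auth\.so' "$1") ||
        { echo "pam_radius_auth.so is not a required auth module in $1"; return 1; }
    case "$line" in
        *skip_passwd*) ;;
        *) echo "skip_passwd missing: the password is checked locally, not via RADIUS"; return 1 ;;
    esac
    case "$line" in
        *'client_id=['*) echo "client_id is still the [NAS-IDentifier] placeholder"; return 1 ;;
        *client_id=?*) ;;
        *) echo "client_id missing"; return 1 ;;
    esac
    grep -qE '^auth[[:space:]]+substack[[:space:]]+password-auth' "$1" ||
        { echo "local password check (auth substack password-auth) missing"; return 1; }
}

# server.conf: the auth-pam plugin line must point at an existing .so (the path differs
# between /usr/lib and /usr/lib64) and name a PAM service file present in the pam.d
# directory; the directory is a parameter (default /etc/pam.d) so tests can use a copy.
check_server_conf() {
    pamdir="${2:-/etc/pam.d}"
    line=$(grep -E '^plugin[[:space:]]+[^[:space:]]*openvpn-plugin-auth-pam\.so' "$1") ||
        { echo "auth-pam plugin line missing in $1"; return 1; }
    set -- $line
    [ -f "$2" ] || { echo "plugin not found at $2"; return 1; }
    [ -n "$3" ] && [ -f "$pamdir/$3" ] ||
        { echo "PAM service '$3' has no file under $pamdir"; return 1; }
}
```

Run it as `check_server_conf /etc/openvpn/server.conf && check_pam_radius_conf /etc/pam_radius.conf && check_pam_service /etc/pam.d/openvpn` on the server before restarting OpenVPN.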

If you have not configured OpenVPN before, read the detailed article.


The instructions use CentOS 7 in the examples.

Source: https://habr.com/ru/post/undefined/

