diff --git a/roles/vpn/files/etc_pam.d_openvpn b/roles/vpn/files/etc_pam.d_openvpn
new file mode 100644
index 00000000..6b8474e7
--- /dev/null
+++ b/roles/vpn/files/etc_pam.d_openvpn
@@ -0,0 +1 @@
+auth required pam_google_authenticator.so
diff --git a/roles/vpn/tasks/openvpn.yml b/roles/vpn/tasks/openvpn.yml
index 444037ee..f74dfe57 100644
--- a/roles/vpn/tasks/openvpn.yml
+++ b/roles/vpn/tasks/openvpn.yml
@@ -118,6 +118,10 @@
   copy: src=etc_dnsmasq.conf dest=/etc/dnsmasq.conf
   notify: restart dnsmasq
 
+- name: Copy OpenVPN PAM configuration file into place
+  copy: src=etc_pam.d_openvpn dest=/etc/pam.d/openvpn
+  notify: restart openvpn
+
 - name: Copy the ca.crt and ta.key files that clients will need in order to connect to the OpenVPN server
   command: cp {{ openvpn_path }}/{{ item[1] }} {{ openvpn_path }}/{{ item[0] }}
   with_nested:
diff --git a/roles/vpn/templates/client.cnf.j2 b/roles/vpn/templates/client.cnf.j2
index caa35048..6f954159 100644
--- a/roles/vpn/templates/client.cnf.j2
+++ b/roles/vpn/templates/client.cnf.j2
@@ -14,5 +14,9 @@ cert client.crt
 key client.key
 ns-cert-type server
 tls-auth ta.key 1
+
+# If you'd like to enable 2FA support, uncomment the following line
+;auth-user-pass
+
 comp-lzo
 verb 3
diff --git a/roles/vpn/templates/etc_openvpn_server.conf.j2 b/roles/vpn/templates/etc_openvpn_server.conf.j2
index 47292c3b..515f875e 100644
--- a/roles/vpn/templates/etc_openvpn_server.conf.j2
+++ b/roles/vpn/templates/etc_openvpn_server.conf.j2
@@ -31,6 +31,9 @@
 # open up this port on your firewall.
 port {{ openvpn_port }}
 
+# Uncomment the following line if you wish to enable PAM support for 2FA
+;plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
+
 # TCP or UDP server?
 ;proto tcp
 proto {{ openvpn_protocol }}
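Review bot: The new PAM service file carries a single `auth` line and no `account` stack, so whether a locked or expired Unix account is rejected depends on what the host's /etc/pam.d/other supplies rather than on this file (as far as I recall openvpn-auth-pam also runs the account phase; worth confirming on the target distribution). Pin it explicitly, e.g. `account required pam_unix.so`, so the outcome does not vary by host. Because `pam_google_authenticator.so` is used without `nullok`, a user with no enrolled TOTP secret is denied, which is the right fail-closed default; record it with a header comment such as `# Second factor for openvpn-auth-pam: users without an enrolled TOTP secret are refused`.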
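Review bot: The new copy task sets no `owner`, `group` or `mode` for /etc/pam.d/openvpn, so the permissions of a PAM service file end up governed by the remote umask instead of being pinned by the playbook. Use the explicit form `copy: src=etc_pam.d_openvpn dest=/etc/pam.d/openvpn owner=root group=root mode=0644` so the file is root-owned and not group- or world-writable regardless of host defaults. The task also runs on every play even though the server-side `plugin` line stays commented out in this commit; that is harmless but deserves a one-line comment on the task saying the file is only consulted once that line is enabled.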
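Review bot: The comment above `;auth-user-pass` does not say what credentials the client will be asked for, which is the one thing a user enabling it needs to know: with the server's openvpn-auth-pam plugin the username is the Unix account on the VPN server and the password is the current one-time code. Suggest `# To enable 2FA (server must load openvpn-auth-pam): uncomment; username = your account on the server, password = the current one-time code`. Since the codes are time-based, a cached code will be stale by the next re-authentication, so consider pairing it with `;auth-nocache` on the following line (whether the server's renegotiation interval actually triggers a re-prompt is not visible in this diff).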
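Review bot: Once `plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn` is uncommented, nothing in this configuration ties the PAM username to the client certificate's common name, so the two factors are checked independently; the comment should state that, and anyone wanting them bound needs an additional verification step (e.g. an `auth-user-pass-verify` script comparing the two), which is outside this commit. The literal plugin path is also distribution-specific — on multiarch Debian/Ubuntu the plugin is installed under `/usr/lib/<triplet>/openvpn/plugins/` — so a role variable would be more portable than hardcoding it. Proposed comment text: `# Uncomment to require a PAM login (see /etc/pam.d/openvpn, TOTP) in addition to the client certificate; note the PAM username is not checked against the certificate CN`.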