Commit

Optional 2FA support for OpenVPN (requires uncommenting on the server and pushing new client configs)
jplock committed Mar 30, 2014
1 parent 3ea5e23 commit 921ae69
Showing 4 changed files with 12 additions and 0 deletions.
1 change: 1 addition & 0 deletions roles/vpn/files/etc_pam.d_openvpn
@@ -0,0 +1 @@
auth required pam_google_authenticator.so
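Review bot: this service file has a single `auth` line and nothing else, so once the plugin is enabled the only thing PAM checks is the Google Authenticator code, and none of the four files in this commit installs the module or creates the per-user secret that pam_google_authenticator.so reads. If that is handled elsewhere in the role, say so in a comment at the top of this file; otherwise the install and enrolment tasks need to land before this can be switched on. An explicit `account` line would also make the account phase independent of whatever fallback PAM policy the host has.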
4 changes: 4 additions & 0 deletions roles/vpn/tasks/openvpn.yml
Expand Up @@ -118,6 +118,10 @@
copy: src=etc_dnsmasq.conf dest=/etc/dnsmasq.conf
notify: restart dnsmasq

- name: Copy OpenVPN PAM configuration file into place
copy: src=etc_pam.d_openvpn dest=/etc/pam.d/openvpn
notify: restart openvpn

- name: Copy the ca.crt and ta.key files that clients will need in order to connect to the OpenVPN server
command: cp {{ openvpn_path }}/{{ item[1] }} {{ openvpn_path }}/{{ item[0] }}
with_nested:
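Review bot: the new copy task for /etc/pam.d/openvpn sets no owner, group or mode, so the permissions of a file that controls authentication depend on the source file and the defaults on the target. Pin them in the task, for example `copy: src=etc_pam.d_openvpn dest=/etc/pam.d/openvpn owner=root group=root mode=0644`. The task also runs unconditionally and notifies `restart openvpn` even though the plugin line in the server template ships commented out; consider gating it on the same switch that enables 2FA.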
4 changes: 4 additions & 0 deletions roles/vpn/templates/client.cnf.j2
Expand Up @@ -14,5 +14,9 @@ cert client.crt
key client.key
ns-cert-type server
tls-auth ta.key 1

# If you'd like to enable 2FA support, uncomment the following line
;auth-user-pass

comp-lzo
verb 3
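Review bot: enabling 2FA here means hand-editing `;auth-user-pass` in the client template and, separately, the `;plugin` line in the server template, and nothing ties the two together. A server with the plugin enabled and a client generated without `auth-user-pass` will not be able to authenticate, so drive both lines from one role variable (a hypothetical `openvpn_2fa_enabled`, say) wrapped in a Jinja `{% if %}` instead of a commented-out directive. The comment should also state that the server-side change is required, since the commit message is currently the only place that says so.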
3 changes: 3 additions & 0 deletions roles/vpn/templates/etc_openvpn_server.conf.j2
Expand Up @@ -31,6 +31,9 @@
# open up this port on your firewall.
port {{ openvpn_port }}

# Uncomment the following line if you wish to enable PAM support for 2FA
;plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn

# TCP or UDP server?
;proto tcp
proto {{ openvpn_protocol }}
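Review bot: the commented `;plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn` line hard-codes the plugin path, while the rest of this template takes its values from variables (`{{ openvpn_port }}`, `{{ openvpn_protocol }}`). Move the path into a role variable so it can be overridden where the package installs the plugin elsewhere. The trailing `openvpn` argument is the PAM service name and has to match the `dest=/etc/pam.d/openvpn` filename from the copy task; a short comment noting that coupling would stop someone renaming one without the other.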