I wrote something in a previous life that could be hacked into submission for Raspberries, except it looks like IBM.com have removed it now. It still shows up in their search engine but the link has died.
There are so many use cases, it's hard to write one single how-to. Just in case:
Code:

    $ sudo apt-get install libpam-google-authenticator

    $ /usr/bin/google-authenticator --time-based --disallow-reuse --label="OVPN Roadwarriors" --rate-limit=3 --rate-time=30 --window-size=15 --secret=/etc/openvpn/roadwarriors/rw.totp

    $ grep -A5 plugin /etc/openvpn/roadwarriors.conf
    plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn-roadwarriors
    # TOTP challenge for roadwarriors. See /etc/pam.d/openvpn-roadwarriors
    # Login to enter from clients: any will do
    # Password: current TOTP code
    # TOTP secret shared by all roadwarriors users.
    # Certs are unique.

    $ cat /etc/pam.d/openvpn-roadwarriors
    # TOTP code auth to OpenVPN
    # Username: any will do
    account required pam_permit.so
    # Password: TOTP code only
    # The TOTP secret is the same for all users. Certs are unique.
    auth required pam_google_authenticator.so user=root secret=/etc/openvpn/roadwarriors/rw.totp
    # Log success/failure in /var/log/auth.log
    auth required pam_warn.so
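Added example, not part of the original post and not code from google-authenticator: a sketch of what `--window-size=15` and `--disallow-reuse` mean for which codes the server accepts. It assumes the window is centred on the current 30-second step; `Verifier`, `demo` and the sample secret (the RFC 6238 test key) are constructed for the illustration.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP value (RFC 4226) for one time-step counter, HMAC-SHA1."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Verifier:
    """Accepts a code within `window` steps; refuses a step already used."""
    def __init__(self, secret_b32: str, window: int = 15):
        self.secret = secret_b32
        self.window = window
        self.used = set()  # time steps already consumed (--disallow-reuse)

    def check(self, code: str, now: float) -> bool:
        current = int(now) // STEP
        # Assumption: window centred on the current step, e.g. 15 -> -7..+7
        for skew in range(-((self.window - 1) // 2), self.window // 2 + 1):
            step = current + skew
            if hmac.compare_digest(totp(self.secret, step), code):
                if step in self.used:
                    return False  # replay of an already accepted step
                self.used.add(step)
                return True
        return False

# Constructed sample secret (base32 of the RFC 6238 test key), not a real one.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def demo():
    now = 1_700_000_000  # constructed timestamp
    v = Verifier(SAMPLE_SECRET, window=15)
    old = totp(SAMPLE_SECRET, (now - 7 * STEP) // STEP)    # 210 s old
    stale = totp(SAMPLE_SECRET, (now - 8 * STEP) // STEP)  # 240 s old
    return {
        "old_accepted": v.check(old, now),      # inside the 15-step window
        "old_replayed": v.check(old, now),      # same step used twice
        "stale_accepted": v.check(stale, now),  # one step outside the window
        "strict_old": Verifier(SAMPLE_SECRET, window=3).check(old, now),
    }

if __name__ == "__main__":
    print(demo())
```

With a window of 15 a code stays usable for roughly three and a half minutes either side of the server clock, so reuse blocking and the rate limit are what bound a captured code; a window of 3 rejects the same 210-second-old code outright.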