# cat /etc/pam.d/openvpn
auth required /usr/local/lib/security/pam_google_authenticator.so secret=/etc/openvpn/google-auth-users/${USER} user=root no_strict_owner echo_verification_code debug forward_pass
auth required pam_radius_auth.so debug use_first_pass
account required pam_permit.so debug
# tail -n 1 /etc/openvpn/multifactor.conf
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
In the client I have:
auth-user-pass
auth-retry interact
ns-cert-type server
In the PAM file on the server, if I comment out pam_google_authenticator and I remove use_first_pass from the Radius module, then I can authenticate just fine against FreeRadius.
The problem is, I can't make it work with pam_google_authenticator. I've tried that module alone (without forward_pass, and commenting out the Radius module). I've tried it stacked with Radius as shown above. Nothing works.
All systems are synced via NTP.
The codes are generated with the Google Authenticator app on Android.
More details:
https://github.com/google/google-authenticator-libpam/issues/95
Has anyone succeeded using Google Authenticator with openvpn and Tunnelblick?
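An offline check for the setup described in this post, added here as an example (it is not part of the original post and is not code from google-authenticator-libpam): it recomputes the RFC 6238 code from a secret file and tests a combined password+code string, so the secret and server clock can be verified independently of OpenVPN and PAM. Assumptions: the secret file's first line is the base32 secret, codes are 6-digit HMAC-SHA1 with a 30-second step, and forward_pass is modelled as "password immediately followed by the code"; all function names and sample values are constructed.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (assumed default)

def read_secret(state_text):
    """Return the base32 secret: assumed to be the first line of the secret file
    (later lines starting with '"' are options, the rest are scratch codes)."""
    return state_text.splitlines()[0].strip()

def totp(secret_b32, now, digits=6):
    """RFC 6238 code for Unix time `now`, HMAC-SHA1, dynamic truncation per RFC 4226."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def split_forward_pass(entered, digits=6):
    """Model of forward_pass input: the trailing `digits` characters are the code,
    everything before them is the password handed to the next PAM module."""
    if len(entered) <= digits or not entered[-digits:].isdigit():
        return None
    return entered[:-digits], entered[-digits:]

def check(state_text, entered, now, window=1):
    """Return (ok, password, drift_steps); drift_steps shows how far the clocks disagree."""
    parts = split_forward_pass(entered)
    if parts is None:
        return (False, None, None)
    password, code = parts
    secret = read_secret(state_text)
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + drift * STEP), code):
            return (True, password, drift)
    return (False, password, None)

if __name__ == "__main__":
    # Constructed sample: RFC 6238 test key in base32, one option line, one scratch code.
    sample = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ\n" TOTP_AUTH\n12345678\n'
    print(check(sample, "hunter2287082", 59))
```

A non-zero drift_steps on a real secret file means the code was accepted only for a neighbouring time step, which points at clock disagreement rather than at the PAM stack.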