CHR/MKT Openvpn 2FA with Freeradius and Google Authenticator.

Ezequiel Arielli
Aug 19 · 3 min read

Hello guys,

Today I will show how to configure Google Authenticator 2FA for OpenVPN on MikroTik/CloudHostedRouter using FreeRADIUS and the Linux PAM module.

www.itshellws.org

Requirements:

  • Mikrotik/CloudHostedRouter
  • VPN Openvpn
  • Ubuntu Instance(Freeradius)
  • Mobile Test

1- Install these packages on the Ubuntu server.

ubuntu@ip-10-0-9-99:~$ sudo apt-get update
ubuntu@ip-10-0-9-99:~$ sudo apt-get install freeradius libpam-google-authenticator -y

The FreeRADIUS path differs between Ubuntu 16 and Ubuntu 18:

Ubuntu 16: /etc/freeradius/
Ubuntu 18: /etc/freeradius/3.0/

In my case I use Ubuntu 16

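Next, find the lines user = and group = in radiusd.conf.
By default both are set to freerad. Change both of them to root, so that the daemon can read each user's Google Authenticator secret file (stored in the user's home directory) when it authenticates through PAM.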

ubuntu@ip-10-0-9-99:~$ sudo vi /etc/freeradius/radiusd.conf

Now you need to comment out the default configuration in this file:

ubuntu@ip-10-0-9-99:~$ sudo vi /etc/freeradius/users

Comment out the lines as shown in the video and add this configuration:

NAS-IP-Address == 1.1.1.1 (your MikroTik IP)

DEFAULT Group == "radius-disabled", Auth-Type := Reject
        Reply-Message = "Your account has been disabled."

DEFAULT Auth-Type := PAM
        MikroTik-Group := "write"

DEFAULT Auth-Type := Pam, NAS-IP-Address == 1.1.1.1
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        MikroTik-Group := "write"

ubuntu@/:~$ sudo vi /etc/freeradius/sites-enabled/default

Change the following lines:

# Pluggable Authentication Modules.
# pam

We now need to uncomment the pam line to enable it. It should look like this now:

# Pluggable Authentication Modules.
pam

Finally, the last FreeRADIUS config file that we need to change is:

/etc/freeradius/clients.conf

This is where we can set up our secret key that is used by the clients to connect to the RADIUS server.

Now you need to configure the Google Authenticator PAM module for FreeRADIUS:

sudo vi /etc/pam.d/radiusd

Now you need to enable the RADIUS server in the CloudRouter/MikroTik firewall.

# Use the secret configured in the FreeRADIUS clients file and the Ubuntu server's IP address.

Now we are ready to create a VPN user and the Google Authenticator token/QR.

Ready to add token secret or QR in Google Authenticator.

Insert user password+GoogleAuthenticator

Insert password+GoogleAuthenticator
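
To make the combined "password+GoogleAuthenticator" login concrete, here is an added example (not code from this post or from the PAM module) that splits such a credential into its two factors and checks the 6-digit code with RFC 6238 TOTP. The function names, the sample password and the one-step drift window are assumptions for illustration; the secret is the public RFC 6238 test key.

```python
import base64, hashlib, hmac, struct

STEP, DIGITS = 30, 6  # Google Authenticator defaults: 30 s step, 6-digit codes
# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at a given Unix time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", max(int(unix_time) // STEP, 0))
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def split_credential(combined):
    """Split 'password' + trailing 6-digit code; None if malformed."""
    password, code = combined[:-DIGITS], combined[-DIGITS:]
    if not password or len(code) != DIGITS:
        return None
    if not (code.isascii() and code.isdigit()):
        return None
    return password, code

def verify(combined, expected_password, secret_b32, unix_time, window=1):
    """Check both factors; accept codes within +/- `window` time steps."""
    parts = split_credential(combined)
    if parts is None:
        return False
    password, code = parts
    # Constant-time comparisons; evaluate both factors before deciding.
    pw_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    code_ok = False
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + drift * STEP)
        code_ok |= hmac.compare_digest(candidate, code)
    return pw_ok and code_ok

if __name__ == "__main__":
    # Constructed login: sample password "hunter2" followed by the current code.
    login = "hunter2" + totp(SAMPLE_SECRET, 59)
    print(login, verify(login, "hunter2", SAMPLE_SECRET, 59))
```

A login fails if either the password or the code is wrong, and a code is only accepted for the time step it was generated in plus the allowed drift, so the server clock must stay in sync with the phone.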

The connection is successful. You can check the logs on the FreeRADIUS server.

Later, you can fully automate user creation with CI. We use Jenkins.

Written by Ezequiel Arielli

DevOps SR | SRE @Miroculus.com San Francisco, CA www.itshellws.org
