Open in app

Sign in

Write

Sign in

CHR/MKT Openvpn 2FA with Freeradius and Google Authenticator.

Ezequiel Arielli
3 min readAug 19, 2019

--

Hello guys,

Today i will write about to configure Google Authenticator 2FA with OPENVPN in Mikrotik/CloudHostedRouter using FreeRadius and Linux PAM module.

www.itshellws.org

Requirements:

  • Mikrotik/CloudHostedRouter
  • VPN Openvpn
  • Ubuntu Instance(Freeradius)
  • Mobile Test

1- Install this packages in Ubuntu Server.

ubuntu@ip-10-0-9-99:~$ sudo apt-get update
ubuntu@ip-10-0-9-99:~$ sudo apt-get install freeradius libpam-google-authenticator -y

If you use Ubuntu 18 or Ubuntu 16 freeradius path is different:

Ubuntu 16: /etc/freeradius/Ubuntu 18: /etc/freeradius/3.0/

In my case I use Ubuntu 16

We’ll now need to find the lines user = and group =.
The default configuration is set to freerad. Change both of them to root.

ubuntu@ip-10-0-9-99:~$ sudo vi /etc/freeradius/radiusd.conf

Now you need comment the default configuration in this file:

ubuntu@ip-10-0-9-99:~$ sudo vi /etc/freeradius/users

Comment the lines simliar the video and add this configuration:

NAS-IP-Address == 1.1.1.1(YOU Mikrotik IP)

DEFAULT         Group == "radius-disabled", Auth-Type := Reject
                Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM
   MikroTik-Group := "write"DEFAULT Auth-Type := Pam, NAS-IP-Address == 1.1.1.1
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    MikroTik-Group := "write"
ubuntu@/:~$ sudo vi /etc/freeradius/sites-enabled/default

Change the next lines:

# Pluggable Authentication Modules.
# pam

We now need to uncomment the pam line to enable it. It should look like this now:

# Pluggable Authentication Modules.
pam

Finally, the last FreeRADIUS config file that we need to change is the

/etc/freeradius/clients.conf

This is where we can set up our secret key that is used by the clients to connect to the RADIUS server.

Now you need configure GoogleAuthenticator PAM module in Freeradius

sudo vi /etc/pam.d/radiusd

Now you need enable Radius Server in CloudRouter/Mikrotik firewall.

# Secret configure in Freeradius Clients and Ubuntu Server IP-Address.

Now are ready to create a VPN USER and Google Authenticator Token/QR.

Ready to add token secret or QR in Google Authenticator.

Insert user password+GoogleAuthenticator

Insert password+GoogleAuthenticator

The connection is Succes you can check the Logs in FreeRadius Server

Later, you can create the users full automated with CI | We are use Jenkins .

Ubuntu
Openvpn
Mikrotik
AWS
Security

--

--

Ezequiel Arielli

Written by Ezequiel Arielli

41 Followers

DevOps SR | SRE @Miroculus.com San Francisco, CA www.itshellws.org

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams