diff --git a/Dockerfile b/Dockerfile
index 8f6997d..c341480 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -29,3 +29,6 @@ CMD ["ovpn_run"]
 ADD ./bin /usr/local/bin
 RUN chmod a+x /usr/local/bin/*
+
+# Add support for OTP authentication using a PAM module
+ADD ./otp/openvpn /etc/pam.d
\ No newline at end of file
diff --git a/bin/ovpn_genconfig b/bin/ovpn_genconfig
index a809260..9500493 100755
--- a/bin/ovpn_genconfig
+++ b/bin/ovpn_genconfig
@@ -50,6 +50,7 @@ usage() {
 echo " -C A list of allowable TLS ciphers delimited by a colon (cipher)."
 echo " -a Authenticate packets with HMAC using the given message digest algorithm (auth)."
 echo " -z Enable comp-lzo compression."
+ echo " -2 Enable two factor authentication using Google Authenticator."
 }
 if [ "$DEBUG" == "1" ]; then
@@ -79,7 +80,7 @@ OVPN_AUTH=''
 [ -r "$OVPN_ENV" ] && source "$OVPN_ENV"
 # Parse arguments
-while getopts ":a:C:T:r:s:du:cp:n:DNm:tz" opt; do
+while getopts ":a:C:T:r:s:du:cp:n:DNm:tz2" opt; do
 case $opt in
 a)
 OVPN_AUTH="$OPTARG"
@@ -126,6 +127,9 @@ while getopts ":a:C:T:r:s:du:cp:n:DNm:tz" opt; do
 z)
 OVPN_COMP_LZO=1
 ;;
+ 2)
+ OVPN_OTP_AUTH=1
+ ;;
 \?)
 set +x
 echo "Invalid option: -$OPTARG" >&2
@@ -233,6 +237,12 @@ for i in "${OVPN_PUSH[@]}"; do
 echo push \"$i\" >> "$conf"
 done
+# Optional OTP authentication support
+if [ -n "$OVPN_OTP_AUTH" ]; then
+ echo -e "\n\n# Enable OTP+PAM for user authentication" >> "$conf"
+ echo "plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn" >> "$conf"
+fi
+
 set +e
 # Clean-up duplicate configs
diff --git a/otp/openvpn b/otp/openvpn
new file mode 100644
index 0000000..754fd99
--- /dev/null
+++ b/otp/openvpn
@@ -0,0 +1,2 @@
+# Uses google authenticator library as PAM module using a single folder for all users tokens
+auth required pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator
\ No newline at end of file
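Review bot: `ADD ./otp/openvpn /etc/pam.d` uses ADD for a plain local file; COPY is the conventional choice because ADD also fetches URLs and auto-extracts archives, neither of which is wanted for a PAM policy, so `COPY ./otp/openvpn /etc/pam.d/openvpn` (with the explicit target filename, so a missing /etc/pam.d directory cannot turn the policy into a file named pam.d) is the safer spelling. The hunk also does not install the two runtime pieces the new policy and server config depend on, pam_google_authenticator.so and openvpn-plugin-auth-pam.so; if they are not pulled in elsewhere in the Dockerfile (not visible here), OpenVPN will fail to load the plugin as soon as a config generated with -2 is used. A one-line comment next to the COPY naming the package that provides them, e.g. `# requires libpam-google-authenticator and the openvpn auth-pam plugin to be installed`, would make the dependency explicit.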
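Review bot: The generated server config turns on PAM authentication but leaves OpenVPN's default TLS renegotiation interval (reneg-sec 3600) untouched, so with a time-based OTP every connected client is re-prompted for a fresh code each hour and the tunnel drops if none is supplied; the usual mitigation is to emit `reneg-sec 0` here (the client config needs it too, since either side can trigger a renegotiation) or, on OpenVPN 2.4+, `auth-gen-token` so the server issues a session token for renegotiations — confirm which OpenVPN version the image ships before choosing. The guard `[ -n "$OVPN_OTP_AUTH" ]` also enables the feature for any non-empty value, including `0` coming from a sourced env file; `[ "$OVPN_OTP_AUTH" == "1" ]` matches how the `2)` arm sets the flag. The plugin path `/usr/lib/openvpn/openvpn-plugin-auth-pam.so` is the Debian/Ubuntu location, which deserves a comment such as `# Debian/Ubuntu plugin path; adjust for other base images`. The client side still needs `auth-user-pass` for this to work, which nothing in this diff adds (presumably generated elsewhere).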
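Review bot: `secret=/etc/openvpn/otp/${USER}.google_authenticator` points outside the user's home, but pam_google_authenticator by default looks the authenticating user up in the passwd database and drops to that user's privileges before opening the secret file; the names OpenVPN passes here are VPN accounts rather than Unix accounts, so unless each one exists locally and can read its own file the module should fail to locate or open the secret and reject every login — worth confirming against the module version in the image. The module's `user=` option names the account to read the secret as, and `user=root` is the usual companion to a shared system directory, so the line likely needs to be `auth required pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator user=root`, with the token files then owned by root and mode 0400/0600 (the module refuses group- or world-readable secrets). Nothing in this diff creates the token files, so the comment should say how they are provisioned, e.g. `# Provision each user with: google-authenticator -s /etc/openvpn/otp/<user>.google_authenticator`. The file also lacks a trailing newline.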