Server side configuration for OTP

Dockerfile

@@ -29,3 +29,6 @@ CMD ["ovpn_run"]
 
 ADD ./bin /usr/local/bin
 RUN chmod a+x /usr/local/bin/*
+
+# Add support for OTP authentication using a PAM module
+ADD ./otp/openvpn /etc/pam.d

bin/ovpn_genconfig

@@ -50,6 +50,7 @@ usage() {
     echo " -C    A list of allowable TLS ciphers delimited by a colon (cipher)."
     echo " -a    Authenticate  packets with HMAC using the given message digest algorithm (auth)."
     echo " -z    Enable comp-lzo compression."
+    echo " -2    Enable two factor authentication using Google Authenticator."
 }
 
 if [ "$DEBUG" == "1" ]; then
@@ -79,7 +80,7 @@ OVPN_AUTH=''
 [ -r "$OVPN_ENV" ] && source "$OVPN_ENV"
 
 # Parse arguments
-while getopts ":a:C:T:r:s:du:cp:n:DNm:tz" opt; do
+while getopts ":a:C:T:r:s:du:cp:n:DNm:tz2" opt; do
     case $opt in
         a)
             OVPN_AUTH="$OPTARG"
@@ -126,6 +127,9 @@ while getopts ":a:C:T:r:s:du:cp:n:DNm:tz" opt; do
         z)
             OVPN_COMP_LZO=1
             ;;
+        2)
+            OVPN_OTP_AUTH=1
+            ;;
         \?)
             set +x
             echo "Invalid option: -$OPTARG" >&2
@@ -233,6 +237,12 @@ for i in "${OVPN_PUSH[@]}"; do
     echo push \"$i\" >> "$conf"
 done
 
+# Optional OTP authentication support
+if [ -n "$OVPN_OTP_AUTH" ]; then
+    echo -e "\n\n# Enable OTP+PAM for user authentication" >> "$conf"
+    echo "plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn" >> "$conf"
+fi
+
 set +e
 
 # Clean-up duplicate configs

otp/openvpn

@@ -0,0 +1,2 @@
+# Uses google authenticator library as PAM module using a single folder for all users tokens
+auth required pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator