These packer scripts effectively create the server as described in the tutorial Secure Openvpn wtih two-factor authentication from WiKID and an earlier tutorial on how to configure SSH to use pam-radius for two-factor authentication, both for Centos/RHEL 7. One benefit of using radius as a standard protocol is that all your users can be in the same directory. Instead of having two identity management services: SSH keys and OpenVPN certs, all your users can be in your directory.
First, download and install packer.
Download or checkout our packer scripts from github.
You will need to edit a few files before building. Note that the pam-radius shared object was compiled for Centos 7. It may not work on other versions. In particular, while we have the amazon-ebs builder, we couldn't find a centos 7 AMI to use.
Edit /rpms/server and change the line "192.168.1.102 secret 3" to reflect your RADIUS server and shared secret.
Edit /rpms/vars and enter in the information you want, in particular the fields for the certificate.
If you would like to pre-populate the server with authorized keys, add them to /rpms/authorized_keys.
You may wish to review the anaconda scripts in the http/ directory.
The real install work occurs in provisioners/openvpn.sh.
In centos-7-x86_64.json, edit the iso_url with the location and name of your Centos ISO file. On the next line, iso_checksum, enter the MD5 sum for that file. Change the ssh_password to something more secure.
Build the virtual appliances with this command:
packer build centos-7-x86_64.json
Note that you can add --only=virtualbox-iso or --only=vmware-iso to specify which to build. For example:
packer build --only=virtualbox-iso centos-7-x86_64.json
The output will be in a new directory called output-virtualbox-iso. Start Virtualbox or VMWare and impart the vmdk file from that directory. You will have to change networking to be bridged. You can check to see that Openvpn has started automatically by running:
netstat -anp | grep 1194
It should return a listener. Your virtual Openvpn server should be ready to go. The scripts create a client key in /etc/openvpn/easy-rsa/keys. Download ca.crt, client.crt and client.key to your local machine and put them in /etc/openvpn or the appropriate directory for your setup. Configure your client to connect to the IP address of your virtual server and you should be ready to go.
You need to configure the client to prompt for a password. Add "auth-user-pass" to client configuration file. Enter your username as listed in WiKID and your WiKID one-time passcode when prompted on the client. PAM-RADIUS will forward the authentication credentials to WiKID directly or through NPS or Freeradius depending on your configuration.
Update: We have added support for Digital Ocean! So go forth and create a two-factor ready OpenVPN droplet.