With Go Authy OpenVPN plugin you can add two-factor authentication to your VPN server in just minutes. It is a replacement for officialAuthy OpenVPN plugin which isn't updated anymore and is lacking Authy OneTouch support.
- Authy API key
- OpenVPN server installation
- Download latestreleasefrom GitHub
- Extract tar archive in desired location on your server
- Run
post-install
script
- Install requirements: Golang, build essentials
- Run
sudo make install
Open your OpenVPN configuration file in your prefered editor.
If you allowedpost-instal
script from previous step to edit yourserver.conf
you should now have something like this at the end of it:
plugin <go-authy-path>/auth_script.so <go-authy-path>/go-authy-openvpn -a <authy_api_key>
If you don't have something like tihs in your configuration, you should add it manually.
In your OpenVPN you can add flags aftergo-authy-openvpn
to configure it. This are curretly supported flags:
-a
(required) Authy API key-c
(optional) Authy config file (default is/etc/openvpn/authy/authy-vpn.conf
)-g
(optional)GeoLite2city or country database path, if you want to have location displayed in OneTouch request
If you are already using officialAuthy OpenVPN pluginyou can
install this plugin with the steps above and then remove the old plugin from your OpenVPN server config.
This plugin uses the same format ofauthy-vpn.conf
so all your registered users will stay there.
This plugin comes with a script, that helps you register users.
To start adding users type:sudo authy-vpn-add-user
If the script was successful it will add username and Authy ID to/etc/openvpn/authy/authy-vpn.conf
.
This plugin works with certificates based authentication. To login the user need certificate, username and password.
Password can be 4 different things:
If the provided password isonetouch
the user will receive OneTouch push notification to Authy app where they can approve the login.
Password can be TOTP token from Authy app or token the user received through SMS or call.
If the password issms
orcall
the plugin will make a request for that to Authy and will fail the login.
Then the user will receive the token through SMS or call and will then use that token on next login.
Your users will need to add
auth-user-pass
to theirclient.conf
.