OpenVPN with multi-factor authentication on EC2

This is a brief illustration of how to set up OpenVPN with multi-factor authentication (using Duo Security), SSL certificates, and TLS validation. For now I’m only offering the server and client configs. Please leave a comment if any of this needs clarification.

First, a very fast and minimal setup is detailed here:
http://holgr.com/blog/2009/06/setting-up-openvpn-on-amazons-ec2/
The holgr.com setup is convenient yet doesn’t offer much in the way of security. The configuration which follows is more elaborate, using certs, MFA and TLS.

On the Linux host:

/etc/sysctl.conf
net.ipv4.ip_forward = 1

—————————————–
Also, for added security, use tls-auth:

http://openvpn.net/index.php/open-source/documentation/howto.html#security

And MFA from Duo Security:

http://www.duosecurity.com/docs/openvpn

/etc/sysconfig/iptables
#
#
#
*nat
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -d 0.0.0.0/0 -o eth0 -j MASQUERADE
COMMIT

#
# Server Config /etc/openvpn/server.conf
#
#
port 1194
proto udp
dev tun
#
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem

server 10.8.0.0 255.255.255.0

push "redirect-gateway"

keepalive 10 120
comp-lzo
max-clients 3
persist-key
persist-tun
status openvpn-status.log
verb 3

push "dhcp-option DNS 8.8.8.8"

#
# http://www.duosecurity.com/docs/openvpn
#
plugin /opt/duo/duo_openvpn.so DIBWYZCUWKFPEBW4X9BD QHuxkKgfanBliCOpp2LFFCdIRbdwm8GHdMdAvlsp api-4fe8e0a1.duosecurity.com
#
# No TLS renegotiation: a renegotiation would trigger a fresh auth-user-pass and Duo prompt
reneg-sec 0

#
# Client Config /Users//Library/Application Support/Tunnelblick/Configurations
#
#
client
dev tun
proto udp
remote vpn.holdharmless.me 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
ns-cert-type server
comp-lzo
verb 3
#
auth-user-pass
reneg-sec 0
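As an added example (not code from the original post or from Duo/OpenVPN), here is a small Python checker that parses a server and a client config in OpenVPN's directive format and reports the points the post raises: tls-auth present on both sides with opposite key directions, each push argument quoted as a single string, auth-user-pass on the client when the server loads the Duo plugin, and reneg-sec 0 on both sides. It goes slightly beyond the post by also flagging 1024-bit DH parameters and a client that never checks the peer is a server certificate. The two embedded configs are constructed for the example; the Duo keys and hostnames in them are placeholders, not the post's values.

```python
import shlex
from typing import Dict, List

Config = Dict[str, List[List[str]]]

# Constructed server.conf modelled on the post. tls-auth, which the post
# recommends, is deliberately left out so the audit has something to report.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"
# Duo plugin: integration key, secret key, API host (placeholders, not real)
plugin /opt/duo/duo_openvpn.so IKEY_PLACEHOLDER SKEY_PLACEHOLDER api-xxxxxxxx.duosecurity.com
reneg-sec 0
"""

# Constructed client config (the hostname is a placeholder).
CLIENT_CONF = """\
client
dev tun
proto udp
remote vpn.example.test 1194
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
ns-cert-type server
tls-auth keys/ta.key 1
auth-user-pass
reneg-sec 0
"""


def parse_openvpn(text: str) -> Config:
    """Map each directive to the list of argument lists it appears with.
    Lines starting with '#' or ';' are comments; a double-quoted argument
    such as push "dhcp-option DNS 8.8.8.8" stays one token, as in OpenVPN."""
    conf: Config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line)
        conf.setdefault(tokens[0], []).append(tokens[1:])
    return conf


def audit(server: Config, client: Config) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings: List[str] = []

    # tls-auth: both sides need the shared key, with opposite directions (0/1);
    # packets without a valid HMAC are dropped before any TLS handshake starts
    s_ta, c_ta = server.get("tls-auth"), client.get("tls-auth")
    if not s_ta:
        findings.append("server: missing 'tls-auth keys/ta.key 0'")
    if not c_ta:
        findings.append("client: missing 'tls-auth keys/ta.key 1'")
    if s_ta and c_ta and s_ta[0][-1] == c_ta[0][-1]:
        findings.append("tls-auth key directions must differ (server 0, client 1)")

    # push takes exactly one (quoted) argument; extra tokens are a parse error
    for args in server.get("push", []):
        if len(args) != 1:
            findings.append(f"server: push wants one quoted argument, got {args}")

    # 1024-bit DH parameters are below current minimums
    for args in server.get("dh", []):
        if "1024" in args[0]:
            findings.append("server: dh1024.pem is weak; generate at least 2048-bit parameters")

    # Duo plugin: the client must send credentials, and renegotiation must be
    # off on both sides so a TLS renegotiation does not re-prompt for MFA
    if server.get("plugin"):
        if not client.get("auth-user-pass"):
            findings.append("client: server loads an auth plugin but client lacks auth-user-pass")
        for name, conf in (("server", server), ("client", client)):
            if conf.get("reneg-sec", [["3600"]])[0][0] != "0":
                findings.append(f"{name}: set 'reneg-sec 0' so renegotiation does not re-trigger the MFA prompt")

    # the client must verify that the peer presents a server certificate
    if not (client.get("remote-cert-tls") or client.get("ns-cert-type")):
        findings.append("client: add 'remote-cert-tls server' (or the older 'ns-cert-type server')")
    return findings


def audit_text(server_text: str, client_text: str) -> List[str]:
    """Convenience wrapper: parse both config texts and audit them together."""
    return audit(parse_openvpn(server_text), parse_openvpn(client_text))


if __name__ == "__main__":
    for finding in audit_text(SERVER_CONF, CLIENT_CONF):
        print("-", finding)
```

Run against the embedded pair it reports the missing server-side tls-auth and the 1024-bit DH file; adding `tls-auth keys/ta.key 0` and a 2048-bit dh file brings it to a clean result. The parser only understands plain directive lines, not inline `<ca>`/`<cert>` blocks, which is enough for configs laid out as in the post.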