OpenVPN with multi-factor authentication on EC2

Published June 16, 2012

This is a brief illustration of how to set up OpenVPN with multi-factor authentication (using Duo Security), SSL certificates, and TLS validation. For now I'm only offering the server and client configs. Please leave a comment if any of this needs clarification.

First, a very fast and minimal setup is detailed here: http://holgr.com/blog/2009/06/setting-up-openvpn-on-amazons-ec2/

The holgr.com setup is convenient yet doesn't offer much in the way of security. The configuration which follows is more elaborate, using certs, MFA and TLS.

On the Linux host, enable IP forwarding in /etc/sysctl.conf:

    net.ipv4.ip_forward = 1

Also, for added security, use tls-auth: http://openvpn.net/index.php/open-source/documentation/howto.html#security

And MFA from Duo Security: http://www.duosecurity.com/docs/openvpn

/etc/sysconfig/iptables (NAT so that VPN clients on 10.8.0.0/24 leave via eth0):

    *nat
    :POSTROUTING ACCEPT [0:0]
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -s 10.8.0.0/24 -d 0.0.0.0/0 -o eth0 -j MASQUERADE
    COMMIT

Server Config: /etc/openvpn/server.conf

    port 1194
    proto udp
    dev tun
    #
    ca keys/ca.crt
    cert keys/server.crt
    key keys/server.key
    dh keys/dh1024.pem
    server 10.8.0.0 255.255.255.0
    push "redirect-gateway"
    keepalive 10 120
    comp-lzo
    max-clients 3
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    push "dhcp-option DNS 8.8.8.8"
    #
    # http://www.duosecurity.com/docs/openvpn
    #
    plugin /opt/duo/duo_openvpn.so DIBWYZCUWKFPEBW4X9BD QHuxkKgfanBliCOpp2LFFCdIRbdwm8GHdMdAvlsp api-4fe8e0a1.duosecurity.com
    #
    reneg-sec 0

(The push payloads are quoted as OpenVPN requires; the plugin line takes the Duo integration key, secret key and API host in that order, as documented on the Duo page linked above.)

Client Config: /Users//Library/Application Support/Tunnelblick/Configurations

    client
    dev tun
    proto udp
    remote vpn.holdharmless.me 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca keys/ca.crt
    cert keys/client1.crt
    key keys/client1.key
    ns-cert-type server
    comp-lzo
    verb 3
    #
    auth-user-pass
    reneg-sec 0
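As an added example (not part of the original post), here is a small checker that parses an OpenVPN server/client config pair and reports the hardening points the post raises: tls-auth on both ends, quoted push payloads, auth-user-pass on the client when the server authenticates through the Duo plugin, reneg-sec 0 on both sides so MFA is not re-prompted on renegotiation, and server-certificate validation on the client. The embedded configs are constructed copies of the post's configs with the Duo credentials and the VPN hostname replaced by placeholders; the function and constant names are my own.

```python
"""Hardening checks for an OpenVPN server/client config pair (added example)."""
import shlex

# Constructed sample: the post's server.conf with the Duo integration key,
# secret key and API host replaced by obvious placeholders (not real values).
SERVER_CONF = """
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway"
keepalive 10 120
comp-lzo
max-clients 3
persist-key
persist-tun
status openvpn-status.log
verb 3
push "dhcp-option DNS 8.8.8.8"
# http://www.duosecurity.com/docs/openvpn
plugin /opt/duo/duo_openvpn.so IKEY_PLACEHOLDER SKEY_PLACEHOLDER api-XXXXXXXX.duosecurity.com
reneg-sec 0
"""

# Constructed sample: the post's client config with a placeholder hostname.
CLIENT_CONF = """
client
dev tun
proto udp
remote vpn.example.invalid 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
ns-cert-type server
comp-lzo
verb 3
auth-user-pass
reneg-sec 0
"""


def parse_openvpn(text):
    """Return [(directive, [args]), ...]; lines starting with '#' or ';' are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # a quoted push payload stays one argument
        entries.append((parts[0], parts[1:]))
    return entries


def _first_arg(entries, directive):
    """First argument of the first occurrence of directive, or None if absent."""
    for d, args in entries:
        if d == directive:
            return args[0] if args else ""
    return None


def check_pair(server_text, client_text):
    """Return a list of findings; an empty list means every check passed."""
    server = parse_openvpn(server_text)
    client = parse_openvpn(client_text)
    cdirs = {d for d, _ in client}
    findings = []

    # 1. tls-auth adds an HMAC to the control channel; it must be on both ends
    #    (key direction 0 on the server, 1 on the client).
    if _first_arg(server, "tls-auth") is None:
        findings.append("server: missing tls-auth (control-channel HMAC)")
    if _first_arg(client, "tls-auth") is None:
        findings.append("client: missing tls-auth (control-channel HMAC)")

    # 2. A push payload must be one quoted string, or OpenVPN rejects the line.
    for d, args in server:
        if d == "push" and len(args) != 1:
            findings.append("server: push payload must be quoted: " + " ".join(args))

    # 3. The Duo plugin verifies username/password plus second factor, so the
    #    client has to send credentials with auth-user-pass.
    uses_duo = any(d == "plugin" and args and "duo" in args[0] for d, args in server)
    if uses_duo and "auth-user-pass" not in cdirs:
        findings.append("client: Duo plugin on server but no auth-user-pass")

    # 4. TLS renegotiation would re-run authentication and re-prompt for MFA,
    #    so both sides disable it with reneg-sec 0.
    if uses_duo and (_first_arg(server, "reneg-sec") != "0"
                     or _first_arg(client, "reneg-sec") != "0"):
        findings.append("reneg-sec 0 must be set on both server and client when using MFA")

    # 5. The client must check that the peer presents a server certificate.
    if not ({"ns-cert-type", "remote-cert-tls", "verify-x509-name"} & cdirs):
        findings.append("client: no server-certificate validation (ns-cert-type/remote-cert-tls)")

    return findings


if __name__ == "__main__":
    for finding in check_pair(SERVER_CONF, CLIENT_CONF):
        print("FINDING:", finding)
```

Run against the post's configs, the checker reports one finding per side: tls-auth is recommended in the prose but not present in either config. Adding `tls-auth keys/ta.key 0` to the server and `tls-auth keys/ta.key 1` to the client clears both. Check 5 accepts `ns-cert-type server` as the post uses it and also `remote-cert-tls server`, which later OpenVPN releases prefer.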