Authy Open VPN
With the Authy OpenVPN plugin you can add Two-Factor Authentication to your VPN server in just minutes. The plugin supports certificate-based authentication, PAM, or LDAP.
With Authy your users can authenticate using the Authy mobile app or a hardware dongle.
For hardware dongles, phone calls or LDAP, please contact firstname.lastname@example.org.
Using the source code
This is the recommended way of installing.
Build tools:
- Ubuntu: apt-get install build-essential
- CentOS: yum groupinstall 'Development Tools'
libcurl with SSL:
- Ubuntu: apt-get install libcurl4-openssl-dev
- CentOS: yum install libcurl-devel.x86_64
Compiling and installing
Compile and install.
curl -L "https://github.com/authy/authy-openvpn/archive/master.tar.gz" -o authy-openvpn.tar.gz
tar -zxvf authy-openvpn.tar.gz
cd authy-openvpn-master
make
sudo make install
Get your free Authy API KEY from: https://www.authy.com/signup.
Finally, configure the plugin.
Restart your server (see below).
Start adding users using sudo authy-vpn-add-user (see below).
You need to copy the following DLLs.
Add the following line to your OpenVPN server configuration:
plugin "C:\\Program Files\\OpenVPN\\bin\\authy-openvpn.dll" https://api.authy.com/protected/json AUTHY_API_KEY nopam
Then create the authy-vpn.conf file in C:\\Program Files\\OpenVPN\\config; remember that this file follows one of the following patterns:
USERNAME COMMON_NAME AUTHY_ID
Remember that the last one also checks that the common name in the certificate matches the login.
Add the reneg-sec 0 option to your OpenVPN configuration file. This prevents the server from forcing a renegotiation (and asking for a new Authy token).
Note that if your OpenVPN version is <= 2.2 you need to set reneg-sec to a large value instead of 0.
Restarting your OpenVPN server
sudo service openvpn restart
CentOS and RedHat
/sbin/service openvpn restart
To add users make sure you have their cellphone numbers.
The Authy VPN plugin comes with a script that helps you register users.
To start adding users type:
sudo authy-vpn-add-user
This script is to add users to Authy Open VPN
For each user you will need to provide the vpn login, e-mail, country code and cellphone
For PAM, login is the *nix login or your PAM login username.
For certificate based Auth we recommend you use e-mails as the login.
Login: email@example.com
Email: firstname.lastname@example.org
Country Code (EG. 1 for US): 1
Cellphone: 347-388-2229
Registering the user with Authy ...
Success: User email@example.com was registered with AUTHY_ID 12323.
How Authy-VPN works
Authy stores its configuration in the file /etc/openvpn/authy/authy-vpn.conf.
The file's format is one user per line:
USERNAME AUTHY_ID
For example, for firstname.lastname@example.org it would look like this:
sudo cat /etc/openvpn/authy/authy-vpn.conf
email@example.com 12323
When liz is logging in, she will type firstname.lastname@example.org as her username and the token as the password.
You can edit this file by hand or using sudo authy-vpn-add-user.
With Certificate based Authentication
In this scenario the user needs: username + certificate + token to log in.
If you're already using certificates to authenticate your VPN users you won't need to regenerate them. All you have to do is edit '/etc/openvpn/authy/authy-vpn.conf', where you tell Authy the user's login and the AUTHY_ID.
Example authy-vpn.conf for a user joe with AUTHY_ID 10229
joe 10229
Here the user will enter email@example.com as username and the Token (which he gets from the app) as the password. The certificate is transparently checked before this happens.
PAM based Auth
If you are already using PAM you can still use Authy Two-Factor Authentication.
To use PAM, simply answer that you are going to use PAM during the post-install script.
After running the post-install script your server.conf should have the following lines:
# This line was added by the authy-openvpn installer
plugin /usr/lib/authy/authy-openvpn.so https://api.authy.com/protected/json [YOUR_API_KEY] pam
Make sure your PAM OpenVPN plugin is loaded after the Authy OpenVPN plugin. Plugins are loaded in the order they appear in the config file, so the result should look like:
# This line was added by the authy-openvpn installer
plugin /usr/lib/authy/authy-openvpn.so https://api.authy.com/protected/json [YOUR_API_KEY] pam
plugin /usr/lib/openvpn/openvpn-auth-pam.so "login login USERNAME password PASSWORD"
Also your users will need to separate the password from the token during login by using a '-' character.
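A small checker for the two server-side settings this README asks for (the reneg-sec option above, and the Authy plugin line coming before the PAM plugin line), added here as an example; it is not part of the authy-openvpn project. It reads a server.conf the way OpenVPN does (top to bottom, plugins in file order) and reports what would break token handling. The sample configurations are constructed for this example.

```python
"""Lint an OpenVPN server.conf for the settings the Authy plugin relies on.

Added example, not the plugin's own code.  Checks:
  1. the authy-openvpn plugin line appears before openvpn-auth-pam
     (OpenVPN loads plugins in config-file order);
  2. reneg-sec is set to 0, or to a large value when legacy_openvpn=True
     (the README's rule for OpenVPN <= 2.2).
"""
import shlex
from typing import List

AUTHY_PLUGIN = "authy-openvpn.so"
PAM_PLUGIN = "openvpn-auth-pam.so"


def lint_server_conf(text: str, legacy_openvpn: bool = False) -> List[str]:
    """Return a list of findings; an empty list means both checks pass."""
    findings: List[str] = []
    authy_line = pam_line = None
    reneg_sec = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments; '#' inside quotes is not expected here
        if not line:
            continue
        try:
            fields = shlex.split(line)  # keeps the quoted PAM argument string as one field
        except ValueError:
            findings.append(f"line {lineno}: unbalanced quotes")
            continue
        if fields[0] == "plugin" and len(fields) >= 2:
            if fields[1].endswith(AUTHY_PLUGIN) and authy_line is None:
                authy_line = lineno
            elif fields[1].endswith(PAM_PLUGIN) and pam_line is None:
                pam_line = lineno
        elif fields[0] == "reneg-sec" and len(fields) == 2:
            if fields[1].isdigit():
                reneg_sec = int(fields[1])
            else:
                findings.append(f"line {lineno}: reneg-sec value is not a number")
    if authy_line is None:
        findings.append("no authy-openvpn plugin line found")
    elif pam_line is not None and pam_line < authy_line:
        findings.append(
            f"openvpn-auth-pam (line {pam_line}) is loaded before authy-openvpn (line {authy_line})"
        )
    if reneg_sec is None:
        findings.append("reneg-sec is not set; the server will renegotiate and ask for a new token")
    elif legacy_openvpn and reneg_sec == 0:
        findings.append("reneg-sec is 0 but OpenVPN <= 2.2 needs a large value instead")
    elif not legacy_openvpn and reneg_sec != 0:
        findings.append(f"reneg-sec is {reneg_sec}; it should be 0")
    return findings


# Constructed sample: the layout the README asks for.
GOOD_CONF = """\
port 1194
proto udp
# This line was added by the authy-openvpn installer
plugin /usr/lib/authy/authy-openvpn.so https://api.authy.com/protected/json [YOUR_API_KEY] pam
plugin /usr/lib/openvpn/openvpn-auth-pam.so "login login USERNAME password PASSWORD"
reneg-sec 0
"""

# Constructed sample: PAM plugin loaded first, and a renegotiation interval left in place.
BAD_CONF = """\
plugin /usr/lib/openvpn/openvpn-auth-pam.so "login login USERNAME password PASSWORD"
plugin /usr/lib/authy/authy-openvpn.so https://api.authy.com/protected/json [YOUR_API_KEY] pam
reneg-sec 3600
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, lint_server_conf(conf) or ["ok"])
```

Run it against your own server.conf by reading the file into a string; a non-empty list is a configuration that will either skip the Authy check for PAM logins or prompt users for a fresh token on every renegotiation.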
Example authy-vpn.conf for a user joe with AUTHY_ID 10229
joe 10229
Here joe is the PAM login username.
Let's suppose joe's password is god. The user will enter joe as the username. In the password field he will enter his password followed by a - followed by the Authy Token:
god-1234567
Here 1234567 would be the Authy Token and god his password.
SMS and Phone Calls
To use SMS or Phone calls the user will have to enter a request keyword such as sms as the password (see the example below). The first authentication will fail. The user should then wait for the SMS or Call to arrive and re-authenticate with the right username and token.
auth#1: username: firstname.lastname@example.org password: sms
auth#2: username: email@example.com password: 172839
Optional: Authy OpenVPN with Common Name Verification
Authy by default does not verify that the common name in the certificate matches the login. This means a user can log on with someone else's certificate and a different Two-Factor Auth login.
This is normally OK, as most of the time all users in the VPN have the same privileges and routes. If this is not the case we suggest you verify that the common name matches the Two-Factor login. This is accomplished by modifying authy-vpn.conf to add the common name to every login.
Example authy-vpn.conf for a user joe with Common Name joe1 and AUTHY_ID 10229
joe 10229 joe1
This will check that joe and the common name from the certificate (joe1) match before proceeding with the authentication.
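The checks described in the PAM section (password and token separated by a '-') and in this section (optional common-name verification) modelled in code, as an added example that is not the authy-openvpn plugin's own implementation. It parses authy-vpn.conf lines in the forms the README shows and decides, for one login attempt, whether the attempt is rejected locally or which AUTHY_ID and token would be verified; nothing here talks to the Authy API. The sample config and login attempts are constructed. Two details are this example's assumptions, not statements from the README: the password field is split on the last '-' (so a PAM password may itself contain hyphens), and a token is taken to be 6 to 8 digits. Because the Windows section writes the three-field pattern as USERNAME COMMON_NAME AUTHY_ID while the example line is joe 10229 joe1, the parser accepts either order and treats the numeric field as the AUTHY_ID.

```python
"""Model the local checks the Authy OpenVPN plugin performs before a token is verified.

Added example, not the plugin's own code.  Parses authy-vpn.conf entries of the form
    USERNAME AUTHY_ID
    USERNAME AUTHY_ID COMMON_NAME   (or USERNAME COMMON_NAME AUTHY_ID)
and evaluates a login attempt in "pam" or "nopam" mode.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption for this example: an Authy token is 6 to 8 digits
# (the README's sample tokens are 1234567 and 172839).
TOKEN_RE = re.compile(r"^[0-9]{6,8}$")


@dataclass(frozen=True)
class Entry:
    username: str
    authy_id: str
    common_name: Optional[str]  # None: no common-name verification for this user


def parse_conf(text: str) -> Dict[str, Entry]:
    """Parse authy-vpn.conf into {username: Entry}; malformed or duplicate lines raise."""
    users: Dict[str, Entry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' comments are this example's convention
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2 and fields[1].isdigit():
            entry = Entry(fields[0], fields[1], None)
        elif len(fields) == 3 and sum(f.isdigit() for f in fields[1:]) == 1:
            # Exactly one of the two trailing fields is numeric: that is the AUTHY_ID.
            authy_id = fields[1] if fields[1].isdigit() else fields[2]
            common_name = fields[2] if fields[1].isdigit() else fields[1]
            entry = Entry(fields[0], authy_id, common_name)
        else:
            raise ValueError(f"authy-vpn.conf line {lineno}: expected USERNAME AUTHY_ID [COMMON_NAME]")
        if entry.username in users:
            raise ValueError(f"authy-vpn.conf line {lineno}: duplicate user {entry.username!r}")
        users[entry.username] = entry
    return users


def check_login(users: Dict[str, Entry], username: str, password_field: str,
                common_name: str, mode: str) -> dict:
    """Decide what happens before anything is sent to Authy.

    mode is the plugin's last argument: "pam" (password field is PASSWORD-TOKEN)
    or "nopam" (password field is the token alone).  Returns ok=True with the
    pieces that would be verified, or ok=False with a reason.
    """
    entry = users.get(username)
    if entry is None:
        return {"ok": False, "reason": "unknown user"}
    # Common-name verification is only enforced for entries that carry a common name;
    # two-field entries keep the README's default of not checking it.
    if entry.common_name is not None and entry.common_name != common_name:
        return {"ok": False, "reason": "certificate common name does not match login"}
    if mode == "pam":
        # Assumption: split on the LAST '-' so the PAM password may contain hyphens.
        pam_password, sep, token = password_field.rpartition("-")
        if not sep or not pam_password:
            return {"ok": False, "reason": "expected PASSWORD-TOKEN"}
    elif mode == "nopam":
        pam_password, token = None, password_field
    else:
        return {"ok": False, "reason": f"unknown mode {mode!r}"}
    if token == "sms":
        # README: the first attempt that requests an SMS fails; the user retries with the token.
        return {"ok": False, "reason": "SMS requested; retry with the delivered token",
                "authy_id": entry.authy_id}
    if not TOKEN_RE.match(token):
        return {"ok": False, "reason": "token must be 6 to 8 digits"}
    return {"ok": True, "authy_id": entry.authy_id, "token": token, "pam_password": pam_password}


# Constructed sample authy-vpn.conf using the README's example users.
SAMPLE_CONF = """\
# constructed for this example
email@example.com 12323
joe 10229 joe1
"""

if __name__ == "__main__":
    users = parse_conf(SAMPLE_CONF)
    print(check_login(users, "joe", "god-1234567", "joe1", "pam"))
    print(check_login(users, "joe", "god-1234567", "someone-else", "pam"))
```

The second call in the usage above is the case this section is about: a valid PAM password and token presented with a certificate whose common name is not joe1 is refused before any token check, whereas the two-field entry for email@example.com is never subjected to the common-name comparison.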
VPN Client configuration for all users
Your users will need to add to their client.conf the option that makes the OpenVPN client ask for a username and password (this is where they enter the token).
Copyright (c) 2013-2020 Authy Inc.