OpenVPN 2.4 + Google Authenticator = authentication failure

openvpn google-authenticator pam ubuntu-18.04

Ubuntu 18.04 and higher use a more strict sandboxing config in systemd which interferes with google-authenticator.

Simply edit /lib/systemd/system/[email protected] and remove this line:

[Service]
...
ProtectHome=true

This is a newer feature of systemd that makes directories with 'user' content in them appear empty, for example /home, /root, and /run/user

It's generally a good idea to enable this as /home often contains SSH and GPG keys, but in this case it prevents OpenVPN from reading the .google-authenticator file in the users' home directory.

More info:

  • https://www.redhat.com/sysadmin/mastering-systemd
  • https://github.com/google/google-authenticator-libpam/issues/98

Related

Is there a flexible calculator available that can walk you through complex SQL licensing? [duplicate]
Just how slow should my VPN be?
Static Addresses On DHCP Range
win32 openssh default shell wsl.exe command arguments
libvirt Windows 10 VM issue
Display html files with another file extension on Apache server
Can an aws instance fail? Do I need backups?
Is writing on NTFS partition from mac os considered safe now?
How many sites this web server can handle? [duplicate]
What is push email?
What should be considered when purchasing a virtual machine set up?
Lightest weight IMAP/POP3 server [closed]