client config

# base config
client
dev tun
proto udp
remote 192.168.1.122 1194
nobind
user nobody
group nogroup
persist-key
persist-tun
mute-replay-warnings
comp-lzo

# authentication config
ca ca.crt
cert shell.crt
key shell.key
ns-cert-type server
tls-auth ta.key 1
auth-user-pass

On Debian, the group should be nogroup, not nobody.

auth-user-pass is needed for Google Authenticator: it makes the client prompt for a username and password.

pam config

account [success=2 new_authtok_reqd=done default=ignore]    pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore]    pam_winbind.so
account requisite           pam_deny.so
account required            pam_permit.so
auth required pam_google_authenticator.so

This goes in /etc/pam.d/openvpn.

server config

# base config
port 1194
proto udp
dev tun
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log

# authentication config
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

# network config
server 10.55.66.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
duplicate-cn

On Debian, the plugin path is /usr/lib/openvpn/openvpn-plugin-auth-pam.so. The "openvpn" argument after it is the PAM service name and must match the file name /etc/pam.d/openvpn.
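
A consistency check for the three files above, as an added example that is not part of the original post. It verifies that the PAM service name on the server's plugin line has a matching file with an auth line for pam_google_authenticator.so, that the client sets auth-user-pass, that the tls-auth key directions are complementary, and that neither side uses group nobody. The function names, the pam_files mapping and the reduced sample input are assumptions made for the example.

```python
# Added example (not from the original page): cross-check the three files above.
def directives(text):
    """Parse OpenVPN config text into {directive: [args]}; '#' and ';' start comments."""
    out = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0][0] not in "#;":
            out[fields[0]] = fields[1:]
    return out

def check(client_text, server_text, pam_files):
    """pam_files maps a PAM service name to the text of /etc/pam.d/<name>.
    Returns a list of problems; an empty list means the files agree."""
    client, server = directives(client_text), directives(server_text)
    problems = []
    plugin = server.get("plugin", [])
    if not plugin or not plugin[0].endswith("openvpn-plugin-auth-pam.so"):
        problems.append("server: auth-pam plugin not loaded")
    elif len(plugin) < 2:
        problems.append("server: plugin line has no PAM service name")
    elif plugin[1] not in pam_files:
        problems.append(f"pam: /etc/pam.d/{plugin[1]} does not exist")
    else:
        # Only active 'auth' lines count; a commented-out line starts with '#auth'.
        auth = [l.split() for l in pam_files[plugin[1]].splitlines()
                if l.split()[:1] == ["auth"]]
        if not any(x.endswith("pam_google_authenticator.so") for f in auth for x in f[1:]):
            problems.append("pam: no auth line for pam_google_authenticator.so")
    if "auth-user-pass" not in client:
        problems.append("client: auth-user-pass missing")
    directions = client.get("tls-auth", [])[1:2] + server.get("tls-auth", [])[1:2]
    if ("tls-auth" in client) != ("tls-auth" in server):
        problems.append("tls-auth: set on only one side")
    elif sorted(directions) not in ([], ["0", "1"]):
        problems.append("tls-auth: key directions must be 0 and 1")
    for side, cfg in (("client", client), ("server", server)):
        if cfg.get("group") == ["nobody"]:  # assumes a Debian host, as in the post
            problems.append(f"{side}: group nobody (Debian uses nogroup)")
    return problems

# Constructed sample input, reduced to the lines the checks read.
CLIENT = "client\ngroup nogroup\ntls-auth ta.key 1\nauth-user-pass\n"
SERVER = ("group nogroup\ntls-auth ta.key 0\n"
          "plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn\n")
PAM = {"openvpn": "account required pam_permit.so\n"
                  "auth required pam_google_authenticator.so\n"}

if __name__ == "__main__":
    print(check(CLIENT, SERVER, PAM) or "consistent")
```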

google authentication config

Look at this: Using Google Authentication in PAM.

startup

shell@debws0:~$ sudo openvpn --config shell.conf
Fri Jan 24 11:17:17 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Nov 28 2013
Enter Auth Username:username
Enter Auth Password:
Enter Private Key Password:

The Auth Username is the user for whom you configured Google Authenticator.

Enter the verification code as the Auth Password. You may also be asked for a Private Key Password if your private key has one.

Have fun.