I'm not sure whether this will get much interest, but I have managed to set up my OpenVPN server to use 2 factor authentication via Google Authenticator. This is on an AC68U router. I thought I'd create this guide, but most of the steps are from lancethepants, who was extremely helpful to me. This guide will assume that you are already using your jffs partition. I'm not sure whether you need entware installed, but I have it installed anyway.
1) Install tomatoware (see http://www.linksysinfo.org/index.php?threads/tomatoware.69742/ ). In this example, tomatoware will be mounted to the /mmc directory and therefore uses the /mmc prefix.
You can download the releases from

mkdir /tmp/mnt/usb/tomatoware.arm
tar zxvf arm-soft-mmc.tgz -C tomatoware.arm
but unfortunately lance has only compiled it for /jffs and /opt. If you require different prefixes (I use /mmc) you can compile it yourself or I can upload it somewhere.
2) mount tomatoware to the /mmc directory
This command can be added to the post-mount script in /jffs/scripts to auto mount on startup.

mount -o bind /tmp/mnt/usb/tomatoware.arm /mmc
3) Assuming entware is installed, replace /opt/etc/profile with /mmc/etc/profile and login again so that the profile can take effect
4) Install OpenVPN and compile.
#compile openvpn with libpam support
mkdir -p /mmc/vpn && cd /mmc/vpn
wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.6.tar.gz
tar zxvf openvpn-2.3.6.tar.gz
cd openvpn-2.3.6
./configure --prefix=/mmc --enable-pam-dlopen --enable-password-save --enable-iproute2
make
make install
5) Replace the default OpenVPN with the newly compiled version
This can be added to /jffs/scripts/services-start to automatically use the new version on startup.

/bin/mount --bind /mmc/sbin/openvpn /usr/sbin/openvpn
6) Install Google Authenticator, download it from https://github.com/google/google-authenticator.git and extract it somewhere on the router.
cd to libpam directory
./bootstrap.sh
./configure --prefix=/mmc
make
make install
7) Install libqrencode to generate QR codes. This can be skipped if you want to enter the secret manually.
mkdir -p /mmc/vpn && cd /mmc/vpn
wget http://fukuchi.org/works/qrencode/qrencode-3.4.4.tar.gz
tar zxvf qrencode-3.4.4.tar.gz
cd qrencode-3.4.4
./configure --prefix=/mmc --without-tools
make
make install
8) Create a new user for 2 factor OpenVPN access. Here is an example user 'user' with the password 'password'
This can be added to /jffs/scripts/passwd.postconf and shadow.postconf to add the user automatically on reboot.

echo "user:x:0:0:root:/opt:/bin/sh" >> /etc/passwd
echo "user:\$1\$p7ji1sSO\$a0dvOOsF4SGd7TU8.PD101:15850:0:99999:7:::" >> /etc/shadow
The easiest way to use a different password is to change the admin password via the webgui and then copy the encrypted password from /etc/shadow.
9) Create the following directory /mmc/etc/pam.d and in this new directory create a file called 'openvpn' with the following contents
In this case, the .google_authenticator file will be stored in the user's home directory, which is /opt (see step 8).

auth required pam_google_authenticator.so forward_pass secret=${HOME}/.google_authenticator
auth [success=1 default=ignore] pam_unix.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
password [success=1 default=ignore] pam_unix.so obscure md5
password requisite pam_deny.so
password required pam_permit.so
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
10) Create the google authenticator file
Follow the prompts and scan the QR code or enter the secret into your authenticator app.

google-authenticator -s /opt/.google_authenticator
11) Add the following to the server custom configuration in the webgui
plugin /mmc/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
12) Reboot router and you should be good to go!
When configuring the OpenVPN server in the webgui, make sure Username/Password authentication is set to 'No' and then add

auth-user-pass

to the config file generated by the router. When logging into the VPN server, using the example here:

username: user
password: password######

Where ###### are the digits from the authenticator app.
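As an added illustration (not part of the original post or of the google-authenticator project), here is the check the forward_pass stack above performs, reimplemented in Python: the trailing six digits are peeled off the submitted password, validated as an RFC 6238 TOTP code against the secret in a .google_authenticator-style file, and only then is the remaining password handed on to pam_unix. The file contents and timestamps are constructed sample values (the secret is the RFC 6238 test key).

```python
import base64, hashlib, hmac, struct, time

# Constructed .google_authenticator contents in the layout the google-authenticator
# tool writes: base32 secret on line 1, '" KEY VALUE' option lines, then scratch codes.
# The secret is the RFC 6238 test key, not a real one.
SAMPLE_STATE = '''GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" TOTP_AUTH
12345678
'''

def parse_state(text):
    """Return (base32 secret, window size) from a .google_authenticator file body."""
    lines = text.splitlines()
    secret, window = lines[0].strip(), 3          # 3 codes is the tool's default
    for line in lines[1:]:
        if line.startswith('" WINDOW_SIZE'):
            window = int(line.split()[2])
    return secret, window

def totp(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), the default used by pam_google_authenticator."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", int(for_time) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def split_forward_pass(combined, digits=6):
    """forward_pass semantics: the last six characters are the OTP, the rest is the password."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]

def verify(combined, state_text, now=None):
    """Return the password to forward to pam_unix if the OTP is valid, else None."""
    parts = split_forward_pass(combined)
    if parts is None:
        return None
    password, code = parts
    secret, window = parse_state(state_text)
    now = time.time() if now is None else now
    # A window of w codes spans from -(w-1)//2 to w//2 time steps around the current one.
    for skew in range(-((window - 1) // 2), window // 2 + 1):
        if hmac.compare_digest(totp(secret, now + skew * 30), code):
            return password
    return None
```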
Hopefully this is of some use to someone and as a side note, once this is implemented, it is pretty straightforward to add 2 factor authentication to SSH.