Google Authenticator, and (probably all) other rotating-PIN multi-factor authentication systems, rely on the clock of the token device (in this case your smartphone or tablet) and the clock of the authenticating system (in this case the OpenVPN server). If the two clocks differ by more than a few seconds or so, authentication will break.

NOTE: Differences in time zones don’t matter; what matters is the accuracy of each clock for its own time zone. Your authenticating device and your authenticating server can be set to two different time zones and that shouldn’t matter (the codes are derived from seconds since the Unix epoch, which is the same everywhere).
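To see exactly why the clocks matter, here is an added example (not from the original post) that implements the TOTP algorithm Google Authenticator uses (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits) and reports which phone-clock skews a server still accepts. The secret is the RFC 6238 Appendix B test key, so the codes can be checked against the RFC; the server timestamp and skew values are constructed for the demonstration.

```python
"""TOTP (RFC 6238) clock-skew demonstration (added example, not the post's code)."""
import hashlib
import hmac
import struct

STEP = 30     # Google Authenticator's time step, in seconds
DIGITS = 6    # Google Authenticator shows 6-digit codes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole steps since the Unix epoch."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Server-side check. `window` is how many steps of skew either side the server
    tolerates (0 = only the current step; 1 = current step plus one step each way)."""
    return any(
        hmac.compare_digest(totp(secret, server_time + k * STEP), code)
        for k in range(-window, window + 1)
    )


def skew_report(secret: bytes, server_time: int, skews, window: int = 1) -> dict:
    """For each clock skew (phone clock minus server clock, in seconds), generate the
    code the phone would display and report whether the server accepts it."""
    return {s: verify(secret, totp(secret, server_time + s), server_time, window)
            for s in skews}


# RFC 6238 Appendix B test key (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # Constructed server time sitting exactly on a step boundary (1234567890 is a
    # multiple of 30): the worst case, since even -1 s of skew lands in the previous step.
    now = 1234567890
    print("server code:", totp(TEST_SECRET, now))   # 005924 (RFC 6238 vector 89005924)
    for w in (0, 1):
        print(f"window={w}:", skew_report(TEST_SECRET, now, [-1, 0, 29, 30, 59, 60, 120], w))
```

With a strict server (window 0) a phone running one second behind is already rejected; with the usual one-step tolerance anything beyond about a minute of skew fails, which is why the post insists on NTP rather than on a large acceptance window.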

NTP is the answer. NTP stands for “Network Time Protocol” – you know how the army has a giant atomic clock that keeps perfect time and everyone can sync to it if they want? Similar idea. NTP servers offer a free service that lets other machines sync their clocks to them. Out of the box, most cell phones and tablets already have this functionality built in and working, and they periodically adjust their clocks. But Ubuntu (and probably many other Linux distros) don’t necessarily run this service, or it doesn’t run as often as you might need (like only checking at boot-up… and it is a Linux server, so honestly, how often is it really going to get rebooted?… I love Linux…). So doing a little work on the front end might save you some head-scratching later on…

On your Ubuntu box we are going to install a simple time-sync tool which should do the trick. I am pulling this info from: https://help.ubuntu.com/13.10/serverguide/NTP.html. That guide is excellent and hits all the high points. If you want more info, check it out.

The only thing I would add is that prior to installing it you might want to force a manual sync of your server with this command:

sudo ntpdate ntp.ubuntu.com

ntpdate is the application that comes with Ubuntu and performs a one-time sync at each boot-up. The command above forces an immediate manual sync against the server ntp.ubuntu.com.

Once you have done that you can follow the ubuntu guide, or just look at the relevant commands I pulled from it below…

Here is the gist of it…

Install NTPD

sudo apt-get install ntp

and if you need to reload it at some point:

sudo service ntp reload

The configuration file is located at /etc/ntp.conf, if you have some need to make things harder than they need to be :)… Some odd situations actually do require more configuration. I will note that when it comes to security, some audits require that you sync all servers ONLY to an INTERNAL time server on your network. If that is the case, you can manually define which servers ntpd uses in the conf file, and that would be a legitimate reason for toying about :).

Anyhow, it took me like 4 searches to find the info I needed on NTP (which is fairly simple stuff) and there is a lot of useless junk in the top Google search results so hopefully this will help some folks get where they are going a bit faster.

Cheers!


2 comments on: NTP is NECESSARY for OpenVPN + Google Authenticator to Work Reliably…

  1. jackie

    Hey there! I just wanted to ask if you ever have any
    trouble with hackers? My last blog (WordPress) was hacked and I ended up losing many
    months of hard work due to no data backup. Do you have any
    methods to protect against hackers?

    • nbeam

      Couple of thoughts…

      1. Good spam filters – keeps the spam user counts down automagically – this is a big one for several reasons – also keeps the spam comment count down.
      2. Update often – I keep WordPress core install up-to-date on a fairly regular schedule
      3. Frequent backups – I keep my site files and database backed up so that in the event that someone did get access and wipe stuff I could restore
      4. Keep it default – I run as few plugins as possible and make as few modifications to default code as possible. I have some CSS modifications to the default theme, that is the extent of it.
      5. Privileges management – Closely managing and monitoring privileged account creation and use and also using granular privileges if you need to allow some users the ability to do more than just read and comment.

      Those five things can/will prevent the bulk of attacks from being successful. If you are running something that needs to be “extra secure”, using SSL to encrypt at least parts of the site also helps protect your authentication activity from eavesdropping (however this will also incur additional cost). If you need to be “extra extra” secure you can also look at allowing connections into the administrative section of the site only from a specific list of IPs, and you can even go a step further and require that connection to work over a VPN. Also, not using FTP for file transfers (i.e. the default method for the auto-update system is FTP, however you can get plugins that let you use SFTP instead).

      I don’t believe in “un-hackable” systems but taking the precautions outlined above will prevent most hackers from getting in and breaking things. Most hacks are a result of some administrative laziness or ignorance unfortunately and I am sure I am liable of both :).
