In a recent post, we did a step by step on installing OpenVPN to an Ubuntu server 12.04/14.04. https://www.slsmk.com/getting-started-with-openvpn/
I also showed you how to have OpenVPN Auth using only ID and Password. You need to complete this setup before you can do two-factor auth. https://www.slsmk.com/getting-started-with-openvpn/openvpn-with-id-and-password-authentication-on-ubuntu/
In a Two Factor Authentication Solution, the client would need a valid Cert and a valid id/pw on the host system. This is more secure than either of the 2 previous examples.
To get the OpenVPN server to use both id/pw and check for a valid cert, just comment out the following line in /etc/openvpn/server.conf
;Change client-cert-not-required ;to ;client-cert-not-required
The client will have to have been issued a valid certificate from the OpenVPN CA. This is done on the server, not on the client because the server’s CA needs to sign the key. Also, the client cert process will prompt you for a client cert password. You need to give this to the client along with the cert.
cd /etc/openvpn/easy-rsa/ source vars ./pkitool client-name
Those commands will create new files int the easy-rsa/keys directory called client-name.crt and client-name.key (client-name.csr is the text request and can be ignored/deleted). These 2 files need to be copied out the client, along with the server ca.crt and the ta.key (the ta.key is used if TLS is enabled in server conf).
Copy these files to the client:
These files need to be copied to the client and placed in the proper folder. For a linux client, this would usually be the /home/folder for the user. For windows based machines, this would be in the openvpn client install folder where the profiles are stored.
Restart openvpn service on the host then give it a test with the client.