Openvpn With Radius And Multi Factor Authentication
Setting up a VPN server to allow remote connections can be challenging if you set this up for the first time. In this post I will guide you through the steps to setup your own VPN Server and to connect to it using a VPN Client. Additionally I will also show how to setup a free OpenVPN server and a plugin to implement multi-factor authentication for additional security.
1. Installation OpenVPN server on Linux (using a fresh Centos Stream 9 Linux)
Accept defaults for installation of OpenVPN and at the end provide a ‘Client name’ e.g. ‘demouser’. I have chosen a passwordless client but if you want you can also add an additional password to protect your private key.
Finally a client configuration file is ready to be imported into the VPN Client.
2. Installation OpenVPN Client for Windows
Download the OpenVPN Client software from https://openvpn.net/vpn-client
Install the OpenVPN Client:
Once the installation is finished we can import the configuration file ‘demouser.ovpn’ which was generated on the OpenVPN server but before importing we need to modify the IP-address of our OpenVPN server within this file:
Normally the remote IP by default will be the address of your public IP which is normal if you have your VPN server on your local network and need remote access from outside this network. You can leave the public IP address in the config but then you will have to open up the correct port and set the routing on your internet access point.
Finally we can test the VPN connection. The first time the connection will probably fail as the firewall on the OpenVPN Linux server is blocking the access. To quickly test this we can just disable the firewall using the command:
Alternatively configure Linux firewall for OpenVPN connectivity:
Now the connection should work:
On the windows client you should now also get an additional VPN adapter configured with a default IP address of 10.8.0.2 (this subnet is defined within the file /etc/openvpn/server.conf).
3. The next step describes how to use RADIUS with OpenVPN.
First we will install the IBM Security Verify Gateway for RADIUS on a Windows machine. Documentation is available at: https://www.ibm.com/docs/en/security-verify?topic=integrations-security-verify-gateway-radius
This package can be downloaded from the IBM Security AppExchange here: https://exchange.xforce.ibmcloud.com/hub/IdentityandAccess (you will need to use your IBMid to login)
Extract and run the installation using ‘setup_radius.exe’.
Edit the RADIUS configuration file ‘c:\Program Files\IBM\IbmRadius\IbmRadiusConfig.json’:
-
Find the clients section in the configuration file.
-
The default file has three example client definitions. Delete these definitions and replace with the single definition shown above.
-
This definition will match any RADIUS client connecting from the network used by the test machines. The secret authenticates the client.
Save the file and close the editor.
Complete the fields ‘client-id’, ‘obf-client-secret’ and ‘host’ with the correct information to point to your IBM Verify Saas API.
Before we can do this we will need to setup API access in IBM Verify Saas.
Login to your environment or go for a trial account if you don’t have one : https://www.ibm.com/products/verify-identity
From the main menu select Security > API Access > Add API client
Create a new API Client :
- Specify the entitlements by selecting the check box from the list:
- Authenticate any user
- Read authenticator registrations for all users
- Read users and groups
- Read second-factor authentication enrollment for all users
- Click next on the following screens and finally give the API client a name : e.g. ‘MFA-Client’
A Client-ID and Secret will automatically be created for you. Use this information to complete the RADIUS config. Use the c:\Program Files\IBM\IbmRadius\IbmRadius.exe -obf
Finally configure the IBM RADIUS service to startup automatically and start the service:
Test RADIUS Authentication using the RADIUS tool : NTRadPing https://ntradping.apponic.com
You should get a push notification on the IBM Verify app on the mobile device.
(Make sure you test with a userid that is known in IBM Verify Saas and is enrolled for OTP)
4. Install OpenVPN RADIUS Plugin
- Login to the Linux OpenVPN server and launch the following commands:
- Copy the RADIUS plugin files to /etc/openvpn
- Edit the file /etc/openvpn/server.conf and add the following line to activate the RADIUS plugin:
- Edit the file /etc/openvpn/radiusplugin.cnf and modify the ip address of the RADIUS server and set the sharedsecret to ‘Passw0rd’ (this is the secret that was also configure on the RADIUS server side). Make sure to set ‘nonfatalaccounting=true’ because the RADIUS server does not support RADIUS accounting.
Save the file and restart the OpenVPN server using the command :
- Finally edit the OpenVPN client file ‘demouser.ovpn’ and add a line ‘auth-user-pass’:
This will allow the user to enter a username and password when initiating the VPN connection. These credentials will be authenticated against the IBM Verify Saas directory and this should result in a challenge request on the IBM Verify Mobile app. The ‘wait=60’ will allow the plugin to wait for a response from the user who has to respond to the challenge using the IBM Verify App on his phone.
If you prefer to use an TOTP challenge instead, you can modify the RADIUS configuration file on Windows (IBMRadiusConfig.json) and set the ‘auth-method’ to ‘password-and-totp’. Then you can open the client VPN connection and use ‘123456:password’ instead of the normal password.
See also : https://www.ibm.com/docs/en/security-verify?topic=server-clients
Additional resource learning material:
https://www.securitylearningacademy.com/course/view.php?id=6901