OpenVPN Demo Setup

These instructions assume you have a running installation of OpenVPN Access Server. If you are inexperienced with OpenVPN, it is not recommended that you try this with a standard OpenVPN installation, as the setup is much more involved. We also assume that you have already registered in the MIRACL Portal and have created a MIRACL Trust RADIUS app to obtain API keys as detailed in the Installation section of these docs.

Do not confuse Client Secret with Secret! Client Secret is the OIDC Client Secret of the MIRACL Trust API. Secret is the arbitrary shared secret that must be specified both in the MIRACL Trust RADIUS Server configuration (the secret value in hosts/openvpn.yaml) and in the OpenVPN admin UI so that the two can authenticate to each other.

# MIRACL Trust RADIUS setup

For new settings to take effect, the service needs to be restarted.

Make sure your /etc/miracl-radius/config.yaml lists the correct files to include (you will need to add a hosts/openvpn.yaml file to it):

```yaml
includes:
  - core.yaml
  - hosts/openvpn.yaml
```

Open your /etc/miracl-radius/core.yaml file and edit the mfa section to include the client id and client secret from your app (as created in the MIRACL Trust administration portal in the Installation section):

```yaml
server:
  address: :1812
protocols:
  - pap
  - chap
  - mschapv1
mfa:
  global:
    # Client ID and Client Secret of your MIRACL Trust RADIUS app
    client_id: ''
    client_secret: ''
```

Then edit your /etc/miracl-radius/hosts/openvpn.yaml file. Add the IP of your OpenVPN Access Server and the shared secret (a strong, hard-to-guess arbitrary string), which must also be entered in the OpenVPN Access Server admin console. For the purposes of this simple demo you can also use the mfa_id parameter to allow for a non-email username. The example below means that you can use the first half of an '@mycompany.com' email address as your username for logging into OpenVPN (e.g. 'john' from 'john@mycompany.com'):

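```yaml
host:
  # IP of your OpenVPN Access Server
  52.xxx.xxx.xx:
    name: openvpn
    mfa: global
    # Shared secret; must match the one entered in the OpenVPN admin console
    secret: '********'
    mfa_id: '{{.UserID}}@mycompany.com'
    authorize: true
#    authorize:
#    - - ldap: ldap_profile
```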

Using authorize: true on its own would mean that anybody is permitted to attempt to log in, but combining it with mfa_id: '{{.UserID}}@mycompany.com' means that only users with the @mycompany.com email domain are authorized. The LDAP and authorization section explains how LDAP or a simple regex of email domains can be used for more detailed control over which users are authorized to attempt to log in.
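Added example (not part of the MIRACL Trust or OpenVPN code): when pap is the chosen protocol, the OTP travels in the RADIUS User-Password attribute, hidden only by the shared secret from hosts/openvpn.yaml, as defined in RFC 2865 section 5.2. The code below implements both sides of that hiding and shows what the server recovers when the two secrets differ; the OTP, authenticator and secrets are constructed sample values.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client (NAS) side: hide User-Password as in RFC 2865 section 5.2."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # Keystream block = MD5(shared secret + previous ciphertext block)
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side: reverse the hiding with its own copy of the secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")

def demo():
    """Return (hidden bytes, value with matching secret, value with mismatch)."""
    otp = b"493027"                    # constructed OTP
    authenticator = bytes(range(16))   # constructed; real clients use random bytes
    secret = b"constructed-shared-secret-A"
    hidden = hide_password(otp, secret, authenticator)
    ok = reveal_password(hidden, secret, authenticator)
    mismatch = reveal_password(hidden, b"constructed-shared-secret-B", authenticator)
    return hidden, ok, mismatch

if __name__ == "__main__":
    hidden, ok, mismatch = demo()
    print("on the wire:    ", hidden.hex())
    print("matching secret:", ok)
    print("wrong secret:   ", mismatch)
```

A secret that differs between the OpenVPN admin console and hosts/openvpn.yaml yields garbage instead of the OTP, so valid logins are rejected; a weak secret leaves the OTP protected by little more than a guessable MD5 input.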

# Note on user authentication

To generate an OTP, users need to register first. Registration is outlined in the OTP Generation page. Authentication to the OpenVPN client can be done using a user identifier instead of an email. This is achieved using the mfa_id configuration option of the MIRACL Trust RADIUS Server, which transforms the email to a user identifier.

# OpenVPN Configuration

Note that port 1194 (UDP) needs to be open, as does 943 (TCP), to allow use of the web UI. 443 (TCP) also should be open.

In the OpenVPN Access Server admin console, go to Authentication > RADIUS and turn RADIUS on as the auth method. (NOTE: make sure that the protocol you have chosen, pap or chap, is enabled in your /etc/miracl-radius/core.yaml file for MIRACL Trust RADIUS.) Add your MIRACL Trust RADIUS server IP address and enter the shared secret. Save the settings and update the running server:

[Screenshot: ovpn_ui1]

Go to User Management > User Permissions and add a new user with your email as username (matching the email you registered with the RADIUS app in the portal, as described in OTP Generation). Note that no password is required, as we are using RADIUS. If you use the mfa_id parameter, you can also use just the prefix from your email address as a username. Please see the earlier note on user authentication for an explanation of this. Save and update the running server:

[Screenshot: ovpn_ui2]

In order to prevent overwriting of your DNS when running the test client, you should also make sure the following settings are made:

[Screenshot: ovpn_dns_settings]

Go to the non-admin login URL of OpenVPN, https://xx.xx.xxx.xx:943:

[Screenshot: ovpn_login]

Log in with your registered email and use the browser PIN pad or the MIRACL Trust mobile app to generate an OTP:

[Screenshot: mob_genotp]

Once logged in, download the OpenVPN config file:

[Screenshot: ovpn_download_profile]

# Test Login

Now run the OpenVPN config file:

```sh
sudo openvpn --config client.ovpn
```

Log in with your registered email address. You can generate an OTP either by visiting the OTP URL for in-browser OTP generation or by using the MIRACL Trust mobile app (see here for an explanation of in-browser/mobile OTP generation):

[Screenshot: otp create id and createpin]

You should now see that the connection has been made:

[Screenshot: term_connected]

And the connection will be visible in the Status > Log Reports section of the OpenVPN admin UI:

[Screenshot: ovpn_logged_users]