OpenVPN Demo Setup

These instructions assume you have a running installation of OpenVPN Access Server. If you are inexperienced with OpenVPN, trying this with a standard (non-Access Server) OpenVPN installation is not recommended, as that setup is much more involved. We also assume that you have installed a running instance of a MIRACL Trust RADIUS app and obtained your keys as detailed in the Installation section.

Do not confuse Client Secret with Secret! Client Secret is one of the keys you receive from the MIRACL Trust administration portal, while Secret is the arbitrary secret you must specify and add to both the MIRACL Trust config.json file and the OpenVPN admin UI.


When changes have been made to your MIRACL Trust RADIUS config, restart the service to apply them:

sudo service miracl-radius restart

Make sure your /etc/miracl-radius/config.yaml lists the correct files to include (you will need to add a hosts/openvpn.yaml file to it):

  - core.yaml
  - hosts/openvpn.yaml

Open your /etc/miracl-radius/core.yaml file and edit the mfa section to include the client id and client secret from your app (as created in the MIRACL Trust administration portal in the Installation section):

  address: :1812
  - pap
  - chap
  - mschapv1
    client_id: ''
    client_secret: ''

Then edit your /etc/miracl-radius/hosts/openvpn.yaml file. Add the IP address of your OpenVPN Access Server and the shared secret (a strong, hard-to-guess arbitrary string) that must also be entered in the OpenVPN Access Server admin console. For the purposes of this simple demo you can also use the mfa_id parameter to allow a non-email username. With the example below you can use the first half of an ‘’ email address as your username for logging into OpenVPN (e.g. ‘john’ from ‘’):

    name: openvpn
    mfa: global
    secret: '********'
    mfa_id: '{{.UserID}}'
    authorize: true
#    authorize:
#    - - ldap: ldap_profile

Using authorize: true on its own would mean that anybody is permitted to attempt to log in, but combining it with mfa_id: '{{.UserID}}' means that only users with the @mycompany email domain are authorized. The LDAP and authorization section explains how LDAP or a simple regex on email domains can be used for more detailed control of which users are authorized to attempt to log in.

Note on user authentication

For the actual authentication of a user, the MIRACL Trust authentication server must receive an email address (see the OTP Generation section for how an email address is used to register and authenticate once RADIUS/OTP is up and running). The mfa_id setting above therefore lets a user log in to OpenVPN with the prefix of their email address, while the full email address is still presented to the MIRACL Trust platform for authentication. For example, while you have registered with , this would enable you to log in with john.smith.
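The mapping that mfa_id performs, and the checks worth running on a hosts/openvpn.yaml entry before restarting the service, as an added Python example. This is not code from the MIRACL Trust RADIUS project: it assumes the mfa_id template has the form '{{.UserID}}@<domain>' with the domain spelled out, that {{.UserID}} is the only template field, and it uses a constructed example.com domain and a constructed secret; the function names, DEMO_HOST and HARDENED_HOST are the example's own. It also shows why a username that already contains '@' is rejected by a domain-pinned template.

```python
import re

# Go text/template-style field reference, the only placeholder form the config uses.
FIELD_RE = re.compile(r"\{\{\s*\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# One local part, one '@', one domain; anything else is not an address we will forward.
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def render_mfa_id(template: str, user_id: str) -> str:
    """Expand {{.UserID}} in an mfa_id template with the username typed at the VPN prompt.

    Only .UserID is known here (assumption); any other field name is treated as a
    configuration error rather than silently forwarding a literal '{{.X}}'.
    """
    fields = {"UserID": user_id}

    def substitute(match):
        name = match.group(1)
        if name not in fields:
            raise KeyError(f"unknown mfa_id template field .{name}")
        return fields[name]

    return FIELD_RE.sub(substitute, template)


def authorized_email(identity: str, domain_pattern: str) -> bool:
    r"""True when identity is a well-formed address whose domain matches domain_pattern,
    a regex such as r'example\.com' or r'(sales|eng)\.example\.com'."""
    match = EMAIL_RE.match(identity)
    if match is None:
        return False
    return re.fullmatch(domain_pattern, match.group(1), re.IGNORECASE) is not None


def check_host(host: dict) -> list:
    """Return findings for a hosts/*.yaml entry (as a dict) that would weaken the demo."""
    findings = []
    secret = host.get("secret") or ""
    if not secret or set(secret) == {"*"}:
        findings.append("secret is empty or still the '********' placeholder")
    elif len(secret) < 16:
        findings.append("secret is shorter than 16 characters; use a long random string")
    mfa_id = host.get("mfa_id") or ""
    if mfa_id and "{{.UserID}}" not in mfa_id:
        findings.append("mfa_id does not reference {{.UserID}}, so every login maps to one identity")
    if host.get("authorize") is True and "@" not in mfa_id:
        findings.append("authorize: true without a domain-pinning mfa_id: any address may attempt login")
    return findings


# Constructed sample entries (not from the page). DEMO_HOST mirrors the shape of the
# openvpn.yaml fragment with its placeholder secret; HARDENED_HOST pins the domain.
DEMO_HOST = {"name": "openvpn", "mfa": "global", "secret": "********",
             "mfa_id": "{{.UserID}}", "authorize": True}
HARDENED_HOST = {"name": "openvpn", "mfa": "global",
                 "secret": "q7Lm2vX9pA4sZ1kR8nT3bH6yW0cJ5dF2",  # constructed value
                 "mfa_id": "{{.UserID}}@example.com", "authorize": True}


def login_decision(host: dict, username: str, domain_pattern: str) -> tuple:
    """The identity the RADIUS app would forward to MIRACL Trust for `username`,
    and whether the domain rule admits it."""
    identity = render_mfa_id(host["mfa_id"], username)
    return identity, authorized_email(identity, domain_pattern)


if __name__ == "__main__":
    for name, host in (("demo", DEMO_HOST), ("hardened", HARDENED_HOST)):
        print(f"{name}: {check_host(host) or 'no findings'}")
    for user in ("john", "john@example.com", "mallory@evil.test"):
        print(user, "->", login_decision(HARDENED_HOST, user, r"example\.com"))
```

With the hardened entry, 'john' becomes john@example.com and is admitted, while 'john@example.com' or a crafted 'mallory@evil.test' render to a string with two '@' signs and are rejected, which is the practical effect of the prefix-only login the note describes.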

OpenVPN Configuration

Port 1194 (UDP) needs to be open, as does 943 (TCP) to allow use of the web UI; 443 (TCP) should also be open.

In the OpenVPN Access Server admin console, go to Authentication > RADIUS and turn RADIUS on as the authentication method (NOTE – make sure that the protocol you have chosen (pap or chap) is enabled in your /etc/miracl-radius/core.json file for MIRACL Trust RADIUS). Add your MIRACL Trust RADIUS server IP address and enter the shared secret. Save the settings and update the running server:
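Because pap is enabled in the core config above, the one-time password typed at the VPN prompt travels from OpenVPN Access Server to the RADIUS app as a PAP User-Password attribute, protected only by the shared secret and the per-request authenticator (RFC 2865 section 5.2). The added Python example below is not part of the page or of the MIRACL Trust product: it builds a minimal Access-Request, hides and reveals the password with the RFC's MD5-keystream scheme, and shows that a wrong secret yields garbage. This is why the shared secret should be long and random and why the path between OpenVPN and the RADIUS app should stay on a trusted network. Attribute codes are the RFC's; the username, OTP and secret values are constructed.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1      # RFC 2865 packet code
ATTR_USER_NAME = 1      # RFC 2865 attribute types
ATTR_USER_PASSWORD = 2


def _blocks(data: bytes):
    """Yield 16-octet chunks of data."""
    for i in range(0, len(data), 16):
        yield data[i:i + 16]


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 octets, then XOR
    each block with MD5(secret + previous ciphertext block); the first block is keyed by
    the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = bytearray(), authenticator
    for block in _blocks(padded):
        key = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ k for p, k in zip(block, key))
        hidden += cipher
        prev = cipher
    return bytes(hidden)


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide as the RADIUS server performs it; trailing NUL padding is removed."""
    plain, prev = bytearray(), authenticator
    for block in _blocks(hidden):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(plain).rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes = None) -> bytes:
    """Minimal Access-Request: code, identifier, length, 16-octet authenticator, then
    User-Name and the hidden User-Password (no other attributes)."""
    authenticator = authenticator or os.urandom(16)
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    hidden = pap_hide(password, secret, authenticator)
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: value} from a RADIUS packet, validating the length fields."""
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


if __name__ == "__main__":
    # Constructed values: a demo OTP, username and shared secret, fixed authenticator.
    secret, auth = b"s3cret-demo", bytes(range(16))
    pkt = build_access_request(7, b"john", b"123456", secret, auth)
    attrs = parse_attributes(pkt)
    print("on the wire:", attrs[ATTR_USER_PASSWORD].hex())
    print("right secret:", pap_reveal(attrs[ATTR_USER_PASSWORD], secret, auth))
    print("wrong secret:", pap_reveal(attrs[ATTR_USER_PASSWORD], b"guess", auth))
```

Note that this hiding is not encryption in the modern sense: MD5 is used as a keystream generator and the only secret input is the shared secret, so a short or guessable secret exposes every OTP that crosses the link.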


Go to User Management > User Permissions and add a new user with your email as the username (matching the email you registered with the RADIUS app in the portal, as described in OTP Generation; no password is required, as we are using RADIUS). If you use the mfa_id parameter, you can instead use just the prefix of your email address as the username; see the earlier note on user authentication for an explanation. Save and update the running server:


To prevent your DNS settings from being overwritten when running the test client, also make sure the following settings are in place:


Go to the non-admin login URL of OpenVPN:


Login with your registered email and use the browser PIN pad or the MIRACL Trust mobile app to generate an OTP:


Once logged in, download the OpenVPN config file:


Test Login

Now run OpenVPN with the downloaded config file:

sudo openvpn --config client.ovpn

Log in with your registered email address. You can generate an OTP either by visiting the OTP URL for in-browser OTP generation or by using the MIRACL Trust mobile app (see here for an explanation of in-browser/mobile OTP generation):

otp create id and createpin

You should now see that the connection has been made:


And the connection will be visible in the Status > Log Reports section of the OpenVPN admin UI: