OPENVPN MULTI-FACTOR AUTHENTICATION USING UPSSO

This document provides instructions to integrate the OpenVPN SSL VPN with the UPSSO RADIUS server.

PRE-REQUISITES

To integrate UPSSO with the OpenVPN SSL VPN, you need the following:

  • Administrator access to the UPSSO portal.
  • OpenVPN Access Server version 2.7.X or higher.
  • OpenVPN Connect software version 2.7.X or higher.

OPENVPN - UPSSO RADIUS NETWORK DIAGRAM

  1. The user authenticates to the firewall using the OpenVPN client software.
  2. OpenVPN sends an authentication request to the UPSSO RADIUS server.
  3. The UPSSO RADIUS server forwards the authentication request to the IDP server.
  4. The IDP server checks the authentication request against the enterprise LDAP or the UPSSO directory.
  5. The IDP sends the multi-factor token through the configured method, such as Google Authenticator, SMS, or Email.
  6. The RADIUS server receives the authorization accept or reject response from the IDP server.
  7. The UPSSO RADIUS server confirms the authentication request to the target device.

ADD OPENVPN RADIUS CLIENT IN UPSSO PORTAL

  1. Log in to the UPSSO portal.

  2. Once logged in, go to the RADIUS clients section.

  3. Click the + button to add a new client.

  4. Enter the device's friendly name, its IP address, and the secret the device will use to authenticate with the RADIUS server. This secret is used again during the device's RADIUS configuration.
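
The following added example (not part of the original guide and not UPSSO or OpenVPN code) shows what the shared secret from step 4 does on the wire under RFC 2865: it hides the User-Password in the Access-Request and authenticates the Access-Challenge, Access-Accept or Access-Reject that comes back in the flow described in the network diagram section. The user name, password, secret and the make_reply helper are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden

def build_access_request(user, password, secret, identifier=1, authenticator=None):
    """Access-Request (code 1) carrying User-Name (1) and User-Password (2)."""
    authenticator = authenticator or os.urandom(16)
    name = user.encode()
    hidden = hide_password(password.encode(), secret, authenticator)
    attrs = bytes([1, len(name) + 2]) + name + bytes([2, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def make_reply(code, request, secret, attrs=b""):
    """Constructed server reply, used here only to exercise verify_reply offline."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs

def verify_reply(reply, request, secret):
    """Return the reply's code name if its Response Authenticator checks out, else None."""
    if len(reply) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return None
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return None
    return CODES.get(code)

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # placeholder, not a real secret
    req = build_access_request("alice", "constructed-password", secret)
    challenge = make_reply(11, req, secret, bytes([18, 12]) + b"Enter code")
    print(verify_reply(challenge, req, secret), verify_reply(challenge, req, b"wrong"))
```

Both protections rest only on MD5 and the shared secret, so the value entered in step 4 should be long, random, and unique to this device.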

CONFIGURING OPENVPN ACCESS SERVER

  1. Log in to the OpenVPN server at the URL https://<IP or domain>/admin. If you are a first-time user, the default username is openvpn. You can set the password over SSH by running the command "sudo passwd openvpn".

  2. Once logged in, go to Configuration and then VPN Settings.

  3. In the VPN IP network setting, the range 172.27.224.0/20 is assigned by default. These IPs are assigned to the clients connecting to this VPN. Make sure this IP range does not conflict with your existing IP range.

  4. In the Routing section, follow the configuration shown in the screenshot below. In the private section, enter the network range that is accessible through the VPN.

  5. Leave the default values for the DNS settings.

  6. Save the configuration and update the configuration on the server.

This enables the VPN, and clients can connect to it using default authentication.

ENABLING RADIUS AUTHENTICATION IN OPENVPN

  1. In the OpenVPN portal, go to Authentication > General.

  2. Under user authentication, enable RADIUS; local authentication is disabled automatically.

  3. In the UPSSO portal, go to Authentication > RADIUS.

  4. Configure the RADIUS settings as shown in the screenshot below. In the Hostname or IP address field, enter the name of the UPSSO RADIUS server; by default, the port number is 1812.

  5. Make sure RADIUS accounting is disabled.

  6. Save the configuration and update the running configuration on the server.

LOGIN TO VPN USING UPSSO MFA

  1. Log in to the OpenVPN portal by going to https://<domain or IP address>. At the login prompt, enter the username and password configured in UPSSO.

  2. After login, enter the challenge received by SMS, Email, or Google Authenticator in the OpenVPN prompt.

  3. Once logged in, download and install the required client for your operating system.

Note: Please download the client as highlighted, as the new client has issues presenting the RADIUS challenge.

  4. Once installed, open the OpenVPN Connect software from the programs.

  5. Enter the username and password as per the UPSSO login. In this tutorial, we are using the LDAP credentials, which are integrated into the UPSSO server.

  6. After you enter the credentials, the VPN client prompts for the access challenge.

  7. Once challenge authentication is successful, you are connected to the VPN network.