OpenVPN demo setup

These instructions assume you have a running installation of OpenVPN Access Server. Also that you have installed a running instance of a MIRACL Trust RADIUS app and obtained API keys as detailed in the Setup and Installation section of these docs.

Do not confuse Client Secret with Secret!
Client Secret is one of the API keys you receive from the MIRACL Trust authentication portal, while Secret is the arbitrary secret you must specify, which is stored in both the MIRACL Trust config.json file and in the OpenVPN admin UI

MIRACL Trust SSO RADIUS setup

Open your /etc/srv-radius/config.json file and make the following adjustments.

When changes have been made to your MIRACL Trust RADIUS config it is necessary to run sudo service srv-radius restart to apply the changes

Edit the zfa section to include the client id and client secret from your app (as created in the MIRACL Trust SSO RADIUS authentication portal in the Setup and Installation section):


"zfa": {
  "global": {
    "client_id": "***********",
    "client_secret": "*****************************",
    "otp_endpoint": "https://api.mpin.io/otp",
    "max_uses": 1,
    "max_attempts": 3
  }
},

otp_endpoint should always be set as https://api.mpin.io/otp

Then, in the host section, add the IP of your OpenVPN Access Server server and the shared secret (a strong and hard to guess arbitrary string) that should also be entered in the OpenVPN Access Server admin console. Here you can also use the zfa_id parameter to allow for a non-email username. The example below will mean that you can use the first half of an '@mycompany.com' email address as your username for logging into OpenVPN (e.g. 'john' from 'john@mycompany.com'):

"host": {
  "52.xxx.xxx.xx": {
    "name": "openvpn",
    "zfa_id":"{{.UserID}}@mycompany.com",
    "authorize": [[{"ldap":"global"}]],
    "zfa": "global",
    "secret": "********"
  }
},

Note on user authentication

Note that, for the actual authentication of a user, the MIRACL Trust authentication server must receive an email address (Please see the OTP Generation menu section for an understanding of how an email address is used to register and authenticate once RADIUS/OTP is up and running). Hence the above zfa_id shows how to extract the username prefix from the email you register with as the username you will use for OpenVPN login, while still presenting the full email address to the MIRACL Trust platform for authentication purposes. Note that the zfa_id feature is only available from version 1.1.0 release 101 and above. If you are using a version older than this, you will need to use a full email address for your username.

Also note that the default config means that LDAP is effectively disabled, as the global server's LDAP method is set as none (rather than plain or tls). Therefore the above "authorize": [[{"ldap":"global"}]], is OK to use for testing a non-LDAP setup.

Do not confuse Client Secret with Secret!
Client Secret is one of the API keys you receive from the MIRACL Trust authentication portal, while Secret is the arbitrary secret you must specify, which is stored in both the MIRACL Trust RADIUS config.json file and in the PAM RADIUS config file

Finally, in the protocols section, specify the protocols you wish to be available, ensuring this includes the protocol you will specify in the OpenVPN AS admin console:

"protocols": ["pap", "chap", "mschapv1"]

Setup of Ports

Note that port 1194 (UDP) needs to be open, as does 943 (TCP), to allow use of the web UI. 443 (TCP) also should be open.

OpenVPN Configuration

In the OpenVPN Access Server admin console, go to Authentication > RADIUS and turn RADIUS on as the auth method (NOTE – make sure that the protocol you have chosen (pap or chap) is enabled in your /etc/srv-radius/config.json file for MIRACL Trust RADIUS). Add your MIRACL Trust RADIUS server IP Address and enter the shared secret. Save the settings and update the running server:

ovpn_ui1

Go to User Management > User Permissions and add a new user with your email as username (matching the email you registered with the RADIUS app in the portal in step 2. Note that no password is required, as we are using RADIUS). If you use the zfa_id parameter, you can also use just the prefix from your email address as a username. Please see earlier note on user authentication for an explanation of this. Save and update the running server:

ovpn_ui2

In order to prevent overwriting of your DNS when running the test client, you should also make sure the following settings are made:

ovpn_dns_settings

Go to the non-admin login (https://xx.xx.xxx.xx:943) url of OpenVPN:

ovpn_login

Login with your registered email and use the browser PIN pad or the MIRACL Trust mobile app to generate an OTP:

mob_genotp

Once logged in, download the openvpn config file:

ovpn_download_profile

Test Login

Now run the openvpn config file:

sudo openvpn --config client.ovpn

Login with your registered email address. You can generate an OTP by either visiting the OTP url for in-browser OTP generation, or using the MIRACL Trust mobile app to generate an OTP (see here for an explanation of in-browser/mobile OTP generation):

otp create id and create pin

You should now see that the connection has been made:

term_connected

And the connection will be visible in the Status > Log Reports section of the OpenVPN admin UI:

ovpn_logged_users

Top